From f17ff29a8ff5d3b0f5c955d5d1f8843ba0723829 Mon Sep 17 00:00:00 2001 
From: johnswayty-ssc <142910371+johnswayty-ssc@users.noreply.github.com> Date: Mon, 5 Feb 2024 11:04:20 -0500 Subject: [PATCH 1/7] fix: Removing securitycontrols.md and security control tags from experimentation (#811) * removing securitycontrols.md and security control tags from exp * fix: removed extra security control tag --- .../admin-folder/folder-iam.yaml | 3 -- .../client-folder/folder-iam.yaml | 1 - .../client-folder/folder-sink.yaml | 1 - .../logging-project/cloud-logging-bucket.yaml | 2 - .../logging-project/project-iam.yaml | 1 - .../logging-project/securitycontrols.md | 51 ------------------ .../client-landing-zone/setters.yaml | 2 - .../client-project/network/dns.yaml | 2 - .../client-project/network/nat.yaml | 3 -- .../client-project/network/route.yaml | 1 - .../client-project/network/subnet.yaml | 14 ----- .../client-project/network/vpc.yaml | 4 +- .../client-project/project-iam.yaml | 2 - .../client-project/securitycontrols.md | 34 ------------ .../cloud-logging-buckets.yaml | 3 -- .../cloud-storage-buckets.yaml | 2 - .../audits/logging-project/project-iam.yaml | 4 -- .../audits/logging-project/project-sink.yaml | 6 --- .../audits/logging-project/project.yaml | 1 - .../logging-project/securitycontrols.md | 52 ------------------- .../lz-folder/tests/folder-sink.yaml | 1 - .../mgmt-project/project-sink.yaml | 1 - .../config-management-monitoring.yaml | 4 -- .../namespaces/gatekeeper-system.yaml | 2 - .../namespaces/hierarchy.yaml | 2 - .../core-landing-zone/namespaces/logging.yaml | 5 -- .../namespaces/networking.yaml | 2 - .../namespaces/policies.yaml | 2 - .../namespaces/projects.yaml | 2 - .../namespaces/securitycontrols.md | 24 --------- .../core-landing-zone/org/org-sink.yaml | 11 ---- .../core-landing-zone/setters.yaml | 4 -- 32 files changed, 2 insertions(+), 247 deletions(-) delete mode 100644 solutions/experimentation/client-landing-zone/logging-project/securitycontrols.md delete mode 100644 
solutions/experimentation/client-project/securitycontrols.md delete mode 100644 solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/securitycontrols.md delete mode 100644 solutions/experimentation/core-landing-zone/namespaces/securitycontrols.md diff --git a/solutions/experimentation/admin-folder/folder-iam.yaml b/solutions/experimentation/admin-folder/folder-iam.yaml index 4c5862579..1b0096e59 100644 --- a/solutions/experimentation/admin-folder/folder-iam.yaml +++ b/solutions/experimentation/admin-folder/folder-iam.yaml @@ -13,7 +13,6 @@ # limitations under the License. ######### # Grant GCP role Folder Admin on Admin's folder to admin -# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: @@ -30,7 +29,6 @@ spec: member: admin-owner # kpt-set: ${admin-owner} --- # Grant GCP role Project Creator on Admin's folder to admin -# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: @@ -47,7 +45,6 @@ spec: member: admin-owner # kpt-set: ${admin-owner} --- # Grant GCP role Owner on Admin's folder to admin -# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: diff --git a/solutions/experimentation/client-landing-zone/client-folder/folder-iam.yaml b/solutions/experimentation/client-landing-zone/client-folder/folder-iam.yaml index 69de191d2..48f59822e 100644 --- a/solutions/experimentation/client-landing-zone/client-folder/folder-iam.yaml +++ b/solutions/experimentation/client-landing-zone/client-folder/folder-iam.yaml @@ -13,7 +13,6 @@ # limitations under the License. ######### # Grant GCP role Folder Viewer on client's folder to client's user group -# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: 
diff --git a/solutions/experimentation/client-landing-zone/client-folder/folder-sink.yaml b/solutions/experimentation/client-landing-zone/client-folder/folder-sink.yaml index 32978aba0..11a9c3370 100644 --- a/solutions/experimentation/client-landing-zone/client-folder/folder-sink.yaml +++ b/solutions/experimentation/client-landing-zone/client-folder/folder-sink.yaml @@ -34,7 +34,6 @@ spec: description: Folder sink for client-name Platform and Component logs # kpt-set: Folder sink for ${client-name} Platform and Component logs # the log sink must be enabled (disabled: false) to meet the listed security controls disabled: false - # AU-2, AU-12(A), AU-12(C) # Includes the following types of logs: # Cloud DNS, Cloud NAT, Firewall Rules, VPC Flow, and HTTP(S) Load Balancer # These logs are not enabled by default. They are enabled inside the client-experimentation package: diff --git a/solutions/experimentation/client-landing-zone/logging-project/cloud-logging-bucket.yaml b/solutions/experimentation/client-landing-zone/logging-project/cloud-logging-bucket.yaml index fbaf018fb..d7b1d73b1 100644 --- a/solutions/experimentation/client-landing-zone/logging-project/cloud-logging-bucket.yaml +++ b/solutions/experimentation/client-landing-zone/logging-project/cloud-logging-bucket.yaml @@ -14,7 +14,6 @@ ###### # Cloud Logging bucket for client Platform and Component logs # Logs are routed using a log sink to a central logging project into a dedicated log bucket -# AU-4(1), AU-9(2) - Log buckets are created in a logging project, isolating them from the source of the log entries in other projects apiVersion: logging.cnrm.cloud.google.com/v1beta1 kind: LoggingLogBucket metadata: 
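Review bot: The context line `# the log sink must be enabled (disabled: false) to meet the listed security controls` now refers to a list that this hunk deletes (`# AU-2, AU-12(A), AU-12(C)` was the only enumeration), so the comment points at nothing. Rewording it to `# the log sink must stay enabled (disabled: false) for the logs listed below to be routed` keeps the intent without the dangling reference. The same stale wording survives unchanged in lz-folder/tests/folder-sink.yaml, mgmt-project/project-sink.yaml and lz-folder/audits/logging-project/project-sink.yaml, and client-landing-zone/setters.yaml keeps `# ... to implement above mentioned security controls` after the AU-9/AU-11 lines directly above it are removed.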
@@ -29,6 +28,5 @@ spec: location: northamerica-northeast1 description: Cloud Logging bucket for client-name Platform and Component logs # kpt-set: Cloud Logging bucket for ${client-name} Platform and Component logs # Implement retention policy and retention locking policy - # AU-9, AU-11 - RetentionDays sets the policy where existing log content cannot be changed/deleted for the specificied number of days (from setters.yaml), locked setting means policy cannot be changed, ensuring immutability. locked: false # kpt-set: ${retention-locking-policy} retentionDays: 1 # kpt-set: ${retention-in-days} diff --git a/solutions/experimentation/client-landing-zone/logging-project/project-iam.yaml b/solutions/experimentation/client-landing-zone/logging-project/project-iam.yaml index 5b5c5e70c..5b7aae847 100644 --- a/solutions/experimentation/client-landing-zone/logging-project/project-iam.yaml +++ b/solutions/experimentation/client-landing-zone/logging-project/project-iam.yaml @@ -26,7 +26,6 @@ spec: kind: Project name: logging-project-id # kpt-set: ${logging-project-id} namespace: projects - # AC-3(7) - Write access to the logging buckets is limited by IAM to just the identities of the log sinks configured to send logs to the buckets (set at the logging project level) bindings: - role: roles/logging.bucketWriter members: diff --git a/solutions/experimentation/client-landing-zone/logging-project/securitycontrols.md b/solutions/experimentation/client-landing-zone/logging-project/securitycontrols.md deleted file mode 100644 index ae41ba8a9..000000000 --- a/solutions/experimentation/client-landing-zone/logging-project/securitycontrols.md +++ /dev/null 
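Review bot: Dropping `# AU-9, AU-11 - RetentionDays sets the policy where existing log content cannot be changed/deleted ... ensuring immutability.` removes the only explanation of what `locked` and `retentionDays` do for this bucket, not just the control tag; the surviving `# Implement retention policy and retention locking policy` does not say that locking makes the retention policy itself irreversible. I would keep the rationale without the tag, e.g. `# retentionDays: existing log entries cannot be changed or deleted for that many days (from setters.yaml); locked: true makes the retention policy itself unchangeable`. The same loss of rationale occurs wherever a tag-plus-explanation line is removed as a whole: client-landing-zone/logging-project/project-iam.yaml (bucketWriter limited to the sink identities), lz-folder/audits/logging-project/cloud-logging-buckets.yaml, cloud-storage-buckets.yaml, project-iam.yaml, project-sink.yaml and project.yaml, and the namespaces files config-management-monitoring.yaml, gatekeeper-system.yaml, hierarchy.yaml and logging.yaml, where the comment stating each service account's limited purpose goes with the tag.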
@@ -1,51 +0,0 @@ -# Security Controls -> -> TODO: This document requires refinement. - -## AC-3 ACCESS ENFORCEMENT - -## AC-3(7) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL - -AC-3(7) – Write access to the logs is constrained by IAM permissions to just the log sinks. -This control should be added to project-iam.yaml. Lines 15/16 already have a good explanation of -what’s happening so just add the AC-3(7) tag around there) - -## AU-2 AUDITABLE EVENTS - -AU-2 – Event families being audited are set here. This control should be added to the folder-sink.yaml, -gke-kcc-sink.yaml and org-sink.yaml with a brief explanation of what’s being audited. -Suggest putting the tag and explanation down around line 35 where the inclusions/exclusions are -This is an org control so the AU-2 tagging in the code is there to support the narrative Ops will write to demonstrate the org requirements - -## AU-4 AUDIT STORAGE CAPACITY - -## AU-4(1) AUDIT STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE - -AU-4(1) – Logs are being sent to a logging project which is separate from the projects -performing actions which generate log entries. This control should be added to the -cloud-logging-buckets.yaml with a brief explanation that the logs are in a separate project. -Suggest putting around line 15 which describes buckets - -## AU-8 TIME STAMPS - -AU-8 – Time stamps for audit records use internal Google time. Statement to that effect should go into securitycontrols.md, will need a reference to some Google documentation (can be found later) - -## AU-9 PROTECTION OF AUDIT INFORMATION - -AU-9 – Retention policies and policy locks are implemented so log contents is immutable. Include in cloud-logging-buckets.yaml after lines 28 and 46 (i.e. just before the “locked” and “retentionDays” settings. Also add to setters.yaml. 
Also add notation to project-iam.yaml where roles are being assigned to the sinks (same as AC-3(7)) - -## AU-9(2) PROTECTION OF AUDIT INFORMATION | AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS - -AU-9(2) – Logs sent to separate project, same response as AU-4(1) - -## AU-11 AUDIT RECORD RETENTION - -AU-11 – Audit log retention, same response as AU-9 however no reference added to project-iam.yaml as AU-11 doesn’t deal with access - -## AU-12 AUDIT GENERATION - -## AU-12(A) - -## AU-12(C) - -AU-12(A), AU-12(C) – This is the implementation of AU-2, so same comments and code locations apply diff --git a/solutions/experimentation/client-landing-zone/setters.yaml b/solutions/experimentation/client-landing-zone/setters.yaml index d54364c2f..72b167bf0 100644 --- a/solutions/experimentation/client-landing-zone/setters.yaml +++ b/solutions/experimentation/client-landing-zone/setters.yaml @@ -54,8 +54,6 @@ data: # Set the number of days to retain logs in Cloud Logging buckets # Set the lock mechanism on the bucket to: true or false # After a retention policy is locked (true), you can't delete the bucket until every log in the bucket has fulfilled the bucket's retention period - # AU-9 PROTECTION OF AUDIT INFORMATION - # AU-11 AUDIT RECORD RETENTION # The values below must be modified to locked: true and retentionDays: 365 in a Production setting to implement above mentioned security controls. retention-locking-policy: "false" retention-in-days: "1" diff --git a/solutions/experimentation/client-project/network/dns.yaml b/solutions/experimentation/client-project/network/dns.yaml index a4307e9c9..e8725ff7c 100644 --- a/solutions/experimentation/client-project/network/dns.yaml +++ b/solutions/experimentation/client-project/network/dns.yaml 
@@ -12,7 +12,6 @@ # See the License for the specific language governing permissions and # limitations under the License. ######### -# AU-12 - Enable logging for DNS apiVersion: dns.cnrm.cloud.google.com/v1beta1 kind: DNSPolicy metadata: @@ -24,7 +23,6 @@ metadata: spec: resourceID: logging-dnspolicy description: "DNS policy to enable logging" - # AU-12 enableLogging: true networks: - networkRef: diff --git a/solutions/experimentation/client-project/network/nat.yaml b/solutions/experimentation/client-project/network/nat.yaml index 7a7a17dc9..274cf4db0 100644 --- a/solutions/experimentation/client-project/network/nat.yaml +++ b/solutions/experimentation/client-project/network/nat.yaml @@ -13,7 +13,6 @@ # limitations under the License. ######### # Cloud NAT northamerica-northeast1 -# # AU-12 - Enable Logging for Cloud Nat apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeRouterNAT metadata: @@ -29,7 +28,6 @@ spec: routerRef: name: project-id-nane1-router # kpt-set: ${project-id}-nane1-router sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES - # AU-12 logConfig: enable: true filter: ALL @@ -66,7 +64,6 @@ spec: routerRef: name: project-id-nane2-router # kpt-set: ${project-id}-nane2-router sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES - # AU-12 logConfig: enable: true filter: ALL diff --git a/solutions/experimentation/client-project/network/route.yaml b/solutions/experimentation/client-project/network/route.yaml index 7343b990f..6759f4340 100644 --- a/solutions/experimentation/client-project/network/route.yaml +++ b/solutions/experimentation/client-project/network/route.yaml @@ -14,7 +14,6 @@ ######### # A Route to the internet that requires that the resources attached to the network # specify it's tag to access the internet -# SC-7(5) BOUNDARY PROTECTION | DENY BY DEFAULT / ALLOW BY EXCEPTION apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeRoute metadata: 
diff --git a/solutions/experimentation/client-project/network/subnet.yaml b/solutions/experimentation/client-project/network/subnet.yaml index 0faac005b..01d43bc94 100644 --- a/solutions/experimentation/client-project/network/subnet.yaml +++ b/solutions/experimentation/client-project/network/subnet.yaml @@ -13,15 +13,12 @@ # limitations under the License. ######### ################################## -# AC-4 Information flow enforcement - Subnet creation to segregate and force through ZIP for access ################################## # All subnets have : # - logging enabled for flow logs https://cloud.google.com/vpc/docs/using-flow-logs # - private google access enabled https://cloud.google.com/vpc/docs/private-google-access ################################## # Subnet PAZ northamerica-northeast1 -# SC-7 BOUNDARY PROTECTION -# AU-12 - Enable Logging for Subnet apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeSubnetwork metadata: @@ -38,14 +35,12 @@ spec: privateIpGoogleAccess: true networkRef: name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc - # AU-12 logConfig: aggregationInterval: INTERVAL_5_SEC flowSampling: 0.5 metadata: INCLUDE_ALL_METADATA --- # Subnet APPRZ northamerica-northeast1 -# SC-7 BOUNDARY PROTECTION apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeSubnetwork metadata: @@ -62,14 +57,12 @@ spec: privateIpGoogleAccess: true networkRef: name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc - # AU-12 logConfig: aggregationInterval: INTERVAL_5_SEC flowSampling: 0.5 metadata: INCLUDE_ALL_METADATA --- # Subnet DATARZ northamerica-northeast1 -# SC-7 BOUNDARY PROTECTION apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeSubnetwork metadata: 
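Review bot: In the first hunk, removing the `# AC-4 Information flow enforcement - ...` line leaves two `##################################` banner lines back to back with nothing between them; one of them should go so the header reads as a single block above `# All subnets have :`. That removed line was also the only place the purpose of the subnet split was stated, so a tag-free line such as `# Subnets are split into PAZ, APPRZ and DATARZ zones per region to segregate traffic` placed inside the banner would keep the rationale. The per-subnet `# SC-7 BOUNDARY PROTECTION` removals in the later hunks are fine as they carried no explanation.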
@@ -86,14 +79,12 @@ spec: privateIpGoogleAccess: true networkRef: name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc - # AU-12 logConfig: aggregationInterval: INTERVAL_5_SEC flowSampling: 0.5 metadata: INCLUDE_ALL_METADATA --- # Subnet PAZ northamerica-northeast2 -# SC-7 BOUNDARY PROTECTION apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeSubnetwork metadata: @@ -110,14 +101,12 @@ spec: privateIpGoogleAccess: true networkRef: name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc - # AU-12 logConfig: aggregationInterval: INTERVAL_5_SEC flowSampling: 0.5 metadata: INCLUDE_ALL_METADATA --- # Subnet APPRZ northamerica-northeast2 -# SC-7 BOUNDARY PROTECTION apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeSubnetwork metadata: @@ -134,14 +123,12 @@ spec: privateIpGoogleAccess: true networkRef: name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc - # AU-12 logConfig: aggregationInterval: INTERVAL_5_SEC flowSampling: 0.5 metadata: INCLUDE_ALL_METADATA --- # Subnet DATARZ northamerica-northeast2 -# SC-7 BOUNDARY PROTECTION apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeSubnetwork metadata: @@ -158,7 +145,6 @@ spec: privateIpGoogleAccess: true networkRef: name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc - # AU-12 logConfig: aggregationInterval: INTERVAL_5_SEC flowSampling: 0.5 diff --git a/solutions/experimentation/client-project/network/vpc.yaml b/solutions/experimentation/client-project/network/vpc.yaml index 58fd14eb0..f55b380cd 100644 --- a/solutions/experimentation/client-project/network/vpc.yaml +++ b/solutions/experimentation/client-project/network/vpc.yaml @@ -25,5 +25,5 @@ spec: resourceID: global-vpc1-vpc description: experimentation VPC routingMode: REGIONAL - autoCreateSubnetworks: false # SC-7 - deleteDefaultRoutesOnCreate: true # AC-4, SC-7(5) + autoCreateSubnetworks: false + deleteDefaultRoutesOnCreate: true 
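Review bot: In the vpc.yaml hunk, stripping the trailing comments leaves `deleteDefaultRoutesOnCreate: true` with no hint of why the default route is dropped, which is the one setting here a reader is likely to question. A why-comment keeps that visible without a control tag, e.g. `deleteDefaultRoutesOnCreate: true # default internet route is replaced by the tag-gated route in network/route.yaml`, which matches route.yaml's header on this page describing a route that requires a network tag. `autoCreateSubnetworks: false # subnets are defined explicitly in network/subnet.yaml` would document the other line the same way.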
diff --git a/solutions/experimentation/client-project/project-iam.yaml b/solutions/experimentation/client-project/project-iam.yaml index a34ba3b02..52b0c5b8d 100644 --- a/solutions/experimentation/client-project/project-iam.yaml +++ b/solutions/experimentation/client-project/project-iam.yaml @@ -13,7 +13,6 @@ # limitations under the License. ######### # Grant GCP role Editor to project-editor -# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: @@ -30,7 +29,6 @@ spec: member: project-editor # kpt-set: ${project-editor} --- # Grant GCP role IAM Security Admin to project-editor -# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: diff --git a/solutions/experimentation/client-project/securitycontrols.md b/solutions/experimentation/client-project/securitycontrols.md deleted file mode 100644 index 2a82a1b72..000000000 --- a/solutions/experimentation/client-project/securitycontrols.md +++ /dev/null 
@@ -1,34 +0,0 @@ -# 30 days Guardrail - - - -## Guardrail 1 - Master account should be secured - -* n/a to this package - -## Guardrail 2 - Global Admins should be secured - -* AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL : - Role policies for accounts are being set in this package. The "Editor" and "IAM Security Admin" roles are granted at the project scope to a customizable user, group or service account through `setters.yaml`. - -## Guardrail 4 - CBS access to billing should be granted - -* n/a to this package - -## Guardrail 8 - Network segmentation should be configured - -* AC‑4 - INFORMATION FLOW ENFORCEMENT - - Default route to the Internet is removed, and replaced with one requiring specific tagging to pass traffic (no unintentional access to the Internet). Implements 3 zones as per ITSG-22, no default communications are enabled between them (specific firewall rules will need to be created based on need). Logging enabled. - -* SC‑7 - BOUNDARY PROTECTION: - - This package implements ITSG-22 zoning with a PAZ, an APPRZ and a DATARZ subnet. It enables workload placement as per ITSG-38. - -* SC‑7(5) -BOUNDARY PROTECTION | DENY BY DEFAULT / ALLOW BY EXCEPTION: - - GCP VPC comes with default ingress deny all rule and a default egress allow all rule. This package replaces the default route to access the internet with a default route that requires that resources configure a network tag "internet-egress-route" to be able to access the internet. This implements "deny by default" for internet access. - -## Guardrail 12 - Marketplace should be locked down to only approved software - -* n/a to this package diff --git a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/cloud-logging-buckets.yaml b/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/cloud-logging-buckets.yaml index 16fbd7468..c1075b455 100644 
--- a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/cloud-logging-buckets.yaml +++ b/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/cloud-logging-buckets.yaml @@ -14,7 +14,6 @@ ###### # Cloud Logging bucket for Security logs: Cloud Audit, Access Transparency Logs, and Data Access Logs # Logs are routed using a log sink to a central logging project into a dedicated log bucket -# AU-4(1), AU-9(2) - Log buckets are created in a logging project, isolating them from the source of the log entries in other projects apiVersion: logging.cnrm.cloud.google.com/v1beta1 kind: LoggingLogBucket metadata: @@ -29,7 +28,6 @@ spec: location: northamerica-northeast1 description: Cloud Logging bucket for Security logs # Implement retention policy and retention locking policy - # AU-9, AU-11 - RetentionDays sets the policy where existing log content cannot be changed/deleted for the specificied number of days (from setters.yaml), locked setting means policy cannot be changed, ensuring immutability. locked: false # kpt-set: ${retention-locking-policy} retentionDays: 1 # kpt-set: ${retention-in-days} --- @@ -48,6 +46,5 @@ spec: location: northamerica-northeast1 description: Cloud Logging bucket for Platform and Component logs # Implement retention policy and retention locking policy - # AU-9, AU-11 locked: false # kpt-set: ${retention-locking-policy} retentionDays: 1 # kpt-set: ${retention-in-days} diff --git a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/cloud-storage-buckets.yaml b/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/cloud-storage-buckets.yaml index d0ad98eb1..40b4cfacf 100644 --- a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/cloud-storage-buckets.yaml +++ b/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/cloud-storage-buckets.yaml 
@@ -13,7 +13,6 @@ # limitations under the License. # Cloud Storage bucket to store logs related to security incidents # https://cloud.google.com/logging/docs/routing/copy-logs -# AU-9, AU-11 - Storage bucket created to hold logs related to security incidents (AU-11). Log is protected from modification and deletion (AU-9) apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: @@ -30,7 +29,6 @@ spec: location: northamerica-northeast1 publicAccessPrevention: "enforced" uniformBucketLevelAccess: true - # AU-9 retentionPolicy: isLocked: false # kpt-set: ${security-incident-log-bucket-retention-locking-policy} retentionPeriod: 86400 # kpt-set: ${security-incident-log-bucket-retention-in-seconds} diff --git a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project-iam.yaml b/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project-iam.yaml index c0ec1c4a7..f8554fd05 100644 --- a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project-iam.yaml +++ b/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project-iam.yaml @@ -30,7 +30,6 @@ spec: kind: Project name: logging-project-id # kpt-set: ${logging-project-id} namespace: projects - # AC-3(7) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL bindings: - role: roles/logging.bucketWriter members: @@ -41,7 +40,6 @@ spec: --- # Logs Bucket writer IAM permissions for the platform and component log sink # Binds the generated writer identity from the LoggingLogSink to the logging project -# AC-3(7) - Write access to the logging buckets is limited by IAM to just the identities of the log sinks configured to send logs to the buckets (set at the logging project level) apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPartialPolicy metadata: 
@@ -54,7 +52,6 @@ spec: kind: Project name: logging-project-id # kpt-set: ${logging-project-id} namespace: projects - # AC-3(7) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL bindings: - role: roles/logging.bucketWriter members: @@ -77,7 +74,6 @@ spec: kind: Project name: logging-project-id # kpt-set: ${logging-project-id} namespace: projects - # AC-3(7) bindings: - role: roles/logging.bucketWriter members: diff --git a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project-sink.yaml b/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project-sink.yaml index 2817ac04d..aa35b51c8 100644 --- a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project-sink.yaml +++ b/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project-sink.yaml @@ -14,10 +14,6 @@ ###### # Logging project sink for Data Access logs # Destination: Cloud Logging bucket hosted inside logging project -# AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the organization to send the logs to the logging bucket in the logging project -# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket -# AC-2(4) - Includes Security logs: Data Access -# AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to apiVersion: logging.cnrm.cloud.google.com/v1beta1 kind: LoggingLogSink metadata: @@ -30,7 +26,6 @@ spec: name: logging-project-id # kpt-set: ${logging-project-id} namespace: projects destination: - # AU-3, AU-3(1), AU-4(1), AU-6(4), AU-9(2) loggingLogBucketRef: # destination.loggingLogBucketRef # Only `external` field is supported to configure the reference. 
@@ -38,7 +33,6 @@ spec: description: Project sink for Data Access Logs # the log sink must be enabled (disabled: false) to meet the listed security controls disabled: false - # AC-2(4), AU-12, AU-12(1) # Includes Security logs: Data Access # Security logs help you answer "who did what, where, and when" # diff --git a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project.yaml b/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project.yaml index 91dc2dec8..fc614a49a 100644 --- a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project.yaml +++ b/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project.yaml @@ -16,7 +16,6 @@ # Security logs (Cloud Audit, Data Access, and Access Transparency Logs) # Platform and Component logs # Data Access Logs -# AU-4(1), AU-9(2) - Separate project created for logging buckets, isolating them from the source of the log entries in other projects apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project metadata: diff --git a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/securitycontrols.md b/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/securitycontrols.md deleted file mode 100644 index b93fff8ef..000000000 --- a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/securitycontrols.md +++ /dev/null 
@@ -1,52 +0,0 @@ -# Security Controls -> -> TODO: This document requires refinement - -## AC-3 ACCESS ENFORCEMENT - -## AC-3(7) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL - -- Write access to the logs is constrained by IAM permissions to just the log sinks. - -This control should be added to project-iam.yaml. Lines 15/16 already have a good explanation of -what’s happening so just add the AC-3(7) tag around there) - -## AU-2 AUDITABLE EVENTS - -AU-2 – Event families being audited are set here. This control should be added to the folder-sink.yaml, -mgmt-project/project-sink.yaml and org-sink.yaml with a brief explanation of what’s being audited. -Suggest putting the tag and explanation down around line 35 where the inclusions/exclusions are -This is an org control so the AU-2 tagging in the code is there to support the narrative Ops will write to demonstrate the org requirements - -## AU-4 AUDIT STORAGE CAPACITY - -## AU-4(1) AUDIT STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE - -AU-4(1) – Logs are being sent to a logging project which is separate from the projects -performing actions which generate log entries. This control should be added to the -cloud-logging-buckets.yaml with a brief explanation that the logs are in a separate project. -Suggest putting around line 15 which describes buckets - -## AU-8 TIME STAMPS - -AU-8 – Time stamps for audit records use internal Google time. Statement to that effect should go into securitycontrols.md, will need a reference to some Google documentation (can be found later) - -## AU-9 PROTECTION OF AUDIT INFORMATION - -AU-9 – Retention policies and policy locks are implemented so log contents is immutable. Include in cloud-logging-buckets.yaml after lines 28 and 46 (i.e. just before the “locked” and “retentionDays” settings. Also add to setters.yaml. 
Also add notation to project-iam.yaml where roles are being assigned to the sinks (same as AC-3(7)) - -### AU-9(2) PROTECTION OF AUDIT INFORMATION | AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS - -AU-9(2) – Logs sent to separate project, same response as AU-4(1) - -## AU-11 AUDIT RECORD RETENTION - -AU-11 – Audit log retention, same response as AU-9 however no reference added to project-iam.yaml as AU-11 doesn’t deal with access - -## AU-12 AUDIT GENERATION - -## AU-12(A) - -## AU-12(C) - -AU-12(A), AU-12(C) – This is the implementation of AU-2, so same comments and code locations apply diff --git a/solutions/experimentation/core-landing-zone/lz-folder/tests/folder-sink.yaml b/solutions/experimentation/core-landing-zone/lz-folder/tests/folder-sink.yaml index 7a0d4d5f2..33991ff16 100644 --- a/solutions/experimentation/core-landing-zone/lz-folder/tests/folder-sink.yaml +++ b/solutions/experimentation/core-landing-zone/lz-folder/tests/folder-sink.yaml @@ -34,7 +34,6 @@ spec: description: Folder sink for Platform and Component logs of Tests Resources # the log sink must be enabled (disabled: false) to meet the listed security controls disabled: false - # AU-2, AU-12(A), AU-12(C) # No inclusion filter. Includes all Platform and Component logs # Google Cloud platform logs are service-specific logs # For a list of all supported Google Cloud Logging API Services visit https://cloud.google.com/logging/docs/api/platform-logs diff --git a/solutions/experimentation/core-landing-zone/mgmt-project/project-sink.yaml b/solutions/experimentation/core-landing-zone/mgmt-project/project-sink.yaml index 846e653ce..eeb7d0030 100644 --- a/solutions/experimentation/core-landing-zone/mgmt-project/project-sink.yaml +++ b/solutions/experimentation/core-landing-zone/mgmt-project/project-sink.yaml 
@@ -33,7 +33,6 @@ spec: description: Project sink for Platform and Component logs of the Landing Zone Management Cluster # the log sink must be enabled (disabled: false) to meet the listed security controls disabled: false - # AU-2, AU-12(A), AU-12(C) # No inclusion filter. Includes all Platform and Component logs # Google Cloud platform logs are service-specific logs # For a list of all supported Google Cloud Logging API Services visit https://cloud.google.com/logging/docs/api/platform-logs diff --git a/solutions/experimentation/core-landing-zone/namespaces/config-management-monitoring.yaml b/solutions/experimentation/core-landing-zone/namespaces/config-management-monitoring.yaml index 406dfe6af..6f80faf4c 100644 --- a/solutions/experimentation/core-landing-zone/namespaces/config-management-monitoring.yaml +++ b/solutions/experimentation/core-landing-zone/namespaces/config-management-monitoring.yaml @@ -18,7 +18,6 @@ # https://cloud.google.com/anthos-config-management/docs/how-to/monitor-config-sync-cloud-monitoring ######### # GCP SA -# AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required. apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: @@ -28,7 +27,6 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) displayName: config-mgmt-mon-default-sa --- # Grant GCP role Metrics Writer to config-mgmt-mon-default-sa on Management Project 
@@ -45,7 +43,6 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project external: management-project-id # kpt-set: ${management-project-id} - # AC-3(7), AC-3, AC-16(2) role: roles/monitoring.metricWriter member: "serviceAccount:config-mgmt-mon-default-sa@management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:config-mgmt-mon-default-sa@${management-project-id}.iam.gserviceaccount.com --- @@ -63,7 +60,6 @@ spec: name: config-mgmt-mon-default-sa apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount - # AC-3(7), AC-3, AC-16(2) bindings: - role: roles/iam.workloadIdentityUser members: diff --git a/solutions/experimentation/core-landing-zone/namespaces/gatekeeper-system.yaml b/solutions/experimentation/core-landing-zone/namespaces/gatekeeper-system.yaml index efd4ed7a8..04405404d 100644 --- a/solutions/experimentation/core-landing-zone/namespaces/gatekeeper-system.yaml +++ b/solutions/experimentation/core-landing-zone/namespaces/gatekeeper-system.yaml @@ -17,7 +17,6 @@ # to implement Policy Controller Metrics and avoid numerous IAM errors on the Config Controller instance. ######### # GCP SA -# AC-3(7) - Creates lower priv service account for Policy Controller metrics apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: @@ -30,7 +29,6 @@ spec: displayName: gatekeeper-admin-sa --- # Grant GCP role Metrics Writer to gatekeeper-admin SA on KCC Project -# AC-3(7) - RBAC role to account with required permissions for Policy Controller metrics apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: diff --git a/solutions/experimentation/core-landing-zone/namespaces/hierarchy.yaml b/solutions/experimentation/core-landing-zone/namespaces/hierarchy.yaml index d333d18c0..90197c591 100644 --- a/solutions/experimentation/core-landing-zone/namespaces/hierarchy.yaml +++ b/solutions/experimentation/core-landing-zone/namespaces/hierarchy.yaml 
@@ -13,7 +13,6 @@ # limitations under the License. ######### # GCP SA -# AC-3(7) - Creates lower priv service account for folder hierarchy administration apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: @@ -26,7 +25,6 @@ spec: displayName: hierarchy-sa --- # Grant GCP role Folder Admin to GCP SA -# AC-3(7) - RBAC role to account with required permissions apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: diff --git a/solutions/experimentation/core-landing-zone/namespaces/logging.yaml b/solutions/experimentation/core-landing-zone/namespaces/logging.yaml index 942743efa..eb369b97a 100644 --- a/solutions/experimentation/core-landing-zone/namespaces/logging.yaml +++ b/solutions/experimentation/core-landing-zone/namespaces/logging.yaml @@ -13,7 +13,6 @@ # limitations under the License. ######### # GCP SA -# AC-3(7) - Creates lower priv service account for logging administration apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: @@ -26,7 +25,6 @@ spec: displayName: logging-sa --- # Grant GCP role Logging Admin to GCP SA -# AC-3(7) - RBAC role to account with required permissions for logging administration apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: @@ -56,7 +54,6 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project external: management-project-id # kpt-set: ${management-project-id} - # AC-3(7), AC-3, AC-16(2) role: roles/monitoring.admin member: "serviceAccount:logging-sa@management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:logging-sa@${management-project-id}.iam.gserviceaccount.com --- 
@@ -74,7 +71,6 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project external: logging-project-id # kpt-set: ${logging-project-id} - # AC-3(7), AC-3, AC-16(2) role: roles/monitoring.admin member: "serviceAccount:logging-sa@management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:logging-sa@${management-project-id}.iam.gserviceaccount.com --- @@ -92,7 +88,6 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project name: logging-project-id # kpt-set: ${logging-project-id} - # AC-3(7), AC-3, AC-16(2) role: roles/storage.admin member: "serviceAccount:logging-sa@management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:logging-sa@${management-project-id}.iam.gserviceaccount.com --- diff --git a/solutions/experimentation/core-landing-zone/namespaces/networking.yaml b/solutions/experimentation/core-landing-zone/namespaces/networking.yaml index 9f5207182..e83cc0320 100644 --- a/solutions/experimentation/core-landing-zone/namespaces/networking.yaml +++ b/solutions/experimentation/core-landing-zone/namespaces/networking.yaml @@ -13,7 +13,6 @@ # limitations under the License. ######### # GCP SA -# AC-3(7) - Creates lower priv service account for networking administration apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: @@ -26,7 +25,6 @@ spec: displayName: networking-sa --- # Grant GCP role Network Admin to GCP SA -# AC-3(7) - RBAC role to account with required permissions for networking administration apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: diff --git a/solutions/experimentation/core-landing-zone/namespaces/policies.yaml b/solutions/experimentation/core-landing-zone/namespaces/policies.yaml index 793868e10..7cc551685 100644 --- a/solutions/experimentation/core-landing-zone/namespaces/policies.yaml +++ b/solutions/experimentation/core-landing-zone/namespaces/policies.yaml 
@@ -13,7 +13,6 @@ # limitations under the License. ######### # GCP SA -# AC-3(7) - Creates lower priv service account for policy administration apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: @@ -26,7 +25,6 @@ spec: displayName: policies-sa --- # Grant GCP role Organization Policy Administrator to GCP SA -# AC-3(7) - RBAC role to account with required permissions for policy administration apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: diff --git a/solutions/experimentation/core-landing-zone/namespaces/projects.yaml b/solutions/experimentation/core-landing-zone/namespaces/projects.yaml index 6105b3402..455ad91a8 100644 --- a/solutions/experimentation/core-landing-zone/namespaces/projects.yaml +++ b/solutions/experimentation/core-landing-zone/namespaces/projects.yaml @@ -13,7 +13,6 @@ # limitations under the License. ######### # GCP SA -# AC-3(7) - Creates lower priv service account for administration of projects apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: @@ -26,7 +25,6 @@ spec: displayName: projects-sa --- # Grant GCP role Project IAM Admin to GCP SA -# AC-3(7) - RBAC role to account with required permissions for administration of projects apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: diff --git a/solutions/experimentation/core-landing-zone/namespaces/securitycontrols.md b/solutions/experimentation/core-landing-zone/namespaces/securitycontrols.md deleted file mode 100644 index 6819d3456..000000000 --- a/solutions/experimentation/core-landing-zone/namespaces/securitycontrols.md +++ /dev/null 
@@ -1,24 +0,0 @@ -# Organizational Controls - -## Organization Controls - P1 - -* AC-2(A) - These types of service accounts in this package should be included in the refinement of this control -* AC-2(D) - These accounts are getting assigned to roles so its part of the evidence for this control -* AC-2(1) - These accounts are created as part of automation so its part of the evidence for this control -* AC-2(7)(a) - These accounts are getting assigned to roles so its part of the evidence for this control -* AC-6 (A) - These accounts are created to have least privilege via the roles assigned so its part of the evidence -* AC-6 (2) - These accounts in aggregate demonstrate that non-priv accounts are used when accessing non-security functions - -## Organization Controls - P2 - -## Organization Controls - P3 - -## Technical Controls - P1 - -* AC-3(7) - Role policies for accounts are being set in this package - -## Technical Controls - P2 - -## Technical Controls - P3 - -* SA-17 - Needs a design spec or a piece in a design spec. This whole section needs discussion on an approach before moving forward diff --git a/solutions/experimentation/core-landing-zone/org/org-sink.yaml b/solutions/experimentation/core-landing-zone/org/org-sink.yaml index fef7662a4..b709c26ef 100644 --- a/solutions/experimentation/core-landing-zone/org/org-sink.yaml +++ b/solutions/experimentation/core-landing-zone/org/org-sink.yaml 
@@ -14,10 +14,6 @@ ###### # Organization sink for Security logs: Cloud Audit and Access Transparency # Destination: Cloud Logging bucket hosted inside logging project -# AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the organization to send the logs to the logging bucket in the logging project -# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket -# AC-2(4) - Includes Security logs: Cloud Audit and Access Transparency -# AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to apiVersion: logging.cnrm.cloud.google.com/v1beta1 kind: LoggingLogSink metadata: @@ -37,7 +33,6 @@ spec: description: Organization sink for Security Logs # the log sink must be enabled (disabled: false) to meet the listed security controls disabled: false - # AU-2, AU-12(A), AU-12(C) # Includes Security logs: Cloud Audit and Access Transparency # Security logs help you answer "who did what, where, and when" # @@ -55,10 +50,6 @@ spec: # Organization sink for Data Access logs related to Google Workspace Login Audit # https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login # Destination: Cloud Logging bucket hosted inside logging project -# AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the organization to send the logs to the logging bucket in the logging project -# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket -# AC-2(4) - Includes Security logs: Data Access -# AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to apiVersion: logging.cnrm.cloud.google.com/v1beta1 kind: LoggingLogSink metadata: 
@@ -72,7 +63,6 @@ spec: # Set includeChildren to False to prevent routing data access logs from other sources than the organization includeChildren: False destination: - # AU-3, AU-3(1), AU-4(1), AU-6(4), AU-9(2) loggingLogBucketRef: # destination.loggingLogBucketRef # Only `external` field is supported to configure the reference. @@ -80,7 +70,6 @@ spec: description: Organization sink for Data Access Logs # the log sink must be enabled (disabled: false) to meet the listed security controls disabled: false - # AC-2(4), AU-12, AU-12(1) # Includes Security logs: Data Access # Security logs help you answer "who did what, where, and when" # diff --git a/solutions/experimentation/core-landing-zone/setters.yaml b/solutions/experimentation/core-landing-zone/setters.yaml index db6dbad51..7f137f484 100644 --- a/solutions/experimentation/core-landing-zone/setters.yaml +++ b/solutions/experimentation/core-landing-zone/setters.yaml @@ -86,8 +86,6 @@ data: # Set the number of days to retain logs in Cloud Logging buckets # Set the lock mechanism on the bucket to: true or false # After a retention policy is locked (true), you can't delete the bucket until every log in the bucket has fulfilled the bucket's retention period - # AU-9 PROTECTION OF AUDIT INFORMATION - # AU-11 AUDIT RECORD RETENTION # # The values below must be modified to locked: true and retentionDays: 365 in a Production setting to implement above mentioned security controls. retention-locking-policy: "false" 
@@ -97,8 +95,6 @@ data: # Events and logs associated with a security incident must be kept for at least 2 years # Set the lock mechanism on the bucket to: true or false # After a retention policy is locked (true), you can't delete the bucket until every log in the bucket has fulfilled the bucket's retention period - # AU-9 PROTECTION OF AUDIT INFORMATION - # AU-11 AUDIT RECORD RETENTION # customization: The values below must be modified to locked: true and retentionSeconds: 63072000 (730 days) in a Production setting to implement above mentioned security controls. security-incident-log-bucket-retention-locking-policy: "false" security-incident-log-bucket-retention-in-seconds: "86400" From 26e236445976c69adebe408066ef934869f18d01 Mon Sep 17 00:00:00 2001 From: pubsec-declarative-toolkit-bot Date: Mon, 5 Feb 2024 11:21:40 -0500 Subject: [PATCH 2/7] chore: release main (#814) Signed-off-by: Name --- .release-please-manifest.json | 8 ++++---- solutions/experimentation/admin-folder/CHANGELOG.md | 7 +++++++ .../experimentation/client-landing-zone/CHANGELOG.md | 7 +++++++ solutions/experimentation/client-project/CHANGELOG.md | 7 +++++++ solutions/experimentation/core-landing-zone/CHANGELOG.md | 7 +++++++ 5 files changed, 32 insertions(+), 4 deletions(-) diff --git a/.release-please-manifest.json b/.release-please-manifest.json index 68e9d086f..1bb4f8190 100644 --- a/.release-please-manifest.json +++ b/.release-please-manifest.json 
@@ -3,10 +3,10 @@ "solutions/client-project-setup": "0.4.5", "solutions/client-setup": "0.7.1", "solutions/core-landing-zone": "0.7.1", - "solutions/experimentation/admin-folder": "0.1.0", - "solutions/experimentation/client-landing-zone": "0.1.2", - "solutions/experimentation/client-project": "0.1.2", - "solutions/experimentation/core-landing-zone": "0.5.0", + "solutions/experimentation/admin-folder": "0.1.1", + "solutions/experimentation/client-landing-zone": "0.1.3", + "solutions/experimentation/client-project": "0.1.3", + "solutions/experimentation/core-landing-zone": "0.5.1", "solutions/gatekeeper-policies": "0.2.1", "solutions/gke/configconnector/gke-admin-proxy": "0.1.4", "solutions/gke/configconnector/gke-cluster-autopilot": "0.2.5", diff --git a/solutions/experimentation/admin-folder/CHANGELOG.md b/solutions/experimentation/admin-folder/CHANGELOG.md index da5afab1b..f076192f0 100644 --- a/solutions/experimentation/admin-folder/CHANGELOG.md +++ b/solutions/experimentation/admin-folder/CHANGELOG.md @@ -1,5 +1,12 @@ # Changelog +## [0.1.1](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/admin-folder/0.1.0...solutions/experimentation/admin-folder/0.1.1) (2024-02-05) + + +### Bug Fixes + +* Removing securitycontrols.md and security control tags from experimentation ([#811](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/811)) ([f17ff29](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/commit/f17ff29a8ff5d3b0f5c955d5d1f8843ba0723829)) + ## [0.1.0](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/admin-folder-v0.0.1...solutions/experimentation/admin-folder/0.1.0) (2023-06-02) diff --git a/solutions/experimentation/client-landing-zone/CHANGELOG.md b/solutions/experimentation/client-landing-zone/CHANGELOG.md index b80f747a6..98e920b5c 100644 --- a/solutions/experimentation/client-landing-zone/CHANGELOG.md 
+++ b/solutions/experimentation/client-landing-zone/CHANGELOG.md @@ -1,5 +1,12 @@ # Changelog +## [0.1.3](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/client-landing-zone/0.1.2...solutions/experimentation/client-landing-zone/0.1.3) (2024-02-05) + + +### Bug Fixes + +* Removing securitycontrols.md and security control tags from experimentation ([#811](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/811)) ([f17ff29](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/commit/f17ff29a8ff5d3b0f5c955d5d1f8843ba0723829)) + ## [0.1.2](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/client-landing-zone/0.1.1...solutions/experimentation/client-landing-zone/0.1.2) (2023-11-23) diff --git a/solutions/experimentation/client-project/CHANGELOG.md b/solutions/experimentation/client-project/CHANGELOG.md index fabf4bf20..76e5abcbd 100644 --- a/solutions/experimentation/client-project/CHANGELOG.md +++ b/solutions/experimentation/client-project/CHANGELOG.md @@ -1,5 +1,12 @@ # Changelog +## [0.1.3](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/client-project/0.1.2...solutions/experimentation/client-project/0.1.3) (2024-02-05) + + +### Bug Fixes + +* Removing securitycontrols.md and security control tags from experimentation ([#811](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/811)) ([f17ff29](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/commit/f17ff29a8ff5d3b0f5c955d5d1f8843ba0723829)) + ## [0.1.2](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/client-project/0.1.1...solutions/experimentation/client-project/0.1.2) (2023-12-19) diff --git a/solutions/experimentation/core-landing-zone/CHANGELOG.md b/solutions/experimentation/core-landing-zone/CHANGELOG.md index bbdf25b9d..1f715317f 100644 
--- a/solutions/experimentation/core-landing-zone/CHANGELOG.md +++ b/solutions/experimentation/core-landing-zone/CHANGELOG.md @@ -1,5 +1,12 @@ # Changelog +## [0.5.1](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/core-landing-zone/0.5.0...solutions/experimentation/core-landing-zone/0.5.1) (2024-02-05) + + +### Bug Fixes + +* Removing securitycontrols.md and security control tags from experimentation ([#811](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/811)) ([f17ff29](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/commit/f17ff29a8ff5d3b0f5c955d5d1f8843ba0723829)) + ## [0.5.0](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/core-landing-zone/0.4.1...solutions/experimentation/core-landing-zone/0.5.0) (2024-01-26) From 8fb47757a41066e1d333f17b02a8d465033d31e8 Mon Sep 17 00:00:00 2001 From: Michael O'Brien <94715080+fmichaelobrien@users.noreply.github.com> Date: Mon, 5 Feb 2024 11:27:17 -0500 Subject: [PATCH 3/7] #802 - kpt live apply reconcile-timeout from 2 to 15 min (#803) see testing in #766 --- docs/landing-zone-v2/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/landing-zone-v2/README.md b/docs/landing-zone-v2/README.md index d69bed1db..75b820cf3 100644 --- a/docs/landing-zone-v2/README.md +++ b/docs/landing-zone-v2/README.md @@ -479,7 +479,7 @@ Optional 1. Apply the hydrated kubernetes yaml to the cluster ```shell - kpt live apply core-landing-zone --reconcile-timeout=2m --output=table + kpt live apply core-landing-zone --reconcile-timeout=15m --output=table ``` 1. Check the status of the deployed resources From c1058007aaa72b8ffbce000ef5575cc494db0e33 Mon Sep 17 00:00:00 2001 
From: johnswayty-ssc <142910371+johnswayty-ssc@users.noreply.github.com>
Date: Mon, 5 Feb 2024 15:34:14 -0500
Subject: [PATCH 4/7] fix: updating setters formatting and comments (#815)

* updating setters formatting and comments
* fix linting
* remove unnecessary sections
* remove dns
* removed limiting org policies
---
 .../experimentation/admin-folder/setters.yaml | 2 +
 .../client-landing-zone/setters.yaml | 10 ++++-
 .../client-project/setters.yaml | 4 ++
 .../core-landing-zone/setters.yaml | 39 ++++++++++++++++---
 4 files changed, 48 insertions(+), 7 deletions(-)

diff --git a/solutions/experimentation/admin-folder/setters.yaml b/solutions/experimentation/admin-folder/setters.yaml
index 0ec008c97..08c0edb3d 100644
--- a/solutions/experimentation/admin-folder/setters.yaml
+++ b/solutions/experimentation/admin-folder/setters.yaml
@@ -24,8 +24,10 @@ data:
 ##########################
 #
 # Name for the Admin, lowercase only
+ # customization: required
 admin-name: 'admin1'
 # Group or User to grant permission on admin folder
+ # customization: required
 admin-owner: 'user:admin1@example.com'
 #
 ##########################
diff --git a/solutions/experimentation/client-landing-zone/setters.yaml b/solutions/experimentation/client-landing-zone/setters.yaml
index 72b167bf0..9d54dd667 100644
--- a/solutions/experimentation/client-landing-zone/setters.yaml
+++ b/solutions/experimentation/client-landing-zone/setters.yaml
@@ -39,8 +39,11 @@ data:
 ##########################
 #
 # Name for the client, lowercase only
+ # customization: required
 client-name: 'client1'
+ #
 # group to grant viewer permission on client folder
+ # customization: required
 client-folderviewer: 'group:client1@example.com'
 #
 ##########################
@@ -48,14 +51,19 @@ data:
 ##########################
 #
 # logging project id created in core-landing-zone
+ # customization: required
 logging-project-id: logging-project-12345
 #
 # LoggingLogBucket retention settings
 # Set the number of days to retain logs in Cloud Logging buckets
 # Set the lock mechanism on the bucket to: true or false
 # After a retention policy is locked (true), you can't delete the bucket until every log in the bucket has fulfilled the bucket's retention period
- # The values below must be modified to locked: true and retentionDays: 365 in a Production setting to implement above mentioned security controls.
+ # The values below must be modified to retention-locking-policy: true in a Production setting to implement above mentioned security controls.
+ # customization: required
 retention-locking-policy: "false"
+ #
+ # The values below must be modified to retention-in-days: 365 in a Production setting to implement above mentioned security controls.
+ # customization: required
 retention-in-days: "1"
 #
 ##########################
diff --git a/solutions/experimentation/client-project/setters.yaml b/solutions/experimentation/client-project/setters.yaml
index 9fe74c52d..8fae72338 100644
--- a/solutions/experimentation/client-project/setters.yaml
+++ b/solutions/experimentation/client-project/setters.yaml
@@ -39,12 +39,16 @@ data:
 ##########################
 #
 # Billing Account ID to be associated with this project
+ # customization: required
 project-billing-id: "AAAAAA-BBBBBB-CCCCCC"
 # GCP folder to use as parent to this project, lowercase K8S resource name
+ # customization: required
 project-parent-folder: project-parent-folder
 # user, group or serviceAccount with editor role at project level
+ # customization: required
 project-editor: "group:team1@example.com"
 # project id for the client project to be created, following rules and conventions
+ # customization: required
 project-id: xxemu-team1-projectname
 #
 ##########################
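Review bot: The new comment `# The values below must be modified to retention-locking-policy: true in a Production setting ...` in client-landing-zone/setters.yaml shows a bare `true`, while the setter directly below it is the quoted string `retention-locking-policy: "false"`; showing the production value in the same form (`"true"`, and `retention-in-days: "365"`) would presumably stop a reader from changing the value's type when editing, though I have not checked how the setter is consumed. `above mentioned security controls` also no longer refers to anything in this file once the AU-9/AU-11 lines were removed by the first commit of this series. Suggested wording: `# customization: set retention-locking-policy: "true" in a Production setting; a locked retention policy prevents the bucket and its logs from being deleted before the retention period expires`, with the matching sentence for `retention-in-days: "365"`.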
diff --git a/solutions/experimentation/core-landing-zone/setters.yaml b/solutions/experimentation/core-landing-zone/setters.yaml
index 7f137f484..68ee890cf 100644
--- a/solutions/experimentation/core-landing-zone/setters.yaml
+++ b/solutions/experimentation/core-landing-zone/setters.yaml
@@ -38,18 +38,30 @@ data:
 # General Settings Values
 ##########################
 #
+ # Use the same Google Cloud Organization ID that was used during the bootstrap procedure
+ # customization: required
 org-id: "0000000000"
+ # root folder to which the Landing Zone will be deployed into. This folder is created during the bootstrap procedure
+ # customization: required
 lz-folder-id: '0000000000'
+ # core-landing-zone billing id
+ # customization: required
 billing-id: "AAAAAA-BBBBBB-CCCCCC"
 #
 ##########################
 # Management Project
 ##########################
 #
- # This is the project where the config controller instance is running
- # Values can be viewed in the Project Dashboard
+ # The management project is where the Landing Zone config controller instance is running, created during the bootstrap procedure.
+ # The $PROJECT_ID (management-project-id) is defined during Initial Organization Configuration (https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/docs/landing-zone-v2/README.md#initial-organization-configuration)
+ # customization: required
 management-project-id: management-project-12345
+ # The management-project-number can be obtained from the Dashboard via https://console.cloud.google.com/home/dashboard?project=$PROJECT_ID
+ # Alternatively, obtain the management-project-number from gcloud: gcloud projects list --filter="${PROJECT_ID}" '--format=value(PROJECT_NUMBER)'
+ # customization: required
 management-project-number: "0000000000"
+ # kubernetes namespace set to the default, config-control.
+ # customization: Do not change this value.
 management-namespace: config-control
 #
 ##########################
@@ -60,20 +72,31 @@ data:
 #
 # a list of allowed essential contact domains, see YAML file for more info:
 # org/org-policies/essentialcontacts-allowed-contact-domains.yaml
- # this setting MUST be changed
+ # customization: this setting MUST be changed to a domain in which you choose to allow to receive notifications from Google.
 allowed-contact-domains: |
 - "@example.com"
 #
 # a list of directory customer IDs from which users can be added to IAM policies, see YAML file for more info:
 # org/org-policies/iam-allowed-policy-member-domains.yaml
- # this setting MUST be changed to include the GCP org's directory ID and any other directory containing users that will need IAM roles assigned
+ # run 'gcloud organizations list' as described in https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#retrieving_customer_id
+ # customization: # this setting MUST be changed to include the GCP org's directory customer ID and any other directory containing users that will need IAM roles assigned
 allowed-policy-domain-members: |
 - "DIRECTORY_CUSTOMER_ID"
 #
+ # a list of IP addresses that should be allowed to be VPN peers to the VPCs in the organization
+ # by default, all IP's are denied. see YAML file for more info: org/org-policies/compute-restrict-vpn-peer-ips.yaml
+ # If you need to allow/deny specific values, update org/org-policies/compute-restrict-vpn-peer-ips.yaml and set the below variable accordingly
+ # ResourceManagerPolicy schema: https://cloud.google.com/config-connector/docs/reference/resource-docs/resourcemanager/resourcemanagerpolicy#schema
+ # allowed-vpn-peering-ips: |
+ # - string
+ #
 ##########################
 # Logging
 ##########################
 #
+ # Core landing Zone logging project, used by the logging packages
+ # project id for the logging project to be created, following rules and conventions
+ # customization: required
 logging-project-id: logging-project-12345
 #
 # Storage buckets
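Review bot: The added line `# customization: # this setting MUST be changed to include the GCP org's directory customer ID ...` in core-landing-zone/setters.yaml carries a stray `#` after the `customization:` label, which breaks the `customization: <instruction>` convention the rest of this commit introduces; change it to `# customization: this setting MUST be changed to include the GCP org's directory customer ID and any other directory containing users that will need IAM roles assigned`. The essential-contacts instruction above it reads awkwardly (`a domain in which you choose to allow to receive notifications from Google`); `# customization: change to the domain(s) that are allowed to receive notifications from Google` says the same thing. `# Core landing Zone logging project` also mixes capitalisation with the `Landing Zone` spelling used earlier in the same hunk.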
@@ -82,12 +105,16 @@ data:
 # customization: required
 security-incident-log-bucket: security-incident-log-bucket-12345
 #
+ # Platform and Component Log Bucket
+ # customization: required
+ platform-and-component-log-bucket: platform-and-component-log-bucket-12345
+ #
+ #
 # Retention settings
 # Set the number of days to retain logs in Cloud Logging buckets
 # Set the lock mechanism on the bucket to: true or false
 # After a retention policy is locked (true), you can't delete the bucket until every log in the bucket has fulfilled the bucket's retention period
- #
- # The values below must be modified to locked: true and retentionDays: 365 in a Production setting to implement above mentioned security controls.
+ # customization: The values below must be modified to locked: true and retentionDays: 365 in a Production setting to implement above mentioned security controls.
 retention-locking-policy: "false"
 retention-in-days: "1"
 #

From 86fb5f3910e7e6beaffffb71a306bde41f4fa593 Mon Sep 17 00:00:00 2001
From: pubsec-declarative-toolkit-bot
Date: Tue, 6 Feb 2024 08:44:31 -0500
Subject: [PATCH 5/7] chore: release main (#816)

Signed-off-by: Name
---
 .release-please-manifest.json | 8 ++++----
 solutions/experimentation/admin-folder/CHANGELOG.md | 7 +++++++
 .../experimentation/client-landing-zone/CHANGELOG.md | 7 +++++++
 solutions/experimentation/client-project/CHANGELOG.md | 7 +++++++
 solutions/experimentation/core-landing-zone/CHANGELOG.md | 7 +++++++
 5 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/.release-please-manifest.json b/.release-please-manifest.json
index 1bb4f8190..dbcb32101 100644
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
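Review bot: The rewritten retention comment `# customization: The values below must be modified to locked: true and retentionDays: 365 ...` still names `locked` and `retentionDays`, which are not the setter keys in this file (`retention-locking-policy`, `retention-in-days`); the client-landing-zone/setters.yaml hunk in this same commit already switched to naming the setter keys, and the two files should agree. The two retention setters here also lack the `# customization: required` tag that every other customer-facing value in this commit receives, and `above mentioned security controls` refers to lines removed earlier in this series. Suggested: `# customization: required - set retention-locking-policy: "true" and retention-in-days: "365" in a Production setting so that logs cannot be deleted before their retention period expires`. The two consecutive `#` lines inserted after `platform-and-component-log-bucket` look like a leftover; one of them can go.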
@@ -3,10 +3,10 @@ "solutions/client-project-setup": "0.4.5", "solutions/client-setup": "0.7.1", "solutions/core-landing-zone": "0.7.1", - "solutions/experimentation/admin-folder": "0.1.1", - "solutions/experimentation/client-landing-zone": "0.1.3", - "solutions/experimentation/client-project": "0.1.3", - "solutions/experimentation/core-landing-zone": "0.5.1", + "solutions/experimentation/admin-folder": "0.1.2", + "solutions/experimentation/client-landing-zone": "0.1.4", + "solutions/experimentation/client-project": "0.1.4", + "solutions/experimentation/core-landing-zone": "0.5.2", "solutions/gatekeeper-policies": "0.2.1", "solutions/gke/configconnector/gke-admin-proxy": "0.1.4", "solutions/gke/configconnector/gke-cluster-autopilot": "0.2.5", diff --git a/solutions/experimentation/admin-folder/CHANGELOG.md b/solutions/experimentation/admin-folder/CHANGELOG.md index f076192f0..a296ea24f 100644 --- a/solutions/experimentation/admin-folder/CHANGELOG.md +++ b/solutions/experimentation/admin-folder/CHANGELOG.md @@ -1,5 +1,12 @@ # Changelog +## [0.1.2](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/admin-folder/0.1.1...solutions/experimentation/admin-folder/0.1.2) (2024-02-05) + + +### Bug Fixes + +* updating setters formatting and comments ([#815](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/815)) ([c105800](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/commit/c1058007aaa72b8ffbce000ef5575cc494db0e33)) + ## [0.1.1](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/admin-folder/0.1.0...solutions/experimentation/admin-folder/0.1.1) (2024-02-05) diff --git a/solutions/experimentation/client-landing-zone/CHANGELOG.md b/solutions/experimentation/client-landing-zone/CHANGELOG.md index 98e920b5c..1bba42716 100644 --- a/solutions/experimentation/client-landing-zone/CHANGELOG.md 
+++ b/solutions/experimentation/client-landing-zone/CHANGELOG.md @@ -1,5 +1,12 @@ # Changelog +## [0.1.4](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/client-landing-zone/0.1.3...solutions/experimentation/client-landing-zone/0.1.4) (2024-02-05) + + +### Bug Fixes + +* updating setters formatting and comments ([#815](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/815)) ([c105800](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/commit/c1058007aaa72b8ffbce000ef5575cc494db0e33)) + ## [0.1.3](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/client-landing-zone/0.1.2...solutions/experimentation/client-landing-zone/0.1.3) (2024-02-05) diff --git a/solutions/experimentation/client-project/CHANGELOG.md b/solutions/experimentation/client-project/CHANGELOG.md index 76e5abcbd..604907b62 100644 --- a/solutions/experimentation/client-project/CHANGELOG.md +++ b/solutions/experimentation/client-project/CHANGELOG.md @@ -1,5 +1,12 @@ # Changelog +## [0.1.4](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/client-project/0.1.3...solutions/experimentation/client-project/0.1.4) (2024-02-05) + + +### Bug Fixes + +* updating setters formatting and comments ([#815](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/815)) ([c105800](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/commit/c1058007aaa72b8ffbce000ef5575cc494db0e33)) + ## [0.1.3](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/client-project/0.1.2...solutions/experimentation/client-project/0.1.3) (2024-02-05) diff --git a/solutions/experimentation/core-landing-zone/CHANGELOG.md b/solutions/experimentation/core-landing-zone/CHANGELOG.md index 1f715317f..f1f13077f 100644 --- a/solutions/experimentation/core-landing-zone/CHANGELOG.md 
+++ b/solutions/experimentation/core-landing-zone/CHANGELOG.md @@ -1,5 +1,12 @@ # Changelog +## [0.5.2](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/core-landing-zone/0.5.1...solutions/experimentation/core-landing-zone/0.5.2) (2024-02-05) + + +### Bug Fixes + +* updating setters formatting and comments ([#815](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/815)) ([c105800](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/commit/c1058007aaa72b8ffbce000ef5575cc494db0e33)) + ## [0.5.1](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/core-landing-zone/0.5.0...solutions/experimentation/core-landing-zone/0.5.1) (2024-02-05) From 995e0d26c212b8cac12f1e2baeb137823780696c Mon Sep 17 00:00:00 2001 From: johnswayty-ssc <142910371+johnswayty-ssc@users.noreply.github.com> Date: Wed, 7 Feb 2024 10:16:14 -0500 Subject: [PATCH 6/7] fix: removed unused setters (#820) --- solutions/experimentation/core-landing-zone/setters.yaml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/solutions/experimentation/core-landing-zone/setters.yaml b/solutions/experimentation/core-landing-zone/setters.yaml index 68ee890cf..a5d37c2dd 100644 --- a/solutions/experimentation/core-landing-zone/setters.yaml +++ b/solutions/experimentation/core-landing-zone/setters.yaml 
@@ -83,13 +83,6 @@ data:
 allowed-policy-domain-members: |
 - "DIRECTORY_CUSTOMER_ID"
 #
- # a list of IP addresses that should be allowed to be VPN peers to the VPCs in the organization
- # by default, all IP's are denied. see YAML file for more info: org/org-policies/compute-restrict-vpn-peer-ips.yaml
- # If you need to allow/deny specific values, update org/org-policies/compute-restrict-vpn-peer-ips.yaml and set the below variable accordingly
- # ResourceManagerPolicy schema: https://cloud.google.com/config-connector/docs/reference/resource-docs/resourcemanager/resourcemanagerpolicy#schema
- # allowed-vpn-peering-ips: |
- # - string
- #
 ##########################
 # Logging
 ##########################
From 2bb2f0275a17c4a470442eb9531fa9f9da8ae9c2 Mon Sep 17 00:00:00 2001
From: pubsec-declarative-toolkit-bot
Date: Wed, 7 Feb 2024 10:44:10 -0500
Subject: [PATCH 7/7] chore: release main (#821)
Signed-off-by: Name
---
 .release-please-manifest.json | 2 +-
 solutions/experimentation/core-landing-zone/CHANGELOG.md | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
index dbcb32101..262bc7655 100644
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
@@ -6,7 +6,7 @@
 "solutions/experimentation/admin-folder": "0.1.2",
 "solutions/experimentation/client-landing-zone": "0.1.4",
 "solutions/experimentation/client-project": "0.1.4",
- "solutions/experimentation/core-landing-zone": "0.5.2",
+ "solutions/experimentation/core-landing-zone": "0.5.3",
 "solutions/gatekeeper-policies": "0.2.1",
 "solutions/gke/configconnector/gke-admin-proxy": "0.1.4",
 "solutions/gke/configconnector/gke-cluster-autopilot": "0.2.5",
diff --git a/solutions/experimentation/core-landing-zone/CHANGELOG.md b/solutions/experimentation/core-landing-zone/CHANGELOG.md
index f1f13077f..a0a141b61 100644
--- a/solutions/experimentation/core-landing-zone/CHANGELOG.md
+++ b/solutions/experimentation/core-landing-zone/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Changelog
+## [0.5.3](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/core-landing-zone/0.5.2...solutions/experimentation/core-landing-zone/0.5.3) (2024-02-07)
+
+
+### Bug Fixes
+
+* removed unused setters ([#820](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/820)) ([995e0d2](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/commit/995e0d26c212b8cac12f1e2baeb137823780696c))
+
 ## [0.5.2](https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/compare/solutions/experimentation/core-landing-zone/0.5.1...solutions/experimentation/core-landing-zone/0.5.2) (2024-02-05)
