Control code to ITSG-33 mapping and labels - add code comments and GCP labelling #2
Comments
@fmichaelobrien - these mappings are in the Technical Design Document in the top level of the repo. Please review and let us know if this aligns with the ask.
Meeting with @chris Carty and @chris Daoust on DND/SSC security controls - thanks guys for the pointer to the 3rd repo - missed (need more scrolling) the 1:n code to control mapping for the guardrails subset of the controls for example. We should be able to add labelling in the TF - https://github.com/canada-ca/cloud-guardrails/blob/master/EN/08_Segmentation.md
#2 - grid for controls/service mapping
```
Step GoogleCloudPlatform#2 - "tf plan": Terraform will perform the following actions:
Step GoogleCloudPlatform#2 - "tf plan":
Step GoogleCloudPlatform#2 - "tf plan":   # module.core-org-policy.google_organization_policy.boolean["constraints/commerceorggovernance.disablePublicMarketplace"] will be created
Step GoogleCloudPlatform#2 - "tf plan":   + resource "google_organization_policy" "boolean" {
Step GoogleCloudPlatform#2 - "tf plan":       + constraint  = "constraints/commerceorggovernance.disablePublicMarketplace"
Step GoogleCloudPlatform#2 - "tf plan":       + etag        = (known after apply)
Step GoogleCloudPlatform#2 - "tf plan":       + id          = (known after apply)
Step GoogleCloudPlatform#2 - "tf plan":       + org_id      = "959133349631"
Step GoogleCloudPlatform#2 - "tf plan":       + update_time = (known after apply)
Step GoogleCloudPlatform#2 - "tf plan":       + version     = (known after apply)
Step GoogleCloudPlatform#2 - "tf plan":
Step GoogleCloudPlatform#2 - "tf plan":       + boolean_policy {
Step GoogleCloudPlatform#2 - "tf plan":           + enforced = true
Step GoogleCloudPlatform#2 - "tf plan":         }
Step GoogleCloudPlatform#2 - "tf plan":     }
```
#2 - GR 12 disable public marketplace
```
commit d28dfcf
Author: StanImprover <[email protected]>
Date:   Tue Aug 15 09:28:39 2023 -0600

    Made changes to COMMIT ID (GoogleCloudPlatform#24)

    Co-authored-by: Stanley Onweni <[email protected]>

commit 5af991c
Author: Jackson Yang <[email protected]>
Date:   Mon May 8 11:48:02 2023 -0400

    GCT-51 Fixed the rego policy test for the GR#11 (GoogleCloudPlatform#23)

    * GCT-51 Fixed the rego policy test for the GR#11
    * GCT-51 Updated the git patch file again

commit a23fe6c
Author: Jackson Yang <[email protected]>
Date:   Wed May 3 14:39:40 2023 -0400

    GCT-44 Built a rego policy for GR#7 (GoogleCloudPlatform#22)

commit 5e2b41c
Author: Jackson Yang <[email protected]>
Date:   Tue Apr 25 12:38:16 2023 -0400

    GCT-45 build rego policy for guardrail 06 protection of data at rest (GoogleCloudPlatform#21)

    * GCT-45 Added rego policy for GR6 validation
    * GCT-45 Fixed some typos

commit 0b0c3a5
Author: Jackson Yang <[email protected]>
Date:   Tue Apr 25 11:11:22 2023 -0400

    GCT-45 Added rego policy for GR6 validation (GoogleCloudPlatform#20)

commit c13855d
Author: Jackson Yang <[email protected]>
Date:   Thu Apr 13 16:10:02 2023 -0400

    GCT-46 mitigate cloud function resource location issues (GoogleCloudPlatform#19)

    * GCT-46 Enabled worker pool for run validation gcf
    * GCT-46 Supported worker pool for validation builds
    * GCT-46 Cleaned up the gcf archive folder
    * GCT-46 Recovered the gcf bucket setter commands

commit 9fb968c
Author: Jackson Yang <[email protected]>
Date:   Tue Apr 11 11:45:04 2023 -0400

    GCT-20 run cloud builds from required location (GoogleCloudPlatform#18)

    * GCT-20 Specified the required location for builds
    * GCT-20 Added private worker pool for cloud builds
    * GCT-20 Fixed the misplaced worker pool option
    * GCT-20 Fixed the workpool user iam condition
    * GCT-20 Fixed the missed project to worker pool bug
    * GCT-20 Assigned worker pool owner role
    * GCT-20 Fixed the cloudbuild trigger location issue
    * GCT-20 Allowed gcf sa to use private worker pool
    * GCT-20 Allowed validation cf sa to use worker pool
    * GCT-20 Disabled worker pool of validation gcf
    * GCT-20 built cloudbuild staging and log buckets
    * GCT-20 Fixed late creation issue of cloudbuild sa
    * GCT-20 Removed the cloud build submit argument

commit 64bce38
Author: Jackson Yang <[email protected]>
Date:   Mon Apr 3 13:40:01 2023 -0400

    GCT-43 mitigate failures from guardrails report (GoogleCloudPlatform#17)

    * GCT-43 Fixed guardrails GoogleCloudPlatform#11 rego policy
    * GCT-43 Mitigated the egress range 0.0.0.0/0 issue
    * GCT-43 Delayed the organization policy application
    * GCT-43 Renamed the guardrails version variable

commit 414ca0b
Author: Jackson Yang <[email protected]>
Date:   Tue Mar 28 14:36:31 2023 -0400

    GCT-38 Fixed unused and misused token issues (GoogleCloudPlatform#16)

commit 88ba3dd
Author: Jackson Yang <[email protected]>
Date:   Thu Mar 23 15:14:37 2023 -0400

    GCT-35 Added service account expiry hours policy (GoogleCloudPlatform#15)

commit 98aae24
Author: Jackson Yang <[email protected]>
Date:   Thu Mar 23 15:14:01 2023 -0400

    GCT-36 Updated cmk rotation period (GoogleCloudPlatform#14)

commit 970c16b
Author: Jackson Yang <[email protected]>
Date:   Thu Mar 23 15:13:37 2023 -0400

    GCT-39 Fixed the missed organization id token bug (GoogleCloudPlatform#13)

commit e98a815
Author: Jackson Yang <[email protected]>
Date:   Thu Mar 23 15:13:15 2023 -0400

    GCT-37 Fixed the rego policy parse error (GoogleCloudPlatform#12)

commit 5e518a4
Author: Jackson Yang <[email protected]>
Date:   Mon Mar 20 14:34:01 2023 -0400

    GCT-29 Enabled bucket logging for buckets (GoogleCloudPlatform#11)

    * GCT-29 Enabled bucket logging for buckets
    * GCT-29 Fixed iam and backward reference issues

commit 1fccfd5
Author: Jackson Yang <[email protected]>
Date:   Thu Mar 16 13:34:29 2023 -0400

    GCT-23 Updated log-based metrics (GoogleCloudPlatform#10)

commit ea0a288
Author: Jackson Yang <[email protected]>
Date:   Fri Mar 3 14:02:12 2023 -0500

    GCT-8 Added function to use another git repo (GoogleCloudPlatform#9)

commit f12ff25
Author: Jackson Yang <[email protected]>
Date:   Wed Mar 1 15:09:38 2023 -0500

    GCT-13 Added gcf artifact repository to functions (GoogleCloudPlatform#8)

commit bcca300
Author: Jackson Yang <[email protected]>
Date:   Tue Feb 28 13:15:29 2023 -0500

    GCT-14 Splitted the REPLACE_FOLDER_ID token and supported token replacement on macOS (GoogleCloudPlatform#7)

commit cf715a7
Author: Jackson Yang <[email protected]>
Date:   Mon Feb 27 15:30:44 2023 -0500

    GCT-12 Reverted the changes removed by Uday (GoogleCloudPlatform#6)

commit aaf08d2
Author: uday kakkar <[email protected]>
Date:   Wed Feb 22 10:01:43 2023 -0500

    Update bootstrap.sh

commit 7dc51e9
Author: uday kakkar <[email protected]>
Date:   Tue Feb 21 13:46:18 2023 -0500

    folder - org switch (GoogleCloudPlatform#5)

    Co-authored-by: root <[email protected]>

commit 43f772e
Author: root <[email protected]>
Date:   Fri Feb 17 19:27:44 2023 +0000

    fixing the tfvars tokens

commit 14c1380
Author: Jackson Yang <[email protected]>
Date:   Thu Feb 16 16:29:15 2023 -0500

    Improved writeids-mod.sh to match all auto.tfvars

commit 171fe14
Author: Jackson Yang <[email protected]>
Date:   Thu Feb 16 11:52:26 2023 -0500

    Reduced bucket retention period to ease test

commit 7a09624
Author: JacksonYang <[email protected]>
Date:   Thu Feb 16 06:39:23 2023 +0000

    Fixed the duplicated map key issue.

commit c0ea79b
Author: JacksonYang <[email protected]>
Date:   Wed Feb 15 21:25:38 2023 +0000

    Refactored logging module and fixed some bugs found.

commit 2583469
Author: uday kakkar <[email protected]>
Date:   Wed Feb 15 00:49:05 2023 -0500

    Update nonp-network.auto.tfvars

commit ca981f3
Author: uday kakkar <[email protected]>
Date:   Wed Feb 15 00:48:40 2023 -0500

    Update prod-network.auto.tfvars

commit 533f8cf
Author: uday kakkar <[email protected]>
Date:   Wed Feb 15 00:43:46 2023 -0500

    Update locals.tf

commit 0a3bc15
Author: uday kakkar <[email protected]>
Date:   Wed Feb 15 00:42:59 2023 -0500

    Update main.tf

commit a593a21
Author: uday kakkar <[email protected]>
Date:   Wed Feb 15 00:42:11 2023 -0500

    Update main.tf

commit 9966dcb
Author: uday kakkar <[email protected]>
Date:   Wed Feb 15 00:41:40 2023 -0500

    Update locals.tf

commit c764438
Author: uday kakkar <[email protected]>
Date:   Wed Feb 15 00:30:24 2023 -0500

    Update main.tf

commit 729b499
Author: uday kakkar <[email protected]>
Date:   Tue Feb 14 23:56:05 2023 -0500

    Update outputs.tf

commit f499580
Author: uday kakkar <[email protected]>
Date:   Tue Feb 14 23:55:35 2023 -0500

    Update locals.tf

commit 77933f1
Author: uday kakkar <[email protected]>
Date:   Tue Feb 14 23:54:58 2023 -0500

    Update main.tf

commit cd2fa85
Author: Jackson Yang <[email protected]>
Date:   Mon Feb 13 22:53:22 2023 -0500

    Added waitings to centralized logging

commit b1f8aa0
Merge: f33a6cc f10657c
Author: uday kakkar <[email protected]>
Date:   Mon Feb 13 16:29:18 2023 -0500

    Merge pull request GoogleCloudPlatform#4 from yw-liftandshift/testing-cleanups

    Testing cleanups

commit f10657c
Author: root <[email protected]>
Date:   Mon Feb 13 21:28:12 2023 +0000

    cleanup changes

commit f33a6cc
Author: Jackson Yang <[email protected]>
Date:   Mon Feb 13 16:27:57 2023 -0500

    Added nat_config = [] to network host projects

commit 980261e
Author: root <[email protected]>
Date:   Mon Feb 13 21:24:40 2023 +0000

    cleanup changes

commit 43aef4c
Author: root <[email protected]>
Date:   Mon Feb 13 21:17:49 2023 +0000

    cleanup changes

commit 8863533
Author: Jackson Yang <[email protected]>
Date:   Mon Feb 13 14:21:31 2023 -0500

    Uncommented orgnization monitoring center in common

commit 88f9cb4
Author: Jackson Yang <[email protected]>
Date:   Mon Feb 13 10:57:51 2023 -0500

    Removed workloads from nonprod and prod

commit 0320ab6
Merge: e0ac5af ef57045
Author: uday kakkar <[email protected]>
Date:   Sat Feb 11 00:13:03 2023 -0500

    Merge pull request GoogleCloudPlatform#2 from yw-liftandshift/DRDC

    fixes

commit ef57045
Author: root <[email protected]>
Date:   Sat Feb 11 05:11:20 2023 +0000

    fixes

commit e0ac5af
Merge: c416c6d c0048c7
Author: uday kakkar <[email protected]>
Date:   Sat Feb 11 00:00:31 2023 -0500

    Merge pull request #1 from yw-liftandshift/DRDC

    adding automation

commit c416c6d
Author: Jackson Yang <[email protected]>
Date:   Wed Feb 8 17:02:40 2023 -0500

    Removed project-specific prefix from folder name

commit c0048c7
Author: udaykakkar <[email protected]>
Date:   Wed Feb 8 16:39:55 2023 -0500

    adding automation

commit 53f69cc
Author: JacksonYang <[email protected]>
Date:   Wed Feb 8 10:02:04 2023 -0500

    Added feature to find all auto.tfvars files

commit 2791bbc
Author: JacksonYang <[email protected]>
Date:   Wed Feb 8 00:06:13 2023 -0500

    reinitiated 2023-02-08.0002
```
See exercise at compliance dashboard and automated security control mapping extract - so we don't have to manually create one of these or the wiki based editing of them.
20240406: Closing issue during retrofit/rebase of this TEF V1 based/modified repo to TEF V4 standards
see canada-ca/accelerators_accelerateurs-gcp#18
We need a way to visually and programmatically link code to controls (in addition to control to code), for human and IaC validation/reporting.
For example: which Terraform module covers SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY?
Doc only example:
https://github.com/canada-ca/cloud-guardrails/blob/master/EN/07_Protect-Data-in-Transit.md
link/label to (I need to verify)
SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY
https://cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33#a316sc8
ITSG_33_SC_8
and
SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
https://cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33#a316sc12
ITSG_33_SC_12
Code example:
https://github.com/canada-ca/cloud-guardrails/blob/master/EN/05_Data-Location.md
and
https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/environments/common/main.tf#L84
link/label to ?
SC-7 BOUNDARY PROTECTION
ITSG_33_SC_7
https://cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33#a316sc7
or
PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS
ITSG_33_PE_18
https://cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33#a311pe18
Additions to PBMM doc
firewall, AC-12, IAM, functions
AU-3(2)
AU-4
AU-5
AU-6(4)
SC-28(1)
SI-3(1)
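Added example (not code from this repo or from the pbmm-on-gcp-onboarding project): a small extractor that produces both directions of the mapping asked for above, control-to-code for the grid/report and code-to-control for reviewing a module, and flags resources that claim no control at all. It assumes two conventions that are this example's own, not the repo's: a GCP resource label keyed `itsg_33_<family>_<number>[_<enhancement>]` (lowercased, since GCP label keys must be lowercase letters, digits, `_` and `-`), and a `# ITSG-33: SC-7, PE-18` comment line immediately above resources such as `google_organization_policy` that accept no labels. The Terraform text, resource names and guardrail values are constructed for illustration.

```python
import re
from collections import defaultdict

# Canonical control id "AU-3(2)" <-> GCP label key "itsg_33_au_3_2" (assumed convention).
CONTROL_RE = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")
LABEL_KEY_RE = re.compile(r"^itsg_33_([a-z]{2})_(\d+)(?:_(\d+))?$")
COMMENT_RE = re.compile(r"^\s*#\s*ITSG-33:\s*(.+)$")
RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
LABELS_RE = re.compile(r"labels\s*=\s*\{(.*?)\}", re.DOTALL)
LABEL_PAIR_RE = re.compile(r'([a-z0-9_-]+)\s*=\s*"([^"]*)"')

# Constructed sample Terraform; names, values and the org id placeholder are illustrative only.
SAMPLE_TF = '''
# ITSG-33: SC-8, SC-12
resource "google_kms_crypto_key" "data_cmk" {
  name            = "data-cmk"
  key_ring        = google_kms_key_ring.ring.id
  rotation_period = "7776000s"
  labels = {
    itsg_33_sc_8  = "gr07"
    itsg_33_sc_12 = "gr07"
  }
}

# ITSG-33: SC-7, PE-18
resource "google_organization_policy" "resource_locations" {
  org_id     = "ORG_ID_PLACEHOLDER"
  constraint = "constraints/gcp.resourceLocations"
  list_policy {
    allow {
      values = ["in:northamerica-northeast1-locations", "in:northamerica-northeast2-locations"]
    }
  }
}

resource "google_storage_bucket" "untagged" {
  name     = "example-bucket"
  location = "NORTHAMERICA-NORTHEAST1"
}
'''


def control_to_label(control):
    """'AU-3(2)' -> 'itsg_33_au_3_2'; raises on anything that is not a control id."""
    m = CONTROL_RE.match(control.strip().upper())
    if not m:
        raise ValueError(f"not an ITSG-33 control id: {control!r}")
    fam, num, enh = m.groups()
    return f"itsg_33_{fam.lower()}_{num}" + (f"_{enh}" if enh else "")


def label_to_control(key):
    """'itsg_33_sc_12' -> 'SC-12'; None for label keys that are not control labels."""
    m = LABEL_KEY_RE.match(key)
    if not m:
        return None
    fam, num, enh = m.groups()
    return f"{fam.upper()}-{num}" + (f"({enh})" if enh else "")


def parse_resources(tf_text):
    """Return [{'address': 'type.name', 'controls': set()}] for every resource block."""
    resources, pending, lines, i = [], set(), tf_text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        cm = COMMENT_RE.match(line)
        if cm:  # comment-declared controls apply to the next resource block
            pending.update(c.strip().upper() for c in cm.group(1).split(",")
                           if CONTROL_RE.match(c.strip().upper()))
            i += 1
            continue
        rm = RESOURCE_RE.match(line)
        if rm:  # collect the whole block by brace depth (no braces inside strings assumed)
            depth, block = 0, []
            while i < len(lines):
                depth += lines[i].count("{") - lines[i].count("}")
                block.append(lines[i])
                i += 1
                if depth == 0:
                    break
            controls = set(pending)
            lm = LABELS_RE.search("\n".join(block))
            if lm:  # label-declared controls, one key per control (1:n code-to-control)
                controls.update(c for key, _ in LABEL_PAIR_RE.findall(lm.group(1))
                                if (c := label_to_control(key)))
            resources.append({"address": f"{rm.group(1)}.{rm.group(2)}", "controls": controls})
            pending = set()
            continue
        if line.strip() and not line.lstrip().startswith("#"):
            pending = set()  # any other statement breaks the comment-to-resource association
        i += 1
    return resources


def build_maps(resources):
    """Both directions of the mapping plus the gap list a reviewer wants to see."""
    control_to_code, code_to_controls, unmapped = defaultdict(set), {}, []
    for r in resources:
        code_to_controls[r["address"]] = set(r["controls"])
        if not r["controls"]:
            unmapped.append(r["address"])
        for c in r["controls"]:
            control_to_code[c].add(r["address"])
    return dict(control_to_code), code_to_controls, unmapped


def render_grid(control_to_code):
    """Markdown grid, one row per control, listing the code that claims it."""
    rows = ["| Control | Terraform resources |", "|---|---|"]
    for control in sorted(control_to_code):
        rows.append(f"| {control} | {', '.join(sorted(control_to_code[control]))} |")
    return "\n".join(rows)


if __name__ == "__main__":
    c2c, r2c, gaps = build_maps(parse_resources(SAMPLE_TF))
    print(render_grid(c2c))
    for address, controls in r2c.items():
        print(f"{address}: {', '.join(sorted(controls)) or '(no control mapping)'}")
    if gaps:
        print("unmapped resources:", ", ".join(gaps))
```

Run over a real module the same extractor would be pointed at `*.tf` files rather than the inline sample; the unmapped list is the useful output for a PR check, since a resource with neither a label nor a comment is exactly the gap the issue describes.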