From 3fe38404a037d86ae8a864004d56a9b587f9ce24 Mon Sep 17 00:00:00 2001
From: Renato Rudnicki
Date: Fri, 17 May 2024 15:49:50 -0300
Subject: [PATCH 1/2] Add missing APIs
---
 5-app-infra/5-vpc-sc/README.md | 24 ++++++++++++++++++++++++
 5-app-infra/README.md | 24 ++++++++++++++++++++++++
 2 files changed, 48 insertions(+)
diff --git a/5-app-infra/5-vpc-sc/README.md b/5-app-infra/5-vpc-sc/README.md
index 39aaa3ca..42c8e615 100644
--- a/5-app-infra/5-vpc-sc/README.md
+++ b/5-app-infra/5-vpc-sc/README.md
@@ -112,6 +112,30 @@ Once there, select the perimeter that is associated with the environment (eg. `d
 "cloudkms.googleapis.com" = {
 "methods" = ["*"]
 }
+ "iam.googleapis.com" = {
+ "methods" = ["*"]
+ }
+ "cloudresourcemanager.googleapis.com" = {
+ "methods" = ["*"]
+ }
+ "pubsub.googleapis.com" = {
+ "methods" = ["*"]
+ }
+ "secretmanager.googleapis.com" = {
+ "methods" = ["*"]
+ }
+ "aiplatform.googleapis.com" = {
+ "methods" = ["*"]
+ }
+ "composer.googleapis.com" = {
+ "methods" = ["*"]
+ }
+ "cloudbuild.googleapis.com" = {
+ "methods" = ["*"]
+ }
+ "bigquery.googleapis.com" = {
+ "methods" = ["*"]
+ }
 }
 }
 },
diff --git a/5-app-infra/README.md b/5-app-infra/README.md
index b0b98c3a..f0c6616e 100644
--- a/5-app-infra/README.md
+++ b/5-app-infra/README.md
@@ -122,6 +122,30 @@ In `common.auto.tfvars` update your `perimeter_additional_members` to include:
 "cloudkms.googleapis.com" = {
 "methods" = ["*"]
 }
+ "iam.googleapis.com" = {
+ "methods" = ["*"]
+ }
+ "cloudresourcemanager.googleapis.com" = {
+ "methods" = ["*"]
+ }
+ "pubsub.googleapis.com" = {
+ "methods" = ["*"]
+ }
+ "secretmanager.googleapis.com" = {
+ "methods" = ["*"]
+ }
+ "aiplatform.googleapis.com" = {
+ "methods" = ["*"]
+ }
+ "composer.googleapis.com" = {
+ "methods" = ["*"]
+ }
+ "cloudbuild.googleapis.com" = {
+ "methods" = ["*"]
+ }
+ "bigquery.googleapis.com" = {
+ "methods" = ["*"]
+ }
 }
 }
 },
From d3d080bebfa006f5dd205cfebaca3ce4da146d90 Mon Sep 17 00:00:00 2001
From: Renato Rudnicki
Date: Fri, 17 May 2024 17:10:42 -0300
Subject: [PATCH 2/2] Remove redundant information
---
 5-app-infra/5-vpc-sc/README.md | 6 ++-
 5-app-infra/README.md | 92 +---------------------------------
 2 files changed, 7 insertions(+), 91 deletions(-)
diff --git a/5-app-infra/5-vpc-sc/README.md b/5-app-infra/5-vpc-sc/README.md
index 42c8e615..bb13c634 100644
--- a/5-app-infra/5-vpc-sc/README.md
+++ b/5-app-infra/5-vpc-sc/README.md
@@ -80,6 +80,8 @@ You can find the `sources.access_level` information by going to `Security` in yo
 Once there, select the perimeter that is associated with the environment (eg. `development`). Copy the string under Perimeter Name and place it under `YOUR_ACCESS_LEVEL`
+## Ingress Policies
+
 ```
 ingress_policies = [
 // users
@@ -142,7 +144,9 @@ Once there, select the perimeter that is associated with the environment (eg. `d
 ]
 ```
-for your DEVELOPMENT.AUTO.TFVARS file, also include this as an egress policy:
+## Egress Policies
+
+For your DEVELOPMENT.AUTO.TFVARS file, also include this as an egress policy:
 ```bash
 egress_policies = [
diff --git a/5-app-infra/README.md b/5-app-infra/README.md
index f0c6616e..4fdc1e94 100644
--- a/5-app-infra/README.md
+++ b/5-app-infra/README.md
@@ -88,97 +88,9 @@ In `common.auto.tfvars` update your `perimeter_additional_members` to include:
 * your development environment logging bucket service account: `"serviceAccount:service-[prj-d-logging-project-number]@gs-project-accounts.iam.gserviceaccount.com"`
 * your development environment service acount for cloudbuild: `"serviceAccount:[prj-d-machine-learning-project-number]@cloudbuild.gserviceaccount.com"`
- In each respective environment folders, update your `development.auto.tfvars`, `non-production.auto.tfvars` & `production.auto.tfvars` to include these changes:
+ In each respective environment folders, update your `development.auto.tfvars`, `non-production.auto.tfvars` & `production.auto.tfvars` to include the changes mentioned in Ingress Policies section.
- ```
- ingress_policies = [
- // users
- {
- "from" = {
- "identity_type" = "ANY_IDENTITY"
- "sources" = {
- "access_level" = "accessPolicies/270868347751/accessLevels/alp_d_shared_restricted_members_556e"
- }
- },
- "to" = {
- "resources" = [
- "projects/[prj-[your-environment-shared-restricted-project-number]",
- "projects/[prj-[your-environment-kms-project-number]",
- "projects/[prj-[your-environment-bu3machine-learning-number]",
- ]
- "operations" = {
- "compute.googleapis.com" = {
- "methods" = ["*"]
- }
- "dns.googleapis.com" = {
- "methods" = ["*"]
- }
- "logging.googleapis.com" = {
- "methods" = ["*"]
- }
- "storage.googleapis.com" = {
- "methods" = ["*"]
- }
- "cloudkms.googleapis.com" = {
- "methods" = ["*"]
- }
- "iam.googleapis.com" = {
- "methods" = ["*"]
- }
- "cloudresourcemanager.googleapis.com" = {
- "methods" = ["*"]
- }
- "pubsub.googleapis.com" = {
- "methods" = ["*"]
- }
- "secretmanager.googleapis.com" = {
- "methods" = ["*"]
- }
- "aiplatform.googleapis.com" = {
- "methods" = ["*"]
- }
- "composer.googleapis.com" = {
- "methods" = ["*"]
- }
- "cloudbuild.googleapis.com" = {
- "methods" = ["*"]
- }
- "bigquery.googleapis.com" = {
- "methods" = ["*"]
- }
- }
- }
- },
- ]
- ```
-
-for your DEVELOPMENT.AUTO.TFVARS file, also include this as an egress policy:
-
- ```
- egress_policies = [
- // notebooks
- {
- "from" = {
- "identity_type" = ""
- "identities" = [
- "serviceAccount:service-[prj-d-bu3machine-learning-project-number]@gcp-sa-notebooks.iam.gserviceaccount.com",
- "serviceAccount:service-[prj-d-bu3machine-learning-project-number]@compute-system.iam.gserviceaccount.com",
- ]
- },
- "to" = {
- "resources" = ["projects/[prj-d-kms-project-number]"]
- "operations" = {
- "compute.googleapis.com" = {
- "methods" = ["*"]
- }
- "cloudkms.googleapis.com" = {
- "methods" = ["*"]
- }
- }
- }
- },
- ]
- ```
+For your DEVELOPMENT.AUTO.TFVARS file, also include the egress policy mentioned in Egress Policies section.
 Please note that this will cover some but not ALL the policies that will be needed. During deployment there will be violations that will occur which come from unknown google projects outside the scope of your organization. It will be the responsibility of the operator(s) deploying this process to view logs about the errors and make adjustments accordingly. Most notably, this was observed for Service Catalog. There will be an instance where an egress policy to be added for `cloudbuild.googleapis.com` access: