-
Notifications
You must be signed in to change notification settings - Fork 27
/
Copy pathsetters.yaml
165 lines (165 loc) · 7.75 KB
/
setters.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#########
apiVersion: v1
kind: ConfigMap
metadata:
name: setters
annotations:
config.kubernetes.io/local-config: "true"
data:
##########################
# Instructions
##########################
#
# Follow instructions specific to each section.
# Project IDs must follow the rules below, additionally,
# if a gatekeeper policy is used to enforce specific naming conventions, refer to its documentation.
# - All IDs should be universally unique.
# - Must be 6 to 30 characters in length.
# - Can only contain lowercase letters, numbers, and hyphens.
# - Must start with a letter.
# - Cannot end with a hyphen.
# - Cannot be in use or previously used; this includes deleted projects.
# - Cannot contain restricted strings, such as google and ssl.
#
##########################
# General Settings Values
##########################
#
# Use the same Google Cloud Organization ID that was used during the bootstrap procedure
# customization: required
org-id: "0000000000"
# root folder to which the Landing Zone will be deployed into. This folder is created during the bootstrap procedure
# customization: required
lz-folder-id: '0000000000'
# core-landing-zone billing id
# customization: required
billing-id: "AAAAAA-BBBBBB-CCCCCC"
#
##########################
# Management Project
##########################
#
# The management project is where the Landing Zone config controller instance is running, created during the bootstrap procedure.
# The $PROJECT_ID (management-project-id) is defined during Initial Organization Configuration (https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/docs/landing-zone-v2/README.md#initial-organization-configuration)
# customization: required
management-project-id: management-project-12345
# The management-project-number can be obtained from the Dashboard via https://console.cloud.google.com/home/dashboard?project=$PROJECT_ID
# Alternatively, obtain the management-project-number from gcloud: gcloud projects list --filter="${PROJECT_ID}" '--format=value(PROJECT_NUMBER)'
# customization: required
management-project-number: "0000000000"
# kubernetes namespace set to the default, config-control.
# customization: Do not change this value.
management-namespace: config-control
#
##########################
# Org Policies
##########################
#
# The following are Settings for some org policies
#
# a list of allowed trusted image projects, see YAML file for more info:
# org/org-policies/compute-trusted-image-projects.yaml
# customization: This setting can be left as default or modified as required
allowed-trusted-image-projects: |
- "projects/cos-cloud"
#
# a list of allowed essential contact domains, see YAML file for more info:
# org/org-policies/essentialcontacts-allowed-contact-domains.yaml
# customization: this setting MUST be changed to a domain in which you choose to allow to receive notifications from Google.
allowed-contact-domains: |
- "@example.com"
#
# a list of directory customer IDs from which users can be added to IAM policies, see YAML file for more info:
# org/org-policies/iam-allowed-policy-member-domains.yaml
# run 'gcloud organizations list' as described in https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#retrieving_customer_id
# customization: # this setting MUST be changed to include the GCP org's directory customer ID and any other directory containing users that will need IAM roles assigned
allowed-policy-domain-members: |
- "DIRECTORY_CUSTOMER_ID"
#
# a list of allowed projects, folders, networks for VPC peering, see YAML file for more info:
# org/org-policies/compute-restrict-vpc-peering.yaml
# customization: this setting MUST be changed, replace ORGANIZATION_ID with the GCP organizations's ID
allowed-vpc-peering: |
- "under:organizations/ORGANIZATION_ID"
#
# a list of IP addresses that should be allowed to be VPN peers to the VPCs in the organization
# by default, all IP's are denied. see YAML file for more info: org/org-policies/compute-restrict-vpn-peer-ips.yaml
# If you need to allow/deny specific values, update org/org-policies/compute-restrict-vpn-peer-ips.yaml and set the below variable accordingly
# ResourceManagerPolicy schema: https://cloud.google.com/config-connector/docs/reference/resource-docs/resourcemanager/resourcemanagerpolicy#schema
# allowed-vpn-peering-ips: |
# - string
#
##########################
# Logging
##########################
#
# Core landing Zone logging project, used by the logging packages
# project id for the logging project to be created, following rules and conventions
# customization: required
logging-project-id: logging-project-12345
#
# Storage buckets
# Security incident log bucket
# Bucket names must be globally unique across all of GCP
# customization: required
security-incident-log-bucket: security-incident-log-bucket-12345
#
# Platform and Component Log Bucket
# customization: required
platform-and-component-log-bucket: platform-and-component-log-bucket-12345
#
# Retention settings
# Set the number of days to retain logs in Cloud Logging buckets
# Set the lock mechanism on the bucket to: true or false
# After a retention policy is locked (true), you can't delete the bucket until every log in the bucket has fulfilled the bucket's retention period
# AU-9 PROTECTION OF AUDIT INFORMATION
# AU-11 AUDIT RECORD RETENTION
# customization: The values below must be modified to locked: true and retentionDays: 365 in a Production setting to implement above mentioned security controls.
retention-locking-policy: "false"
retention-in-days: "1"
#
# Retention settings for Cloud Storage bucket to store logs related to security incidents
# Events and logs associated with a security incident must be kept for at least 2 years
# Set the lock mechanism on the bucket to: true or false
# After a retention policy is locked (true), you can't delete the bucket until every log in the bucket has fulfilled the bucket's retention period
# AU-9 PROTECTION OF AUDIT INFORMATION
# AU-11 AUDIT RECORD RETENTION
# customization: The values below must be modified to locked: true and retentionSeconds: 63072000 (730 days) in a Production setting to implement above mentioned security controls.
security-incident-log-bucket-retention-locking-policy: "false"
security-incident-log-bucket-retention-in-seconds: "86400"
#
##########################
# DNS
##########################
#
# DNS project
#
# project id for the dns project to be created, following rules and conventions
# customization: required
core-dns-project-id: dns-project-12345
#
# Core Landing Zone fqdn. The "dns-name" must end with a "."
# dns-name needs needs to receive delegation from the upper level of the domain example.com.
# customization: required
dns-name: "example.com."
#
##########################
# Labels
##########################
# Labels can be set on project using set-labels-project.yaml. Please make sure there is one pair of key-value pair otherwise render will fair
##########################
# End of Configurations
##########################