feat: hub project (#283)

* project, vpc, subnet, nat, dnslogging * adding organization role admin to management namespace * adding fortigates * adding distinct ilb for explicit proxy * fixed explicit proxy, security controls and formatting * management vm: shielded vm and cis remark * adding org policies exemptions Removed ref to AC-5 * renamed project to hub and defined depends-on * added IAP permissions * Update securitycontrols.md Added missing text for AC-3(7) description * doc: adressing comments * feat: initial hub package --------- Co-authored-by: fmichaelobrien <[email protected]> Co-authored-by: Michael O'Brien <[email protected]> Co-authored-by: amcmullin <[email protected]>
GoogleCloudPlatform · Mar 14, 2023 · 160f630 · 160f630
1 parent 001c491
commit 160f630
Show file tree

Hide file tree

Showing 47 changed files with 3,103 additions and 18 deletions.
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
@@ -8,6 +8,7 @@
     "solutions/landing-zone-v2": "0.2.0",
     "solutions/org-policies": "0.0.2",
     "solutions/project/project-experimentation": "0.0.2",
+    "solutions/project/hub-env": "0.0.1",
     "solutions/logging/client-experimentation": "0.1.0",
     "solutions/logging/core-experimentation": "0.1.0"
 }
diff --git a/release-please-config.json b/release-please-config.json
@@ -40,17 +40,17 @@
     "solutions/landing-zone-v2": {
       "package-name": "solutions/landing-zone-v2",
       "tag-separator": "/",
-      "prerelease": true  
+      "prerelease": true
     },
     "solutions/logging/client-experimentation": {
       "package-name": "solutions/logging/client-experimentation",
       "tag-separator": "/",
-      "prerelease": true  
+      "prerelease": true
     },
     "solutions/logging/core-experimentation": {
       "package-name": "solutions/logging/core-experimentation",
       "tag-separator": "/",
-      "prerelease": true  
+      "prerelease": true
     },
     "solutions/org-policies": {
       "package-name": "solutions/org-policies",
@@ -61,6 +61,11 @@
       "package-name": "solutions/project/project-experimentation",
       "tag-separator": "/",
       "prerelease": true
+    },
+    "solutions/project/hub-env": {
+      "package-name": "solutions/project/hub-env",
+      "tag-separator": "/",
+      "prerelease": true
     }
   }
 }
diff --git a/solutions/landing-zone-v2/namespaces/management-namespace.yaml b/solutions/landing-zone-v2/namespaces/management-namespace.yaml
@@ -0,0 +1,16 @@
+# Grant GCP role Organization Role Admin to GCP config-control-sa a.k.a yakima
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+  name: config-control-sa-orgroleadmin-permissions
+  namespace: config-control # kpt-set: ${management-namespace}
+  annotations:
+    cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id}
+    cnrm.cloud.google.com/ignore-clusterless: "true"
+spec:
+  resourceRef:
+    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+    kind: Organization
+    external: "123456789012" # kpt-set: ${org-id}
+  role: roles/iam.organizationRoleAdmin
+  member: "serviceAccount:service-management-project-number@gcp-sa-yakima.iam.gserviceaccount.com" # kpt-set: serviceAccount:service-${management-project-number}@gcp-sa-yakima.iam.gserviceaccount.com
diff --git a/solutions/landing-zone-v2/setters.yaml b/solutions/landing-zone-v2/setters.yaml
@@ -45,11 +45,9 @@ data:
   # Cannot end with a hyphen.
   # Cannot be in use or previously used; this includes deleted projects.
   # Cannot contain restricted strings, such as google and ssl.
-  net-host-prj-nonprod-id: net-host-prj-nonprod-12345
-  net-host-prj-prod-id: net-host-prj-prod-12345
-  net-perimeter-prj-common-id: net-per-prj-common-12345
   audit-prj-id: audit-prj-id-12345
   guardrails-project-id: guardrails-project-12345
+  hub-project-id: hub-project-12345
   #############
   # Groups
   # Permissions will be assigned to the specified group email

diff --git a/solutions/org-policies/organization/compute-restrict-vpc-peering.yaml b/solutions/org-policies/organization/compute-restrict-vpc-peering.yaml
@@ -41,6 +41,6 @@ spec:
   listPolicy:
     allow:
       values: # kpt-set: ${allowed-vpc-peering}
-      - under:folders/FOLDER_ID
+      - under:organizations/ORGANIZATION_ID
   organizationRef:
     external: "0000000000" # kpt-set: ${org-id}
diff --git a/solutions/org-policies/organization/compute-trusted-image-projects.yaml b/solutions/org-policies/organization/compute-trusted-image-projects.yaml
@@ -38,6 +38,6 @@ spec:
   listPolicy:
     allow:
       values: # kpt-set: ${allowed-trusted-image-projects}
-        - "projects/cos-cloud"
+        - "projects/PROJECT-ID"
   organizationRef:
     external: "0000000000" # kpt-set: ${org-id}
diff --git a/solutions/org-policies/organization/compute-vm-can-ip-forward.yaml b/solutions/org-policies/organization/compute-vm-can-ip-forward.yaml
@@ -38,8 +38,7 @@ metadata:
 spec:
   constraint: "constraints/compute.vmCanIpForward"
   listPolicy:
-    allow:
-      values: # kpt-set: ${allowed-vm-can-ip-forward}
-        - projects/PROJECT_ID
+    deny:
+      all: true
   organizationRef:
     external: "0000000000" # kpt-set: ${org-id}
diff --git a/solutions/org-policies/setters.yaml b/solutions/org-policies/setters.yaml
@@ -46,12 +46,7 @@ data:
     - "DIRECTORY_CUSTOMER_ID"
   # a list of allowed projects, folders, networks for VPC peering, see YAML file for more info:
   # organization/compute-restrict-vpc-peering.yaml
-  # this setting MUST be changed to include the management project ID
+  # this setting MUST be changed to include the ORG ID
   allowed-vpc-peering: |
-    - "under:projects/MANAGEMENT_PROJECT_ID"
-  # a list of allowed projects, folders, networks where VMs can IP forward, see YAML file for more info:
-  # organization/compute-vm-can-ip-forward.yaml
-  # this setting MUST be changed to include the management project ID
-  allowed-vm-can-ip-forward: |
-    - "under:projects/MANAGEMENT_PROJECT_ID"
+    - "under:organizations/ORGANIZATION_ID"
   #############
diff --git a/solutions/project/hub-env/Kptfile b/solutions/project/hub-env/Kptfile
@@ -0,0 +1,17 @@
+apiVersion: kpt.dev/v1
+kind: Kptfile
+metadata:
+  name: hub-env
+  annotations:
+    config.kubernetes.io/local-config: "true"
+info:
+  description: |
+    Landing zone v2 subpackage.
+    A project that implements the Hub functionality from the Hub and Spoke network design.
+    This package is NOT required within an experimentation landing zone.
+pipeline:
+  mutators:
+    - image: gcr.io/kpt-fn/apply-setters:v0.2
+      configPath: setters.yaml
+    - image: gcr.io/kpt-fn/search-replace:v0.2.0
+      configPath: search-replace-config.yaml