fix: YAML comments cleanup (#564)
* edit setters comments for gatekeeper-policies naming-rules

* edit setters instructions for client-setup pkg

* edit setters comments and security control comments for core-landing-zone pkg

* fix linting errors and typos

* add config sync details, fix typos

* address comments

* add gatekeeper-policies security controls comments
alaincormier-ssc authored Oct 24, 2023
1 parent 4c88231 commit a9dbcf1
Showing 36 changed files with 511 additions and 131 deletions.
35 changes: 29 additions & 6 deletions solutions/client-setup/setters.yaml
Expand Up @@ -38,53 +38,76 @@ data:
# General Settings Values
##########################
#
# Use the same Google Cloud Organization ID that was used when deploying the core-landing-zone package
# customization: required
org-id: "0000000000"
#
# The environment (dev, preprod, prod), used in the client folder display name
# customization: required
environment: env
#
##########################
# Management Project
##########################
#
# This is the project where the config controller instance is running
# Values can be viewed in the Project Dashboard
# The management project is where the Landing Zone config controller instance is running.
# management-project-id is the same value as defined in the core-landing-zone package
# customization: required
management-project-id: management-project-12345
#
# management-project-number is the same value as defined in the core-landing-zone package
# customization: required
management-project-number: "0000000000"
#
# kubernetes namespace set to the default, config-control.
# customization: Do not change this value.
management-namespace: config-control
#
##########################
# Client
##########################
#
# Name for the client, lowercase only
# Name for the client, lowercase only.
# customization: required
client-name: 'client1'
# Billing Account ID to associate with the client's managment project, the projects-sa will need billing user permission
# alternatively, it can be set to the core landing zone billing id, the client management project contains very limited resources
#
# Client's Billing Account ID to associate with the client's management project. The projects-sa will need billing user role permission granted.
# alternatively, because the client management project contains very limited resources, it could be set to the core-landing-zone billing id (the projects-sa should already have permissions set during initial post deployment configurations)
# customization: required
client-billing-id: "AAAAAA-BBBBBB-CCCCCC"
#
# project id for the client management project to be created, following rules and conventions
# customization: required
client-management-project-id: client-management-project-12345
#
##########################
# Config Sync
##########################
#
# Used for the client root sync external git repo (GitHub, Azure DevOps, etc.)
# The repo stores client packages configs, i.e., one 'client-landing-zone', one/many 'client-project-setup', etc.
# To disable this option, delete the 'root-sync-git/' directory
#
# the git repo URL, for example
# https://github.com/GITHUB-ORG/REPO-NAME
# https://[email protected]/AZDO-ORG/AZDO-PROJECT/_git/REPO-NAME
# customization: required
repo-url: git-repo-to-observe
#
# the branch to check out (usually main)
# customization: optional
repo-branch: main
#
# the directory to observe for YAML manifests
# customization: optional
repo-dir: csync/deploy/env
#
##########################
# DNS
##########################
#
# dns project id created in core-landing-zone
# dns project id created during core-landing-zone package deployment
# customization: required, obtain value from the core-landing-zone setters.yaml
dns-project-id: dns-project-12345
#
##########################
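Review bot: The new `repo-url` comment shows an Azure DevOps example with a `user@` host prefix but never says that a token or password must not be placed in this value; since setters.yaml is committed with the package, a credential pasted into the URL would end up in version control. I would add above `repo-url`: `# Do not embed credentials (tokens, passwords) in the URL; authentication for the root sync is configured separately` — confirm where that configuration lives (presumably under the 'root-sync-git/' directory named in the comment above). The rendered host also reads `[email protected]`, which looks like forge e-mail obfuscation of the real example, so check that the committed text is intact. Separately, `repo-dir: csync/deploy/env` ends in `env` just like the `environment` placeholder; the comment should say whether the two must agree.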
Expand Up @@ -14,7 +14,8 @@
######
# Cloud Logging bucket for Security logs: Cloud Audit, Access Transparency Logs, and Data Access Logs
# Logs are routed using a log sink to a central logging project into a dedicated log bucket
# AU-4(1), AU-9(2) - Log buckets are created in a logging project, isolating them from the source of the log entries in other projects
# AU-7, AU-9 - The log buckets created within the Logging project are immutable (AU-7(B)). These buckets have a retention policy of 365 days and IAM Policy that defines who has access to the bucket (AU-9)
# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket
apiVersion: logging.cnrm.cloud.google.com/v1beta1
kind: LoggingLogBucket
metadata:
Expand All @@ -23,17 +24,19 @@ metadata:
annotations:
config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id} # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id}
spec:
# AU-4(1), AU-6(4), AU-9(2)
projectRef:
name: logging-project-id # kpt-set: ${logging-project-id}
namespace: projects
location: northamerica-northeast1
description: Cloud Logging bucket for Security logs
# Implement retention policy and retention locking policy
# AU-9, AU-11 - RetentionDays sets the policy where existing log content cannot be changed/deleted for the specified number of days (from setters.yaml), locked setting means policy cannot be changed, ensuring immutability.
# Implement retention locking policy and number of retention days
# AU-7, AU-9
locked: false # kpt-set: ${retention-locking-policy}
retentionDays: 1 # kpt-set: ${retention-in-days}
---
# Cloud Logging bucket for Platform and Component logs
# Logs are routed using a log sink to a central logging project into a dedicated log bucket
apiVersion: logging.cnrm.cloud.google.com/v1beta1
kind: LoggingLogBucket
metadata:
Expand All @@ -42,12 +45,13 @@ metadata:
annotations:
config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id} # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id}
spec:
# AU-4(1), AU-6(4), AU-9(2)
projectRef:
name: logging-project-id # kpt-set: ${logging-project-id}
namespace: projects
location: northamerica-northeast1
description: Cloud Logging bucket for Platform and Component logs
# Implement retention policy and retention locking policy
# AU-9, AU-11
# Implement retention locking policy and number of retention days
# AU-7, AU-9
locked: false # kpt-set: ${retention-locking-policy}
retentionDays: 1 # kpt-set: ${retention-in-days}
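Review bot: The new header comment `# AU-7, AU-9 - The log buckets ... are immutable (AU-7(B)). These buckets have a retention policy of 365 days ...` states immutability and a 365-day retention as facts, but the spec sets `locked: false # kpt-set: ${retention-locking-policy}` and `retentionDays: 1 # kpt-set: ${retention-in-days}`, so both depend on setter values and the template default is unlocked. An assessor reading the comment would assume a guarantee the manifest does not provide; reword to `# AU-7, AU-9 - Retention days and retention locking come from setters.yaml (retention-in-days, retention-locking-policy); the bucket is immutable only when the locking policy is true`. The same applies to the second LoggingLogBucket in this file, where `# Implement retention locking policy and number of retention days` also drops the AU-11 reference the previous comment carried — confirm that removal is intended.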
Expand Up @@ -13,7 +13,8 @@
# limitations under the License.
######
# Logs Bucket writer IAM permissions for security log sink
# Binds the generated writer identity from the LoggingLogSink to the logging project
# Binds the service account dynamically created with the LoggingLogSink to the required role to write to the bucket
# AU-9, AC-3 - IAM Policy that assigns the dynamically created service account with the LoggingLogSink to the logging bucket writer role
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
Expand All @@ -26,7 +27,7 @@ spec:
kind: Project
name: logging-project-id # kpt-set: ${logging-project-id}
namespace: projects
# AC-3(7) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
# AU-9, AC-3
bindings:
- role: roles/logging.bucketWriter
members:
Expand All @@ -36,8 +37,7 @@ spec:
namespace: logging
---
# Logs Bucket writer IAM permissions for the platform and component log sinks
# Binds the generated writer identity from the LoggingLogSink to the logging project
# AC-3(7) - Write access to the logging buckets is limited by IAM to just the identities of the log sinks configured to send logs to the buckets (set at the logging project level)
# Binds the service account dynamically created with the LoggingLogSink to the required role to write to the bucket
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
Expand All @@ -50,7 +50,7 @@ spec:
kind: Project
name: logging-project-id # kpt-set: ${logging-project-id}
namespace: projects
# AC-3(7) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
# AU-9, AC-3
bindings:
- role: roles/logging.bucketWriter
members:
Expand All @@ -60,8 +60,7 @@ spec:
namespace: logging
---
# Logs Bucket writer IAM permissions for the platform and component services log sinks
# Binds the generated writer identity from the LoggingLogSink to the logging project
# AC-3(7) - Write access to the logging buckets is limited by IAM to just the identities of the log sinks configured to send logs to the buckets (set at the logging project level)
# Binds the service account dynamically created with the LoggingLogSink to the required role to write to the bucket
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
Expand All @@ -74,7 +73,7 @@ spec:
kind: Project
name: logging-project-id # kpt-set: ${logging-project-id}
namespace: projects
# AC-3(7) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
# AU-9, AC-3
bindings:
- role: roles/logging.bucketWriter
members:
Expand All @@ -84,7 +83,7 @@ spec:
namespace: logging
---
# Logs Bucket writer IAM permissions for the platform and component log sink
# Binds the generated writer identity from the LoggingLogSink to the logging project
# Binds the service account dynamically created with the LoggingLogSink to the required role to write to the bucket
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
Expand All @@ -97,7 +96,7 @@ spec:
kind: Project
name: logging-project-id # kpt-set: ${logging-project-id}
namespace: projects
# AC-3(7)
# AU-9, AC-3
bindings:
- role: roles/logging.bucketWriter
members:
Expand All @@ -116,6 +115,7 @@ metadata:
config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id} # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id}
spec:
service: allServices
# AU-9, AC-3
auditLogConfigs:
- logType: ADMIN_READ
- logType: DATA_READ
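Review bot: The `# AU-9, AC-3` tag added above `auditLogConfigs:` in the last hunk looks copied from the IAMPartialPolicy bindings earlier in the file; the resource it sits in (its header is outside the hunk) configures which log types are generated (`ADMIN_READ`, `DATA_READ`), which is a different control objective from protecting audit information or enforcing bucket access, so the tag should be checked against the mapping used for audit generation elsewhere in the package. The rewritten header comments on the platform/component sink policies also drop the explanation that write access to the buckets is limited to the sink writer identities; that least-privilege rationale is the point of the binding and is worth keeping, e.g. `# Grants roles/logging.bucketWriter only to the sink's writer identity (least privilege for bucket writes)`. As far as I recall IAMPartialPolicy manages only the bindings listed, so the comment should not claim this resource alone prevents other writers.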
Expand Up @@ -26,6 +26,7 @@ metadata:
cnrm.cloud.google.com/auto-create-network: 'false'
spec:
name: logging-project-id # kpt-set: ${logging-project-id}
# AU-4(1), AU-9(2)
folderRef:
name: audits
namespace: hierarchy

This file was deleted.

Expand Up @@ -13,7 +13,8 @@
# limitations under the License.
#########
# Public Core DNS zone
# SC-22
# SC-20 - This is Parent zone and purely related to core landing zone only. Supports DNSSEC from spoofing attacks
# Client applications will be using sub zones created under parent zone, however, their configuration will be application specific and will require seperate assessment
apiVersion: dns.cnrm.cloud.google.com/v1beta1
kind: DNSManagedZone
metadata:
Expand All @@ -27,6 +28,7 @@ spec:
resourceID: standard-core-public-dns
dnsName: "dns-name" # kpt-set: ${dns-name}
visibility: public
# SC-20
dnssecConfig:
state: "on"
cloudLoggingConfig:
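Review bot: The new header comment `# SC-20 - This is Parent zone and purely related to core landing zone only. Supports DNSSEC from spoofing attacks` is ungrammatical and does not say what satisfies the control, and the following line has `seperate`. Suggest `# SC-20 - Parent public zone for the core landing zone only; DNSSEC is enabled below (dnssecConfig.state: "on") to protect resolvers against spoofed responses` and `separate assessment`. The commit also replaces the previous `SC-22` tag instead of adding to it; if SC-22 still applies to this public zone, keep both.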
Expand Up @@ -14,6 +14,9 @@
######
# Folder sink for Platform and Component logs of Services Resources
# Destination: Cloud Logging bucket hosted inside logging project
# AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the folder to send the logs to the logging bucket in the logging project
# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket
# AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to
apiVersion: logging.cnrm.cloud.google.com/v1beta1
kind: LoggingLogSink
metadata:
Expand All @@ -27,12 +30,13 @@ spec:
namespace: hierarchy
includeChildren: true
destination:
# AU-3, AU-3(1), AU-4(1), AU-6(4), AU-9(2)
loggingLogBucketRef:
# destination.loggingLogBucketRef
# Only `external` field is supported to configure the reference.
external: platform-and-component-log-bucket # kpt-set: logging.googleapis.com/projects/${logging-project-id}/locations/northamerica-northeast1/buckets/${platform-and-component-log-bucket}
description: Folder sink for Platform and Component logs of services Resources
# AU-2, AU-12(A), AU-12(C)
# AU-12, AU-12(1)
# No inclusion filter. Includes all Platform and Component logs
# Google Cloud platform logs are service-specific logs
# For a list of all supported Google Cloud Logging API Services visit https://cloud.google.com/logging/docs/api/platform-logs
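Review bot: The new comment `# AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to` has a dangling `that`; write `... against the inclusion and exclusion filters, which determine which destinations the log entry is sent to`. The same sentence is repeated in the second folder-sink file below and in `solutions/core-landing-zone/mgmt-project/project-sink.yaml`, so fix all three. The comment also speaks of filters being checked while the spec states `# No inclusion filter`; whether an exclusion filter follows is outside the hunk, so add one clause saying which filters this sink actually uses so the control statement matches the resource.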
Expand Up @@ -14,6 +14,9 @@
######
# Folder sink for Platform and Component logs of Services Resources
# Destination: Cloud Logging bucket hosted inside logging project
# AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the folder to send the logs to the logging bucket in the logging project
# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket
# AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to
apiVersion: logging.cnrm.cloud.google.com/v1beta1
kind: LoggingLogSink
metadata:
Expand All @@ -27,12 +30,13 @@ spec:
namespace: hierarchy
includeChildren: true
destination:
# AU-3, AU-3(1), AU-4(1), AU-6(4), AU-9(2)
loggingLogBucketRef:
# destination.loggingLogBucketRef
# Only `external` field is supported to configure the reference.
external: platform-and-component-log-bucket # kpt-set: logging.googleapis.com/projects/${logging-project-id}/locations/northamerica-northeast1/buckets/${platform-and-component-log-bucket}
description: Folder sink for Platform and Component logs of services Resources
# AU-2, AU-12(A), AU-12(C)
# AU-12, AU-12(1)
# No inclusion filter. Includes all Platform and Component logs
# Google Cloud platform logs are service-specific logs
# For a list of all supported Google Cloud Logging API Services visit https://cloud.google.com/logging/docs/api/platform-logs
7 changes: 6 additions & 1 deletion solutions/core-landing-zone/mgmt-project/project-sink.yaml
Expand Up @@ -14,6 +14,9 @@
######
# Project sink for the Platform and Component logs of the Landing Zone Management Cluster
# Destination: Cloud Logging bucket hosted inside logging project
# AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the folder to send the logs to the logging bucket in the logging project
# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket
# AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to
apiVersion: logging.cnrm.cloud.google.com/v1beta1
kind: LoggingLogSink
metadata:
Expand All @@ -25,13 +28,14 @@ spec:
projectRef:
external: management-project-12345 # kpt-set: ${management-project-id}
destination:
# AU-3, AU-3(1), AU-4(1), AU-6(4), AU-9(2)
loggingLogBucketRef:
external: logging.googleapis.com/projects/${logging-project-id}/locations/northamerica-northeast1/buckets/${platform-and-component-log-bucket} # kpt-set: logging.googleapis.com/projects/${logging-project-id}/locations/northamerica-northeast1/buckets/${platform-and-component-log-bucket}
# The following setting is required
# You must set unique_writer_identity to true if you wish to publish logs across projects
uniqueWriterIdentity: true
description: Project sink for Platform and Component logs of the Landing Zone Management Cluster
# AU-2, AU-12(A), AU-12(C)
# AU-12, AU-12(1)
# No inclusion filter. Includes all Platform and Component logs
# Google Cloud platform logs are service-specific logs
# For a list of all supported Google Cloud Logging API Services visit https://cloud.google.com/logging/docs/api/platform-logs
Expand Down Expand Up @@ -74,6 +78,7 @@ spec:
destination:
# destination.loggingLogBucketRef
# Only `external` field is supported to configure the reference.
# AU-3, AU-3(1), AU-4(1), AU-6(4), AU-9(2)
loggingLogBucketRef:
external: logging.googleapis.com/projects/${logging-project-id}/locations/northamerica-northeast1/buckets/_Default # kpt-set: logging.googleapis.com/projects/${logging-project-id}/locations/northamerica-northeast1/buckets/_Default
resourceID: _Default
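Review bot: `# AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the folder to send the logs to the logging bucket in the logging project` in the first hunk is copied from the folder-sink files, but this resource is a project sink (`projectRef` → `${management-project-id}`), so the comment describes a scope the resource does not have. Reword to `# AU-3, AU-3(1) - Sink defined at the management project, routing its logs to the logging bucket in the logging project`. In the second hunk the `# AU-3, AU-3(1), AU-4(1), AU-6(4), AU-9(2)` tag is placed after the `destination.loggingLogBucketRef` explanatory comments, whereas the folder-sink files put the tag before them; use the same order in all sinks so the tags are easy to grep.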
