WIP: Adding hardened datasets for preventive and detective Compliance Controls #3410
Conversation
vannicktrinquier
force-pushed
the
fast-fsi-dev
branch
2 times, most recently
from
daacdc0 to
4c345e7
Compare
…rols in stage 0 and stage 1 VPC-SC
vannicktrinquier
force-pushed
the
fast-fsi-dev
branch
from
06dab41 to
e680ae9
Compare
| org_policy_custom_constraints = "${local.paths.organization}/custom-constraints" | ||
| custom_roles = "${local.paths.organization}/custom-roles" | ||
| tags = "${local.paths.organization}/tags" | ||
| scc_sha_custom_modules = "${local.paths.organization}/scc-sha-custom-modules" |
There was a problem hiding this comment.
Adding support for scc_custom_sha. If not present those will not be deployed (needed for non SCC/P or SCC/E organization)
| monitoring_logging_bucket_name = module.factory.projects["log-0"]["log_buckets"]["log-0/audit-logs"] | ||
| } | ||
|
|
||
| module "monitoring-alerts-project" { |
There was a problem hiding this comment.
New module added to deploy if present in /observability foder monitoring alerts and log based metrics. For now, only a small samples is provided. But it will be increases across time
|
|
||
| # yaml-language-server: $schema=../../schemas/perimeter.schema.json | ||
|
|
||
| status: |
There was a problem hiding this comment.
Enforce VPC-SC (not dry-run anymore as in classic/ folder)
| iam_by_principals = { | ||
| for k, v in each.value.project_config.iam_by_principals : | ||
| lookup(var.factories_config.context.iam_principals, k, k) => v | ||
| for principal, roles_list in { |
There was a problem hiding this comment.
Minor fix to allow having same groups to be reused across.
For example:
factories_config = {
context = {
iam_principals = {
data-consumer-bi = "group:[email protected]"
data-domain-0 = "group:[email protected]"
data-platform = "group:[email protected]"
....
}
}
}
Without this, it will fails because of non unique key
|
|
||
| Just like before, we manually remove several resources (GCS buckets and BQ datasets). Note that `terrafom destroy` will fail. This is expected; just continue with the rest of the steps. | ||
|
|
||
| Also, you can't create a custom constraint with the same name than a previously deleted custom constraint. To avoid issues during next future reprovisionning, *it is recommended to remove from Terraform state custom constraints*. |
There was a problem hiding this comment.
See datasets/hardened/README.md for more details but a custom constraint deleted can be recreated with the same name. To avoid this, it is recommended to not delete them until a fix is released
| } | ||
| enablement_state = each.value.enablement_state | ||
|
|
||
| depends_on = [ |
There was a problem hiding this comment.
Ensure bindings done before deploying.
1 participant
This PR is adding:
A set of controls stored in folder /datasets/hardened is provided. This set of controls is based of various library built in PSO Public repositories. Those libraries have been build in such as a way to set of controls can be exported to Cloud Foundation Fabric Terraform Format
This PR contains changed to
datasets/hardenedI applicable, I acknowledge that I have:
terraform fmton all modified filestools/tfdoc.py