GoogleCloudPlatform / pbmm-on-gcp-onboarding

GCP Canadian Public Sector Landing Zone overlay on top of the TEF via CFT modules - a secure cloud foundation
https://cloud.google.com/architecture/security-foundations
Apache License 2.0

Refactor for multiple landing zone installs - Currently only 1 LZ can be installed per org until we refactor org level collisions #240

Open obriensystems opened 1 year ago

obriensystems commented 1 year ago

Currently only 1 LZ can be installed per org until we refactor org level collisions

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-security-controls.md#security---access-context-manager

Access Context Manager - Access Level and VPC Service Control - Access Policy https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-security-controls.md#security---vpc-service-controls

common

module.net-private-perimeter-firewall.google_compute_firewall.custom["allow-egress-internet-pr"]: Creation complete after 13s [id=projects/tzpe-tlz-tlz-perim/global/firewalls/tzpefwl-allow-egress-internet-pr-fwr]
module.net-private-perimeter-firewall.google_compute_firewall.custom["allow-ssh-ingress"]: Creation complete after 13s [id=projects/tzpe-tlz-tlz-perim/global/firewalls/tzpefwl-allow-ssh-ingress-fwr]
╷
│ Warning: Experimental feature "module_variable_optional_attrs" is active
│ 
│   on terraform.tf line 19, in terraform:
│   19:   experiments = [module_variable_optional_attrs]
│ 
│ Experimental features are subject to breaking changes in future minor or
│ patch releases, based on feedback.
│ 
│ If you have feedback on the design of this feature, please open a GitHub
│ issue to discuss it.
│ 
│ (and 23 more similar warnings elsewhere)
╵
╷
│ Error: Error creating AccessPolicy: googleapi: Error 409: Policy already exists with parent organizations/131880894992
│ 
│   with module.access-context-manager.google_access_context_manager_access_policy.access_policy[0],
│   on ../../modules/vpc-service-controls/main.tf line 19, in resource "google_access_context_manager_access_policy" "access_policy":
│   19: resource "google_access_context_manager_access_policy" "access_policy" {
│ 
obriensystems commented 1 year ago
[screenshot, 2023-01-31 11:55]
obriensystems commented 1 year ago

Remove Access Context Manager Policy

[screenshot, 2023-01-31 12:06]

Display name: tspevsc_tlsacm_vsc
Resource type: identity.accesscontextmanager.googleapis.com/AccessPolicy
Name: //accesscontextmanager.googleapis.com/accessPolicies/1021375921638
Organization: organizations/131880894992
Parent asset type: cloudresourcemanager.googleapis.com/Organization
Parent full resource name: //cloudresourcemanager.googleapis.com/organizations/131880894992
obriensystems commented 1 year ago

Created an ACM at the org level on another org to compare - console does not see the TF created one - but the console created one is there

[screenshots, 2023-02-01 11:46]

checking delete API

obriensystems commented 1 year ago

Actually it is an access policy, not an access level

[screenshot, 2023-02-01 11:52]
obriensystems commented 1 year ago

A VPC Service Control - access policy

[screenshot, 2023-02-01 11:55]

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-security-controls.md#security---vpc-service-controls

obriensystems commented 1 year ago

delete vpc sc

[screenshot, 2023-02-01 12:00]

add IAM role https://cloud.google.com/access-context-manager/docs/manage-access-policy#delete

get ID from asset inventory under identity.AccessPolicy

Display name: tspevsc_tlsacm_vsc
Resource type: identity.accesscontextmanager.googleapis.com/AccessPolicy
Name: //accesscontextmanager.googleapis.com/accessPolicies/1021375921638
Organization: organizations/131880894992
Parent asset type: cloudresourcemanager.googleapis.com/Organization
Parent full resource name: //cloudresourcemanager.googleapis.com/organizations/131880894992

enable role, delete vpc sc


root_@cloudshell:~ (lz-tls)$ gcloud access-context-manager policies delete accessPolicies/1021375921638
You are about to delete policy [1021375921638]

Do you want to continue (Y/n)?  y
API [accesscontextmanager.googleapis.com] not enabled on project [308673020059]. Would you like to enable and retry (this will take a few minutes)? (y/N)?  y

Enabling service [accesscontextmanager.googleapis.com] on project [308673020059]...
Operation "operations/acat.p2-308673020059-bb01eee4-4f53-469f-987f-5179f0c8f6c6" finished successfully.
Deleted policy [1021375921638].
obriensystems commented 1 year ago

common ok

[screenshot, 2023-02-01 12:20]

rerunning non-prod (2_folders is up now) prod ok

[screenshot, 2023-02-01 12:56]
obriensystems commented 1 year ago
[screenshot, 2023-02-01 13:25]

prod - need to rename the project, as the deleted project (30 day) is still up after the billing quota error earlier

Step #4 - "tf apply": │ Error: error creating project tzpe-tlz-tlzprod-host2 (TzPe-tlz-tlzprod-host2): googleapi: Error 409: Requested entity already exists, alreadyExists. If you received a 403 error, make sure you have the `roles/resourcemanager.projectCreator` permission
Step #4 - "tf apply": │ 
Step #4 - "tf apply": │   with module.net-host-prj.module.project.google_project.project,
Step #4 - "tf apply": │   on ../../modules/project/main.tf line 19, in resource "google_project" "project":
Step #4 - "tf apply": │   19: resource "google_project" "project" {

fix

prod_host_net = {
  user_defined_string            = "tlzprod" # Must be globally unique. Used to create project name
  additional_user_defined_string = "host3"   # was "host2"

root_@cloudshell:~/lz-tls/_lz2/pbmm-on-gcp-onboarding (lz-tls)$ git status
On branch main
Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        modified:   environments/prod/prod-network.auto.tfvars

no changes added to commit (use "git add" and/or "git commit -a")
root_@cloudshell:~/lz-tls/_lz2/pbmm-on-gcp-onboarding (lz-tls)$ git add environments/
root_@cloudshell:~/lz-tls/_lz2/pbmm-on-gcp-onboarding (lz-tls)$ git commit -m "new proj name for prod"
[main 6da67af] new proj name for prod
 1 file changed, 1 insertion(+), 1 deletion(-)
root_@cloudshell:~/lz-tls/_lz2/pbmm-on-gcp-onboarding (lz-tls)$ git push csr main
[screenshot, 2023-02-01 13:33]

prod ok
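Both 409s in this thread are the same class of problem: a re-run of the landing zone in an org that already carries state from an earlier install. An organization can hold only one organization-level Access Context Manager access policy, so a fresh `google_access_context_manager_access_policy` create collides with the one left behind, and a deleted project keeps its project ID reserved until the soft-delete window expires, so `google_project` collides too. The thread resolved the first by deleting the policy and the second by renaming the project. The preflight below is an added example, not code from pbmm-on-gcp-onboarding: it parses the JSON that `gcloud access-context-manager policies list --organization=ORG --format=json` and `gcloud projects describe PROJECT_ID --format=json` print, reports the existing policy as a `terraform import` of the address shown in the error (which keeps any perimeters already attached to it, unlike the delete), and flags a project ID still held in ACTIVE or DELETE_REQUESTED state. The function names, the `run_gcloud` wrapper and the sample JSON are assumptions constructed for the example; the IDs in the samples are the ones quoted in the thread.

```python
"""Preflight for re-running the landing zone in an org with leftover state.

Added example, not code from pbmm-on-gcp-onboarding. The gcloud calls are
wrapped in run_gcloud() and only made from main(), so the decision logic
runs offline on the constructed samples below.
"""
import json
import subprocess
from typing import Dict, List, Optional

# Constructed sample in the shape of
# `gcloud access-context-manager policies list --organization=ORG --format=json`.
SAMPLE_POLICIES_JSON = json.dumps([
    {"name": "accessPolicies/1021375921638",
     "parent": "organizations/131880894992",
     "title": "tspevsc_tlsacm_vsc"},
])

# Constructed sample of `gcloud projects describe PROJECT_ID --format=json`
# for a project that was deleted but is still inside its soft-delete window.
SAMPLE_PROJECT_JSON = json.dumps({
    "projectId": "tzpe-tlz-tlzprod-host2",
    "lifecycleState": "DELETE_REQUESTED",
})

# Terraform address of the policy resource, as printed in the 409 error.
POLICY_ADDRESS = ("module.access-context-manager."
                  "google_access_context_manager_access_policy.access_policy[0]")


def run_gcloud(args: List[str]) -> Optional[str]:
    """Run gcloud with --format=json; None on non-zero exit (for example
    `projects describe` on an ID that does not exist or is not visible)."""
    proc = subprocess.run(["gcloud", *args, "--format=json"],
                          capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else None


def find_org_access_policy(policies_json: str, org_id: str) -> Optional[str]:
    """Numeric ID of the organization-level access policy, or None.
    Only one such policy can exist per org, so a hit means a second
    create of google_access_context_manager_access_policy will 409."""
    for policy in json.loads(policies_json):
        if policy.get("parent") == f"organizations/{org_id}":
            return policy["name"].split("/")[-1]
    return None


def import_command(address: str, policy_id: str) -> str:
    """terraform import line that adopts the existing policy into state
    instead of deleting it; the provider's import ID is the numeric name."""
    return f"terraform import '{address}' {policy_id}"


def project_id_taken(describe_json: Optional[str]) -> bool:
    """True if the project ID is still held: ACTIVE, or DELETE_REQUESTED
    (the ID stays reserved until the soft-delete window expires).
    None means describe failed; treated as free, but that is also what a
    missing resourcemanager.projects.get permission looks like."""
    if describe_json is None:
        return False
    state = json.loads(describe_json).get("lifecycleState")
    return state in ("ACTIVE", "DELETE_REQUESTED")


def preflight(policies_json: str, describe_json: Optional[str],
              org_id: str, project_id: str) -> Dict[str, Optional[str]]:
    """Collisions a re-run would hit, with the remediation for each
    (None means no collision on that item)."""
    findings: Dict[str, Optional[str]] = {"access_policy": None, "project": None}
    policy_id = find_org_access_policy(policies_json, org_id)
    if policy_id:
        findings["access_policy"] = import_command(POLICY_ADDRESS, policy_id)
    if project_id_taken(describe_json):
        findings["project"] = (f"{project_id} is taken; change "
                               "additional_user_defined_string in the prod tfvars")
    return findings


def main() -> None:
    org_id, project_id = "131880894992", "tzpe-tlz-tlzprod-host2"
    policies = run_gcloud(["access-context-manager", "policies", "list",
                           f"--organization={org_id}"]) or "[]"
    describe = run_gcloud(["projects", "describe", project_id])
    for item, action in preflight(policies, describe, org_id, project_id).items():
        print(f"{item}: {action or 'ok'}")


if __name__ == "__main__":
    main()
```

Run it from Cloud Shell before the `common` and `prod` applies; a non-empty `access_policy` finding is the import to run (after which the plan should show the policy as unchanged rather than to be created), and a `project` finding is the tfvars edit the thread made by hand. Deleting the policy instead, as the thread did, also removes every access level and service perimeter parented to it, which is only acceptable when nothing else in the org depends on them.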

fmichaelobrien commented 2 months ago

20240406: Closing issue during retrofit/rebase of this TEF V1 based/modified repo to TEF V4 standards. This issue may participate in the LZ refactor after rebase. Query on all issues related to the older V1 version via the tag https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/labels/2024-pre-tef-v4