Infrastructure as Code/Data for non-k8s infrastructure

[Stephen-ONeil]

TODO:

• [x] determine choice of IAC/IAD tooling. KCC?
  • don't have to get it right the first time, just pick one that everyone at least agrees on in theory
  • going with config connector
• [ ] convert the remaining infrastructure represented by deploy/gcloud_init_setup.sh
  • [x] DNS managed zone
  • [x] Artifact registry for app server images
  • [ ] Cloud storage for test coverage reports
  • [ ] Cloud build IAM (read/write to the test coverage bucket)
  • [ ] GitHub trigger, although that's tricky. The repository connection needs to made first, and may not be something we can automate
  • [x] Cloud trace (well, all we need is for the API to be enabled, but this needs to be captured for cold starts in new GCP projects)
  • [ ] Uptime monitoring. This one's already Pulumi, we might be able to generate the k8s yaml , although note the caveats
• [ ] try to identify and capture any other pieces of necessary infrastructure which were click ops-ed in to the current project

[Stephen-ONeil]

Additional, newer, infrastructure to capture:

• [x] ensure that all relevant security APIs are enabled
• [x] GKE autopilot cluster (+ bootstrapping?)
• [x] service account for cert manager (DNS solver)
• [x] service account and storage bucket for CloudnativePG backups
• [x] service account for SOPS

Infrastructure not currently found in the experimental project, but planned/anticipated for prod:

• [x] custom VPC with limited subnets
• [ ] logging:
  • [ ] set appropriate retention window (default might be fine, but setting it explicitly will make it easier to document enforcement)
  • [ ] create sinks to copy audit level logs (GCP audit logs, logs about flux changes, new app images, app-level audit logs, etc) to a bucket with a longer retention window. May need to also send these logs to a DTB logging endpoint, TBD
  • [ ] might be worth implementing these suggestions in general
• [x] if we want Cloud Armor's WAF capabilities:
  • [x] a regional external application load balancer (+ certificate, although it could use the cluster cert I believe)
  • [x] Cloud Armor Security Policy with WAF rules
• [ ] Identity aware proxy configured for HC's AD