Closed fmichaelobrien closed 1 year ago
Chris has mentioned the trusted images policy - this will lock us down for at least IaaS marketplace workloads
constraints/commerceorggovernance.disablePublicMarketplace
Chris, you are Excellent!!! - right there on page 1 - didn't see that - but time for an exhaustive run through the 87. This should fix GR 12 - will test installing Elasticsearch. Will go in both LZ's, thanks for that.
disablePublicMarketplace currently has no effect - investigating. We can still deploy free marketplace services - like Elasticsearch - without a subscription. Need to update the GR 12 readme to include the validation step of verifying that non-Billing Account Administrator role users cannot purchase free marketplace services - to pass validation. The current docs only mention paid services: https://github.com/canada-ca/accelerators_accelerateurs-gcp/blob/main/guardrail-details/12-market-place/marketplace.md#validation
testing

```hcl
module "org-policy-mkt" {
  source          = "terraform-google-modules/org-policy/google"
  version         = "~> 3.0.2"
  constraint      = "constraints/commerceorggovernance.disablePublicMarketplace"
  policy_type     = "boolean"
  organization_id = var.org_id
  enforce         = true
  policy_for      = "organization"
}
```

```text
# module.org-policy-mkt.google_organization_policy.org_policy_boolean[0] will be created
+ resource "google_organization_policy" "org_policy_boolean" {
    + constraint  = "constraints/commerceorggovernance.disablePublicMarketplace"
    + etag        = (known after apply)
    + id          = (known after apply)
    + org_id      = "22179561076"
    + update_time = (known after apply)
    + version     = (known after apply)

    + boolean_policy {
        + enforced = true
      }
  }

Plan: 1 to add, 1 to change, 0 to destroy.
```

apply

```text
# module.org-policy-mkt.google_organization_policy.org_policy_boolean[0] will be created
+ resource "google_organization_policy" "org_policy_boolean" {
    + constraint  = "constraints/commerceorggovernance.disablePublicMarketplace"
    + etag        = (known after apply)
    + id          = (known after apply)
    + org_id      = "22179561076"
    + update_time = (known after apply)
    + version     = (known after apply)

    + boolean_policy {
        + enforced = true
      }
  }

Plan: 1 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.org-policy-mkt.google_organization_policy.org_policy_boolean[0]: Creating...
module.org-policy.google_organization_policy.org_policy_list_allow_values[0]: Modifying... [id=22179561076/constraints/gcp.resourceLocations]
module.org-policy-mkt.google_organization_policy.org_policy_boolean[0]: Creation complete after 1s [id=22179561076/constraints/commerceorggovernance.disablePublicMarketplace]
module.org-policy.google_organization_policy.org_policy_list_allow_values[0]: Modifications complete after 1s [id=22179561076/constraints/gcp.resourceLocations]

Apply complete! Resources: 1 added, 1 changed, 0 destroyed.
root_@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (gr-bootstrap-sgz)$
```
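The plan and apply output above is the evidence that `disablePublicMarketplace` was set, but reading it by eye does not scale across two landing zones. The following is an added example, not code from this issue or from the accelerators repo: a small Python check that reads the JSON form of a Terraform plan (`terraform show -json <planfile>`) and reports whether the constraint is left enforced for a given organization. The plan documents embedded in it are constructed stand-ins with only the fields the check reads, the org id `000000000000` is a placeholder, and the check assumes Terraform's JSON plan format represents the `boolean_policy` nested block as a list of objects.

```python
import json
from typing import Any

# The org policy constraint this issue is enforcing (from the thread above).
MARKETPLACE_CONSTRAINT = "constraints/commerceorggovernance.disablePublicMarketplace"


def build_sample_plan(enforced: bool, action: str = "create") -> str:
    """Construct a minimal stand-in for `terraform show -json <planfile>` output.

    Constructed sample data, not a real plan: only the fields the check reads
    are present. Assumption: Terraform's JSON plan format renders nested blocks
    such as `boolean_policy` as a list of objects.
    """
    state = {
        "constraint": MARKETPLACE_CONSTRAINT,
        "org_id": "000000000000",  # placeholder org id, not a real organization
        "boolean_policy": [{"enforced": enforced}],
    }
    plan: dict[str, Any] = {
        "format_version": "1.1",
        "resource_changes": [
            {
                "address": "module.org-policy-mkt.google_organization_policy.org_policy_boolean[0]",
                "type": "google_organization_policy",
                "name": "org_policy_boolean",
                "change": {
                    "actions": [action],
                    # A pure delete has the state in `before` and no `after`.
                    "before": state if action == "delete" else None,
                    "after": None if action == "delete" else state,
                },
            },
            {
                # An unrelated policy change, like the resourceLocations update
                # in the apply output above, which the check must ignore.
                "address": "module.org-policy.google_organization_policy.org_policy_list_allow_values[0]",
                "type": "google_organization_policy",
                "name": "org_policy_list_allow_values",
                "change": {
                    "actions": ["update"],
                    "before": {"constraint": "constraints/gcp.resourceLocations",
                               "org_id": "000000000000"},
                    "after": {"constraint": "constraints/gcp.resourceLocations",
                              "org_id": "000000000000"},
                },
            },
        ],
    }
    return json.dumps(plan)


def marketplace_policy_state(plan_json: str, org_id: str) -> dict[str, Any]:
    """Report the post-apply state of disablePublicMarketplace for one org.

    Keys: present  - a google_organization_policy for this constraint/org is in the plan
          enforced - True only if it survives apply with boolean_policy.enforced = true
          actions  - Terraform actions on that resource (create/update/no-op/delete)
          address  - the resource address, useful for the GR 12 evidence record
    """
    plan = json.loads(plan_json)
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "google_organization_policy":
            continue
        change = rc.get("change") or {}
        actions = change.get("actions") or []
        removed = actions == ["delete"]
        # On a delete there is no `after`; read `before` so the removal is still reported.
        state = (change.get("before") if removed else change.get("after")) or {}
        if state.get("constraint") != MARKETPLACE_CONSTRAINT or state.get("org_id") != org_id:
            continue
        enforced = not removed and any(
            block.get("enforced") is True for block in (state.get("boolean_policy") or [])
        )
        return {"present": True, "enforced": enforced, "actions": actions,
                "address": rc.get("address")}
    return {"present": False, "enforced": False, "actions": [], "address": None}


def check_plan(plan_json: str, org_id: str) -> bool:
    """True when the plan leaves the public marketplace disabled for org_id."""
    state = marketplace_policy_state(plan_json, org_id)
    return bool(state["present"] and state["enforced"])


if __name__ == "__main__":
    # Stand-alone demo over the constructed plans; in practice pass the output
    # of `terraform show -json tfplan` and the real organization id.
    for enforced in (True, False):
        print(enforced, marketplace_policy_state(build_sample_plan(enforced), "000000000000"))
```

Run it against each landing zone's plan before `apply` and keep the returned `address` and `actions` with the evidence package; the thread's observation that the flag still lets free marketplace services through is not something this check can see, since it only proves the constraint is set, not what the marketplace allows afterwards.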
PR ready for merge https://github.com/canada-ca/accelerators_accelerateurs-gcp/pull/60
Note - currently the flag has indeterminate effects on free MP services.
We currently show how a manually added user with reduced IAM permissions (non-Billing Account Administrator) cannot purchase Google services that will incur billing, to adhere to GR 12 evidence requirements. The remaining issue is working around the fact that we need the marketplace to be up so GCP services themselves can be enabled as needed. A full manual workaround would be to create a private marketplace.
This should be formalized in the repo readme manual instructions. References:
https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-security-controls.md#guardrails-evidence-package
https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-security-controls.md#12-configuration-of-cloud-marketplaces
https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-security-controls.md#marketplace-role-restricted