canada-ca / accelerators_accelerateurs-gcp

[GCP] Tools and templates to accelerate GC service delivery.
MIT License

GR 12: Implement private catalog for marketplace reduction for Evidence ATO acceptance #52

Closed fmichaelobrien closed 1 year ago

fmichaelobrien commented 1 year ago

We currently show how a manually added user with reduced IAM permissions (non-Billing Account Administrator) cannot purchase Google services that will incur billing, to adhere to GR 12 evidence requirements. The remaining issue is working around the fact that we need the marketplace to be up so GCP services themselves can be enabled as needed. A full manual workaround would be to create a private marketplace.

This should be formalized in the repo README manual instructions.

References:
https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-security-controls.md#guardrails-evidence-package
https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-security-controls.md#12-configuration-of-cloud-marketplaces
https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-security-controls.md#marketplace-role-restricted

fmichaelobrien commented 1 year ago

Chris has mentioned the trusted images policy - this will lock us down for at least IaaS marketplace workloads.

fmichaelobrien commented 1 year ago

constraints/commerceorggovernance.disablePublicMarketplace

Chris, you are excellent!!! - right there on page 1 - didn't see that - but time for an exhaustive run through the 87. This should fix GR 12 - will test installing Elasticsearch. Will go in both LZs, thanks for that.

obriensystems commented 1 year ago

disablePublicMarketplace currently has no effect - investigating. We can still deploy free marketplace services - like Elasticsearch - without a subscription. Need to update the GR 12 README to include the validation step of verifying that non-Billing Account Administrator role users cannot purchase free marketplace services - to pass validation. The current docs only mention paid services: https://github.com/canada-ca/accelerators_accelerateurs-gcp/blob/main/guardrail-details/12-market-place/marketplace.md#validation
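The validation step described above is a manual test (a non-Billing Account Administrator tries to deploy a Marketplace listing). The two inputs an evidence package would also want captured are whether the org policy is actually enforced and who holds Billing Account Administrator. The script below is an added example, not code from the accelerators_accelerateurs-gcp repo or from Google; it checks both from the JSON that `gcloud resource-manager org-policies describe ... --format=json` and `gcloud organizations get-iam-policy ... --format=json` emit. The two sample documents are constructed inline (the principals and etags are made up) so the check runs offline; the `allowed_admins` list is an assumed input the operator would supply from their own approved-roles record.

```python
"""GR 12 evidence pre-check (added example, not the project's own code).

Reads the JSON shapes produced by:
  gcloud resource-manager org-policies describe \
      constraints/commerceorggovernance.disablePublicMarketplace \
      --organization=<org-id> --format=json
  gcloud organizations get-iam-policy <org-id> --format=json
and reports (a) whether the public Marketplace constraint is enforced and
(b) which principals hold Billing Account Administrator (roles/billing.admin).
"""
import json

MARKETPLACE_CONSTRAINT = "constraints/commerceorggovernance.disablePublicMarketplace"
BILLING_ADMIN_ROLE = "roles/billing.admin"  # Billing Account Administrator

# Constructed sample: org policy with the boolean constraint enforced.
SAMPLE_ORG_POLICY = json.dumps({
    "booleanPolicy": {"enforced": True},
    "constraint": MARKETPLACE_CONSTRAINT,
    "etag": "BwXkSampleEtag1",
    "updateTime": "2022-11-23T01:38:00.000000Z",
})

# Constructed sample: the same constraint when no policy has been set.
# `describe` then returns the constraint name without a booleanPolicy block.
SAMPLE_ORG_POLICY_UNSET = json.dumps({"constraint": MARKETPLACE_CONSTRAINT})

# Constructed sample: organization IAM policy; principals are fictitious.
SAMPLE_IAM_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:org-admin@example.com"]},
        {"role": BILLING_ADMIN_ROLE,
         "members": ["user:finance@example.com", "group:gcp-billing@example.com"]},
        {"role": "roles/viewer",
         "members": ["user:dev@example.com"]},
    ],
    "etag": "BwXkSampleEtag2",
    "version": 1,
})


def marketplace_policy_enforced(org_policy_json):
    """True only if the describe output carries booleanPolicy.enforced == true.

    A missing booleanPolicy block (constraint never set) counts as not enforced.
    """
    policy = json.loads(org_policy_json)
    if policy.get("constraint") != MARKETPLACE_CONSTRAINT:
        raise ValueError("not a %s policy document" % MARKETPLACE_CONSTRAINT)
    return bool(policy.get("booleanPolicy", {}).get("enforced", False))


def billing_admins(iam_policy_json):
    """Sorted, de-duplicated principals bound to roles/billing.admin.

    Conditional bindings are included deliberately: for evidence purposes a
    principal who can become Billing Account Administrator under a condition
    still needs to be on the approved list.
    """
    policy = json.loads(iam_policy_json)
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == BILLING_ADMIN_ROLE:
            members.update(binding.get("members", []))
    return sorted(members)


def gr12_findings(org_policy_json, iam_policy_json, allowed_admins):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    if not marketplace_policy_enforced(org_policy_json):
        findings.append("%s is not enforced at the organization" % MARKETPLACE_CONSTRAINT)
    for member in billing_admins(iam_policy_json):
        if member not in allowed_admins:
            findings.append("unexpected %s holder: %s" % (BILLING_ADMIN_ROLE, member))
    return findings


if __name__ == "__main__":
    # Only user:finance@example.com is on the assumed approved list, so the
    # group binding is reported as a finding.
    for line in gr12_findings(SAMPLE_ORG_POLICY, SAMPLE_IAM_POLICY,
                              {"user:finance@example.com"}):
        print("FINDING:", line)
```

This only reads the organization-level IAM policy; Billing Account Administrator can also be granted directly on a billing account, so the same `billing_admins` function should be run over the output of `gcloud beta billing accounts get-iam-policy <account-id> --format=json` for each billing account in scope.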

obriensystems commented 1 year ago

testing

module "org-policy-mkt" {
  source  = "terraform-google-modules/org-policy/google"
  version = "~> 3.0.2"

  # Boolean org policy constraint that disables the public Marketplace,
  # set directly on the organization rather than on a folder or project.
  constraint      = "constraints/commerceorggovernance.disablePublicMarketplace"
  policy_type     = "boolean"
  organization_id = var.org_id
  enforce         = true
  policy_for      = "organization"
}
  # module.org-policy-mkt.google_organization_policy.org_policy_boolean[0] will be created
  + resource "google_organization_policy" "org_policy_boolean" {
      + constraint  = "constraints/commerceorggovernance.disablePublicMarketplace"
      + etag        = (known after apply)
      + id          = (known after apply)
      + org_id      = "22179561076"
      + update_time = (known after apply)
      + version     = (known after apply)

      + boolean_policy {
          + enforced = true
        }
    }

Plan: 1 to add, 1 to change, 0 to destroy.

obriensystems commented 1 year ago

apply

  # module.org-policy-mkt.google_organization_policy.org_policy_boolean[0] will be created
  + resource "google_organization_policy" "org_policy_boolean" {
      + constraint  = "constraints/commerceorggovernance.disablePublicMarketplace"
      + etag        = (known after apply)
      + id          = (known after apply)
      + org_id      = "22179561076"
      + update_time = (known after apply)
      + version     = (known after apply)

      + boolean_policy {
          + enforced = true
        }
    }

Plan: 1 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.org-policy-mkt.google_organization_policy.org_policy_boolean[0]: Creating...
module.org-policy.google_organization_policy.org_policy_list_allow_values[0]: Modifying... [id=22179561076/constraints/gcp.resourceLocations]
module.org-policy-mkt.google_organization_policy.org_policy_boolean[0]: Creation complete after 1s [id=22179561076/constraints/commerceorggovernance.disablePublicMarketplace]
module.org-policy.google_organization_policy.org_policy_list_allow_values[0]: Modifications complete after 1s [id=22179561076/constraints/gcp.resourceLocations]

Apply complete! Resources: 1 added, 1 changed, 0 destroyed.
root_@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (gr-bootstrap-sgz)$
[Screenshot attached: Screen Shot 2022-11-22 at 20 38 11]

obriensystems commented 1 year ago

PR ready for merge https://github.com/canada-ca/accelerators_accelerateurs-gcp/pull/60

obriensystems commented 1 year ago

Note - currently the flag has indeterminate effects on free MP services.