From 5a5c0574cdd5ad7637d9087fa3225f1ef99eeea5 Mon Sep 17 00:00:00 2001 From: Michael OBrien Date: Fri, 12 Apr 2024 22:42:01 -0400 Subject: [PATCH 1/3] #377 - initial architecture.md --- docs/architecture.md | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 docs/architecture.md diff --git a/docs/architecture.md b/docs/architecture.md new file mode 100644 index 00000000..6adea4ce --- /dev/null +++ b/docs/architecture.md @@ -0,0 +1,2 @@ +# Landing Zone Architecture + From bf3196450eb6eb2e1f6c83fdd8634b341a172c22 Mon Sep 17 00:00:00 2001 From: Michael O'Brien Date: Tue, 23 Apr 2024 14:18:03 -0700 Subject: [PATCH 2/3] #377 - architecture sync from wiki --- docs/architecture.md | 138 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 137 insertions(+), 1 deletion(-) diff --git a/docs/architecture.md b/docs/architecture.md index 6adea4ce..57d349b2 100644 --- a/docs/architecture.md +++ b/docs/architecture.md 
@@ -1,2 +1,138 @@ -# Landing Zone Architecture +# Architecture +Tracking Issue [377](https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/377) +The Public Sector Secure PBMM Landing Zone is a collection of modules that is a copy of the Security Foundations Blueprint - Terraform Example Foundation that together deploys a configurable set of production, non-production and development Shared VPCs around 1 or more business units. +- https://cloud.google.com/architecture/security-foundations/printable +- https://github.com/terraform-google-modules/terraform-example-foundation + +## Design Considerations +### Hub and Spoke +We are moving with the Hub and Spoke model with network appliances. See the following architectural review page https://cloud.google.com/architecture/landing-zones/decide-network-design#option-2, also see the TEF architecture page on [3-networks-hub-and-spoke](https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/tree/main/3-networks-hub-and-spoke) via https://cloud.google.com/architecture/security-foundations/printable#hub-spoke-network-topology +See the GoC direction document for profile 1-6 https://wiki.gccollab.ca/images/7/75/GC_Cloud_Connection_Patterns.pdf - page 18/19 or https://wiki.gccollab.ca/images/9/9d/Network_Security_Zoning_Reference_Architecture.pdf +See also https://cloud.google.com/architecture/configure-networks-fedramp-dod-google-cloud + + +## Inventory +see https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/wiki/Asset-Inventory + +## Dependencies + +## Micro-segmentation +There are two classifications in the LZ - restricted and base. +There are three environments - development, non-production, production. 
+There are two networking models - dual svpc (isolated environments) or hub-and-spoke (shared environments through NVA vms in the hub) + + + +## High Level Diagram - Default 3-networks-hub-and-spoke + +This diagram is [3-netoworks-hub-and-spoke](https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/tree/main/3-networks-hub-and-spoke) centered - not [3-dual-svpc](https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/tree/main/3-networks-dual-svpc) +At this point we will manage east-west traffic through the ngfw in the hub. + +### Architecture example around hub-spoke pattern +Options set are +- CSR and Cloud Build +- default 0-bootstrap +- default 1-org +- default 2-environments +- specific 3-networks-hub-and-spoke +- default 4-projects +### High Level Diagram - Development environment only +Screenshot 2024-04-17 at 12 15 17 + + +### High Level Diagram - All dev/nonprod/prod environments + +## Low Level Diagram - Default + + +follow +``` +serviceusage.Service,559 +compute.Route,141 +iam.ServiceAccount,108 +logging.LogSink,78 +logging.LogBucket,75 +cloudbilling.ProjectBillingInfo,51 +cloudresourcemanager.Project,51 +compute.Project,49 +compute.Subnetwork,39 +compute.Address,38 +dns.ManagedZone,33 +storage.Bucket,29 +orgpolicy.Policy,19 +cloudbuild.BuildTrigger,15 +compute.FirewallPolicy,15 +compute.Network,14 +compute.Router,12 +cloudresourcemanager.Folder,11 +dns.Policy,10 +compute.ForwardingRule,8 +iam.ServiceAccountKey,8 +servicedirectory.Endpoint,8 +servicedirectory.Namespace,8 +servicedirectory.Service,8 +identity.ServicePerimeter,7 +cloudkms.CryptoKey,6 +cloudkms.CryptoKeyVersion,6 +cloudkms.KeyRing,6 +cloudresourcemanager.TagValue,4 +identity.AccessLevel,4 +artifactregistry.DockerImage,3 +pubsub.Subscription,3 +pubsub.Topic,3 +artifactregistry.Repository,2 +bigquery.Dataset,2 +bigquery.Table,1 +cloudbilling.BillingAccount,1 +cloudbuild.WorkerPool,1 +cloudfunctions.Function,1 +cloudresourcemanager.Organization,1 +cloudresourcemanager.TagKey,1 
+compute.Firewall,1 +eventarc.Trigger,1 +identity.AccessPolicy,1 +run.Revision,1 +run.Service,1 +workflows.Workflow,1 +``` + +## Architecture Extensions and Customization + + +## Repositories Structure +- CFT provides modules as copies to terraform-google-modules +- terraform-example-foundation references terraform-google-modules +- terraform executable references google-provider + +```mermaid +graph LR; + style Repos V3 fill:#44f,stroke:#f66,stroke-width:2px,color:#fff,stroke-dasharray: 5 5 + %% mapped and documented + cloud-foundation-toolkit-->terraform-google-modules + terraform-example-foundation-->terraform-google-modules + pbmm-on-gcp-onboarding-->terraform-example-foundation + terraform-->google-provider + +``` +[mermaid - diagrams as code](https://mermaid-js.github.io/mermaid/#/flowchart?id=graph) + + +### Fortinet NGFW +- https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/389 + +### Google Cloud NGFW +- https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/396 +- Video on Google NGFW from Ryan https://www.youtube.com/watch?v=OCqnf2E6zn0 +- https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-firewall-plus-with-intrusion-prevention + +### Repos of Interest +- https://github.com/terraform-google-modules/terraform-google-network/tree/master/modules/network-firewall-policy +- https://github.com/hashicorp/terraform-provider-google/issues/17030 + +## Landing Zone Documentation +- TEF V1 - https://cloud.google.com/blog/products/devops-sre/using-the-cloud-foundation-toolkit-with-terraform + +## Links +- https://www.theregister.com/2024/01/12/first_asiapacific_to_south_america/ +- https://cloud.google.com/architecture/best-practices-vpc-design#connecting_multiple_networks From fc4b948bb1f00164d3ff84decb30210dbaeba2d8 Mon Sep 17 00:00:00 2001 
From: Michael O'Brien Date: Sat, 27 Apr 2024 21:25:24 -0400 Subject: [PATCH 3/3] #399 - Update root README.md for ADO --- README.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 14efe5ba..cf679c94 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# terraform-example-foundation +# terraform-example-foundation - Canadian Public Sector - PBMM Fork This example repository shows how the CFT Terraform modules can build a secure Google Cloud foundation, following the [Google Cloud security foundations guide](https://cloud.google.com/architecture/security-foundations). The supplied structure and code is intended to form a starting point for building your own foundation with pragmatic defaults that you can customize to meet your own requirements. Currently, the step 0 is manually executed. @@ -29,6 +29,11 @@ The bootstrap step includes: - A Compute Engine instance configured as a Jenkins Agent - Custom service account to run Compute Engine instances for Jenkins Agents - VPN connection with on-prem (or wherever your Jenkins Controller is located) + - If using Azure DevOps, the following items: + - Azure Devops source repositories + - Azure Devops pipelines with default azure or local agents + - Azure Container Registry repository and pipeline - https://azure.microsoft.com/en-ca/products/container-registry + - (Optional default is a DockerHub prebuilt image under https://hub.docker.com/repository/docker/obrienlabs/terraform-example-foundation-ado/tags ) It is a best practice to separate concerns by having two projects here: one for the Terraform state and one for the CI/CD tool. - The `prj-b-seed` project stores Terraform state and has the service accounts that can create or modify infrastructure.
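Review bot: on PATCH 1/3, hunk `@@ -0,0 +1,2 @@` of docs/architecture.md, the whole content (`+# Landing Zone Architecture` plus a blank line) is rewritten by the next patch in the series, which retitles the file to `# Architecture`; either squash 1/3 into 2/3 so the history does not carry an empty stub, or keep the original heading, since "Landing Zone Architecture" is the more descriptive of the two. The author identity also differs between the two patches (`Michael OBrien` in 1/3, `Michael O'Brien` in 2/3 and 3/3); a .mailmap entry would keep the history attributed to one identity.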
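Review bot: on PATCH 2/3, hunk `@@ -1,2 +1,138 @@` of docs/architecture.md, the fenced block of `type,count` pairs under "Low Level Diagram - Default" is introduced only by the dangling word `follow` and carries no column names, source or date, so a reader cannot tell what it is; label it as an asset-inventory snapshot (the Inventory section already links the wiki Asset-Inventory page), name the columns and date it. Two entries in that list need a sentence of justification in a PBMM landing zone document: `iam.ServiceAccountKey,8` (user-managed service account keys are long-lived bearer credentials; state which accounts they belong to, why they are needed and how they are rotated, or mark them for removal) and `compute.Firewall,1` next to `compute.FirewallPolicy,15` (say whether the single legacy VPC firewall rule is intentional now that east-west traffic is described as going through the NGFW in the hub). Smaller points: `3-netoworks-hub-and-spoke` in the link text is a typo; `Screenshot 2024-04-17 at 12 15 17` is image alt text with no image reference and renders as a stray line; `## Dependencies`, `## Architecture Extensions and Customization` and `### High Level Diagram - All dev/nonprod/prod environments` are empty headings that should carry a TODO or be dropped until there is content; and in the mermaid block, `style Repos V3 fill:...` styles a node `Repos V3` that is never declared and contains a space, so the diagram will most likely fail to render; declare the node or delete the style line.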
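Review bot: on PATCH 3/3, hunk `@@ -1,4 +1,4 @@` of README.md, the retitled heading `# terraform-example-foundation - Canadian Public Sector - PBMM Fork` is no longer matched by the paragraph beneath it, which still introduces the repository as the generic CFT example; add one sentence under the heading naming the upstream repository and what this fork changes (the PBMM and hub-and-spoke defaults), so readers know which instructions apply upstream and which apply here. Minor: the hyphen-separated title fragments read awkwardly; `# terraform-example-foundation (Canadian Public Sector PBMM fork)` is clearer.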
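Review bot: on PATCH 3/3, hunk `@@ -29,6 +29,11 @@` of README.md, the last added bullet, `(Optional default is a DockerHub prebuilt image under https://hub.docker.com/repository/docker/obrienlabs/terraform-example-foundation-ado/tags )`, makes a personal Docker Hub image pulled by mutable tag the default execution environment for the bootstrap pipeline, which is a supply-chain dependency a PBMM landing zone README should state explicitly: reference the Dockerfile the image is built from, present the Azure Container Registry build in the preceding bullet as the recommended default with the Docker Hub image as a fallback, and tell readers to pin the image by digest rather than by tag. The link is also the owner's management URL (`hub.docker.com/repository/docker/...`), which requires a login; the public form would be `hub.docker.com/r/obrienlabs/terraform-example-foundation-ado`. Wording: `Azure Devops` should be `Azure DevOps` in both bullets, `default azure or local agents` should use Microsoft's terms (Microsoft-hosted or self-hosted agents), and the parenthetical fragment should become a full bullet, e.g. `- Optional: a prebuilt image on Docker Hub in place of the ACR build`.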