Skip to content

GoogleCloudPlatform/assured-workloads-terraform

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

About

Assured Workloads provides Google Cloud users with the ability to apply controls to a folder in support of regulatory, regional, or sovereign requirements. Assured Workloads provides control packages to support the creation of compliant boundaries in Google Cloud. A control package is a set of controls that, when combined together, supports the regulatory baseline for a compliance statute or regulation. These controls include mechanisms to enforce data residency, data sovereignty, personnel access, and more.

Control packages are organized into control package families according to the type of controls they provide:

  1. Regional controls provide data residency with optional personnel controls and regional support.

  2. Sovereign controls provide data residency, personnel controls, regional support, and enhanced controls for data sovereignty such as Cloud External Key Manager (Cloud EKM), Cloud HSM, and Key Access Justifications. Additional partner-managed control packages are available through Sovereign Controls by Partners.

  3. Regulatory controls provide certified controls tailored to meet specific regulatory and compliance statute requirements.

  4. This page provides more information about each control package and control package available in Assured Workloads, which are available in two pricing tiers: Free and Premium. See Assured Workloads pricing for more information about these tiers.

Before proceeding, it is important to understand that Assured Workloads is comprised of two tiers: Free and Premium. More information is available on the Assured Worklods pricing page

Prerequisites

To create an Assured Workloads folder, you must be granted the Assured Workloads Administrator (roles/assuredworkloads.admin) role, which contains the minimum IAM permissions to create and manage Assured Workloads folders.

To launch a Premium Platform Control, you must Enable Access Transparency

Recommendations

Many Google Cloud services send out notifications to share important information with Google Cloud users. With Essential Contacts, you can customize who receives notifications by providing your own list of contacts. This is important because different individuals and teams within your organization care about different types of notifications. To reduce the impact of personnel changes, we recommend adding groups as contacts, then managing the membership of those groups to determine who receives notifications. This practice helps ensure that notifications always go to active employees.

  1. Enable the Essential Contacts API
  2. Visit the Essential Contacts page
  3. Ensure the Google Cloud Organization is selected
  4. Add an Essential Contact for Legal

We recommend adding three Contacts for the Legal category: representatives from your Legal, Compliance, and Security departments. This group will receive notifications of compliance violations, so this will ensure that Legal and Compliance remain informed, and acts as an immediate notification to Security for remediation actions. We also recommend that you enact a plan of action for addressing these alerts.

Tips

We also strongly recommend that you do not nest an Assured Workloads folder within another Assured Workloads folder - even if they are the same compliance framework - as this will cause errors. You can, however, nest Assured Workloads folders and non-Assured Workloads folders with each other.

Walkthrough

  1. Download source

    git clone https://github.com/GoogleCloudPlatform/assured-workloads-terraform.git
    cd assured-workloads-terraform
  2. Configure gcloud

    gcloud auth login
    gcloud auth application-default login
    gcloud config set project [project name]
  3. Configure environment per requirements in [variables.tf(https://github.com/googlestaging/assured-workloads-terraform/blob/main/variables.tf)

    Variable Description Default Need update?
    organization_ID Google Cloud Organization ID <> Yes
    billing_account Google Cloud Billing Account <> Yes
    dependency_project_id Project ID to create a new Project <> Yes
    compliance_regime Assured Workloads Control Package <> Yes
    sovereignty Required for Sovereign Control Packages Only <> Optional
    display_name Display Name for the Assured Workloads Folder <> Yes
    location Location for the Assured Workloads Folder and underlying resoureces <> Yes

    Save changes in the variables.tf file

     terraform init
     terraform plan
     terraform apply

    Validate: Terraform finishes successfully.

    terraform apply
    Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages