project, vpc, subnet, nat, dnslogging

GoogleCloudPlatform · Jan 25, 2023 · a4a1cab · a4a1cab
1 parent 090908a
commit a4a1cab
Show file tree

Hide file tree

Showing 12 changed files with 467 additions and 0 deletions.
diff --git a/solutions/perimeter/Kptfile b/solutions/perimeter/Kptfile
@@ -0,0 +1,12 @@
+apiVersion: kpt.dev/v1
+kind: Kptfile
+metadata:
+  name: project-perimeter
+  annotations:
+    config.kubernetes.io/local-config: "true"
+info:
+  description: "A perimeter project that implements the Hub from the Hub and Spoke network design. \nThis package should NOT be deployed within a sandbox landing zone.\n"
+pipeline:
+  mutators:
+    - image: gcr.io/kpt-fn/apply-setters:v0.2
+      configPath: setters.yaml
diff --git a/solutions/perimeter/README.md b/solutions/perimeter/README.md
@@ -0,0 +1,6 @@
+<!-- BEGINNING OF PRE-COMMIT-BLUEPRINT DOCS HOOK:TITLE -->
+
+<!-- END OF PRE-COMMIT-BLUEPRINT DOCS HOOK:TITLE -->
+<!-- BEGINNING OF PRE-COMMIT-BLUEPRINT DOCS HOOK:BODY -->
+
+<!-- END OF PRE-COMMIT-BLUEPRINT DOCS HOOK:BODY -->
diff --git a/solutions/perimeter/network/dns.yaml b/solutions/perimeter/network/dns.yaml
@@ -0,0 +1,81 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Enable DNS logging on External VPC
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSPolicy
+metadata:
+  name: project-id-external-logging-dnspolicy # kpt-set: ${project-id}-external-logging-dnspolicy
+  namespace: networking
+  annotations:
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
+    config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/networking/ComputeNetwork/project-id-global-external-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/networking/ComputeNetwork/${project-id}-global-external-vpc
+spec:
+  resourceID: external-logging-dnspolicy
+  description: "DNS policy to enable logging on External VPC"
+  enableLogging: true
+  networks:
+    - networkRef:
+        name: project-id-global-external-vpc # kpt-set: ${project-id}-global-external-vpc
+---
+# Enable DNS logging on Internal VPC
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSPolicy
+metadata:
+  name: project-id-internal-logging-dnspolicy # kpt-set: ${project-id}-internal-logging-dnspolicy
+  namespace: networking
+  annotations:
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
+    config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/networking/ComputeNetwork/project-id-global-internal-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/networking/ComputeNetwork/${project-id}-global-internal-vpc
+spec:
+  resourceID: internal-logging-dnspolicy
+  description: "DNS policy to enable logging on Internal VPC"
+  enableLogging: true
+  networks:
+    - networkRef:
+        name: project-id-global-internal-vpc # kpt-set: ${project-id}-global-internal-vpc
+---
+# Enable DNS logging on Management VPC
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSPolicy
+metadata:
+  name: project-id-mgmt-logging-dnspolicy # kpt-set: ${project-id}-mgmt-logging-dnspolicy
+  namespace: networking
+  annotations:
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
+    config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/networking/ComputeNetwork/project-id-global-mgmt-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/networking/ComputeNetwork/${project-id}-global-mgmt-vpc
+spec:
+  resourceID: mgmt-logging-dnspolicy
+  description: "DNS policy to enable logging on Management VPC"
+  enableLogging: true
+  networks:
+    - networkRef:
+        name: project-id-global-mgmt-vpc # kpt-set: ${project-id}-global-mgmt-vpc
+---
+# Enable DNS logging on Transit VPC
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSPolicy
+metadata:
+  name: project-id-transit-logging-dnspolicy # kpt-set: ${project-id}-transit-logging-dnspolicy
+  namespace: networking
+  annotations:
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
+    config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/networking/ComputeNetwork/project-id-global-transit-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/networking/ComputeNetwork/${project-id}-global-transit-vpc
+spec:
+  resourceID: transit-logging-dnspolicy
+  description: "DNS policy to enable logging on Transit VPC"
+  enableLogging: true
+  networks:
+    - networkRef:
+        name: project-id-global-transit-vpc # kpt-set: ${project-id}-global-transit-vpc
diff --git a/solutions/perimeter/network/nat.yaml b/solutions/perimeter/network/nat.yaml
@@ -0,0 +1,46 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Cloud NAT northamerica-northeast1
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeRouterNAT
+metadata:
+  name: project-id-nane1-external-nat # kpt-set: ${project-id}-nane1-external-nat
+  namespace: networking
+  annotations:
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
+    config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/networking/ComputeRouter/project-id-nane1-external-router # kpt-set: compute.cnrm.cloud.google.com/namespaces/networking/ComputeRouter/${project-id}-nane1-external-router
+spec:
+  resourceID: nane1-external-nat
+  natIpAllocateOption: AUTO_ONLY
+  region: northamerica-northeast1
+  routerRef:
+    name: project-id-nane1-external-router # kpt-set: ${project-id}-nane1-external-router
+  sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES
+---
+# Cloud Router northamerica-northeast1
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeRouter
+metadata:
+  name: project-id-nane1-external-router # kpt-set: ${project-id}-nane1-external-router
+  namespace: networking
+  annotations:
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
+    config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/networking/ComputeNetwork/project-id-global-external-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/networking/ComputeNetwork/${project-id}-global-external-vpc
+spec:
+  resourceID: nane1-external-router
+  description: northamerica-northeast1 External VPC router
+  networkRef:
+    name: project-id-global-external-vpc # kpt-set: ${project-id}-global-external-vpc
+  region: northamerica-northeast1
diff --git a/solutions/perimeter/network/route.yaml b/solutions/perimeter/network/route.yaml
@@ -0,0 +1,35 @@
+# # Copyright 2020 Google LLC
+# #
+# # Licensed under the Apache License, Version 2.0 (the "License");
+# # you may not use this file except in compliance with the License.
+# # You may obtain a copy of the License at
+# #
+# #     http://www.apache.org/licenses/LICENSE-2.0
+# #
+# # Unless required by applicable law or agreed to in writing, software
+# # distributed under the License is distributed on an "AS IS" BASIS,
+# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# # See the License for the specific language governing permissions and
+# # limitations under the License.
+
+# # A Route to the internet that requires that the resources attached to the network
+# # specify it's tag to access the internet
+# # SC-7(5) BOUNDARY PROTECTION | DENY BY DEFAULT / ALLOW BY EXCEPTION
+# apiVersion: compute.cnrm.cloud.google.com/v1beta1
+# kind: ComputeRoute
+# metadata:
+#   name: project-id-internet-egress-route # kpt-set: ${project-id}-internet-egress-route
+#   namespace: networking
+#   annotations:
+#     cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
+#     config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/networking/ComputeNetwork/project-id-global-vpc1-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/networking/ComputeNetwork/${project-id}-global-vpc1-vpc
+# spec:
+#   resourceID: internet-egress-route
+#   description: "route to the internet"
+#   destRange: 0.0.0.0/0
+#   networkRef:
+#     name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc
+#   priority: 100
+#   nextHopGateway: default-internet-gateway
+#   tags:
+#     - internet-egress-route
diff --git a/solutions/perimeter/network/subnet.yaml b/solutions/perimeter/network/subnet.yaml
@@ -0,0 +1,110 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################
+# All subnets have :
+# - logging enabled for flow logs https://cloud.google.com/vpc/docs/using-flow-logs
+# - private google access enabled https://cloud.google.com/vpc/docs/private-google-access
+##################################
+# VPC External - Subnet PAZ northamerica-northeast1
+# SC-7 BOUNDARY PROTECTION
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeSubnetwork
+metadata:
+  name: project-id-nane1-external-paz-snet # kpt-set: ${project-id}-nane1-external-paz-snet
+  namespace: networking
+  annotations:
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
+    config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/networking/ComputeNetwork/project-id-global-external-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/networking/ComputeNetwork/${project-id}-global-external-vpc
+spec:
+  resourceID: nane1-external-paz-snet
+  ipCidrRange: 172.31.200.0/24
+  region: northamerica-northeast1
+  description: northamerica-northeast1 PAZ subnet
+  privateIpGoogleAccess: true
+  networkRef:
+    name: project-id-global-external-vpc # kpt-set: ${project-id}-global-external-vpc
+  logConfig:
+    aggregationInterval: INTERVAL_5_SEC
+    flowSampling: 0.5
+    metadata: INCLUDE_ALL_METADATA
+---
+# VPC Internal - Subnet PAZ northamerica-northeast1
+# SC-7 BOUNDARY PROTECTION
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeSubnetwork
+metadata:
+  name: project-id-nane1-internal-paz-snet # kpt-set: ${project-id}-nane1-internal-paz-snet
+  namespace: networking
+  annotations:
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
+    config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/networking/ComputeNetwork/project-id-global-internal-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/networking/ComputeNetwork/${project-id}-global-internal-vpc
+spec:
+  resourceID: nane1-internal-paz-snet
+  ipCidrRange: 172.31.201.0/24
+  region: northamerica-northeast1
+  description: northamerica-northeast1 PAZ subnet
+  privateIpGoogleAccess: true
+  networkRef:
+    name: project-id-global-internal-vpc # kpt-set: ${project-id}-global-internal-vpc
+  logConfig:
+    aggregationInterval: INTERVAL_5_SEC
+    flowSampling: 0.5
+    metadata: INCLUDE_ALL_METADATA
+---
+# VPC Management - Subnet RZ northamerica-northeast1
+# SC-7 BOUNDARY PROTECTION
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeSubnetwork
+metadata:
+  name: project-id-nane1-mgmt-rz-snet # kpt-set: ${project-id}-nane1-mgmt-rz-snet
+  namespace: networking
+  annotations:
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
+    config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/networking/ComputeNetwork/project-id-global-mgmt-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/networking/ComputeNetwork/${project-id}-global-mgmt-vpc
+spec:
+  resourceID: nane1-mgmt-rz-snet
+  ipCidrRange: 172.31.202.0/24
+  region: northamerica-northeast1
+  description: northamerica-northeast1 RZ subnet
+  privateIpGoogleAccess: true
+  networkRef:
+    name: project-id-global-mgmt-vpc # kpt-set: ${project-id}-global-mgmt-vpc
+  logConfig:
+    aggregationInterval: INTERVAL_5_SEC
+    flowSampling: 0.5
+    metadata: INCLUDE_ALL_METADATA
+---
+# VPC Transit - Subnet PAZ northamerica-northeast1
+# SC-7 BOUNDARY PROTECTION
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeSubnetwork
+metadata:
+  name: project-id-nane1-transit-paz-snet # kpt-set: ${project-id}-nane1-transit-paz-snet
+  namespace: networking
+  annotations:
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
+    config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/networking/ComputeNetwork/project-id-global-transit-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/networking/ComputeNetwork/${project-id}-global-transit-vpc
+spec:
+  resourceID: nane1-transit-paz-snet
+  ipCidrRange: 172.31.203.0/24
+  region: northamerica-northeast1
+  description: northamerica-northeast1 PAZ subnet
+  privateIpGoogleAccess: true
+  networkRef:
+    name: project-id-global-transit-vpc # kpt-set: ${project-id}-global-transit-vpc
+  logConfig:
+    aggregationInterval: INTERVAL_5_SEC
+    flowSampling: 0.5
+    metadata: INCLUDE_ALL_METADATA
diff --git a/solutions/perimeter/network/vpc.yaml b/solutions/perimeter/network/vpc.yaml
@@ -0,0 +1,77 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# VPC - External
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeNetwork
+metadata:
+  name: project-id-global-external-vpc # kpt-set: ${project-id}-global-external-vpc
+  namespace: networking
+  annotations:
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
+    config.kubernetes.io/depends-on: serviceusage.cnrm.cloud.google.com/namespaces/projects/Service/project-id-compute # kpt-set: serviceusage.cnrm.cloud.google.com/namespaces/projects/Service/${project-id}-compute
+spec:
+  resourceID: global-external-vpc
+  description: External VPC
+  routingMode: GLOBAL
+  autoCreateSubnetworks: false # SC-7
+  deleteDefaultRoutesOnCreate: true # AC-4, SC-7(5)
+---
+# VPC - Internal
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeNetwork
+metadata:
+  name: project-id-global-internal-vpc # kpt-set: ${project-id}-global-internal-vpc
+  namespace: networking
+  annotations:
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
+    config.kubernetes.io/depends-on: serviceusage.cnrm.cloud.google.com/namespaces/projects/Service/project-id-compute # kpt-set: serviceusage.cnrm.cloud.google.com/namespaces/projects/Service/${project-id}-compute
+spec:
+  resourceID: global-internal-vpc
+  description: Internal VPC
+  routingMode: GLOBAL
+  autoCreateSubnetworks: false # SC-7
+  deleteDefaultRoutesOnCreate: true # AC-4, SC-7(5)
+---
+# VPC - Management
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeNetwork
+metadata:
+  name: project-id-global-mgmt-vpc # kpt-set: ${project-id}-global-mgmt-vpc
+  namespace: networking
+  annotations:
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
+    config.kubernetes.io/depends-on: serviceusage.cnrm.cloud.google.com/namespaces/projects/Service/project-id-compute # kpt-set: serviceusage.cnrm.cloud.google.com/namespaces/projects/Service/${project-id}-compute
+spec:
+  resourceID: global-mgmt-vpc
+  description: Management VPC
+  routingMode: GLOBAL
+  autoCreateSubnetworks: false # SC-7
+  deleteDefaultRoutesOnCreate: true # AC-4, SC-7(5)
+---
+# VPC - Transit
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeNetwork
+metadata:
+  name: project-id-global-transit-vpc # kpt-set: ${project-id}-global-transit-vpc
+  namespace: networking
+  annotations:
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
+    config.kubernetes.io/depends-on: serviceusage.cnrm.cloud.google.com/namespaces/projects/Service/project-id-compute # kpt-set: serviceusage.cnrm.cloud.google.com/namespaces/projects/Service/${project-id}-compute
+spec:
+  resourceID: global-transit-vpc
+  description: Transit VPC
+  routingMode: GLOBAL
+  autoCreateSubnetworks: false # SC-7
+  deleteDefaultRoutesOnCreate: true # AC-4, SC-7(5)
diff --git a/solutions/perimeter/project-iam.yaml b/solutions/perimeter/project-iam.yaml
@@ -0,0 +1 @@
+TODO: