diff --git a/solutions/experimentation/admin-folder/setters.yaml b/solutions/experimentation/admin-folder/setters.yaml
index 0ec008c97..08c0edb3d 100644
--- a/solutions/experimentation/admin-folder/setters.yaml
+++ b/solutions/experimentation/admin-folder/setters.yaml
@@ -24,8 +24,10 @@ data:
 ##########################
 #
 # Name for the Admin, lowercase only
+ # customization: required
 admin-name: 'admin1'
 # Group or User to grant permission on admin folder
+ # customization: required
 admin-owner: 'user:admin1@example.com'
 #
 ##########################
diff --git a/solutions/experimentation/client-landing-zone/setters.yaml b/solutions/experimentation/client-landing-zone/setters.yaml
index 72b167bf0..9d54dd667 100644
--- a/solutions/experimentation/client-landing-zone/setters.yaml
+++ b/solutions/experimentation/client-landing-zone/setters.yaml
@@ -39,8 +39,11 @@ data:
 ##########################
 #
 # Name for the client, lowercase only
+ # customization: required
 client-name: 'client1'
+ #
 # group to grant viewer permission on client folder
+ # customization: required
 client-folderviewer: 'group:client1@example.com'
 #
 ##########################
@@ -48,14 +51,19 @@ data:
 ##########################
 #
 # logging project id created in core-landing-zone
+ # customization: required
 logging-project-id: logging-project-12345
 #
 # LoggingLogBucket retention settings
 # Set the number of days to retain logs in Cloud Logging buckets
 # Set the lock mechanism on the bucket to: true or false
 # After a retention policy is locked (true), you can't delete the bucket until every log in the bucket has fulfilled the bucket's retention period
- # The values below must be modified to locked: true and retentionDays: 365 in a Production setting to implement above mentioned security controls.
+ # The values below must be modified to retention-locking-policy: true in a Production setting to implement above mentioned security controls.
+ # customization: required
 retention-locking-policy: "false"
+ #
+ # The values below must be modified to retention-in-days: 365 in a Production setting to implement above mentioned security controls.
+ # customization: required
 retention-in-days: "1"
 #
 ##########################
diff --git a/solutions/experimentation/client-project/setters.yaml b/solutions/experimentation/client-project/setters.yaml
index 9fe74c52d..8fae72338 100644
--- a/solutions/experimentation/client-project/setters.yaml
+++ b/solutions/experimentation/client-project/setters.yaml
@@ -39,12 +39,16 @@ data:
 ##########################
 #
 # Billing Account ID to be associated with this project
+ # customization: required
 project-billing-id: "AAAAAA-BBBBBB-CCCCCC"
 # GCP folder to use as parent to this project, lowercase K8S resource name
+ # customization: required
 project-parent-folder: project-parent-folder
 # user, group or serviceAccount with editor role at project level
+ # customization: required
 project-editor: "group:team1@example.com"
 # project id for the client project to be created, following rules and conventions
+ # customization: required
 project-id: xxemu-team1-projectname
 #
 ##########################
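Review bot: The two rewritten comments above `retention-locking-policy` and `retention-in-days` show the production values unquoted (`true`, `365`) while the setter values on the lines that follow are quoted strings (`"false"`, `"1"`), so an operator who follows the comment literally also changes the scalar type; whether the consuming tool tolerates that cannot be told from this hunk, so the comments should show the form the file already uses: `# The values below must be modified to retention-locking-policy: "true" in a Production setting ...` and `# ... retention-in-days: "365" ...`. The phrase "above mentioned security controls" is now repeated in both comments although the controls are only explained once, above the first key; a single sentence naming them (locking prevents deletion of the bucket until every log has aged out, 365 days is the required retention) placed above both keys would read more clearly.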
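Review bot: The comment above `project-id` says `following rules and conventions` without naming them, which leaves the operator guessing what the placeholder `xxemu-team1-projectname` has to be replaced with; the same phrase is added above `logging-project-id` in core-landing-zone/setters.yaml. Suggest spelling the constraint out: `# project id for the client project to be created; must be a valid GCP project ID (6-30 chars, lowercase letters, digits and hyphens, starting with a letter) and follow your organization's naming convention`. If the `xxemu-` prefix is itself part of a convention, the comment should say what it stands for.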
diff --git a/solutions/experimentation/core-landing-zone/setters.yaml b/solutions/experimentation/core-landing-zone/setters.yaml
index 7f137f484..68ee890cf 100644
--- a/solutions/experimentation/core-landing-zone/setters.yaml
+++ b/solutions/experimentation/core-landing-zone/setters.yaml
@@ -38,18 +38,30 @@ data:
 # General Settings Values
 ##########################
 #
+ # Use the same Google Cloud Organization ID that was used during the bootstrap procedure
+ # customization: required
 org-id: "0000000000"
+ # root folder to which the Landing Zone will be deployed into. This folder is created during the bootstrap procedure
+ # customization: required
 lz-folder-id: '0000000000'
+ # core-landing-zone billing id
+ # customization: required
 billing-id: "AAAAAA-BBBBBB-CCCCCC"
 #
 ##########################
 # Management Project
 ##########################
 #
- # This is the project where the config controller instance is running
- # Values can be viewed in the Project Dashboard
+ # The management project is where the Landing Zone config controller instance is running, created during the bootstrap procedure.
+ # The $PROJECT_ID (management-project-id) is defined during Initial Organization Configuration (https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/docs/landing-zone-v2/README.md#initial-organization-configuration)
+ # customization: required
 management-project-id: management-project-12345
+ # The management-project-number can be obtained from the Dashboard via https://console.cloud.google.com/home/dashboard?project=$PROJECT_ID
+ # Alternatively, obtain the management-project-number from gcloud: gcloud projects list --filter="${PROJECT_ID}" '--format=value(PROJECT_NUMBER)'
+ # customization: required
 management-project-number: "0000000000"
+ # kubernetes namespace set to the default, config-control.
+ # customization: Do not change this value.
 management-namespace: config-control
 #
 ##########################
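Review bot: The added gcloud hint for `management-project-number` uses `--filter="${PROJECT_ID}"`, a bare filter term that is matched against every listed field, so it can return more than one row when another project's id or name contains the same string and the operator may copy the wrong number into a value that the rest of the landing zone trusts. `gcloud projects describe "${PROJECT_ID}" --format='value(projectNumber)'` returns exactly that project's number without depending on list filtering, and the comment should reference it instead. The same comment block mixes `$PROJECT_ID` and `${PROJECT_ID}`; using one spelling would make it clearer that both refer to `management-project-id`.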
@@ -60,20 +72,31 @@ data:
 #
 # a list of allowed essential contact domains, see YAML file for more info:
 # org/org-policies/essentialcontacts-allowed-contact-domains.yaml
- # this setting MUST be changed
+ # customization: this setting MUST be changed to a domain in which you choose to allow to receive notifications from Google.
 allowed-contact-domains: |
 - "@example.com"
 #
 # a list of directory customer IDs from which users can be added to IAM policies, see YAML file for more info:
 # org/org-policies/iam-allowed-policy-member-domains.yaml
- # this setting MUST be changed to include the GCP org's directory ID and any other directory containing users that will need IAM roles assigned
+ # run 'gcloud organizations list' as described in https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#retrieving_customer_id
+ # customization: # this setting MUST be changed to include the GCP org's directory customer ID and any other directory containing users that will need IAM roles assigned
 allowed-policy-domain-members: |
 - "DIRECTORY_CUSTOMER_ID"
 #
+ # a list of IP addresses that should be allowed to be VPN peers to the VPCs in the organization
+ # by default, all IP's are denied. see YAML file for more info: org/org-policies/compute-restrict-vpn-peer-ips.yaml
+ # If you need to allow/deny specific values, update org/org-policies/compute-restrict-vpn-peer-ips.yaml and set the below variable accordingly
+ # ResourceManagerPolicy schema: https://cloud.google.com/config-connector/docs/reference/resource-docs/resourcemanager/resourcemanagerpolicy#schema
+ # allowed-vpn-peering-ips: |
+ # - string
+ #
 ##########################
 # Logging
 ##########################
 #
+ # Core landing Zone logging project, used by the logging packages
+ # project id for the logging project to be created, following rules and conventions
+ # customization: required
 logging-project-id: logging-project-12345
 #
 # Storage buckets
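Review bot: The added `# customization: # this setting MUST be changed ...` line above `allowed-policy-domain-members` carries a stray second `#` that no other `customization:` tag in this commit has; drop it so the tags stay uniform and greppable: `# customization: this setting MUST be changed to include the GCP org's directory customer ID and any other directory containing users that will need IAM roles assigned`. The new VPN-peer block tells the operator to "set the below variable accordingly", but `allowed-vpn-peering-ips` only exists as commented-out text, so the comment should say that the key has to be uncommented and `- string` replaced by the actual peer list (presumably one quoted entry per line, like the two `|` blocks above it), or the key should be added with an explicit empty default so the deny-all default is visible in the rendered config. The rewritten `allowed-contact-domains` comment reads awkwardly; `# customization: this setting MUST be changed to the domain(s) allowed to receive notifications from Google.` says the same thing.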
@@ -82,12 +105,16 @@ data:
 # customization: required
 security-incident-log-bucket: security-incident-log-bucket-12345
 #
+ # Platform and Component Log Bucket
+ # customization: required
+ platform-and-component-log-bucket: platform-and-component-log-bucket-12345
+ #
+ #
 # Retention settings
 # Set the number of days to retain logs in Cloud Logging buckets
 # Set the lock mechanism on the bucket to: true or false
 # After a retention policy is locked (true), you can't delete the bucket until every log in the bucket has fulfilled the bucket's retention period
- #
- # The values below must be modified to locked: true and retentionDays: 365 in a Production setting to implement above mentioned security controls.
+ # customization: The values below must be modified to locked: true and retentionDays: 365 in a Production setting to implement above mentioned security controls.
 retention-locking-policy: "false"
 retention-in-days: "1"
 #
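Review bot: The rewritten comment above `retention-locking-policy` still refers to `locked: true and retentionDays: 365`, which are not the keys on the next two lines (`retention-locking-policy`, `retention-in-days`), while the sibling hunk in client-landing-zone/setters.yaml rewrote the same sentence to name the setter keys; align this file with it and keep the quoted string form the values use: `# customization: The values below must be modified to retention-locking-policy: "true" and retention-in-days: "365" in a Production setting to implement above mentioned security controls.` This matters more here than in the client file because these two values also govern the retention of `security-incident-log-bucket`, whose logs are the ones an investigation will need. The new `platform-and-component-log-bucket` key is followed by two `#` lines where every other key in the section is followed by one, which looks accidental.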