kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
hunfabric/fast/stages
History

README.md

FAST stages

Each of the folders contained here is a separate "stage", or Terraform root module.

Each stage can be run in isolation (for example to only bring up a hub and spoke VPC in an existing environment), but when combined together they form a modular setup that allows top-down configuration of a whole GCP organization.

When deploying as part of a whole organization setup, each stage provides information on its resources to the following stages via predefined contracts, and each stage can pick and choose what to leverage from the preceding ones.

This has two important consequences:

  • any stage can be swapped out and replaced by different code as long as it respects the contract, by providing a predefined set of outputs and optionally accepting a predefined set of variables
  • data flow between stages can be partially automated (see stage 0 documentation on output files), reducing the effort and pain required to compile variables by hand

One important assumption is that the flow of data is always forward looking (or sideways for optional components), so no stage needs to depend on outputs generated further down the chain. This greatly simplifies both the logic and the implementation, and allows stages to be effectively independent.

To achieve this, we rely on specific GCP functionality like delegated role grants to allow controlled delegation of responsibilities, and conditional access via tags to constrain scope for organization-level roles or when specific resources are managed lower in the chain than IAM bindings.

Refer to each stage's documentation for a detailed description of its purpose, the architectural choices made in its design, and how it can be configured and wired together to terraform a whole GCP organization. The following is a brief overview of each stage.

Stages encapsulate core designs and functionality that is common in most type of GCP organization set-ups. Specialized designs or additional configurations that add specific functionality on top of stages to meet very specific use cases are defined via add-ons.

To destroy a previous FAST deployment follow the instructions detailed in cleanup.

Organization (0)

  • Organization Setup This stage bootstraps the organization and resource management, allowing easy configuration of all related resources via factories. Its flexibility supports any type of organizational design, while still supporting traditional FAST stages like VPC Service Controls, security, networking, and any stage 3.

VPC Service Controls (1)

Shared resources (2)

  • Security Manages centralized security configurations in a separate stage, and is typically owned by the security team. This stage creates projects to host centralized KMS keys and Certificate Authority Service (CAS) instances used by the whole organization. It's meant to be easily extended to include other security-related resources which are required, like Secret Manager.
    Exports: KMS key ids, CA ids
  • Networking Manages centralized network resources in a separate stage, and is typically owned by the networking team. This stage provides several different design as YaML datasets, including hub-and-spoke with VPC Peerings, VPNs, NVAs and NCC. Exports: host project ids and numbers, vpc self links
  • Project Factory YAML-based factory to create and configure application or team-level projects. Configuration includes VPC-level settings for Shared VPC, service-level configuration for CMEK encryption via centralized keys, and service account creation for workloads and applications. This stage can be cloned if an org-wide or dedicated per-environment factories are needed.

Applications and operations (3)

  • SecOps Setup Configures a Google SecOps instance at both infrastructure and application level. High level features of this stage include Data RBAC, IAM, Detection Rules, reference lists, API keys, and Google Workspace integrations.

Importing existing setup into FAST

For brownfield implementations you may need to import existing setting in the organization, folders, etc. These snippets can help you add existing settings into the YAML file

Scripts below require yq in at least version 4. It was tested using yq v4.47.2.

IAM bindings

To create iam: part of the factory YAML file, you can use following snippet:

gcloud <resource> get-iam-policy <resource name> | yq '.bindings | map({"key": .role, "value": .members}) | from_entries'

For example use following code, to get IAM bindings on organization level to be used in 0-org-setup/dataset/.../organization/.config.yaml

gcloud organizations get-iam-policy 12345 | yq '.bindings | map({"key": .role, "value": .members}) | from_entries'

To create iam_by_principals: part of the factory YAML file, you can use following snippet:

gcloud <resource> get-iam-policy <resource name> |  yq '
[.bindings | .[] | .members[] as $member | { "member": $member, "role": .role}] |
group_by(.member) | sort_by(.[0].member) | .[] | { .[0].member: map(.role)}
'