hunfabric/fast/stages/3-secops-dev
Ludovico Magnocavallo f02aa1f63f v42.0.0
2025-08-08 06:49:11 +00:00

SecOps Stage

This stage allows automated configuration of SecOps instance at both infrastructure and application level.

The following diagram illustrates the high-level design of SecOps instance configuration in both GCP and SecOps instance, which can be adapted to specific requirements via variables.

[Diagram: SecOps stage]

Design overview and choices

The general idea behind this stage is to configure a single SecOps instance for a specific environment, both at the GCP level and inside SecOps itself, using Terraform resources where available and the restful_resource provider for interacting with the new SecOps APIs.

Some high level features of the current version of the stage are:

  • API/Services enablement
  • Data RBAC configuration with labels and scopes
  • IAM setup for the SecOps instance based on groups from Cloud Identity or WIF (with support for Data RBAC)
  • Detection Rules and reference lists management via terraform (leveraging secops-rules module)
  • API Key setup for Webhook feeds
  • Integration with Workspace for alerts and logs ingestion via SecOps Feeds

How to run this stage

This stage is meant to be executed after the FAST "foundational" stages: bootstrap (0-bootstrap), resource management (1-resman) and secops (2-secops).

It's of course possible to run this stage in isolation, refer to the Running in isolation section below for details.

Before running this stage, you need to make sure you have the correct credentials and permissions, and localize variables by assigning values that match your configuration.

Resource management configuration

Some configuration changes are needed in resource management before this stage can be run.

Make sure the stage 3 is enabled in the data/stage-3 folder in the resource management stage. As an example, this YAML definition saved as secops-dev.yaml enables this stage 3 for the development environment:

# yaml-language-server: $schema=../../schemas/fast-stage3.schema.json

short_name: secops
environment: dev
folder_config:
  name: Development
  parent_id: secops

Make sure the stage 3 definitions are aligned with the environments you would like to set up for SecOps and coherent with the environment definitions in the stage 2 2-secops, so that each environment (for example dev and prod) has its own dedicated SecOps stage 3.
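The alignment described above can be checked before touching resource management. The following script is an added example, not part of the FAST stage code: it parses the flat stage-3 YAML shown on this page with a minimal purpose-built reader (no PyYAML needed) and verifies that every environment defined for SecOps has exactly one stage-3 definition with the expected short_name and parent folder. The file contents and the environment set are constructed samples; the expected parent_id value "secops" is assumed from the page's own example.

```python
"""Added example (not part of the FAST stage): check that the stage-3
definitions in data/stage-3 cover every SecOps environment."""
from __future__ import annotations

# Constructed sample contents of two stage-3 definition files, in the
# same flat YAML shape the page shows for secops-dev.yaml.
STAGE3_FILES = {
    "secops-dev.yaml": """\
# yaml-language-server: $schema=../../schemas/fast-stage3.schema.json

short_name: secops
environment: dev
folder_config:
  name: Development
  parent_id: secops
""",
    "secops-prod.yaml": """\
short_name: secops
environment: prod
folder_config:
  name: Production
  parent_id: secops
""",
}

# Environments assumed to be defined in the 2-secops stage (constructed).
SECOPS_ENVIRONMENTS = {"dev", "prod"}


def parse_flat_yaml(text: str) -> dict:
    """Minimal reader for the two-level key/value YAML used by these
    definition files (no lists, no quoting, '#' starts a comment).
    It is deliberately not a general YAML parser."""
    result: dict = {}
    current: dict | None = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            if value:
                result[key] = value
                current = None
            else:
                # A key with no value opens a nested map (folder_config).
                current = result.setdefault(key, {})
        elif current is not None:
            current[key] = value
        else:
            raise ValueError(f"unexpected indentation: {raw!r}")
    return result


def check_stage3_coverage(files: dict[str, str], environments: set[str],
                          short_name: str = "secops",
                          expected_parent: str = "secops") -> list[str]:
    """Return a list of problems; an empty list means every environment
    has exactly one matching definition pointing at the expected parent.
    expected_parent is an assumption taken from the page's example."""
    problems: list[str] = []
    seen: dict[str, str] = {}
    for name, text in files.items():
        cfg = parse_flat_yaml(text)
        if cfg.get("short_name") != short_name:
            continue  # definition for some other stage 3
        env = cfg.get("environment")
        if env not in environments:
            problems.append(f"{name}: environment {env!r} is not defined in 2-secops")
            continue
        if env in seen:
            problems.append(f"{name}: duplicate definition for {env!r} (also in {seen[env]})")
            continue
        seen[env] = name
        parent = cfg.get("folder_config", {}).get("parent_id")
        if parent != expected_parent:
            problems.append(f"{name}: folder_config.parent_id is {parent!r}, expected {expected_parent!r}")
    for env in sorted(environments - seen.keys()):
        problems.append(f"no stage-3 definition for environment {env!r}")
    return problems


if __name__ == "__main__":
    for problem in check_stage3_coverage(STAGE3_FILES, SECOPS_ENVIRONMENTS) or ["ok"]:
        print(problem)
```

To run it against a real checkout, replace STAGE3_FILES with the contents of the files in data/stage-3 of the resource management stage and SECOPS_ENVIRONMENTS with the environments configured in 2-secops.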

Provider and Terraform variables

As in all other FAST stages, the mechanism used to pass variable values and pre-built provider files from one stage to the next is also leveraged here.

The commands to link or copy the provider and terraform variable files can be easily derived from the fast-links.sh script in the FAST root folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run.

../fast-links.sh ~/fast-config

# File linking commands for GKE (dev) stage

# provider file
ln -s ~/fast-config/providers/3-secops-dev-providers.tf ./

# input files from other stages
ln -s ~/fast-config/tfvars/0-globals.auto.tfvars.json ./
ln -s ~/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./
ln -s ~/fast-config/tfvars/1-resman.auto.tfvars.json ./
ln -s ~/fast-config/tfvars/2-secops.auto.tfvars.json ./

# conventional place for stage tfvars (manually created)
ln -s ~/fast-config/3-secops-dev.auto.tfvars ./

../fast-links.sh gs://xxx-prod-iac-core-outputs-0

# File linking commands for GKE (dev) stage

# provider file
gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/3-secops-dev-providers.tf ./

# input files from other stages
gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./
gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./
gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json ./
gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/2-secops.auto.tfvars.json ./

# conventional place for stage tfvars (manually created)
gcloud storage cp gs://xxx-prod-iac-core-outputs-0/3-secops-dev.auto.tfvars ./

Impersonating the automation service account

The preconfigured provider file uses impersonation to run with this stage's automation service account's credentials. The gcp-devops and organization-admins groups have the necessary IAM bindings in place to do that, so make sure the current user is a member of one of those groups.

Variable configuration

Variables in this stage -- like most other FAST stages -- are broadly divided into three separate sets:

  • variables which refer to global values for the whole organization (org id, billing account id, prefix, etc.), which are pre-populated via the 0-globals.auto.tfvars.json file linked or copied above
  • variables which refer to resources managed by previous stages, which are pre-populated here via the *.auto.tfvars.json files linked or copied above
  • and finally variables that optionally control this stage's behaviour and customizations, which can be set in a custom terraform.tfvars file

The latter set is explained in the Customization sections below, and the full list can be found in the Variables table at the bottom of this document.

Running the stage

Once provider and variable values are in place and the correct user is configured, the stage can be run:

terraform init
terraform apply

Customizations

This stage is designed with a few basic integrations provided out of the box, which can be customized as described in the following sections.

Data RBAC

This stage supports configuration of SecOps Data RBAC using two separate variables:

  • secops_data_rbac_config: specifies Data RBAC label and scopes in Google SecOps
  • secops_iam: defines SecOps IAM configuration in {PRINCIPAL => {roles => [ROLES], scopes => [SCOPES]}} format, referencing previously defined scopes. When scopes is populated, an IAM condition restricts the principal's access to those scopes.

An example Data RBAC configuration is reported below.

secops_data_rbac_config = {
  labels = {
    google = {
      description = "Google logs"
      label_id    = "google"
      udm_query   = "principal.hostname=\"google.com\""
    }
  }
  scopes = {
    google = {
      description = "Google logs"
      scope_id    = "gscope"
      allowed_data_access_labels = [{
        data_access_label = "google"
      }]
    }
  }
}
secops_iam = {
  "user:bruzzechesse@google.com" = {
    roles  = ["roles/chronicle.editor"]
    scopes = ["gscope"]
  }
}
# tftest skip
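The two variables above form a chain: labels are referenced from scopes by label_id, and scopes are referenced from the IAM map by scope_id (note that in the example the scope key is "google" but the value the IAM binding must use is the scope_id "gscope"). A dangling reference, or a binding with an empty scopes list, changes what a principal can read. The following validator is an added example, not code from the FAST stage: it mirrors the page's HCL as Python dicts (constructed, with the principal replaced by an example.com address) and reports unknown scope or label references as errors and unscoped bindings as warnings, so they are caught before terraform apply. That references resolve by label_id and scope_id is an assumption based on the example above.

```python
"""Added example (not part of the FAST stage): reference-integrity check
for the secops_data_rbac_config / secops_iam variable pair."""
from __future__ import annotations

# Constructed mirror of the page's HCL example; principal is a placeholder.
SECOPS_DATA_RBAC_CONFIG = {
    "labels": {
        "google": {
            "description": "Google logs",
            "label_id": "google",
            "udm_query": 'principal.hostname="google.com"',
        },
    },
    "scopes": {
        "google": {
            "description": "Google logs",
            "scope_id": "gscope",
            "allowed_data_access_labels": [{"data_access_label": "google"}],
        },
    },
}
SECOPS_IAM = {
    "user:analyst@example.com": {
        "roles": ["roles/chronicle.editor"],
        "scopes": ["gscope"],
    },
}


def check_data_rbac(rbac: dict, iam: dict) -> list[str]:
    """Return findings prefixed with ERROR or WARN; an empty list means
    every reference resolves and every binding is scoped."""
    findings: list[str] = []
    # Labels are referenced by label_id (assumed), not by their map key.
    label_ids = {lbl["label_id"] for lbl in rbac.get("labels", {}).values()}

    # Scopes are referenced by scope_id; collect them and validate their labels.
    scope_ids: dict[str, str] = {}
    for key, scope in rbac.get("scopes", {}).items():
        sid = scope["scope_id"]
        if sid in scope_ids:
            findings.append(f"ERROR: scope_id {sid!r} defined twice ({scope_ids[sid]} and {key})")
        scope_ids[sid] = key
        allowed = scope.get("allowed_data_access_labels", [])
        if not allowed:
            findings.append(f"ERROR: scope {sid!r} allows no labels")
        for entry in allowed:
            label = entry["data_access_label"]
            if label not in label_ids:
                findings.append(f"ERROR: scope {sid!r} references unknown label {label!r}")

    # IAM bindings: every scope must exist; no scopes means no condition,
    # i.e. the roles apply to the whole instance rather than a data subset.
    for principal, binding in iam.items():
        scopes = binding.get("scopes") or []
        if not scopes:
            findings.append(f"WARN: {principal} has no scopes, roles {binding['roles']} are unrestricted")
        for sid in scopes:
            if sid not in scope_ids:
                findings.append(f"ERROR: {principal} references unknown scope {sid!r}")
    return findings


if __name__ == "__main__":
    for finding in check_data_rbac(SECOPS_DATA_RBAC_CONFIG, SECOPS_IAM) or ["ok"]:
        print(finding)
```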

SecOps rules and reference list management

This stage leverages the secops-rules module for automated SecOps rules and reference list deployment via Terraform.

By default, the stage will try to deploy the sample rule and reference list available in the rules and reference_lists folders, according to the configuration files secops_rules.yaml and secops_reference_lists.yaml.

The configuration can be updated via the factory_config variable as per the secops-rules module README.md.

Google Workspace integration

The stage supports automatic integration of Google Workspace as a SecOps source leveraging SecOps Feeds integration.

Integration is enabled via the workspace_integration_config variable as per the following sample:

workspace_integration_config = {
  delegated_user        = "secops-feed@..."
  workspace_customer_id = "CXXXXXXX"
}
# tftest skip

Where delegated_user should be the email of the user created in Cloud Identity following the configuration instructions available here.

Please be aware the Service Account Client ID needed during domain wide delegation setup is available in the key of the service account stored in Secret Manager.

Files

| name | description | modules | resources |
|---|---|---|---|
| main.tf | Module-level locals and resources. | project · secops-rules | google_apikeys_key |
| outputs.tf | Module outputs. | | google_storage_bucket_object |
| providers-override.tf | None | | |
| secops-providers.tf | None | | |
| secops.tf | None | | google_chronicle_data_access_label · google_chronicle_data_access_scope |
| secrets.tf | None | secret-manager | |
| variables-fast.tf | None | | |
| variables.tf | Module variables. | | |
| workspace.tf | None | iam-service-account | google_service_account_key · restful_resource |

Variables

| name | description | type | required | default | producer |
|---|---|---|---|---|---|
| automation | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
| tenant_config | SecOps Tenant configuration. | object({…}) | ✓ | | |
| billing_account | Billing account id. If billing account is not part of the same org set is_org_level to false. | object({…}) | | {} | 0-bootstrap |
| data_rbac_config | SecOps Data RBAC scope and labels config. | object({…}) | | {} | |
| factories_config | Paths to YAML config expected in 'rules' and 'reference_lists'. Path to folders containing rules definitions (yaral files) and reference lists content (txt files) for the corresponding _defs keys. | object({…}) | | {…} | |
| folder_ids | Folder name => id mappings. | map(string) | | {} | 1-resman |
| iam | SecOps IAM configuration in {PRINCIPAL => {roles => [ROLES], scopes => [SCOPES]}} format. | map(object({…})) | | {} | |
| iam_default | Groups ID in IdP assigned to SecOps admins, editors, viewers roles. | object({…}) | | {} | |
| project_id | Project id that references existing SecOps project. Use this variable when running this stage in isolation. | string | | null | |
| project_reuse | Whether to use an existing project, leave default for FAST deployment. | map(string) | | {} | |
| region | Google Cloud region definition for resources. | string | | "europe-west8" | |
| secops_project_ids | SecOps Project IDs for each environment. | map(string) | | null | 2-secops |
| stage_config | FAST stage configuration used to find resource ids. Must match name defined for the stage in resource management. | object({…}) | | {…} | |
| workspace_integration_config | SecOps Feeds configuration for Workspace logs and entities ingestion. | object({…}) | | null | |

Outputs

| name | description | sensitive | consumers |
|---|---|---|---|
| project_id | SecOps project id. | | |