# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#########
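apiVersion: v1
kind: ConfigMap
metadata:
  name: setters
  annotations:
    # kpt treats this ConfigMap as local configuration: it only drives
    # rendering of the package and is not applied to the cluster.
    config.kubernetes.io/local-config: "true"
data:
  ##########################
  # Instructions
  ##########################
  #
  # Follow the instructions specific to each section.
  # Every value under "data" is a string. Keep numeric IDs quoted so YAML does
  # not coerce them (a leading zero would otherwise be dropped or read as octal).
  # Project IDs must follow the rules below; additionally, if a Gatekeeper policy
  # is used to enforce a naming convention, refer to its documentation.
  # - All IDs should be universally unique.
  # - Must be 6 to 30 characters in length.
  # - Can only contain lowercase letters, numbers, and hyphens.
  # - Must start with a letter.
  # - Cannot end with a hyphen.
  # - Cannot be in use or previously used; this includes deleted projects.
  # - Cannot contain restricted strings, such as google and ssl.
  #
  ##########################
  # General Settings Values
  ##########################
  #
  # Numeric Google Cloud Organization ID. Use the same ID that was used during the bootstrap procedure.
  # customization: required
  org-id: "0000000000"
  # Numeric ID of the root folder into which the Landing Zone will be deployed.
  # This folder is created during the bootstrap procedure.
  # customization: required
  lz-folder-id: "0000000000"
  # Billing account ID (format XXXXXX-XXXXXX-XXXXXX) attached to the projects created by the core landing zone.
  # customization: required
  billing-id: "AAAAAA-BBBBBB-CCCCCC"
  #
  ##########################
  # Management Project
  ##########################
  #
  # The management project is where the Landing Zone Config Controller instance is running; it is created
  # during the bootstrap procedure.
  # The $PROJECT_ID (management-project-id) is defined during Initial Organization Configuration
  # (https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/docs/landing-zone-v2/README.md#initial-organization-configuration)
  # customization: required
  management-project-id: management-project-12345
  # The management-project-number can be obtained from the Dashboard via
  # https://console.cloud.google.com/home/dashboard?project=$PROJECT_ID
  # Alternatively, obtain it from gcloud (describe avoids the loose substring matching of --filter):
  #   gcloud projects describe "${PROJECT_ID}" --format='value(projectNumber)'
  # customization: required
  management-project-number: "0000000000"
  # Kubernetes namespace used by Config Controller; fixed to the default, config-control.
  # customization: Do not change this value.
  management-namespace: config-control
  #
  ##########################
  # Org Policies
  ##########################
  #
  # The following are settings for some org policies. Each multi-line value below is a YAML list
  # that is substituted verbatim into the referenced policy file, so keep the "- " list syntax.
  #
  # A list of projects whose images may be used to create boot disks (trusted image projects).
  # See the YAML file for more info: org/org-policies/compute-trusted-image-projects.yaml
  # The default only allows Container-Optimized OS images; add further image projects as required.
  # customization: This setting can be left as default or modified as required
  allowed-trusted-image-projects: |
    - "projects/cos-cloud"
  #
  # A list of domains allowed as Essential Contacts (recipients of notifications from Google).
  # Values keep the leading "@". See the YAML file for more info:
  # org/org-policies/essentialcontacts-allowed-contact-domains.yaml
  # customization: this setting MUST be changed to the domain(s) you allow to receive notifications from Google.
  allowed-contact-domains: |
    - "@example.com"
  #
  # A list of directory customer IDs from which principals can be added to IAM policies.
  # See the YAML file for more info: org/org-policies/iam-allowed-policy-member-domains.yaml
  # Run 'gcloud organizations list' as described in
  # https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#retrieving_customer_id
  # Once this policy is enforced, IAM bindings for principals outside the listed directories are rejected,
  # so an omitted directory cannot be granted roles later without changing the policy.
  # customization: this setting MUST be changed to include the GCP org's directory customer ID and any other
  # directory containing users that will need IAM roles assigned.
  allowed-policy-domain-members: |
    - "DIRECTORY_CUSTOMER_ID"
  #
  # A list of allowed projects, folders, or networks for VPC peering.
  # See the YAML file for more info: org/org-policies/compute-restrict-vpc-peering.yaml
  # customization: this setting MUST be changed; replace ORGANIZATION_ID with the GCP organization's ID
  allowed-vpc-peering: |
    - "under:organizations/ORGANIZATION_ID"
  #
  # A list of IP addresses that are allowed to be VPN peers of the VPCs in the organization.
  # By default, all IPs are denied. See the YAML file for more info: org/org-policies/compute-restrict-vpn-peer-ips.yaml
  # If you need to allow/deny specific values, update org/org-policies/compute-restrict-vpn-peer-ips.yaml
  # and set the variable below accordingly.
  # ResourceManagerPolicy schema: https://cloud.google.com/config-connector/docs/reference/resource-docs/resourcemanager/resourcemanagerpolicy#schema
  # allowed-vpn-peering-ips: |
  #   - string
  #
  ##########################
  # Logging
  ##########################
  #
  # Core Landing Zone logging project, used by the logging packages.
  # Project ID for the logging project to be created, following the rules and conventions above.
  # customization: required
  logging-project-id: logging-project-12345
  #
  # Storage buckets
  # Bucket names must be globally unique across all of GCP and are publicly visible, so do not
  # encode sensitive information (for example internal hostnames or account names) in them.
  #
  # Security incident log bucket
  # customization: required
  security-incident-log-bucket: security-incident-log-bucket-12345
  #
  # Platform and component log bucket
  # customization: required
  platform-and-component-log-bucket: platform-and-component-log-bucket-12345
  #
  # Retention settings for the Cloud Logging buckets
  # retention-in-days: number of days log entries are retained.
  # retention-locking-policy: "true" locks the retention policy. A locked bucket cannot be deleted until
  #   every log entry in it has fulfilled the retention period, and the lock cannot be removed.
  # AU-9 PROTECTION OF AUDIT INFORMATION
  # AU-11 AUDIT RECORD RETENTION
  # customization: the defaults below (unlocked, 1 day) only suit disposable non-production environments and
  #   do not satisfy the controls above. In Production set retention-locking-policy: "true" and
  #   retention-in-days: "365". Confirm the retention value before locking, because locking is irreversible.
  retention-locking-policy: "false"
  retention-in-days: "1"
  #
  # Retention settings for the Cloud Storage bucket that stores logs related to security incidents
  # Events and logs associated with a security incident must be kept for at least 2 years.
  # security-incident-log-bucket-retention-in-seconds: retention period in seconds (86400 = 1 day).
  # security-incident-log-bucket-retention-locking-policy: "true" locks the retention policy. Once locked, the
  #   period can no longer be shortened or removed, and the bucket cannot be deleted until every object in it
  #   has fulfilled the retention period.
  # AU-9 PROTECTION OF AUDIT INFORMATION
  # AU-11 AUDIT RECORD RETENTION
  # customization: the defaults below (unlocked, 1 day) only suit disposable non-production environments.
  #   In Production set security-incident-log-bucket-retention-locking-policy: "true" and
  #   security-incident-log-bucket-retention-in-seconds: "63072000" (730 days) to implement the controls above.
  security-incident-log-bucket-retention-locking-policy: "false"
  security-incident-log-bucket-retention-in-seconds: "86400"
  #
  ##########################
  # DNS
  ##########################
  #
  # DNS project
  #
  # Project ID for the DNS project to be created, following the rules and conventions above.
  # customization: required
  core-dns-project-id: dns-project-12345
  #
  # Core Landing Zone FQDN. The "dns-name" must end with a "." (absolute DNS name).
  # The zone for dns-name needs to receive delegation from the parent domain, e.g. example.com.
  # customization: required
  dns-name: "example.com."
  #
  ##########################
  # Labels
  ##########################
  # Labels can be set on projects using set-labels-project.yaml. Make sure at least one key-value pair is
  # defined, otherwise the render will fail.
  ##########################
  # End of Configurations
  ##########################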