commit_msg.txt
85 lines (74 loc) · 8.16 KB
chore(security): Address comprehensive ATP Security Review findings (Medium/Low/Informational)
This commit addresses the Comprehensive ATP Security Review findings for the Stellar Engine repository, prioritizing Medium to Informational severities. It introduces deep, structural security remediations across all architecture layers—IAM, Storage, Compute, Networking, Logging, and Project structure—while also excising deprecated and experimental code to reduce attack surface.
Detailed breakdown of changes by category and file:
1. Identity & Access Management (IAM)
- Removed service account key generation capabilities to enforce `iam.disableServiceAccountKeyCreation` organization policy constraints:
  - `modules/iam-service-account/main.tf`: Deleted `google_service_account_key` resource block entirely.
  - `modules/iam-service-account/outputs.tf`: Stripped output entries exposing sensitive key material (`key`, `keys`).
  - `modules/iam-service-account/variables.tf`: Completely removed the `generate_key` boolean variable to seal the loophole.
- Addressed legacy `roles/owner` security vulnerability risks:
  - `fast/stages-aw/0-bootstrap/organization-iam.tf`: Exchanged `roles/owner` privileges for Google-recommended administrative roles (`roles/resourcemanager.organizationAdmin`, `roles/billing.admin`, `roles/resourcemanager.folderAdmin`, `roles/resourcemanager.projectCreator`).
- Hardened default service account usage across Blueprints:
  - Provisioned dedicated service accounts (disallowing the heavily privileged default Compute SA) for GKE node pools, Vertex MLOps pipelines, Dataflow jobs, and Cloud Functions.
  - Executed these targeted least-privilege SA bindings in:
    - `blueprints/fedramp-high/cloud-functions/main.tf`
    - `blueprints/fedramp-high/vertex-mlops/vertex.tf`
    - `blueprints/fedramp-high/vertex-mlops/main.tf`
    - `blueprints/il5/dataflow/main.tf`
2. Storage Data-at-Rest Protection & CMEK Enforcement
- Enforced Customer-Managed Encryption Key (CMEK) implementation for all active Document AI deployments in compliance with `gcp.restrictNonCmekServices`:
  - `blueprints/fedramp-high/document-ai/variables.tf`: Introduced mandatory `kms_key_name` string variable.
  - `blueprints/fedramp-high/document-ai/main.tf`: Passed `kms_key_name` argument dynamically to the `google_document_ai_processor` resource block.
- Solidified Database Deletion Protection for stateful and managed services:
  - `modules/spanner-instance/main.tf`: Added robust conditional logic `deletion_protection = var.deletion_protection != null ? var.deletion_protection : true` to the `google_spanner_instance` block for implicit protection.
  - `modules/spanner-instance-se/main.tf`: Mirrored the strict deletion protection strategy and related structural map variables.
  - `blueprints/il5/postgresql/main.tf`: Defaulted DB options to prevent catastrophic accidental drops.
3. Compute Hardening & Continuity Mechanisms
- Mandated explicit database encryption blocks for all standard GKE Blueprint implementations:
  - Added strict KMS key integrations within `blueprints/il5/gke/main.tf` & `blueprints/il5/gke-hardened/main.tf`.
  - Added imperative bindings for `google_kms_crypto_key_iam_member` to explicitly verify GKE system accounts possess immediate CryptoKey Encrypter/Decrypter permissions prior to cluster API bootstrapping.
- Re-architected organizational requirements around Virtual Machines:
  - `fast/stages-aw/0-bootstrap/data/org-policies/compute_policy.yaml`: Actively declared `constraints/compute.requireShieldedVm` to guarantee tamper-proof hardware provisioning.
  - Validated pass-through logic mapping enabling Shielded configurations in `blueprints/il5/shielded-vm-project/main.tf`.
- Enshrined Compute Engine Backup Orchestration models across deployments:
  - Deployed `google_compute_resource_policy` configurations governing exact automated snapshot schedules (retention policy, backup window) for connected zonal disks.
  - Connected snapshot logic definitively within instance configurations spanning:
    - `blueprints/il5/compute-engine/main.tf`
    - `blueprints/il5/bastion-pattern/main.tf`
    - `blueprints/fedramp-high/cnap/compute_engine.tf`
    - `blueprints/fedramp-high/dataproc-cluster/main.tf`
4. Networking Segregation & Organizational Guardrails
- Imposed rigorous global VPC traffic control primitives:
  - `fast/stages-aw/0-bootstrap/data/org-policies/networking_policy.yaml`: Configured explicit denials using `constraints/compute.restrictVpcPeering` to lock down network cross-talk and enabled `constraints/compute.requireVpcFlowLogs` to mandate systemic network telemetry.
5. Global Network Firewall & Enterprise Audit Logging
- Defaulted VPC Firewall Logging mechanisms to fully ENABLED for advanced troubleshooting and auditing:
  - `modules/net-vpc-firewall/default-rules.tf`: Manually inserted `log_config { metadata = "INCLUDE_ALL_METADATA" }` directly inside standard `google_compute_firewall` templates (`allow-admins` and `allow-tag-http`).
  - `modules/net-vpc-firewall/main.tf`: Intercepted user-supplied custom firewall rule definitions and statically injected resilient `log_config` metadata properties mapping directly to ALL custom iterations.
- Elevated overall Cloud Audit posture and Access validations:
  - `fast/stages-aw/0-bootstrap/data/org-policies/platform_policy.yaml`: Explicitly required implementation of `constraints/gcp.detailedAuditLoggingMode` to enforce expanded data transparency, supplemented precisely by `constraints/gcp.accessTransparency.enforcement`.
6. Infrastructure Safeguards (Resource Manager Liens)
- Applied Project-Level Protective Liens across critical structural tiers:
  - Supplied explicit `lien_reason = "Protected by default as a core project."` configuration declarations throughout the deployment ecosystem, effectively shielding core infrastructure against irreversible GUI and API tear-downs.
  - Remediated components comprehensively:
    - `fast/stages-aw/0-bootstrap/automation.tf` (automation-project module)
    - `fast/stages-aw/0-bootstrap/log-export.tf` (log-export-project module)
    - `fast/stages-aw/2-networking-a-fedramp-high/net-vdss.tf` (vdss-host-project module)
    - `fast/stages-aw/2-networking-b-il5-ngfw/net-vdss.tf` (vdss-host-project module)
    - `fast/stages-aw/2-networking-a-fedramp-high/branch-net-envs.tf` (env-spoke-projects module)
    - `fast/stages-aw/2-networking-b-il5-ngfw/branch-net-envs.tf` (env-spoke-projects module)
7. Flapping State Resolution (Shared VPC / IAM Application Loop Issue Fix)
- Corrected cyclic Terraform apply behaviors identified against `google_compute_subnetwork_iam_member` structures attached within networking layers:
  - Addressed customer bug report (University of Louisville) triggering continuous ID replacements.
  - Eliminated flawed syntax anchoring permissions improperly against service projects, converting logic to leverage robust host project outputs via `module.env-spoke-projects.project_id`.
  - Re-mapped syntax meticulously inside `branch-net-envs.tf` supporting both A (FedRAMP High) and B (IL5 NGFW) structural variants.
8. Technical Housekeeping, Attack Surface Reduction & Documentation Enhancements
- Purged experimental, unmaintained, deprecated, and highly vulnerable structural prototyping branches directly targeted by ATP feedback:
  - Terminated `experimental/` parent directory structure holistically (safely preserving and migrating tested bash scripts into unified `scripts/` directory).
  - Wiped `modules/__experimental_deprecated/` directories housing unsafe BigQuery, Net NEG, and AlloyDB logic.
  - Cleared `modules/cloud-config-container/__need_fixing/` implementations preventing un-validated local ingress points.
- Normalized operational readability and Terraform module standards across disjointed components:
  - Deployed standard Fabric documentation patterns featuring header descriptions, internal Table of Contents (TOC), structural "Basic Usage" configurations, and auto-compiling `BEGIN_TF_DOCS` elements inside:
    - `modules/cis-log-alerts/README.md`
    - `modules/cis-log-metrics/README.md`
    - `modules/intrusion-detection-system/README.md`
All architectural adaptations executed successfully and have been locally validated via `terraform validate` targeting baseline syntactical conformity.
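The two patterns the commit message describes in sections 3 and 5 (granting the GKE service agent Encrypter/Decrypter on the CMEK before the cluster is created, and forcing `log_config` onto every caller-supplied firewall rule) are shown below as an added illustration. This is not code from the Stellar Engine repository; the variable names `project_id`, `region`, `network`, `kms_key_name` and `custom_rules`, the `hardened` cluster name and the `custom` rule shape are all assumed for the example.

```terraform
# Added example, not the project's own code. Variable names, the cluster name
# and the custom_rules shape are assumptions made for illustration.

terraform {
  required_providers {
    google = { source = "hashicorp/google" }
  }
}

variable "project_id" { type = string }
variable "region"     { type = string }
variable "network"    { type = string }

# Full Cloud KMS resource name of a key provisioned elsewhere (assumed).
variable "kms_key_name" {
  type = string
  validation {
    condition     = can(regex("^projects/.+/locations/.+/keyRings/.+/cryptoKeys/.+$", var.kms_key_name))
    error_message = "kms_key_name must be a full Cloud KMS crypto key resource name."
  }
}

data "google_project" "this" {
  project_id = var.project_id
}

# Weak form kept as a comment for comparison: no database_encryption block,
# so Kubernetes secrets in etcd rely on Google-managed keys only.
#
# resource "google_container_cluster" "before" {
#   name               = "before"
#   location           = var.region
#   initial_node_count = 1
# }

# 1. The GKE service agent (service-<project number>@container-engine-robot)
#    must hold Encrypter/Decrypter on the key, otherwise the create call is
#    rejected. Binding it as its own resource lets Terraform order it first.
resource "google_kms_crypto_key_iam_member" "gke_cmek" {
  crypto_key_id = var.kms_key_name
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.this.number}@container-engine-robot.iam.gserviceaccount.com"
}

# 2. Corrected cluster: etcd secrets are wrapped with the CMEK, the cluster
#    cannot be destroyed by accident, and depends_on makes the IAM grant
#    happen before the cluster API bootstrap rather than racing it.
resource "google_container_cluster" "hardened" {
  name                = "hardened"
  location            = var.region
  project             = var.project_id
  network             = var.network
  initial_node_count  = 1
  deletion_protection = true

  database_encryption {
    state    = "ENCRYPTED"
    key_name = var.kms_key_name
  }

  depends_on = [google_kms_crypto_key_iam_member.gke_cmek]
}

# 3. Caller-supplied ingress rules. Logging is set by the module for every
#    rule, so a caller cannot opt a rule out of telemetry by omission.
variable "custom_rules" {
  type = map(object({
    source_ranges = list(string)
    ports         = list(string)
  }))
  default = {}
}

resource "google_compute_firewall" "custom" {
  for_each = var.custom_rules

  name          = each.key
  project       = var.project_id
  network       = var.network
  direction     = "INGRESS"
  source_ranges = each.value.source_ranges

  allow {
    protocol = "tcp"
    ports    = each.value.ports
  }

  # Injected unconditionally, matching the module-level default the commit
  # describes; callers get EXCLUDE_ALL_METADATA only by editing the module.
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
```

`terraform validate` checks the syntax and the variable validation block above, which is the same level of assurance the commit message claims; whether the key, the service agent and the org policies line up is only proven by a `terraform plan` against a real project.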