Extend identity documentation to GCP #29
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ngineering to 'Helpful', from 'he'. Removed irrelevant links and updated design with enforced name of the GCP Org.
skuenzli
reviewed
Apr 8, 2020
|
|
||
| The DevOps team will provision two 'delivery' accounts for each project team: `dev` and `prod`. Teams will use the | ||
| `dev` account to develop their applications and test application deployments. Applications should be delivered | ||
| to the production account for operation and use by customers and end users. |
There was a problem hiding this comment.
qq: should each HE project get separate dev and prod accounts in GCP? what advantages does this have over a dev and prod GCP project within a single GCP account for the HE project?
I definitely think we should create strong isolation between environments and projects, just wondering what the right balance is. AFAIK, a GCP IAM principal:
- must be specifically granted access to resources in different projects
- may be granted permissions to call different API actions in different projects in a single account (is this true?)
skuenzli
reviewed
Apr 8, 2020
| The DevOps team will use [GCP Cloud Identity](https://cloud.google.com/identity/docs) | ||
| to provision both the shared and project accounts. Control Tower provides a simple account provisioning model that | ||
| provides a number of security and governance best practices out of the box. | ||
|
|
There was a problem hiding this comment.
Need to update/replace references to Service Control Policy and Control Tower.
skuenzli
reviewed
Apr 8, 2020
FreemanParks
requested changes
Apr 22, 2020
| ### UC2 - Provision Accounts | ||
|
|
||
| The HelpfulEng DevOps team will provision GCP accounts for both shared and project delivery accounts. The DevOps team | ||
| would like provision these accounts in a standardized way with low effort and simple adoption of Cloud security and |
There was a problem hiding this comment.
minor style/formatting
Suggested change
| would like provision these accounts in a standardized way with low effort and simple adoption of Cloud security and | |
| would like to provision these accounts in a standardized way with low effort and simple adoption of Cloud security and |
| * A trusted external repository such as Docker Hub. | ||
| * An internal repository such as a [Cloud Storage](https://cloud.google.com/storage/) bucket hosted within a project account as is the case for the Serverless Framework. | ||
|
|
||
| The DevOps team recommends that project teams adopt automated continuous delivery to deploy and configure applications. |
There was a problem hiding this comment.
Can we clarify the level of support the devops team will provide for this?
skuenzli
approved these changes
Apr 26, 2020
There was a problem hiding this comment.
Overall, this LGTM.
A couple of questions to consider prior to merging:
- are 'project' and 'account' used in the canonical way for GCP?
- we could use
he-instead ofhelpful-for account/project prefixes; if you've already provisioned ashelpful-I would leave it. usinghe-would align to AWS.
imonthercks
reviewed
May 30, 2020
Comment on lines
+50
to
+63
| helpfulengineering.org Org | ||
| └ Core | ||
| └ Log | ||
| └ Audit | ||
| └ Sandboxes | ||
| └ helpful-gcp-sandbox2 | ||
| └ Project Delivery | ||
| └ Monitoring O2 | ||
| └ helpful-project-monitoring-O2-dev | ||
| └ helpful-project-monitoring-O2-prod | ||
| └ <project name> | ||
| └ helpful-<project name>-dev | ||
| └ helpful-<project name>-prod | ||
| └ ... |
There was a problem hiding this comment.
Annotating the resource hierarchy to show what types of resources are at different levels. Not sure if this is accurate or helpful, so dispose of it if not.
Suggested change
| helpfulengineering.org Org | |
| └ Core | |
| └ Log | |
| └ Audit | |
| └ Sandboxes | |
| └ helpful-gcp-sandbox2 | |
| └ Project Delivery | |
| └ Monitoring O2 | |
| └ helpful-project-monitoring-O2-dev | |
| └ helpful-project-monitoring-O2-prod | |
| └ <project name> | |
| └ helpful-<project name>-dev | |
| └ helpful-<project name>-prod | |
| └ ... | |
| helpfulengineering.org (organization resource) | |
| └ Core (folder resource) | |
| └ Log (folder resource) | |
| └ Audit | |
| └ Sandboxes (folder resource) | |
| └ helpful-gcp-sandbox2 (project resource) | |
| └ Project Delivery (folder resource) | |
| └ Monitoring O2 (folder resource) | |
| └ helpful-project-monitoring-O2-dev (project resource) | |
| └ helpful-project-monitoring-O2-prod | |
| └ <project name> (folder resource) | |
| └ helpful-<project name>-dev (project resource) | |
| └ helpful-<project name>-prod | |
| └ ... |
imonthercks
approved these changes
May 30, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.