# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#########
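apiVersion: v1
kind: ConfigMap
metadata:
  name: setters
  annotations:
    # Marks this ConfigMap as local configuration: it is read by the setter
    # function when the package is rendered and is never applied to the cluster.
    config.kubernetes.io/local-config: "true"
data:
  ##########################
  # Instructions
  ##########################
  #
  # Follow the instructions specific to each section.
  # ConfigMap data values are always strings, so every number- or boolean-looking
  # value below is quoted to keep the YAML parser from retyping it.
  # Project IDs must follow the rules below; additionally, if a Gatekeeper policy
  # is used to enforce specific naming conventions, refer to its documentation.
  # - All IDs should be universally unique.
  # - Must be 6 to 30 characters in length.
  # - Can only contain lowercase letters, numbers, and hyphens.
  # - Must start with a letter.
  # - Cannot end with a hyphen.
  # - Cannot be in use or previously used; this includes deleted projects.
  # - Cannot contain restricted strings, such as google and ssl.
  #
  ##########################
  # General Settings Values
  ##########################
  #
  # Use the same Google Cloud Organization ID that was used during the bootstrap procedure.
  # customization: required
  org-id: "0000000000"
  # Root folder into which the Landing Zone will be deployed. This folder is created during the bootstrap procedure.
  # customization: required
  lz-folder-id: "0000000000"
  # core-landing-zone billing id
  # customization: required
  billing-id: "AAAAAA-BBBBBB-CCCCCC"
  #
  ##########################
  # Management Project
  ##########################
  #
  # The management project is where the Landing Zone config controller instance is running, created during the bootstrap procedure.
  # The $PROJECT_ID (management-project-id) is defined during Initial Organization Configuration (https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/docs/landing-zone-v2/README.md#initial-organization-configuration)
  # customization: required
  management-project-id: management-project-12345
  # The management-project-number can be obtained from the Dashboard via https://console.cloud.google.com/home/dashboard?project=$PROJECT_ID
  # Alternatively, obtain the management-project-number from gcloud: gcloud projects list --filter="${PROJECT_ID}" '--format=value(PROJECT_NUMBER)'
  # customization: required
  management-project-number: "0000000000"
  # Kubernetes namespace, set to the default, config-control.
  # customization: Do not change this value.
  management-namespace: config-control
  #
  ##########################
  # Org Policies
  ##########################
  #
  # The following are settings for some org policies.
  #
  # A list of allowed essential contact domains, see the YAML file for more info:
  # org/org-policies/essentialcontacts-allowed-contact-domains.yaml
  # The value is a block scalar holding a YAML list; keep the list syntax and
  # the leading "@" on each domain, and keep it indented under the key.
  # customization: this setting MUST be changed to a domain in which you choose to allow to receive notifications from Google.
  allowed-contact-domains: |
    - "@example.com"
  #
  # A list of directory customer IDs from which users can be added to IAM policies, see the YAML file for more info:
  # org/org-policies/iam-allowed-policy-member-domains.yaml
  # Run 'gcloud organizations list' as described in https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#retrieving_customer_id
  # Leaving the placeholder in place means no real directory is allowed, so no
  # IAM member from your organization can be granted roles.
  # customization: this setting MUST be changed to include the GCP org's directory customer ID and any other directory containing users that will need IAM roles assigned
  allowed-policy-domain-members: |
    - "DIRECTORY_CUSTOMER_ID"
  #
  ##########################
  # Logging
  ##########################
  #
  # Core landing zone logging project, used by the logging packages.
  # Project ID for the logging project to be created, following the rules and conventions above.
  # customization: required
  logging-project-id: logging-project-12345
  #
  # Storage buckets
  # Security incident log bucket
  # Bucket names must be globally unique across all of GCP.
  # customization: required
  security-incident-log-bucket: security-incident-log-bucket-12345
  #
  # Platform and component log bucket
  # customization: required
  platform-and-component-log-bucket: platform-and-component-log-bucket-12345
  #
  #
  # Retention settings
  # Set the number of days to retain logs in Cloud Logging buckets.
  # Set the lock mechanism on the bucket to: true or false.
  # After a retention policy is locked (true), you can't delete the bucket until every log in the bucket has fulfilled the bucket's retention period.
  # The values below are development defaults only: unlocked, one-day retention.
  # customization: The values below must be modified to locked: true and retentionDays: 365 in a Production setting to implement the above mentioned security controls.
  retention-locking-policy: "false"
  retention-in-days: "1"
  #
  # Retention settings for the Cloud Storage bucket that stores logs related to security incidents.
  # Events and logs associated with a security incident must be kept for at least 2 years.
  # Set the lock mechanism on the bucket to: true or false.
  # After a retention policy is locked (true), you can't delete the bucket until every log in the bucket has fulfilled the bucket's retention period.
  # The values below are development defaults only: unlocked, one-day (86400 s) retention.
  # customization: The values below must be modified to locked: true and retentionSeconds: 63072000 (730 days) in a Production setting to implement the above mentioned security controls.
  security-incident-log-bucket-retention-locking-policy: "false"
  security-incident-log-bucket-retention-in-seconds: "86400"
  #
  ##########################
  # End of Configurations
  ##########################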