• refactor dir structure #39
• Investigate removing helm charts' default template helpers
• Rename/remove references to "old" in configmaps and deployments in the fluentd helm charts

Currently, deploy-app.sh includes a section that configures Istio to use Istio supplied certificates:

It would be helpful to add steps that facilitate creating and using self-generated certificates.

As described in https://cloud.google.com/vpc/docs/packet-mirroring

• Where applicable, like where there are long service account names, use locals.

The project is currently using Legacy Stackdriver. (See Which Stackdriver support does my cluster use? )

More precisely, GKE data is visible in Stackdriver's Legacy Kubernetes dashboard as a result of Stackdriver Monitoring being set to Enabled ) ( and not v2(beta) ). Stackdriver Logging is disabled due to the fluentd customizations in place (centralized logging, and DLP API filtering).

In order to upgrade to "Stackdriver Kubernetes Engine Monitoring," the recommended method is to enable both Stackdriver Monitoring and Stackdriver Logging, in order to choose "Enabled v2(beta)". This is undesirable because that will then cause the stock fluentd to be installed, which would then cause logs to go direct to Stackdriver Logs and bypass the DLP API filter.

The most viable option is to package the v2(beta) configurations, and customize them as needed, while leaving the stock GKE Monitoring and Logging settings disabled.

Is it possible to connect to DLP API over a private endpoint?

From code review tasks #50

Add a reference to the cluster resource in the node pool resource so the order of node pool and cluster is determined correctly.

For example, here, in the in-scope cluster, as well as the out-of-scope cluster.

kustomize appears to be built for the use case of customizing Kubernetes configurations, in a style that will likely allow for the simplification of the current shell generate-config.sh which uses sed on "template-like" files to then create Kubernetes configs.

• See: https://youtu.be/ahMIBxufNR0?t=300
• https://github.com/kubernetes-sigs/kustomize/blob/master/docs/eschewedFeatures.md#build-time-side-effects-from-cli-args-or-env-variables Although listed as an eschewed feature, the style to be adopted is to have bash set with the necessary variables, run kustoimize edit ..., and apply.

• We're affected by this terraform / GCP bug tracked here: hashicorp/terraform-provider-google#3369

When running : ./_helpers/forseti_admin_permissions.sh I get:

ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition. ERROR: (gcloud.organizations.add-iam-policy-binding) INVALID_ARGUMENT: Role roles/serviceusage.serviceAccountAdmin is not supported for this resource.

The link in the shell script is no longer valid. <https://forsetisecurity.org/docs/v2.0/concepts/service-accounts.html#permissions

Which set of permissions from here https://forsetisecurity.org/docs/latest/concepts/service-accounts.html should we be setting?

Maybe @morgante or someone from his team can do a code review.

The addition of the Dockerfile that builds a custom fluentd-gcp container is based on the Dockerfile in google-fluentd. The cleanup section (beginning at line 20) of that file should be tested and added back in.

When running ./_helpers/build-infra.sh I get:

Downloading modules/core_project_factory for project_network.project-factory...
Downloading terraform-google-modules/network/google 0.6.0 for vpc_pci...

• vpc_pci in .terraform/modules/vpc_pci/terraform-google-modules-terraform-google-network-1d3242b

Error: Module not found

The module address "modules/gsuite_group" could not be resolved.

If you intended this as a path relative to the current module, use
"./modules/gsuite_group" instead. The "./" prefix indicates that the address
is a relative filesystem path.

I am using terraform 0.12

I looks like it is related to terraform-google-modules/terraform-google-project-factory#214

• Call out that environment (prod v non-prod) are not considered in this demo
• Consider creating a “Known Issues” / “Gotcha” section in documentation. ie. That Forseti needs to be created before some variables can be set and re-applied

When trying to deploy the components infrastructure you currently run into the error "Master version "1.14.8-gke.12" is unsupported. This value needs to be upgraded to at least 1.14.10-gke.27.

Add a section that defines how we are meeting different PCI requirements with this project.

Stackdriver logs were getting populated with errors relating to the fact that the Debug API was not enabled, but data was being sent.

it would be nice to highlight config validator with the PCI terraform

I would like myself, Ian and Zeal to review everything right before we release and give a LGTM comment here.

• update terraform to include additional required permissions in the destination project

The Cloud Debug API is enable onthe projects, and some of the services are sending data, but additional configuration is required. See GoogleCloudPlatform/microservices-demo#87 for more details.

Currently, grpc_ssl_verify is set to off on checkoutservice's Nginx's grpc proxy. It should be possible to set this to on.

If we choose not to do this, let's make a note of it in the readme.

Upgrade guide here: https://www.terraform.io/upgrade-guides/0-12.html

• Notably, the bash style guide here: https://google.github.io/styleguide/shell.xml

• Call out that environment (prod v non-prod) are not considered in this demo #61
• Consider creating a “Known Issues” / “Gotcha” section in documentation. ie. That forsetti needs to be created before some variables can be set and re-applied #61
• Review for consistency with Google’s internal terraform standards guide #62
• in shared.tf, separate out variables and locals into separate files
• where applicable, like where there are long service account names, use locals. Example #63
• Ensure commented descriptions on all IAM bindings #55
• Migrate to use CFT log-export module #54
• Remove unused cluster outputs #53

Let's create one or two scripts that will build all the infrastructure and then deploy the applications.

There's an error stating that the NAT isn't created on first run because subnetwork isn't in "ready" state.

This project is currently on v1.3.3 of Istio, and 1.5 is current.

Instructions on how to tear down the demo infrastructure

Since the changes in #24 included provisioning the Kubernetes scheduler with the custom role "Firewall Admin", and the re-arrangement of the frontend to the in-scope cluster, some of the firewall rules that are in place are likely superfluous or incorrect.
Additionally, we need to add a rule to block port 80 to the frontend IP address entirely. See also kubernetes/ingress-gce#290:

apiVersion: extensions/v1beta1
metadata:
  annotations:
    kubernetes.io/ingress.allow-http: "false"

Setting the above doesn't close port 80 on the http/s LB, it disables that Ingress rule from serving content on port 80.

The instructions at https://github.com/GoogleCloudPlatform/terraform-pci-starter/blob/master/README.md#helm-installation-and-setup will most likely want to be modified to follow the guidance here: https://helm.sh/docs/using_helm/#using-ssl-between-helm-and-tiller to better protect the Tiller gRPC endpoint from malicious pods being able to access Tiller directly and install a privileged chart.

/cc @binamov

From code review follow up tasks #50

Currently, in-scope logs (application, audit, etc.) are sent to the in-scope project's Stackdriver logs, and the out-of-scope's are going to the out-of-scope project's. This means that logs are not viewable/ searchable across clusters. We'd probably want to change things so that they're both going to a single Stackdriver logging target.

This will require a PR/Issue with the Microservices Demo project: https://github.com/GoogleCloudPlatform/microservices-demo

From code review tasks #50

The terraform code should be refactored based on IAM, Network, IP, Projects, and Components so that users can be able to separate those categories into separate repositories if desired. Doing so would help to prevent a wide blast radius of an error/misconfiguration in a single terraform run. This is true especially as a preparation in moving to a CI/CD pipeline.