Infrastructure as Code/Data for non-k8s infrastructure #135

Open
4 of 10 tasks
Stephen-ONeil opened this issue Oct 6, 2023 · 1 comment
Labels
dev ops CI/CD, infrastructure, etc k8s

Comments


Stephen-ONeil commented Oct 6, 2023

TODO:

  • determine choice of IAC/IAD tooling. KCC?
    • don't have to get it right the first time, just pick one that everyone at least agrees on in theory
    • going with config connector
  • convert the remaining infrastructure represented by deploy/gcloud_init_setup.sh
    • DNS managed zone
    • Artifact registry for app server images
    • Cloud storage for test coverage reports
    • Cloud build IAM (read/write to the test coverage bucket)
    • GitHub trigger, although that's tricky. The repository connection needs to be made first, and may not be something we can automate
    • Cloud trace (well, all we need is for the API to be enabled, but this needs to be captured for cold starts in new GCP projects)
    • Uptime monitoring. This one's already Pulumi, we might be able to generate the k8s yaml, although note the caveats
  • try to identify and capture any other pieces of necessary infrastructure which were click-ops-ed into the current project
@Stephen-ONeil Stephen-ONeil added dev ops CI/CD, infrastructure, etc k8s labels Oct 6, 2023
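As an added illustration of what the Config Connector conversion of the `deploy/gcloud_init_setup.sh` items could look like (example manifests, not the project's own code): one `Service` for the Cloud Trace API, a `DNSManagedZone`, an `ArtifactRegistryRepository`, the coverage `StorageBucket`, the Cloud Build IAM binding on that bucket, and a `CloudBuildTrigger`. Project id, project number, zone name, region, repository owner/name and bucket names are placeholders. The trigger manifest assumes the GitHub app connection has already been installed by hand, as the TODO above notes.

```yaml
# Added example, not from the project: KCC manifests for the resources listed
# in the TODO. All PLACEHOLDER values are assumptions to be replaced.

# Cloud Trace only needs the API enabled; KCC's Service kind captures that so
# new projects don't cold-start without it.
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  name: cloudtrace.googleapis.com
spec:
  projectRef:
    external: projects/PROJECT_ID_PLACEHOLDER
---
# DNS managed zone with DNSSEC turned on.
apiVersion: dns.cnrm.cloud.google.com/v1beta1
kind: DNSManagedZone
metadata:
  name: app-zone
  annotations:
    cnrm.cloud.google.com/project-id: PROJECT_ID_PLACEHOLDER
spec:
  dnsName: "ZONE_PLACEHOLDER.example.com."
  description: Public zone for the app
  dnssecConfig:
    state: "on"
---
# Artifact Registry repository for app server images.
apiVersion: artifactregistry.cnrm.cloud.google.com/v1beta1
kind: ArtifactRegistryRepository
metadata:
  name: app-server-images
  annotations:
    cnrm.cloud.google.com/project-id: PROJECT_ID_PLACEHOLDER
spec:
  format: DOCKER
  location: REGION_PLACEHOLDER
  description: App server container images
---
# Cloud Storage bucket for test coverage reports. Uniform bucket-level
# access and public access prevention keep per-object ACLs and accidental
# public exposure off the table.
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: test-coverage-reports-PLACEHOLDER
  annotations:
    cnrm.cloud.google.com/project-id: PROJECT_ID_PLACEHOLDER
spec:
  location: REGION_PLACEHOLDER
  uniformBucketLevelAccess: true
  publicAccessPrevention: enforced
---
# Cloud Build service account gets read/write on the coverage bucket only,
# rather than a project-wide storage role.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: cloudbuild-coverage-readwrite
spec:
  member: serviceAccount:PROJECT_NUMBER_PLACEHOLDER@cloudbuild.gserviceaccount.com
  role: roles/storage.objectAdmin
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    name: test-coverage-reports-PLACEHOLDER
---
# GitHub push trigger. Prerequisite (manual, not captured here): the Cloud
# Build GitHub app must already be connected to the repository.
apiVersion: cloudbuild.cnrm.cloud.google.com/v1beta1
kind: CloudBuildTrigger
metadata:
  name: app-ci-on-push
  annotations:
    cnrm.cloud.google.com/project-id: PROJECT_ID_PLACEHOLDER
spec:
  description: Build and test on pushes to main
  github:
    owner: OWNER_PLACEHOLDER
    name: REPO_PLACEHOLDER
    push:
      branch: ^main$
  filename: cloudbuild.yaml
```

Applied with `kubectl apply -f` against a cluster where Config Connector is installed, each manifest becomes a reconciled GCP resource; the per-resource `cnrm.cloud.google.com/project-id` annotation can be dropped if the namespace carries it instead.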

Stephen-ONeil commented Dec 18, 2023

Additional, newer, infrastructure to capture:

  • ensure that all relevant security APIs are enabled
  • GKE autopilot cluster (+ bootstrapping?)
  • service account for cert manager (DNS solver)
  • service account and storage bucket for CloudNativePG backups
  • service account for SOPS

Infrastructure not currently found in the experimental project, but planned/anticipated for prod:

  • custom VPC with limited subnets
  • logging:
    • set appropriate retention window (default might be fine, but setting it explicitly will make it easier to document enforcement)
    • create sinks to copy audit level logs (GCP audit logs, logs about flux changes, new app images, app-level audit logs, etc) to a bucket with a longer retention window. May need to also send these logs to a DTB logging endpoint, TBD
    • might be worth implementing these suggestions in general
  • if we want Cloud Armor's WAF capabilities:
    • a regional external application load balancer (+ certificate, although it could use the cluster cert I believe)
    • Cloud Armor Security Policy with WAF rules
  • Identity aware proxy configured for HC's AD
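As an added example of the logging and Cloud Armor items above (illustrative Config Connector manifests, not the project's own code): an explicit retention window on the project's `_Default` log bucket, a long-retention Cloud Storage archive bucket, a `LoggingLogSink` copying GCP audit logs into it, the IAM binding for the sink's writer identity, and a `ComputeSecurityPolicy` with a preconfigured WAF rule. Project id, bucket names, retention numbers, region and the choice of WAF rule are placeholders; managing the built-in `_Default` bucket via `spec.resourceID` is an assumption about the KCC version in use.

```yaml
# Added example, not from the project. PLACEHOLDER values and retention
# figures are assumptions; the DTB endpoint forwarding mentioned above is
# not modelled here.

# Explicit retention on the default log bucket, so the window is documented
# in code rather than left at the console default. (Assumption: the
# built-in _Default bucket is addressed via spec.resourceID.)
apiVersion: logging.cnrm.cloud.google.com/v1beta1
kind: LoggingLogBucket
metadata:
  name: default-log-bucket
spec:
  resourceID: _Default
  location: global
  retentionDays: 30
  projectRef:
    external: projects/PROJECT_ID_PLACEHOLDER
---
# Archive bucket with a longer window. The retention policy blocks deletion
# before the period expires; the lifecycle rule cleans up afterwards.
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: audit-log-archive-PLACEHOLDER
  annotations:
    cnrm.cloud.google.com/project-id: PROJECT_ID_PLACEHOLDER
spec:
  location: REGION_PLACEHOLDER
  uniformBucketLevelAccess: true
  publicAccessPrevention: enforced
  retentionPolicy:
    retentionPeriod: 34128000   # 395 days in seconds (placeholder)
    isLocked: false             # lock only once the window is agreed
  lifecycleRule:
    - action:
        type: Delete
      condition:
        age: 400                # days; must exceed the retention period
---
# Sink copying audit logs into the archive. Extend the filter to cover
# flux changes, image pushes and app-level audit logs as they are defined.
apiVersion: logging.cnrm.cloud.google.com/v1beta1
kind: LoggingLogSink
metadata:
  name: audit-log-sink
spec:
  projectRef:
    external: projects/PROJECT_ID_PLACEHOLDER
  destination:
    storageBucketRef:
      name: audit-log-archive-PLACEHOLDER
  filter: 'logName:"cloudaudit.googleapis.com"'
  uniqueWriterIdentity: true
---
# The sink's generated writer identity only needs to create objects.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: audit-log-sink-writer
spec:
  memberFrom:
    logSinkRef:
      name: audit-log-sink
  role: roles/storage.objectCreator
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    name: audit-log-archive-PLACEHOLDER
---
# Cloud Armor policy to attach to the external application load balancer's
# backend service. One preconfigured WAF rule plus the mandatory default.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSecurityPolicy
metadata:
  name: app-waf-policy
  annotations:
    cnrm.cloud.google.com/project-id: PROJECT_ID_PLACEHOLDER
spec:
  description: Preconfigured WAF rules in front of the app
  rule:
    - action: deny(403)
      priority: 1000
      description: Block SQL injection patterns (placeholder rule choice)
      match:
        expr:
          expression: "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})"
    - action: allow
      priority: 2147483647
      description: Default rule
      match:
        versionedExpr: SRC_IPS_V1
        config:
          srcIpRanges:
            - "*"
```

Start the WAF rule in `preview: true` mode (a field on each rule) to log matches without blocking, then switch to enforcement once the false-positive rate on real traffic is known.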
