Create New "Security Department" Top-Level Folder in GCP

The Security Department would like to have a fresh start in the GitLab.com GCP organization:

• Create the below folder structure, dev & live subfolders, and initial projects with terraform, in a new repo
• Stretch Goal: Provide access for a Security Department/ owner's group to manage projects within the Security Department/ hierarchy

GCP Resource Hierarchy

• Security Department/ Folder
  • Groups
    • Security Admins (gcp-security-admin-sg@gitlab.com) - owner access
    • Security Developers (gcp-security-dev-sg@gitlab.com) - app user access
    • Security User (gcp-security-user-sg@gitlab.com) - app user access
  • Folders
    • Security Department/dev Folder
      • Groups
        • Security Admins (gcp-security-admin-sg@gitlab.com) - full owner access
        • Security Developers (gcp-security-dev-sg@gitlab.com) - full admin access changes
        • Security User (gcp-security-user-sg@gitlab.com) - app user access
      • Projects
        • Security Department/dev/automation
    • Security Department/live Folder
      • Groups
        • Security Admins (gcp-security-admin-sg@gitlab.com) - full owner access
        • Security Developers (gcp-security-dev-sg@gitlab.com) - app user access inherits
        • Security User (gcp-security-user-sg@gitlab.com) - app user access
      • Projects
        • Security Department/live/automation
          • Security Automation Admins (gcp-secauto-admin-sg@gitlab.com) - full admin access

Security

Provide a list of data and the corresponding classification that will be used in this project and how it will be accessed.

Group Project Access Checklist

Make sure the following criteria is met and understood by the project administrator.

• If the gitlab.com database is copied, that data has been processed by the pseudonymization script.
• Regular security updates are applied to all nodes in the project.
• Unused instances will be removed in a timely manner
• The Project Administrator is responsible for any users or additional administrators that they add to the project
• The Project Administrator is responsible for justifying any cloud spend within the project.
• Group Projects are intended for development, test, or demo work. Everything in these projects is considered temporary.

Infrastructure Tasks

• Create a new branch that is not the same as the group name and is less than 25 characters long. For example, add-telemetry-group.
• Create file in https://ops.gitlab.net/gitlab-com/group-projects named environments/(group name from above).tfvars by copying an existing file and changing the Administrator and Group Name variables
• Once the pipeline succeeds, review the changes are correct and stop the review by activating the stop_review job
• Merge the change to master
• Create a branch from master named (group name from above) and push
• Verify that the pipeline completed successfully at https://ops.gitlab.net/gitlab-com/group-projects/pipelines
• (Optional) If the group does not start with group-* or gitlab-qa-*k, add the newly created branch as a protected branch.