This repository has been archived by the owner on Jan 4, 2023. It is now read-only.

PCI on GKE Blueprint: PCI Deployable Architecture on Google Cloud and GKE


GoogleCloudPlatform/pci-gke-blueprint

PCI on GKE Blueprint

(Figure: high level project view)

This is the companion repository to the PCI on GKE Security Blueprint for the Google Cloud Platform. It contains a set of Terraform configurations and scripts to help demonstrate how to bootstrap a PCI environment in GCP. When appropriate, we also showcase GCP services, tools, or projects we think might be useful to start your own GCP PCI environment or as samples for any other purposes.

Here are the projects/services we make use of in this Blueprint:

Documentation

Quickstart

We recommend you read through the documentation in Building the Infrastructure and Deploying the Application but if you just want to get started:

  1. Follow the steps in Prerequisites
  2. Set up the workstation.env file as described in Workstation Configuration
  3. Run ./_helpers/build-infra.sh
  4. Run ./_helpers/deploy-app.sh

Prerequisites

Before starting, make sure your local environment is configured correctly: you need the correct tools installed and a GCP account with the correct permissions.

Installation Dependencies

GCP IAM Requirements

In order to execute this module you will need access to a Google Cloud Organization, with Organization Admin and Folder Admin permissions. Both roles grant control over the whole organization, so run the build from an identity set aside for it rather than from an everyday user account.

Authenticate to gcloud

  • Once the gcloud SDK is installed, run gcloud auth login to authenticate with your Google Account.

Workstation Configuration

This project comes with a workstation.env.example file that is intended to be copied and customized for your environment.

cp workstation.env.example workstation.env

You can find the values for YOUR_ORG_ID and YOUR_BILLING_ACCOUNT_ID using the following commands:

gcloud organizations list
gcloud beta billing accounts list

To create a folder, follow the instructions in the Google Cloud documentation linked here.

Most variables can be left as-is. The following ones are required to be set; see the in-line comments in workstation.env.example for details:

  • TF_VAR_org_id
  • TF_VAR_gsuite_id
  • TF_VAR_billing_account
  • TF_VAR_folder_id
  • TF_ADMIN_BUCKET
  • TF_VAR_frontend_zone_dns_name
  • GOOGLE_GROUPS_DOMAIN
  • SRC_PATH
  • REPOSITORY_NAME

You'll need to source your workstation.env file before executing any of the steps in this Blueprint:

source workstation.env

  • At this point, your workstation is ready. Continue from here by either running ./_helpers/build-infra.sh, or following the stepwise instructions for that script in Building the Infrastructure.
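A preflight script for the workstation.env procedure above, added here as an example and not one of the blueprint's own _helpers scripts. It sources the file in a subshell, reports every variable the list above calls required that is unset or empty, and checks that the IDs have the shape gcloud prints (numeric organization and folder IDs, a billing account ID of the form 012345-6789AB-CDEF01), so a half-edited file fails here rather than partway through terraform. The sample values written by write_sample_env are constructed for the demonstration and are not real IDs; the script name preflight.sh is an assumption.

```shell
#!/bin/sh
# Preflight check for workstation.env. Added example, not one of the
# blueprint's own _helpers scripts: verifies that every variable this
# README lists as required is set and that the IDs have the shape gcloud
# prints, before build-infra.sh gets as far as terraform.

# The required variables, as listed in the README.
REQUIRED_VARS="TF_VAR_org_id TF_VAR_gsuite_id TF_VAR_billing_account \
TF_VAR_folder_id TF_ADMIN_BUCKET TF_VAR_frontend_zone_dns_name \
GOOGLE_GROUPS_DOMAIN SRC_PATH REPOSITORY_NAME"

# check_env_file FILE: source FILE in a subshell (so the caller's environment
# is untouched) and report every required variable that is unset or empty.
# Returns 0 only if all of them are present.
check_env_file() {
  env_file="$1"
  [ -r "$env_file" ] || { echo "cannot read $env_file" >&2; return 1; }
  (
    . "$env_file"
    missing=0
    for var in $REQUIRED_VARS; do
      eval "val=\${$var:-}"
      if [ -z "$val" ]; then
        echo "missing or empty: $var" >&2
        missing=$((missing + 1))
      fi
    done
    [ "$missing" -eq 0 ]
  )
}

# check_id_formats ORG_ID FOLDER_ID BILLING_ACCOUNT: organization and folder
# IDs are numeric; billing account IDs look like 012345-6789AB-CDEF01. This
# catches the common mistake of pasting the display name instead of the ID
# column from `gcloud organizations list` / `gcloud beta billing accounts list`.
# Reports every bad value, then returns 1 if any were bad.
check_id_formats() {
  rc=0
  printf '%s\n' "$1" | grep -Eq '^[0-9]+$' \
    || { echo "TF_VAR_org_id must be numeric, got '$1'" >&2; rc=1; }
  printf '%s\n' "$2" | grep -Eq '^[0-9]+$' \
    || { echo "TF_VAR_folder_id must be numeric, got '$2'" >&2; rc=1; }
  printf '%s\n' "$3" | grep -Eq '^[0-9A-F]{6}-[0-9A-F]{6}-[0-9A-F]{6}$' \
    || { echo "TF_VAR_billing_account must look like 012345-6789AB-CDEF01, got '$3'" >&2; rc=1; }
  return "$rc"
}

# write_sample_env FILE: constructed sample values (not real IDs) so the
# checks can be exercised without a Google Cloud account.
write_sample_env() {
  cat > "$1" <<'EOF'
export TF_VAR_org_id=123456789012
export TF_VAR_gsuite_id=C01abcdef
export TF_VAR_billing_account=012345-6789AB-CDEF01
export TF_VAR_folder_id=987654321098
export TF_ADMIN_BUCKET=example-tf-admin-state
export TF_VAR_frontend_zone_dns_name=pci.example.com.
export GOOGLE_GROUPS_DOMAIN=example.com
export SRC_PATH=/home/user/src/pci-gke-blueprint
export REPOSITORY_NAME=pci-gke-blueprint
EOF
}

# Usage: sh preflight.sh workstation.env
if [ -n "${1:-}" ]; then
  check_env_file "$1" \
    && ( . "$1"; check_id_formats "$TF_VAR_org_id" "$TF_VAR_folder_id" "$TF_VAR_billing_account" ) \
    && echo "$1 looks complete; safe to source and run ./_helpers/build-infra.sh"
fi
```

Run it as `sh preflight.sh workstation.env` after editing the file and before `source workstation.env`. The checks are deliberately done in a subshell so that a broken or partially filled file never leaves stray TF_VAR_* values in the shell that later runs build-infra.sh.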

Known Issues and Limitations

  • If your GCP Organization is shared between other users or teams, consult your Organization Admins before building the Blueprint.
  • This Blueprint does not implement a multi-environment setup. There is no "pre-prod", "staging", or "production" differentiation. However, there is no reason that this Blueprint couldn't be expanded to accommodate such a setup if you so choose.
  • This Blueprint is meant to showcase various GCP features and act as a starting point for building a security-focused environment aimed at PCI compliance. This Blueprint has been reviewed by Coalfire, but deploying an application into this environment does not by itself make that application PCI-DSS compliant.
  • As currently designed, http:// requests are redirected to https:// via HTTP header inspection by the frontend microservice. More details in HTTP to HTTPS redirection

Helpful Links