{"id":13510472,"url":"https://github.com/google/devops-governance","last_synced_at":"2025-03-30T16:33:39.599Z","repository":{"id":39887223,"uuid":"479047066","full_name":"google/devops-governance","owner":"google","description":"A CI/CD Approach \u0026 Framework for infrastructure that can be used in governance heavy organizations and is intended to give the developers as much autonomy as possible to do their work following DevOps \u0026 GitOps principles.","archived":false,"fork":false,"pushed_at":"2024-04-15T14:44:47.000Z","size":349,"stargazers_count":73,"open_issues_count":2,"forks_count":21,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-07-31T09:37:04.618Z","etag":null,"topics":["cloud","devops","devops-enablement","devops-pipeline","devops-team","devops-tech-enablement","devops-tools","devops-workflow","devsecops","devsecops-best-practices","gitops","gitops-framework"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/google.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-04-07T15:37:57.000Z","updated_at":"2024-06-08T21:11:03.000Z","dependencies_parsed_at":"2024-01-13T19:26:44.743Z","dependency_job_id":"3405cc0c-3333-4e58-a7e1-f6bccdd7ee71","html_url":"https://github.com/google/devops-governance","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fdevops-governance","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposito
ries/google%2Fdevops-governance/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fdevops-governance/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fdevops-governance/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/google","download_url":"https://codeload.github.com/google/devops-governance/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":222566739,"owners_count":17004237,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud","devops","devops-enablement","devops-pipeline","devops-team","devops-tech-enablement","devops-tools","devops-workflow","devsecops","devsecops-best-practices","gitops","gitops-framework"],"created_at":"2024-08-01T02:01:40.432Z","updated_at":"2024-11-01T11:30:21.629Z","avatar_url":"https://github.com/google.png","language":null,"readme":"# DevOps Governance\n\nA **CI/CD Approach \u0026 Framework** for infrastructure that can be used in governance heavy organizations and is intended to give the developers as much autonomy as possible to do their work following **DevOps \u0026 GitOps** principles.\n\n![DevOps-Governance](https://user-images.githubusercontent.com/94000358/165718961-d794fa0e-7f0e-4b45-87e8-124e95ce692a.png)\n\nThe DevOps Governance framework is an **opinionated**  **developer centric approach to infrastructure CI/CD** with the **enterprise governance** taken into account.\n\nIn order to reduce friction in enterprise adoption it makes sense to look at the main 
stakeholders of a CI/CD system, which are the developers. The worst pain for developers is being blocked by bureaucratic processes and approvals. To create a certain level of agility in enterprise environments, developers need to be enabled and as autonomous as possible (DevOps principles).\n\nOne of these approaches to create this agility is to utilize a system like Gitlab or Github, which allows developers to define their pipelines in code and take ownership of their DevOps infrastructure pipelines. In enterprise environments we are however faced with regulations (NIST, ISO) and therefore need to also work with the security teams to make sure that we align on governance requirements.\n\nBy making use of Gitlab or Github (or any other tools that offer protected branches \u0026 pipeline as code), Workload Identity Federation and Gitflow, we are able to cover the security teams' requirements whilst at the same time giving the developers the required autonomy to do their work. \n\nDevOps governance will give infrastructure teams the required flexibility whilst still adhering to security requirements with “guardrails”.\n\n## Guardrail \u0026 pipeline examples for individual workloads\n\nTo demonstrate how to enforce guardrails and pipelines for Google Cloud we provide the \"Guardrail Examples\". The purpose of these examples is to demonstrate how to provision access \u0026 guardrails to new workloads with IaC. We provide you with the following 3 different components:\n\n\u003cimg width=\"996\" alt=\"Guardrail Examples\" src=\"https://user-images.githubusercontent.com/94000358/224197342-95270909-49b2-43b4-acb3-fe01a5fe579b.png\"\u003e\n\n-   The *Folder Factory* creates folders and sets guardrails in the form of organisational policies on folders.\n\n-   The *Project Factory* sets up projects for teams. For this it creates a deployment service account, links this to a Github repository and defines the roles and permissions that the deployment service account has. 
\n\nThe Folder Factory and the Project Factory are usually maintained centrally (by a cloud platform team) and used to manage the individual workloads. \n\n-   The *Skunkworks - IaC Kickstarter* is a template that can be used to give any new teams a functioning IaC deployment pipeline and repository structure.\n\nThis template is based on an \"ideal\" initial pipeline which is as follows:\n\n![Ideal Pipeline Generic](https://user-images.githubusercontent.com/94000358/224196745-4ce7e761-82d4-4eba-b0b2-2912ca73eccb.png)\n\nA video tutorial covering how to set up the guardrails for Github can be found here: https://www.youtube.com/watch?v=bbUNsjk6G7I\n\nThe instructions above set out how to implement the Guardrail Examples for Github. We do however also provide support for other platforms.\n\n\n## Workload Identity federation\n\nTraditionally, applications running outside Google Cloud (like CICD tools) can use service account keys to access Google Cloud resources. However, service account keys are powerful credentials, and can present a security risk if they are not managed correctly.\n\nWith identity federation, you can use Identity and Access Management (IAM) to grant external identities IAM roles, including the ability to impersonate service accounts. This approach eliminates the maintenance and security burden associated with service account keys.\n\nWorkload identity federation enables applications running outside of Google Cloud to replace long-lived service account keys with short-lived access tokens. \nThis is achieved by configuring Google Cloud to trust an external identity provider, so applications can use the credentials issued by the external identity provider to impersonate a service account. 
\n\nThe WIF strategy that we employ in our pipelining is to create environment branches, which we then map to service accounts.\n\n![Service Account Example](https://user-images.githubusercontent.com/94000358/224196168-bdab699d-4457-46b0-8e3a-68cfc1e9c3d7.png)\n\nIf you do require additional assistance to set up Workload Identity Federation have a look at: https://www.youtube.com/watch?v=BuyoENMmtVw\n\n### High Level Process\n* GCP\n  - Create a Workload Identity Pool\n  - Create a Workload Identity Provider\n  - Create a Service Account and grant permissions\n \n* CICD tool\n  - Specify where the pipeline configuration file resides\n  - Configure variables to pass relevant information to GCP to generate short-lived tokens\n\nThe [examples/guardrails](/examples/guardrails) section covers different CICD tools and how to leverage Workload Identity Federation. \n\n## Supported Platforms\n\n  - [Bitbucket](/examples/guardrails/bitbucket) \n  - [Cloudbuild](/examples/guardrails/cloudbuild) \n  - [Github](/examples/guardrails/github) \n  - [Gitlab](/examples/guardrails/gitlab) \n  - [Jenkins](/examples/guardrails/jenkins) \n  - [Terraform-Cloud](/examples/guardrails/terraform-cloud) \n  \n## Disclaimer\n\nThis is not an officially supported Google product.\n","funding_links":[],"categories":["Others","cloud"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fdevops-governance","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogle%2Fdevops-governance","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fdevops-governance/lists"}
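The README's "environment branch mapped to a service account" strategy and its "High Level Process" for Workload Identity Federation can be made concrete with the following added example. It is not code from the google/devops-governance repository; it renders the GCP-side gcloud commands (pool, OIDC provider, service-account bindings) and mirrors the two checks WIF performs on a GitHub Actions OIDC token: the provider's attribute condition (reject any repository but the allowed one) and the per-branch `principalSet://` binding that grants `roles/iam.workloadIdentityUser` on exactly one service account. The project number, pool/provider IDs, repository name and service-account e-mails are assumed placeholders.

```python
"""Branch -> service account mapping via Workload Identity Federation (GitHub OIDC).

Added example, not code from the google/devops-governance project. All names
below (project, pool, provider, repository, service-account e-mails) are
assumptions for illustration; the gcloud flags are the documented ones.
"""
import re
from typing import Dict, List, Optional

# --- assumed deployment constants -----------------------------------------
PROJECT_ID = "my-workload-project"        # assumption
PROJECT_NUMBER = "123456789012"           # assumption
POOL_ID = "github-pool"                   # assumption
PROVIDER_ID = "github-provider"           # assumption
REPOSITORY = "example-org/infra-repo"     # assumption: the only repo allowed in
ISSUER = "https://token.actions.githubusercontent.com"  # GitHub Actions OIDC issuer

# Environment branch -> deployment service account (assumed e-mails).
BRANCH_TO_SA: Dict[str, str] = {
    "refs/heads/dev":  f"deploy-dev@{PROJECT_ID}.iam.gserviceaccount.com",
    "refs/heads/test": f"deploy-test@{PROJECT_ID}.iam.gserviceaccount.com",
    "refs/heads/prod": f"deploy-prod@{PROJECT_ID}.iam.gserviceaccount.com",
}

# Token claims copied into pool attributes; google.subject is mandatory.
ATTRIBUTE_MAPPING = (
    "google.subject=assertion.sub,"
    "attribute.repository=assertion.repository,"
    "attribute.ref=assertion.ref"
)
# Provider-level guardrail: a token from any other repository is rejected
# before any service-account binding is even consulted.
ATTRIBUTE_CONDITION = f"assertion.repository == '{REPOSITORY}'"


def principal_set(ref: str) -> str:
    """IAM member matching every federated identity whose attribute.ref == ref."""
    return (f"principalSet://iam.googleapis.com/projects/{PROJECT_NUMBER}"
            f"/locations/global/workloadIdentityPools/{POOL_ID}/attribute.ref/{ref}")


def gcloud_commands() -> List[str]:
    """Render the GCP side of the README's High Level Process as gcloud commands."""
    cmds = [
        f"gcloud iam workload-identity-pools create {POOL_ID} "
        f"--location=global --project={PROJECT_ID}",
        f"gcloud iam workload-identity-pools providers create-oidc {PROVIDER_ID} "
        f"--location=global --workload-identity-pool={POOL_ID} --project={PROJECT_ID} "
        f'--issuer-uri="{ISSUER}" --attribute-mapping="{ATTRIBUTE_MAPPING}" '
        f'--attribute-condition="{ATTRIBUTE_CONDITION}"',
    ]
    # One binding per environment: only tokens minted on that branch may
    # impersonate that branch's deployment service account.
    for ref, sa in BRANCH_TO_SA.items():
        cmds.append(
            f"gcloud iam service-accounts add-iam-policy-binding {sa} "
            f"--project={PROJECT_ID} --role=roles/iam.workloadIdentityUser "
            f'--member="{principal_set(ref)}"'
        )
    return cmds


def evaluate_condition(claims: Dict[str, str]) -> bool:
    """Evaluate the single-clause attribute condition the way the provider would."""
    m = re.fullmatch(r"assertion\.(\w+) == '([^']*)'", ATTRIBUTE_CONDITION)
    claim, expected = m.group(1), m.group(2)
    return claims.get(claim) == expected


def service_account_for(claims: Dict[str, str]) -> Optional[str]:
    """Which service account may a pipeline presenting these OIDC claims impersonate?

    Mirrors WIF: the provider rejects the token unless the attribute condition
    holds, then IAM grants roles/iam.workloadIdentityUser only where a
    principalSet matches the mapped attribute.ref. None means no impersonation.
    """
    if not evaluate_condition(claims):
        return None
    mapped_ref = claims.get("ref")  # attribute.ref=assertion.ref in the mapping
    return BRANCH_TO_SA.get(mapped_ref)


if __name__ == "__main__":
    for cmd in gcloud_commands():
        print(cmd)
    # Constructed claims, as a GitHub Actions OIDC token would carry them.
    prod_push = {"repository": REPOSITORY, "ref": "refs/heads/prod"}
    fork_push = {"repository": "attacker/fork", "ref": "refs/heads/prod"}
    pull_req = {"repository": REPOSITORY, "ref": "refs/pull/42/merge"}
    for c in (prod_push, fork_push, pull_req):
        print(c["repository"], c["ref"], "->", service_account_for(c))
```

Two caveats follow from the mapping. First, the binding is only as strong as the branch: anyone who can push to `prod` obtains the prod service account, so the environment branches must be protected branches with enforced review, which is exactly why the README pairs WIF with protected branches. Second, a pull-request build carries `ref` = `refs/pull/N/merge` and therefore maps to no service account, which is the intended outcome for untrusted contributions.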