# Derived values shared by the audit-project resources in this file.
locals {
    # Local part of the MCommunity group address, lower-cased with dots
    # replaced by dashes so it can be used inside GCP resource names.
    short_mcomm = lower(replace(split("@", var.mcomm_group_email)[0],".","-"))

    # GCP project ids are limited to 30 characters: the customer part is
    # truncated so that prefix + customer + "-" + the 4-hex-char suffix from
    # random_id.id (byte_length = 2, further down) still fits.
    project_id_prefix = "${var.division}-audit-"
    project_id_customer = substr(local.short_mcomm,0,30-5-length(local.project_id_prefix))
    project_id = "${local.project_id_prefix}${local.project_id_customer}-${random_id.id[0].hex}"

    # Display name, also capped at 30 characters.
    project_name = substr("${var.division} Audit ${local.short_mcomm}",0,30)

    # Fixed security contact; goes into curl_body and into the
    # null_resource.customer_database triggers.
    security_contact = "security@umich.edu"
    # customer_service_account_id = "${local.customer_service_account_prefix}${local.customer_service_account_suffix}"
    # Placeholder filter; only referenced by the commented-out project sink
    # at the bottom of this file.
    filter_string = "Change_Me_to_Send_Additional_Logs_to_Splunk; Leave_Exclusions_in_Place_PLEASE"
    # Log streams captured by the aggregated sinks: the Cloud Audit Log types
    # (activity, system_event, access_transparency, data_access) in both their
    # cloudaudit and externalaudit forms, plus VPC flow logs.
    # NOTE(review): data_access entries only exist where Data Access audit
    # logging is enabled on the folder/projects -- the sink filter does not
    # turn it on; confirm that configuration separately.
    log_filter_list = [
      "log_id(\"cloudaudit.googleapis.com/activity\")",
      "log_id(\"externalaudit.googleapis.com/activity\")",
      "log_id(\"cloudaudit.googleapis.com/system_event\")", 
      "log_id(\"externalaudit.googleapis.com/system_event\")",
      "log_id(\"cloudaudit.googleapis.com/access_transparency\")",
      "log_id(\"externalaudit.googleapis.com/access_transparency\")",
      "log_id(\"cloudaudit.googleapis.com/data_access\")",
      "log_id(\"externalaudit.googleapis.com/data_access\")",
      "log_id(\"compute.googleapis.com/vpc_flows\")",
    ]
    # OR-joined filter expression used by every sink in this file.
    log_filters = join(" OR ", local.log_filter_list)

    # JSON payload POSTed to var.database_function_url by
    # null_resource.customer_database. The data-type flags are fixed here
    # (PHI and IT security information set to true) rather than taken from
    # variables.
    # NOTE(review): confirm the fixed classification is right for every
    # division this configuration is applied to.
    curl_body           = {
        kind               = "project"
        security_contact   = local.security_contact
        mcomm_group_email  = var.mcomm_group_email
        shortcode          = var.shortcode
        vpn                = false 
        dt_phi             = true
        dt_ferpa           = false
        dt_pii             = false
        dt_glba            = false
        dt_hsr             = false
        dt_ssn             = false
        dt_acp             = false
        dt_it_sec_info     = true
        dt_itar            = false
        dt_pci             = false
        dt_fisma           = false
        dt_other_data      = false
        dt_other_data_info = ""
    }
    # Monitoring project id, i.e. element 2 of
    # "pubsub.googleapis.com/projects/<project>/topics/<topic>". Currently only
    # referenced by the commented-out google_pubsub_topic_iam_member at the
    # bottom of this file.
    log_export_project = split("/",local.log_export_destination[var.environment][var.division])[2]
    
    # Pub/Sub topic per environment and division for the (currently disabled)
    # Splunk export. A var.environment / var.division pair with no entry here
    # (e.g. "dev") is an error at plan time.
    log_export_destination = {
        //dev = ""
        test = {
            its               = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/gcp-at-um-logs-test"
            campus            = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/gcp-at-um-logs-test"
            # michigan_medicine = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/gcp-at-um-logs-test"
            mm                = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/gcp-at-um-logs-test"
            hipaa             = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/hipaa-logs-test"
            # "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/hipaa-logs-test"
              
        } 
        prod = {
            its               = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-prod"
            campus            = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-prod"
            # michigan_medicine = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-prod"
            # NOTE(review): prod.mm points at the *test* monitoring project and
            # topic, unlike every other prod entry; the commented
            # michigan_medicine line above names the prod topic. Looks like a
            # copy-paste slip -- confirm before the project sink is re-enabled.
            mm                = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/gcp-at-um-logs-test"
            hipaa             = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/hipaa-logs-prod" # "pubsub.googleapis.com/projects/${var.division}-logs-${var.environment}" 
        }
    }

    # count values (1 or 0) for the resources below. In the last line `||`
    # binds tighter than `? :`, so it reads (gcs || big_query) ? 1 : 0.
    big_query_enabled        = var.big_query ? 1 : 0
    gcs_enabled              = var.gcs ? 1 : 0
    big_query_or_gcs_enabled = var.gcs || var.big_query ? 1 : 0

    # Bucket retention period: one day less than the lifecycle Delete age, so
    # the Delete rule can act as soon as retention has expired.
    # NOTE(review): this does arithmetic on var.gcs_expiration_days directly,
    # while the bucket's dynamic Delete rule treats null as a valid value; a
    # null here is an error. Guard it with a conditional if null is meant to
    # be supported.
    gcs_expiration_seconds   = (var.gcs_expiration_days - 1) * 24 * 60 * 60
}

# Audit project that holds the BigQuery dataset and/or the GCS bucket for the
# customer's folder. Only created when at least one destination is enabled
# (local.big_query_or_gcs_enabled is 1 or 0).
resource "google_project" "gcp_project" {
  count = local.big_query_or_gcs_enabled

  project_id      = local.project_id
  name            = local.project_name
  folder_id       = var.folder_id
  billing_account = var.billing_id

  # No default VPC: the project exists only to store logs.
  auto_create_network = false

  labels = {
    shortcode = var.shortcode
  }

  # project_id carries a random suffix and name is derived from inputs;
  # changes to either must not replace an existing project.
  lifecycle {
    ignore_changes = [
      project_id,
      name,
    ]
  }
}

# Folder-level log sink into the BigQuery dataset created by
# module.destination_bq, using the Google log-export module (version pinned).
module "log_export_bq" {
  count   = local.big_query_enabled
  source  = "terraform-google-modules/log-export/google"
  version = "5.1.0"

  # Aggregate across the customer folder, including every child project.
  parent_resource_type = "folder"
  parent_resource_id   = var.folder_id
  include_children     = true

  log_sink_name   = "${var.division}-audit-bq"
  filter          = local.log_filters
  destination_uri = module.destination_bq[0].destination_uri

  # Dedicated writer service account for this sink; the dataset module grants
  # it access through log_sink_writer_identity.
  unique_writer_identity = true
}

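# BigQuery dataset that receives module.log_export_bq, via the bigquery
# submodule of the same Google log-export module.
module "destination_bq" {
  count  = local.big_query_enabled
  source = "terraform-google-modules/log-export/google//modules/bigquery"
  # Pinned to the same release as module.log_export_bq so the two halves of
  # the log-export module cannot drift apart on a fresh `terraform init`.
  version = "5.1.0"

  project_id = google_project.gcp_project[0].project_id
  # Dataset ids only allow letters, digits and underscores, hence the replace.
  dataset_name = replace("${var.division}-audit-${local.short_mcomm}-${random_id.id[0].hex}", "-", "_")
  description  = "Aggregated Log Sink (folder) - ${var.division} Customer Logs"
  location     = "US"

  # The sink's writer identity is granted access to the dataset by the module.
  log_sink_writer_identity = module.log_export_bq[0].writer_identity

  # Retention in days, passed through to the module.
  expiration_days = var.big_query_retention
}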

# Query access to the audit dataset for the auditors group and the customer's
# MCommunity group.
# NOTE(review): *_iam_binding is authoritative for roles/bigquery.user on this
# dataset -- any member given that role outside Terraform is removed on the
# next apply.
resource "google_bigquery_dataset_iam_binding" "bq_user" {
  count = local.big_query_enabled

  project    = google_project.gcp_project[0].project_id
  dataset_id = module.destination_bq[0].resource_name
  role       = "roles/bigquery.user"

  members = [
    "group:${var.audit_logs_access}",
    "group:${var.mcomm_group_email}",
  ]
}

# resource "google_bigquery_dataset_iam_binding" "job_user" {
#   project       = google_project.gcp_project.project_id
#   dataset_id    = module.destination_bq.resource_name
#   role          = "roles/bigquery.jobUser"

#   members       = [
#     "user:kenmoore@umich.edu",
#   ]
# }
# Google-signed ID token for the HTTP endpoint behind var.database_function_url
# (the audience is that URL). As with any data source, the token value is
# persisted in Terraform state -- keep access to the state backend restricted.
data "google_service_account_id_token" "customer_db_token" {
  target_audience = var.database_function_url
}

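# Registers the customer record with the endpoint behind
# var.database_function_url by POSTing local.curl_body once, and again
# whenever one of the trigger values changes.
resource "null_resource" "customer_database" {
  triggers = {
    security_contact  = local.security_contact
    mcomm_group_email = var.mcomm_group_email
    shortcode         = var.shortcode
  }

  provisioner "local-exec" {
    # URL, token and body are handed to curl through the environment instead
    # of being interpolated into the command line: a quote in an input value
    # (e.g. the group email) can no longer break out of the shell quoting,
    # and the bearer token does not appear in the process argument list.
    # --fail turns a non-2xx response into a provisioner error instead of a
    # silently "successful" apply.
    environment = {
      CUSTOMER_DB_URL   = var.database_function_url
      CUSTOMER_DB_TOKEN = data.google_service_account_id_token.customer_db_token.id_token
      CUSTOMER_DB_BODY  = jsonencode(local.curl_body)
    }
    command = "curl --fail --silent --show-error \"$CUSTOMER_DB_URL\" -H \"Authorization: Bearer $CUSTOMER_DB_TOKEN\" -H \"Content-Type: application/json\" -d \"$CUSTOMER_DB_BODY\""
  }
}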


# Project-wide read access for the customer's MCommunity group.
# NOTE(review): roles/viewer is a basic role and spans everything readable in
# the audit project; confirm project-wide read (rather than the dataset- and
# bucket-scoped grants elsewhere in this file) is what the customer needs.
resource "google_project_iam_member" "project_iam" {
  count = local.big_query_or_gcs_enabled

  project = google_project.gcp_project[0].project_id
  member  = "group:${var.mcomm_group_email}"
  role    = "roles/viewer"
}

# # Create logging config # # - use Google Module to create export to splunk

# module "gcp-at-um-project" {
#     count = var.division == "hipaa" ? 1 : 0
#     source = "/mnt/c/Users/kenmoore/Documents/code/projects/terraform-google-gcp-at-um-project"
#     project_name = "${var.division}-audit-${local.short_mcomm}"
#     # project_id = ""
#     folder_id = google_folder.customer_folder.id # "958858037302" # module.gcp-at-um-customer.google_folder.customer_folder.folder_id # need to get this from the customer module    
#     mcomm_group_email = "gcp.admins@umich.edu" # need a var for auditors for hipaa?
#     billing_id = "010AF9-D1F2C5-DCC86F" # should be from output - billing_account_id
#     security_contact = "mjsager@umich.edu"
#     egress_waiver = true
#     red_hat_byol = false
#     shortcode = "048843"
#     requestor = "kenmoore@umich.edu"      
#     vpn = false    
#     log_export_destination = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/hipaa-logs-test"
# }

# Lien on the audit project (work in progress)
# Deletion lien: blocks resourcemanager.projects.delete on the audit project
# while it holds the customer's logs.
resource "google_resource_manager_lien" "project_lien" {
  count = local.big_query_or_gcs_enabled

  parent       = "projects/${google_project.gcp_project[0].project_id}"
  restrictions = ["resourcemanager.projects.delete"]
  origin       = "Prevent deletion of ${google_project.gcp_project[0].project_id}"
  reason       = "${google_project.gcp_project[0].project_id} holds the audit logs for ${var.division} customer folder id ${var.folder_id}"
}

# Two random bytes (4 hex characters) appended to the project id, dataset name
# and bucket name. Generated once and kept in state; only exists when a log
# destination is enabled.
resource "random_id" "id" {
  count       = local.big_query_or_gcs_enabled
  byte_length = 2
}

# Folder-level sink that copies the streams in local.log_filters from every
# project under the customer folder into the GCS bucket below.
resource "google_logging_folder_sink" "customer_logs" {
  count = local.gcs_enabled

  folder           = var.folder_id
  include_children = true

  name        = "${var.division}-audit-${local.short_mcomm}"
  description = "Aggregated Log Sink - ${var.division} - ${local.short_mcomm} Customer Logs"
  filter      = local.log_filters

  # GCS destination in the audit project; the sink's writer identity gets
  # roles/storage.objectCreator from customer_log_writer below.
  destination = "storage.googleapis.com/${google_storage_bucket.customer_logs[0].name}"

  # name is derived from inputs; a change must not replace an existing sink.
  lifecycle {
    ignore_changes = [
      name,
    ]
  }
}

# GCS destination for google_logging_folder_sink.customer_logs, living in the
# audit project. Only created when var.gcs is set.
resource "google_storage_bucket" "customer_logs" {
    count                       = local.gcs_enabled
    project                     = google_project.gcp_project[0].project_id
    name                        = "${var.division}-audit-${local.short_mcomm}-${random_id.id[0].hex}"
    location                    = "US-CENTRAL1"    
    # A non-empty bucket blocks `terraform destroy` rather than losing logs.
    force_destroy               = false
    # IAM only; no per-object ACLs.
    uniform_bucket_level_access = true
    storage_class               = var.gcs_storage_class

    # Objects cannot be deleted or overwritten before retention_period
    # (seconds) has elapsed; computed in locals as
    # (var.gcs_expiration_days - 1) days.
    # NOTE(review): the policy is not locked (is_locked unset), so a bucket
    # or project admin can shorten or remove it. Locking is irreversible --
    # decide deliberately for an audit-log bucket.
    retention_policy {
        retention_period = local.gcs_expiration_seconds # (var.gcs_expiration_days - 1) days, see locals
    }
    
    # Move objects to ARCHIVE after 180 days.
    lifecycle_rule {
        action {
          type = "SetStorageClass"
          storage_class = "ARCHIVE"
        }
        condition {
          age = 180
        }
    }

    # Delete objects at var.gcs_expiration_days, i.e. one day after the
    # retention period above has expired. A null value skips the Delete rule.
    # NOTE(review): retention_policy above is not conditional and
    # local.gcs_expiration_seconds does arithmetic on the variable, so a null
    # value is not actually accepted by this resource as written -- confirm
    # whether null is a supported input.
    dynamic "lifecycle_rule" {
        for_each = var.gcs_expiration_days == null ? [] : [ var.gcs_expiration_days ]
        content {
            action {
            type = "Delete"          
            }
            condition {
            age = var.gcs_expiration_days # one day past local.gcs_expiration_seconds
            }
        }
    }
    # name carries the random suffix; a change must not replace the bucket.
    lifecycle {
    ignore_changes = [
      name,
    ]
  }
}

# Lets the folder sink's writer identity create objects in the audit project.
# NOTE(review): this is an authoritative project-level binding -- every other
# principal holding roles/storage.objectCreator on the project is removed on
# apply -- and it covers every bucket in the project, not only customer_logs.
# A bucket-scoped google_storage_bucket_iam_member would be the
# least-privilege form (changing the resource type is a state migration).
resource "google_project_iam_binding" "customer_log_writer" {
  count = local.gcs_enabled

  project = google_project.gcp_project[0].project_id
  role    = "roles/storage.objectCreator"
  members = [
    google_logging_folder_sink.customer_logs[0].writer_identity,
  ]
}

# resource "google_logging_project_sink" "log_export" {    
#     count       = local.big_query_or_gcs_enabled
#     project     = google_project.gcp_project.project_id
#     # name = "${google_project.gcp_project.project_id}-log-export"        
#     name        = "log-export-splunk"
#     destination = local.log_export_destination[var.environment][var.division]    
#     filter      = local.filter_string # if adding filter to match nothing; use in conjunction with aggregated log sink + exclusion filter    
#     exclusions {
#         name        = "Aggregated_Logs_Exclusion"
#         description = "Excluding logs already captured by aggregated log sink (at folder). Please DO NOT alter/remove."
#         filter      = local.log_filters
#     }
#     unique_writer_identity = true    
# }


# resource "google_pubsub_topic_iam_member" "publisher" {
#     count       = local.big_query_or_gcs_enabled
#     project     = local.log_export_project
#     topic       = local.log_export_destination[var.environment][var.division] 
#     role        = "roles/pubsub.publisher"
#     member      = google_logging_project_sink.log_export.writer_identity      
# }