Commit 107956a9 authored by Adam Robinson's avatar Adam Robinson Committed by Kenny Moore

start reworking HIPAA audit project to submodule

parent 4c64b57e
# terraform {
# required_providers {
# bluecat = {
# source = "umich-vci/bluecat"
# version = "0.1.0"
# }
# }
# }
# provider "bluecat" {
# bluecat_endpoint = "bluecat.umnet.umich.edu"
# }
locals {
short_mcomm = lower(replace(split("@", var.mcomm_group_email)[0],".","-"))
project_id_prefix = "${var.division}-audit-"
project_id_customer = substr(local.short_mcomm,0,30-5-length(local.project_id_prefix))
project_id = "${project_id_prefix}${project_id_customer}-${random_id.id.hex}"
project_name = substr("${var.division} Audit ${local.short_mcomm}",0,30)
customer_service_account_id = "${local.customer_service_account_prefix}${local.customer_service_account_suffix}"
log_filter_list = [
"LOG_ID(\"cloudaudit.googleapis.com/activity\")",
"LOG_ID(\"externalaudit.googleapis.com/activity\")",
"LOG_ID(\"cloudaudit.googleapis.com/system_event\")",
"LOG_ID(\"externalaudit.googleapis.com/system_event\")",
"LOG_ID(\"cloudaudit.googleapis.com/access_transparency\")",
"LOG_ID(\"externalaudit.googleapis.com/access_transparency\")",
"LOG_ID(\"cloudaudit.googleapis.com/data_access\")",
"LOG_ID (\"externalaudit.googleapis.com/data_access\")",
"LOG_ID(\"compute.googleapis.com/vpc_flows\")",
]
log_filters = join(" OR ", local.log_filter_list)
curl_body = {
kind = "project"
security_contact = var.security_contact
mcomm_group_email = var.mcomm_group_email
shortcode = var.shortcode
vpn = false
dt_phi = true
dt_ferpa = false
dt_pii = false
dt_glba = false
dt_hsr = false
dt_ssn = false
dt_acp = false
dt_it_sec_info = true
dt_itar = false
dt_pci = false
dt_fisma = false
dt_other_data = false
dt_other_data_info = ""
}
}
resource "google_project" "gcp_project" {
name = local.project_name
project_id = local.project_id
folder_id = var.folder_id
billing_account = var.billing_id
auto_create_network = false
labels = {
"shortcode" = var.shortcode
}
}
data "google_service_account_id_token" "customer_db_token" {
target_audience = var.database_function_url
}
resource "null_resource" "customer_database" {
triggers = {
security_contact = var.security_contact
mcomm_group_email = var.mcomm_group_email
shortcode = var.shortcode
}
provisioner "local-exec" {
command = "curl ${var.database_function_url} -H \"Authorization: Bearer ${data.google_service_account_id_token.customer_db_token.id_token}\" -H \"Content-Type: application/json\" -d '${jsonencode(local.curl_body)}'"
}
}
resource "google_project_iam_member" "project_iam" {
project = google_project.gcp_project.project_id
role = "roles/editor"
member = "group:${var.mcomm_group_email}"
}
# module "gcp-at-um-project" {
# count = var.division == "hipaa" ? 1 : 0
# source = "/mnt/c/Users/kenmoore/Documents/code/projects/terraform-google-gcp-at-um-project"
# project_name = "${var.division}-audit-${local.short_mcomm}"
# # project_id = ""
# folder_id = google_folder.customer_folder.id # "958858037302" # module.gcp-at-um-customer.google_folder.customer_folder.folder_id # need to get this from the customer module
# mcomm_group_email = "gcp.admins@umich.edu" # need a var for auditors for hipaa?
# billing_id = "010AF9-D1F2C5-DCC86F" # should be from output - billing_account_id
# security_contact = "mjsager@umich.edu"
# egress_waiver = true
# red_hat_byol = false
# shortcode = "048843"
# requestor = "kenmoore@umich.edu"
# vpn = false
# log_export_destination = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/hipaa-logs-test"
# }
# working on lien on audit project
resource "google_resource_manager_lien" "project_lien" {
parent = "projects/${google_project.gcp_project.project_id}"
restrictions = ["resourcemanager.projects.delete"]
origin = "Per HIPAA recommendation/requirements; Prevent deletion of ${google_project.gcp_project.project_id}"
reason = "${google_project.gcp_project.project_id} holds the audit logs for HIPAA customer folder id ${var.folder_id}"
}
resource "random_id" "id" {
byte_length = 2
}
resource "google_logging_folder_sink" "hipaa_customer_logs" {
name = "${var.division}-audit-${local.short_mcomm}"
description = "Aggregated Log Sink - HIPAA Customer Logs"
folder = google_folder.customer_folder.name
# include logs from all projects in folder
include_children = true
# send to GCS bucket in audit project
destination = "storage.googleapis.com/${google_storage_bucket.hipaa_customer_logs.name}"
filter = local.log_filters
}
resource "google_storage_bucket" "hipaa_customer_logs" {
project = google_project.gcp_project.project_id
name = "${var.division}-audit-${local.short_mcomm}-${random_id.id.hex}"
location = "US-CENTRAL1"
force_destroy = false
bucket_policy_only = true
storage_class = "COLDLINE"
retention_policy {
retention_period = "95000000" # just over 3 years
}
lifecycle_rule {
action {
type = "SetStorageClass"
storage_class = "ARCHIVE"
}
condition {
age = 180
}
}
lifecycle_rule {
action {
type = "Delete"
}
condition {
age = 1100 # just over 3 x 365 days = 3 years (slightly more than the retention policy)
}
}
}
resource "google_project_iam_binding" "hipaa_customer_log_writer" {
project = google_project.gcp_project.project_id
role = "roles/storage.objectCreator"
members = [
google_logging_folder_sink.hipaa_customer_logs.writer_identity,
]
}
variable "billing_id" {
type = string
description = "The Billing Account ID of the customer's GCP at U-M billing account."
}
variable "division" {
type = string
description = "Must be one of \"campus\",\"its\", \"michigan_medicine\", or \"hipaa\""
validation {
condition = var.division == "campus" || var.division == "its" || var.division == "michigan_medicine" || var.division == "hipaa"
error_message = "The division value must be one of \"campus\",\"its\", \"michigan_medicine\", or \"hipaa\"."
}
}
variable "folder_id" {
type = string
description = "The Folder ID of the customer's GCP at U-M folder."
}
variable "mcomm_group_email" {
type = string
description = "The MCommunity Group of the GCP Customer Folder"
}
variable "database_function_url" {
type = string
}
\ No newline at end of file
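Review bot: The `google_project_iam_member.project_iam` binding grants `roles/editor` to `group:${var.mcomm_group_email}` on the project that holds the customer's own audit logs, and the bucket's `retention_policy` is not locked, so the monitored group appears able to alter or shorten retention on `hipaa_customer_logs`; for tamper-resistant HIPAA audit logs the group should get a viewer-level role at most and the retention policy should set `is_locked = true` (irreversible, so note it in a comment). The `project_id` local references `project_id_prefix` without the `local.` prefix, which Terraform rejects as an undeclared reference; it should read `project_id = "${local.project_id_prefix}${local.project_id_customer}-${random_id.id.hex}"`. The `log_filter_list` entry `LOG_ID (\"externalaudit.googleapis.com/data_access\")` has a stray space before the parenthesis, unlike its siblings, so that log stream may be silently dropped from the sink filter. The `local-exec` curl command does not pass `--fail`, so a non-2xx response from `database_function_url` still leaves the apply green, and the bearer token and request body embedded in `command` are likely to be echoed in apply output; `curl -sSf ...` at least surfaces the failure. `local.customer_service_account_prefix` and `_suffix` are not defined in the visible file, which is fine only if they live elsewhere in the module.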