Commit 54a251a0 authored by Kenny Moore

Audit submodule

parent 107956a9
......@@ -4,7 +4,6 @@ locals {
customer_service_account_suffix = "-${var.division}-tf"
customer_service_account_prefix = substr(local.short_mcomm,0,30-length(local.customer_service_account_suffix))
customer_service_account_id = "${local.customer_service_account_prefix}${local.customer_service_account_suffix}"
division_folder_ids = {
dev = {
//its = ""
......@@ -29,9 +28,21 @@ locals {
}
database_function_url = {
//dev = ""
//test = ""
test = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db" # Need a test DB
prod = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db"
}
}
}
module "audit" {
count = var.division == "hipaa" ? 1: 0
source = "./modules/terraform-google-gcp-at-um-customer-audit/"
division = var.division
billing_id = var.billing_account_id # REPLACE once billing resource pull request complete
folder_id = google_folder.customer_folder.id
mcomm_group_email = var.mcomm_group_email
database_function_url = local.database_function_url[var.environment]
shortcode = var.shortcode
environment = var.environment
}
resource "google_folder" "customer_folder" {
......@@ -56,10 +67,12 @@ data "google_iam_policy" "customer_folder_policy" {
dynamic "binding" {
for_each = var.customer_is_shared_vpc_admin ? ["roles/compute.xpnAdmin"] : []
role = binding
members = [
"group:${var.mcomm_group_email}",
]
content {
role = binding
members = [
"group:${var.mcomm_group_email}",
]
}
}
binding {
......@@ -92,7 +105,7 @@ resource "google_storage_bucket" "customer_bucket" {
location = "US"
storage_class = "STANDARD"
bucket_policy_only = true
uniform_bucket_level_access = true
versioning {
enabled = true
......
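Review bot: `database_function_url.test` points the audit module at the same production `customer_db` Cloud Function as `prod` (the `# Need a test DB` comment acknowledges it), so a test-environment apply of `module "audit"` registers or mutates records in the production customer database through `null_resource.customer_database`. Until a separate test function exists, leave `test` unset or point it at a distinct endpoint rather than reusing the prod URL. Separately, `dev` remains commented out in `database_function_url`, so `local.database_function_url[var.environment]` in the `module "audit"` call fails with an invalid index for `environment = "dev"` even though `count` is gated only on `division`; add an explicit `dev` entry or wrap the lookup in `try(...)`. The `locals` block and `google_folder.customer_folder` continue outside the visible hunks.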
......@@ -15,28 +15,29 @@ locals {
project_id_prefix = "${var.division}-audit-"
project_id_customer = substr(local.short_mcomm,0,30-5-length(local.project_id_prefix))
project_id = "${project_id_prefix}${project_id_customer}-${random_id.id.hex}"
project_id = "${local.project_id_prefix}${local.project_id_customer}-${random_id.id.hex}"
project_name = substr("${var.division} Audit ${local.short_mcomm}",0,30)
customer_service_account_id = "${local.customer_service_account_prefix}${local.customer_service_account_suffix}"
security_contact = "security@umich.edu"
# customer_service_account_id = "${local.customer_service_account_prefix}${local.customer_service_account_suffix}"
filter_string = "Change_Me_to_Send_Additional_Logs_to_Splunk; Leave_Exclusions_in_Place_PLEASE"
log_filter_list = [
"LOG_ID(\"cloudaudit.googleapis.com/activity\")",
"LOG_ID(\"externalaudit.googleapis.com/activity\")",
"LOG_ID(\"cloudaudit.googleapis.com/system_event\")",
"LOG_ID(\"externalaudit.googleapis.com/system_event\")",
"LOG_ID(\"cloudaudit.googleapis.com/access_transparency\")",
"LOG_ID(\"externalaudit.googleapis.com/access_transparency\")",
"LOG_ID(\"cloudaudit.googleapis.com/data_access\")",
"LOG_ID (\"externalaudit.googleapis.com/data_access\")",
"LOG_ID(\"compute.googleapis.com/vpc_flows\")",
"log_id(\"cloudaudit.googleapis.com/activity\")",
"log_id(\"externalaudit.googleapis.com/activity\")",
"log_id(\"cloudaudit.googleapis.com/system_event\")",
"log_id(\"externalaudit.googleapis.com/system_event\")",
"log_id(\"cloudaudit.googleapis.com/access_transparency\")",
"log_id(\"externalaudit.googleapis.com/access_transparency\")",
"log_id(\"cloudaudit.googleapis.com/data_access\")",
"log_id (\"externalaudit.googleapis.com/data_access\")",
"log_id(\"compute.googleapis.com/vpc_flows\")",
]
log_filters = join(" OR ", local.log_filter_list)
curl_body = {
kind = "project"
security_contact = var.security_contact
security_contact = local.security_contact
mcomm_group_email = var.mcomm_group_email
shortcode = var.shortcode
vpn = false
......@@ -54,7 +55,23 @@ locals {
dt_other_data = false
dt_other_data_info = ""
}
log_export_project = split("/",local.log_export_destination[var.environment][var.division])[2]
log_export_destination = {
//dev = ""
test = {
its = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-test"
campus = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-test"
michigan_medicine = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-test"
hipaa = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/hipaa-logs-test"
}
prod = {
its = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-prod"
campus = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-prod"
michigan_medicine = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-prod"
hipaa = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/hipaa-logs-prod" # "pubsub.googleapis.com/projects/${var.division}-logs-${var.environment}"
}
}
}
resource "google_project" "gcp_project" {
......@@ -74,7 +91,7 @@ data "google_service_account_id_token" "customer_db_token" {
resource "null_resource" "customer_database" {
triggers = {
security_contact = var.security_contact
security_contact = local.security_contact
mcomm_group_email = var.mcomm_group_email
shortcode = var.shortcode
}
......@@ -91,6 +108,7 @@ resource "google_project_iam_member" "project_iam" {
member = "group:${var.mcomm_group_email}"
}
# # Create logging config # # - use Google Module to create export to splunk
# module "gcp-at-um-project" {
# count = var.division == "hipaa" ? 1 : 0
......@@ -124,7 +142,7 @@ resource "random_id" "id" {
resource "google_logging_folder_sink" "hipaa_customer_logs" {
name = "${var.division}-audit-${local.short_mcomm}"
description = "Aggregated Log Sink - HIPAA Customer Logs"
folder = google_folder.customer_folder.name
folder = var.folder_id
# include logs from all projects in folder
include_children = true
......@@ -136,12 +154,12 @@ resource "google_logging_folder_sink" "hipaa_customer_logs" {
}
resource "google_storage_bucket" "hipaa_customer_logs" {
project = google_project.gcp_project.project_id
name = "${var.division}-audit-${local.short_mcomm}-${random_id.id.hex}"
location = "US-CENTRAL1"
force_destroy = false
bucket_policy_only = true
storage_class = "COLDLINE"
project = google_project.gcp_project.project_id
name = "${var.division}-audit-${local.short_mcomm}-${random_id.id.hex}"
location = "US-CENTRAL1"
force_destroy = false
uniform_bucket_level_access = true
storage_class = "COLDLINE"
retention_policy {
retention_period = "95000000" # just over 3 years
......@@ -175,3 +193,25 @@ resource "google_project_iam_binding" "hipaa_customer_log_writer" {
google_logging_folder_sink.hipaa_customer_logs.writer_identity,
]
}
resource "google_logging_project_sink" "log_export" {
project = google_project.gcp_project.project_id
# name = "${google_project.gcp_project.project_id}-log-export"
name = "log-export-splunk"
destination = local.log_export_destination[var.environment][var.division]
filter = local.filter_string # if adding filter to match nothing; use in conjunction with aggregated log sink + exclusion filter
exclusions {
name = "Aggregated_Logs_Exclusion"
description = "Excluding logs already captured by aggregated log sink (at folder). Please DO NOT alter/remove."
filter = local.log_filters
}
unique_writer_identity = true
}
resource "google_pubsub_topic_iam_member" "publisher" {
project = local.log_export_project
topic = local.log_export_destination[var.environment][var.division]
role = "roles/pubsub.publisher"
member = google_logging_project_sink.log_export.writer_identity
}
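Review bot: `google_pubsub_topic_iam_member.publisher` passes the full sink destination string (`pubsub.googleapis.com/projects/gcp-at-um-mon/topics/...`) as `topic`, but that argument takes a topic name or a `projects/{project}/topics/{name}` path; unless the provider strips the `pubsub.googleapis.com/` prefix, the binding targets a non-existent resource and the sink's unique writer identity never receives `roles/pubsub.publisher`, so the Splunk export fails to deliver. Derive the path the same way `log_export_project` already does, e.g. `topic = trimprefix(local.log_export_destination[var.environment][var.division], "pubsub.googleapis.com/")`. Also, `dev` is commented out in `log_export_destination`, so `local.log_export_project` and the sink `destination` raise an invalid-index error on a dev apply even though the `environment` validation admits `"dev"`. The `retention_policy` block of `google_storage_bucket.hipaa_customer_logs` continues outside the visible hunk, so whether the retention is locked cannot be confirmed here.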
......@@ -25,4 +25,19 @@ variable "mcomm_group_email" {
variable "database_function_url" {
type = string
}
variable "shortcode" {
type = string
description = "The default shortcode to associate with the billing subaccount"
}
variable "environment" {
type = string
description = "The environment the customer folder will be created in. Defaults to \"prod\""
validation {
condition = var.environment == "dev" || var.environment == "test" || var.environment == "prod"
error_message = "The environment value must be one of \"dev\",\"test\", or \"prod\"."
}
}
\ No newline at end of file
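Review bot: The `environment` variable's description says it "Defaults to \"prod\"" but no `default` is declared, so the variable is required and any caller that omits it gets an error rather than `prod`. Either add `default = "prod"` above the `validation` block or drop the default claim from the description so the documentation matches the contract; the root module currently passes `environment = var.environment` explicitly, so adding the default is backward-compatible. The `shortcode` description mentions a billing subaccount that the module does not yet create (`billing_id` is still a raw account ID), which is worth noting in the description as well.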
variable "billing_account_id" {
type = string
description = "Customer Billing Account ID - REPLACE SOON with billing subaccount resource"
}
variable "requestor" {
type = string
description = "The person that made the initial request for the GCP Customer Folder"
......@@ -60,7 +64,11 @@ variable "folder_display_name" {
default = ""
validation {
<<<<<<< HEAD
condition = var.folder_display_name != "" ? length(var.folder_display_name) <= 30 : true
=======
condition = var.folder_display_name != "" ? length(var.folder_display_name) > 30 : true
>>>>>>> Audit submodule
error_message = "The folder_display_name must be less than or equal to 30 characters in length."
}
......
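Review bot: The lines `<<<<<<< HEAD`, `=======` and `>>>>>>> Audit submodule` are unresolved merge-conflict markers committed inside the `validation` block of `folder_display_name`, so this file fails to parse and every `terraform init`/`plan` against the root module breaks. The HEAD side (`length(var.folder_display_name) <= 30`) is the one consistent with the `error_message`; the other side (`> 30`) would reject every valid name and accept only over-long ones. Resolve to the single line `condition = var.folder_display_name != "" ? length(var.folder_display_name) <= 30 : true` and delete the three marker lines and the duplicate condition. The closing lines of the `validation` block and variable fall outside the visible hunk.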