Note: The default ITS GitLab runner is a shared resource and is subject to slowdowns during heavy usage.
You can run your own GitLab runner that is dedicated just to your group if you need to avoid processing delays.

Commit 5eb663b8 authored by Adam Robinson's avatar Adam Robinson
Browse files

Merge branch 'hipaa-audit-submodule' into 'master'

Hipaa audit submodule

See merge request !1
parents 4c64b57e ec185b13
...@@ -4,7 +4,6 @@ locals { ...@@ -4,7 +4,6 @@ locals {
customer_service_account_suffix = "-${var.division}-tf" customer_service_account_suffix = "-${var.division}-tf"
customer_service_account_prefix = substr(local.short_mcomm,0,30-length(local.customer_service_account_suffix)) customer_service_account_prefix = substr(local.short_mcomm,0,30-length(local.customer_service_account_suffix))
customer_service_account_id = "${local.customer_service_account_prefix}${local.customer_service_account_suffix}" customer_service_account_id = "${local.customer_service_account_prefix}${local.customer_service_account_suffix}"
division_folder_ids = { division_folder_ids = {
dev = { dev = {
//its = "" //its = ""
...@@ -29,9 +28,21 @@ locals { ...@@ -29,9 +28,21 @@ locals {
} }
database_function_url = { database_function_url = {
//dev = "" //dev = ""
//test = "" test = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db" # Need a test DB
prod = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db" prod = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db"
} }
}
module "audit" {
count = var.division == "hipaa" ? 1: 0
source = "./modules/terraform-google-gcp-at-um-customer-audit/"
division = var.division
billing_id = var.billing_account_id # REPLACE once billing resource pull request complete
folder_id = google_folder.customer_folder.id
mcomm_group_email = var.mcomm_group_email
database_function_url = local.database_function_url[var.environment]
shortcode = var.shortcode
environment = var.environment
} }
resource "google_folder" "customer_folder" { resource "google_folder" "customer_folder" {
...@@ -56,10 +67,12 @@ data "google_iam_policy" "customer_folder_policy" { ...@@ -56,10 +67,12 @@ data "google_iam_policy" "customer_folder_policy" {
dynamic "binding" { dynamic "binding" {
for_each = var.customer_is_shared_vpc_admin ? ["roles/compute.xpnAdmin"] : [] for_each = var.customer_is_shared_vpc_admin ? ["roles/compute.xpnAdmin"] : []
role = binding content {
members = [ role = binding
"group:${var.mcomm_group_email}", members = [
] "group:${var.mcomm_group_email}",
]
}
} }
binding { binding {
...@@ -92,7 +105,7 @@ resource "google_storage_bucket" "customer_bucket" { ...@@ -92,7 +105,7 @@ resource "google_storage_bucket" "customer_bucket" {
location = "US" location = "US"
storage_class = "STANDARD" storage_class = "STANDARD"
bucket_policy_only = true uniform_bucket_level_access = true
versioning { versioning {
enabled = true enabled = true
......
# terraform {
# required_providers {
# bluecat = {
# source = "umich-vci/bluecat"
# version = "0.1.0"
# }
# }
# }
# provider "bluecat" {
# bluecat_endpoint = "bluecat.umnet.umich.edu"
# }
locals {
short_mcomm = lower(replace(split("@", var.mcomm_group_email)[0],".","-"))
project_id_prefix = "${var.division}-audit-"
project_id_customer = substr(local.short_mcomm,0,30-5-length(local.project_id_prefix))
project_id = "${local.project_id_prefix}${local.project_id_customer}-${random_id.id.hex}"
project_name = substr("${var.division} Audit ${local.short_mcomm}",0,30)
security_contact = "security@umich.edu"
# customer_service_account_id = "${local.customer_service_account_prefix}${local.customer_service_account_suffix}"
filter_string = "Change_Me_to_Send_Additional_Logs_to_Splunk; Leave_Exclusions_in_Place_PLEASE"
log_filter_list = [
"log_id(\"cloudaudit.googleapis.com/activity\")",
"log_id(\"externalaudit.googleapis.com/activity\")",
"log_id(\"cloudaudit.googleapis.com/system_event\")",
"log_id(\"externalaudit.googleapis.com/system_event\")",
"log_id(\"cloudaudit.googleapis.com/access_transparency\")",
"log_id(\"externalaudit.googleapis.com/access_transparency\")",
"log_id(\"cloudaudit.googleapis.com/data_access\")",
"log_id (\"externalaudit.googleapis.com/data_access\")",
"log_id(\"compute.googleapis.com/vpc_flows\")",
]
log_filters = join(" OR ", local.log_filter_list)
curl_body = {
kind = "project"
security_contact = local.security_contact
mcomm_group_email = var.mcomm_group_email
shortcode = var.shortcode
vpn = false
dt_phi = true
dt_ferpa = false
dt_pii = false
dt_glba = false
dt_hsr = false
dt_ssn = false
dt_acp = false
dt_it_sec_info = true
dt_itar = false
dt_pci = false
dt_fisma = false
dt_other_data = false
dt_other_data_info = ""
}
log_export_project = split("/",local.log_export_destination[var.environment][var.division])[2]
log_export_destination = {
//dev = ""
test = {
its = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-test"
campus = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-test"
michigan_medicine = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-test"
hipaa = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/hipaa-logs-test"
}
prod = {
its = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-prod"
campus = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-prod"
michigan_medicine = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-prod"
hipaa = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/hipaa-logs-prod" # "pubsub.googleapis.com/projects/${var.division}-logs-${var.environment}"
}
}
}
resource "google_project" "gcp_project" {
name = local.project_name
project_id = local.project_id
folder_id = var.folder_id
billing_account = var.billing_id
auto_create_network = false
labels = {
"shortcode" = var.shortcode
}
}
data "google_service_account_id_token" "customer_db_token" {
target_audience = var.database_function_url
}
resource "null_resource" "customer_database" {
triggers = {
security_contact = local.security_contact
mcomm_group_email = var.mcomm_group_email
shortcode = var.shortcode
}
provisioner "local-exec" {
command = "curl ${var.database_function_url} -H \"Authorization: Bearer ${data.google_service_account_id_token.customer_db_token.id_token}\" -H \"Content-Type: application/json\" -d '${jsonencode(local.curl_body)}'"
}
}
resource "google_project_iam_member" "project_iam" {
project = google_project.gcp_project.project_id
role = "roles/editor"
member = "group:${var.mcomm_group_email}"
}
# # Create logging config # # - use Google Module to create export to splunk
# module "gcp-at-um-project" {
# count = var.division == "hipaa" ? 1 : 0
# source = "/mnt/c/Users/kenmoore/Documents/code/projects/terraform-google-gcp-at-um-project"
# project_name = "${var.division}-audit-${local.short_mcomm}"
# # project_id = ""
# folder_id = google_folder.customer_folder.id # "958858037302" # module.gcp-at-um-customer.google_folder.customer_folder.folder_id # need to get this from the customer module
# mcomm_group_email = "gcp.admins@umich.edu" # need a var for auditors for hipaa?
# billing_id = "010AF9-D1F2C5-DCC86F" # should be from output - billing_account_id
# security_contact = "mjsager@umich.edu"
# egress_waiver = true
# red_hat_byol = false
# shortcode = "048843"
# requestor = "kenmoore@umich.edu"
# vpn = false
# log_export_destination = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/hipaa-logs-test"
# }
# working on lien on audit project
resource "google_resource_manager_lien" "project_lien" {
parent = "projects/${google_project.gcp_project.project_id}"
restrictions = ["resourcemanager.projects.delete"]
origin = "Per HIPAA recommendation/requirements; Prevent deletion of ${google_project.gcp_project.project_id}"
reason = "${google_project.gcp_project.project_id} holds the audit logs for HIPAA customer folder id ${var.folder_id}"
}
resource "random_id" "id" {
byte_length = 2
}
resource "google_logging_folder_sink" "hipaa_customer_logs" {
name = "${var.division}-audit-${local.short_mcomm}"
description = "Aggregated Log Sink - HIPAA Customer Logs"
folder = var.folder_id
# include logs from all projects in folder
include_children = true
# send to GCS bucket in audit project
destination = "storage.googleapis.com/${google_storage_bucket.hipaa_customer_logs.name}"
filter = local.log_filters
}
resource "google_storage_bucket" "hipaa_customer_logs" {
project = google_project.gcp_project.project_id
name = "${var.division}-audit-${local.short_mcomm}-${random_id.id.hex}"
location = "US-CENTRAL1"
force_destroy = false
uniform_bucket_level_access = true
storage_class = "COLDLINE"
retention_policy {
retention_period = "95000000" # just over 3 years
}
lifecycle_rule {
action {
type = "SetStorageClass"
storage_class = "ARCHIVE"
}
condition {
age = 180
}
}
lifecycle_rule {
action {
type = "Delete"
}
condition {
age = 1100 # just over 3 x 365 days = 3 years (slightly more than the retention policy)
}
}
}
resource "google_project_iam_binding" "hipaa_customer_log_writer" {
project = google_project.gcp_project.project_id
role = "roles/storage.objectCreator"
members = [
google_logging_folder_sink.hipaa_customer_logs.writer_identity,
]
}
resource "google_logging_project_sink" "log_export" {
project = google_project.gcp_project.project_id
# name = "${google_project.gcp_project.project_id}-log-export"
name = "log-export-splunk"
destination = local.log_export_destination[var.environment][var.division]
filter = local.filter_string # if adding filter to match nothing; use in conjunction with aggregated log sink + exclusion filter
exclusions {
name = "Aggregated_Logs_Exclusion"
description = "Excluding logs already captured by aggregated log sink (at folder). Please DO NOT alter/remove."
filter = local.log_filters
}
unique_writer_identity = true
}
resource "google_pubsub_topic_iam_member" "publisher" {
project = local.log_export_project
topic = local.log_export_destination[var.environment][var.division]
role = "roles/pubsub.publisher"
member = google_logging_project_sink.log_export.writer_identity
}
variable "billing_id" {
type = string
description = "The Billing Account ID of the customer's GCP at U-M billing account."
}
variable "division" {
type = string
description = "Must be one of \"campus\",\"its\", \"michigan_medicine\", or \"hipaa\""
validation {
condition = var.division == "campus" || var.division == "its" || var.division == "michigan_medicine" || var.division == "hipaa"
error_message = "The division value must be one of \"campus\",\"its\", \"michigan_medicine\", or \"hipaa\"."
}
}
variable "folder_id" {
type = string
description = "The Folder ID of the customer's GCP at U-M folder."
}
variable "mcomm_group_email" {
type = string
description = "The MCommunity Group of the GCP Customer Folder"
}
variable "database_function_url" {
type = string
}
variable "shortcode" {
type = string
description = "The default shortcode to associate with the billing subaccount"
}
variable "environment" {
type = string
description = "The environment the customer folder will be created in. Defaults to \"prod\""
validation {
condition = var.environment == "dev" || var.environment == "test" || var.environment == "prod"
error_message = "The environment value must be one of \"dev\",\"test\", or \"prod\"."
}
}
\ No newline at end of file
variable "billing_account_id" {
type = string
description = "Customer Billing Account ID - REPLACE SOON with billing subaccount resource"
}
variable "requestor" { variable "requestor" {
type = string type = string
description = "The person that made the initial request for the GCP Customer Folder" description = "The person that made the initial request for the GCP Customer Folder"
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment