Commit 5eb663b8 authored by Adam Robinson's avatar Adam Robinson
Browse files

Merge branch 'hipaa-audit-submodule' into 'master'

Hipaa audit submodule

See merge request !1
parents 4c64b57e ec185b13
......@@ -4,7 +4,6 @@ locals {
customer_service_account_suffix = "-${var.division}-tf"
customer_service_account_prefix = substr(local.short_mcomm,0,30-length(local.customer_service_account_suffix))
customer_service_account_id = "${local.customer_service_account_prefix}${local.customer_service_account_suffix}"
division_folder_ids = {
dev = {
//its = ""
......@@ -29,11 +28,23 @@ locals {
}
database_function_url = {
//dev = ""
//test = ""
test = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db" # Need a test DB
prod = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db"
}
}
module "audit" {
count = var.division == "hipaa" ? 1: 0
source = "./modules/terraform-google-gcp-at-um-customer-audit/"
division = var.division
billing_id = var.billing_account_id # REPLACE once billing resource pull request complete
folder_id = google_folder.customer_folder.id
mcomm_group_email = var.mcomm_group_email
database_function_url = local.database_function_url[var.environment]
shortcode = var.shortcode
environment = var.environment
}
resource "google_folder" "customer_folder" {
display_name = var.folder_display_name == "" ? local.short_mcomm : var.folder_display_name
parent = local.division_folder_ids[var.environment][var.division]
......@@ -56,11 +67,13 @@ data "google_iam_policy" "customer_folder_policy" {
dynamic "binding" {
for_each = var.customer_is_shared_vpc_admin ? ["roles/compute.xpnAdmin"] : []
content {
role = binding
members = [
"group:${var.mcomm_group_email}",
]
}
}
binding {
role = "roles/resourcemanager.projectCreator"
......@@ -92,7 +105,7 @@ resource "google_storage_bucket" "customer_bucket" {
location = "US"
storage_class = "STANDARD"
bucket_policy_only = true
uniform_bucket_level_access = true
versioning {
enabled = true
......
# terraform {
# required_providers {
# bluecat = {
# source = "umich-vci/bluecat"
# version = "0.1.0"
# }
# }
# }
# provider "bluecat" {
# bluecat_endpoint = "bluecat.umnet.umich.edu"
# }
locals {
short_mcomm = lower(replace(split("@", var.mcomm_group_email)[0],".","-"))
project_id_prefix = "${var.division}-audit-"
project_id_customer = substr(local.short_mcomm,0,30-5-length(local.project_id_prefix))
project_id = "${local.project_id_prefix}${local.project_id_customer}-${random_id.id.hex}"
project_name = substr("${var.division} Audit ${local.short_mcomm}",0,30)
security_contact = "security@umich.edu"
# customer_service_account_id = "${local.customer_service_account_prefix}${local.customer_service_account_suffix}"
filter_string = "Change_Me_to_Send_Additional_Logs_to_Splunk; Leave_Exclusions_in_Place_PLEASE"
log_filter_list = [
"log_id(\"cloudaudit.googleapis.com/activity\")",
"log_id(\"externalaudit.googleapis.com/activity\")",
"log_id(\"cloudaudit.googleapis.com/system_event\")",
"log_id(\"externalaudit.googleapis.com/system_event\")",
"log_id(\"cloudaudit.googleapis.com/access_transparency\")",
"log_id(\"externalaudit.googleapis.com/access_transparency\")",
"log_id(\"cloudaudit.googleapis.com/data_access\")",
"log_id (\"externalaudit.googleapis.com/data_access\")",
"log_id(\"compute.googleapis.com/vpc_flows\")",
]
log_filters = join(" OR ", local.log_filter_list)
curl_body = {
kind = "project"
security_contact = local.security_contact
mcomm_group_email = var.mcomm_group_email
shortcode = var.shortcode
vpn = false
dt_phi = true
dt_ferpa = false
dt_pii = false
dt_glba = false
dt_hsr = false
dt_ssn = false
dt_acp = false
dt_it_sec_info = true
dt_itar = false
dt_pci = false
dt_fisma = false
dt_other_data = false
dt_other_data_info = ""
}
log_export_project = split("/",local.log_export_destination[var.environment][var.division])[2]
log_export_destination = {
//dev = ""
test = {
its = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-test"
campus = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-test"
michigan_medicine = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-test"
hipaa = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/hipaa-logs-test"
}
prod = {
its = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-prod"
campus = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-prod"
michigan_medicine = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-prod"
hipaa = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/hipaa-logs-prod" # "pubsub.googleapis.com/projects/${var.division}-logs-${var.environment}"
}
}
}
resource "google_project" "gcp_project" {
name = local.project_name
project_id = local.project_id
folder_id = var.folder_id
billing_account = var.billing_id
auto_create_network = false
labels = {
"shortcode" = var.shortcode
}
}
data "google_service_account_id_token" "customer_db_token" {
target_audience = var.database_function_url
}
resource "null_resource" "customer_database" {
triggers = {
security_contact = local.security_contact
mcomm_group_email = var.mcomm_group_email
shortcode = var.shortcode
}
provisioner "local-exec" {
command = "curl ${var.database_function_url} -H \"Authorization: Bearer ${data.google_service_account_id_token.customer_db_token.id_token}\" -H \"Content-Type: application/json\" -d '${jsonencode(local.curl_body)}'"
}
}
resource "google_project_iam_member" "project_iam" {
project = google_project.gcp_project.project_id
role = "roles/editor"
member = "group:${var.mcomm_group_email}"
}
# # Create logging config # # - use Google Module to create export to splunk
# module "gcp-at-um-project" {
# count = var.division == "hipaa" ? 1 : 0
# source = "/mnt/c/Users/kenmoore/Documents/code/projects/terraform-google-gcp-at-um-project"
# project_name = "${var.division}-audit-${local.short_mcomm}"
# # project_id = ""
# folder_id = google_folder.customer_folder.id # "958858037302" # module.gcp-at-um-customer.google_folder.customer_folder.folder_id # need to get this from the customer module
# mcomm_group_email = "gcp.admins@umich.edu" # need a var for auditors for hipaa?
# billing_id = "010AF9-D1F2C5-DCC86F" # should be from output - billing_account_id
# security_contact = "mjsager@umich.edu"
# egress_waiver = true
# red_hat_byol = false
# shortcode = "048843"
# requestor = "kenmoore@umich.edu"
# vpn = false
# log_export_destination = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/hipaa-logs-test"
# }
# working on lien on audit project
resource "google_resource_manager_lien" "project_lien" {
parent = "projects/${google_project.gcp_project.project_id}"
restrictions = ["resourcemanager.projects.delete"]
origin = "Per HIPAA recommendation/requirements; Prevent deletion of ${google_project.gcp_project.project_id}"
reason = "${google_project.gcp_project.project_id} holds the audit logs for HIPAA customer folder id ${var.folder_id}"
}
resource "random_id" "id" {
byte_length = 2
}
resource "google_logging_folder_sink" "hipaa_customer_logs" {
name = "${var.division}-audit-${local.short_mcomm}"
description = "Aggregated Log Sink - HIPAA Customer Logs"
folder = var.folder_id
# include logs from all projects in folder
include_children = true
# send to GCS bucket in audit project
destination = "storage.googleapis.com/${google_storage_bucket.hipaa_customer_logs.name}"
filter = local.log_filters
}
resource "google_storage_bucket" "hipaa_customer_logs" {
project = google_project.gcp_project.project_id
name = "${var.division}-audit-${local.short_mcomm}-${random_id.id.hex}"
location = "US-CENTRAL1"
force_destroy = false
uniform_bucket_level_access = true
storage_class = "COLDLINE"
retention_policy {
retention_period = "95000000" # just over 3 years
}
lifecycle_rule {
action {
type = "SetStorageClass"
storage_class = "ARCHIVE"
}
condition {
age = 180
}
}
lifecycle_rule {
action {
type = "Delete"
}
condition {
age = 1100 # just over 3 x 365 days = 3 years (slightly more than the retention policy)
}
}
}
resource "google_project_iam_binding" "hipaa_customer_log_writer" {
project = google_project.gcp_project.project_id
role = "roles/storage.objectCreator"
members = [
google_logging_folder_sink.hipaa_customer_logs.writer_identity,
]
}
resource "google_logging_project_sink" "log_export" {
project = google_project.gcp_project.project_id
# name = "${google_project.gcp_project.project_id}-log-export"
name = "log-export-splunk"
destination = local.log_export_destination[var.environment][var.division]
filter = local.filter_string # if adding filter to match nothing; use in conjunction with aggregated log sink + exclusion filter
exclusions {
name = "Aggregated_Logs_Exclusion"
description = "Excluding logs already captured by aggregated log sink (at folder). Please DO NOT alter/remove."
filter = local.log_filters
}
unique_writer_identity = true
}
resource "google_pubsub_topic_iam_member" "publisher" {
project = local.log_export_project
topic = local.log_export_destination[var.environment][var.division]
role = "roles/pubsub.publisher"
member = google_logging_project_sink.log_export.writer_identity
}
variable "billing_id" {
type = string
description = "The Billing Account ID of the customer's GCP at U-M billing account."
}
variable "division" {
type = string
description = "Must be one of \"campus\",\"its\", \"michigan_medicine\", or \"hipaa\""
validation {
condition = var.division == "campus" || var.division == "its" || var.division == "michigan_medicine" || var.division == "hipaa"
error_message = "The division value must be one of \"campus\",\"its\", \"michigan_medicine\", or \"hipaa\"."
}
}
variable "folder_id" {
type = string
description = "The Folder ID of the customer's GCP at U-M folder."
}
variable "mcomm_group_email" {
type = string
description = "The MCommunity Group of the GCP Customer Folder"
}
variable "database_function_url" {
type = string
}
variable "shortcode" {
type = string
description = "The default shortcode to associate with the billing subaccount"
}
variable "environment" {
type = string
description = "The environment the customer folder will be created in. Defaults to \"prod\""
validation {
condition = var.environment == "dev" || var.environment == "test" || var.environment == "prod"
error_message = "The environment value must be one of \"dev\",\"test\", or \"prod\"."
}
}
\ No newline at end of file
variable "billing_account_id" {
type = string
description = "Customer Billing Account ID - REPLACE SOON with billing subaccount resource"
}
variable "requestor" {
type = string
description = "The person that made the initial request for the GCP Customer Folder"
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment