Commit 78d139f0 authored by Kenny Moore's avatar Kenny Moore

Merge branch 'Audit_module_for_any_customer' into 'master'

Audit module for any customer

See merge request !15
parents 32ab1508 dcd7abbb
......@@ -9,9 +9,9 @@ locals {
//its = ""
}
test = {
its = "folders/100600555387"
campus = "folders/549439339393"
mm = "folders/783942636538"
its = "folders/1065543734594"
campus = "folders/694924320608"
mm = "folders/841027711031"
hipaa = "folders/607376512236"
}
prod = {
......@@ -38,11 +38,21 @@ locals {
mcomm_group_email = var.mcomm_group_email
shortcode = var.shortcode
}
retain_logs = var.division == "hipaa" || var.audit_logs_access != "" ? true : false # if division is hipaa OR audit_logs_access is not an empty string enable audit logs access
retain_logs_bq = {
enable = var.division == "hipaa" ? true: var.retain_logs_bigquery["enable"]
retention_days = var.division == "hipaa" ? 14 : var.retain_logs_bigquery["retention_days"]
}
retain_logs_gcs = {
enable = var.division == "hipaa" ? true: var.retain_logs_gcs["enable"]
storage_class = var.division == "hipaa" ? "COLDLINE": var.retain_logs_gcs["storage_class"]
retention_days = var.division == "hipaa" ? 14 : var.retain_logs_gcs["retention_days"]
}
}
module "audit" {
count = var.division == "hipaa" ? 1: 0
# count = var.division == "hipaa" ? 1: 0
count = local.retain_logs ? 1:0
source = "./modules/terraform-google-gcp-at-um-customer-audit/"
division = var.division
billing_id = google_billing_subaccount.customer_subaccount.billing_account_id
......@@ -52,11 +62,11 @@ module "audit" {
shortcode = var.shortcode
environment = var.environment
audit_logs_access = var.audit_logs_access
big_query = true
big_query_retention = 14
gcs = true
gcs_storage_class = "COLDLINE"
gcs_expiration_days = 1100
big_query = local.retain_logs_bq["enable"]
big_query_retention = local.retain_logs_bq["retention_days"]
gcs = local.retain_logs_gcs["enable"]
gcs_storage_class = local.retain_logs_gcs["storage_class"]
gcs_expiration_days = local.retain_logs_gcs["retention_days"]
}
resource "google_folder" "customer_folder" {
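Review bot: The hipaa GCS retention shrinks from 1100 days to 14 in this section: `retention_days = var.division == "hipaa" ? 14 : var.retain_logs_gcs["retention_days"]` in the `retain_logs_gcs` local now feeds `gcs_expiration_days`, replacing the hard-coded `gcs_expiration_days = 1100` on the old side, while only the BigQuery value previously used 14. If the 1100-day bucket lifetime was the HIPAA retention requirement (the lien text in the audit module cites one), this is a silent change to how long audit logs survive and should be reverted, `retention_days = var.division == "hipaa" ? 1100 : var.retain_logs_gcs["retention_days"]`, or called out in the merge request. For non-hipaa divisions the same locals pass through `retention_days` values whose declared defaults are 0 even when a caller sets `enable = true`, which presumably expires tables or objects almost immediately, so a guard or variable validation is worth adding. The `? true : false` on `retain_logs` is redundant: `retain_logs = var.division == "hipaa" || var.audit_logs_access != ""`. Both the `locals` block and `module "audit"` extend beyond the hunks shown.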
......
......@@ -80,6 +80,12 @@ resource "google_project" "gcp_project" {
labels = {
"shortcode" = var.shortcode
}
lifecycle {
ignore_changes = [
project_id,
name,
]
}
}
module "log_export_bq" {
......@@ -100,7 +106,7 @@ module "destination_bq" {
source = "terraform-google-modules/log-export/google//modules/bigquery"
project_id = google_project.gcp_project[0].project_id
dataset_name = replace("${var.division}-audit-${local.short_mcomm}-${random_id.id[0].hex}", "-", "_")
description = "Aggregated Log Sink (folder) - HIPAA Customer Logs"
description = "Aggregated Log Sink (folder) - ${var.division} Customer Logs"
log_sink_writer_identity = module.log_export_bq[0].writer_identity # "${module.log_export_bq.writer_identity}"
location = "US"
expiration_days = var.big_query_retention
......@@ -175,8 +181,8 @@ resource "google_resource_manager_lien" "project_lien" {
count = local.big_query_or_gcs_enabled
parent = "projects/${google_project.gcp_project[0].project_id}"
restrictions = ["resourcemanager.projects.delete"]
origin = "Per HIPAA recommendation/requirements; Prevent deletion of ${google_project.gcp_project[0].project_id}"
reason = "${google_project.gcp_project[0].project_id} holds the audit logs for HIPAA customer folder id ${var.folder_id}"
origin = "Prevent deletion of ${google_project.gcp_project[0].project_id}"
reason = "${google_project.gcp_project[0].project_id} holds the audit logs for ${var.division} customer folder id ${var.folder_id}"
}
resource "random_id" "id" {
......@@ -184,22 +190,27 @@ resource "random_id" "id" {
byte_length = 2
}
resource "google_logging_folder_sink" "hipaa_customer_logs" {
resource "google_logging_folder_sink" "customer_logs" {
count = local.gcs_enabled
name = "${var.division}-audit-${local.short_mcomm}"
description = "Aggregated Log Sink - HIPAA Customer Logs"
description = "Aggregated Log Sink - ${var.division} - ${local.short_mcomm} Customer Logs"
folder = var.folder_id
# include logs from all projects in folder
include_children = true
# send to GCS bucket in audit project
destination = "storage.googleapis.com/${google_storage_bucket.hipaa_customer_logs[0].name}"
destination = "storage.googleapis.com/${google_storage_bucket.customer_logs[0].name}"
filter = local.log_filters
lifecycle {
ignore_changes = [
name,
]
}
}
resource "google_storage_bucket" "hipaa_customer_logs" {
resource "google_storage_bucket" "customer_logs" {
count = local.gcs_enabled
project = google_project.gcp_project[0].project_id
name = "${var.division}-audit-${local.short_mcomm}-${random_id.id[0].hex}"
......@@ -233,15 +244,20 @@ resource "google_storage_bucket" "hipaa_customer_logs" {
}
}
}
lifecycle {
ignore_changes = [
name,
]
}
}
resource "google_project_iam_binding" "hipaa_customer_log_writer" {
resource "google_project_iam_binding" "customer_log_writer" {
count = local.gcs_enabled
project = google_project.gcp_project[0].project_id
role = "roles/storage.objectCreator"
members = [
google_logging_folder_sink.hipaa_customer_logs[0].writer_identity,
google_logging_folder_sink.customer_logs[0].writer_identity,
]
}
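Review bot: Renaming `google_logging_folder_sink.hipaa_customer_logs`, `google_storage_bucket.hipaa_customer_logs` and `google_project_iam_binding.hipaa_customer_log_writer` to the `customer_logs` addresses changes the resource addresses in state, so existing customers get a destroy-and-create plan for the sink, the log bucket and the binding; the new `ignore_changes = [name]` blocks only suppress in-place attribute drift and do not cover an address change. For a bucket holding audit logs that replacement is a data-loss risk, and it would presumably fail outright on a non-empty bucket unless `force_destroy` is set, which the visible lines do not show. Adding `moved` blocks (Terraform 1.1+) keeps the existing objects and identities, or the state should be migrated with `terraform state mv` before apply. The `google_storage_bucket` block starts in one hunk and continues outside it, and the `google_project` block that gains the new `lifecycle` starts outside the hunk.
```hcl
moved {
  from = google_logging_folder_sink.hipaa_customer_logs
  to   = google_logging_folder_sink.customer_logs
}

moved {
  from = google_storage_bucket.hipaa_customer_logs
  to   = google_storage_bucket.customer_logs
}

moved {
  from = google_project_iam_binding.hipaa_customer_log_writer
  to   = google_project_iam_binding.customer_log_writer
}
```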
......
......@@ -80,4 +80,29 @@ variable "audit_logs_access" {
type = string
# default = "gcp.admins@umich.edu"
description = "MCommunity group that will be given permission to GCS bucket and/or BQ dataset"
}
\ No newline at end of file
}
# variable "retain_customer_audit_logs" {
# type = bool
# default = false
# description = "Allow customer to retain logs in an audit project (created by module)"
# }
variable "retain_logs_bigquery" {
type = object({enable = bool, retention_days = number})
default = {
enable = false,
retention_days = 0,
}
description = "value"
}
variable "retain_logs_gcs" {
type = object({enable = bool, storage_class = string, retention_days = number})
default = {
enable = false,
storage_class = "COLDLINE"
retention_days = 0,
}
description = "value"
}
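Review bot: Both new variables carry the placeholder `description = "value"`, which is what a caller of this module will see for the only knobs that control audit-log retention. Suggested one-liners: `description = "Retain customer audit logs in a BigQuery dataset in the audit project; retention_days is passed through as the dataset table expiration in days"` for `retain_logs_bigquery`, and `description = "Retain customer audit logs in a GCS bucket in the audit project; storage_class and retention_days (object expiration in days) apply to that bucket"` for `retain_logs_gcs`. The defaults pair `enable = false` with `retention_days = 0`, and nothing checks that a caller who flips `enable` also supplies a positive retention, so a `validation` block on each variable would catch a zero-day expiration at plan time. The `retain_logs_gcs` default omits the comma after `storage_class = "COLDLINE"` that the neighbouring attributes use; HCL accepts the newline, but keep it consistent. The commented-out `retain_customer_audit_logs` variable reads as dead code and could be dropped from the new side.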