
Commit ad4f1974 authored by Kenny Moore's avatar Kenny Moore

Pre-reconfigure for HIPAA customer


Co-authored-by: Adam Robinson's avatarRobinson, Adam <adarobin@umich.edu>
parent 2f0e051e
# create audit project for hipaa logs
terraform {
required_providers {
bluecat = {
source = "umich-vci/bluecat"
version = "0.1.0"
}
}
}
provider "bluecat" {
bluecat_endpoint = "bluecat.umnet.umich.edu"
}
module "gcp-at-um-project" {
count = var.division == "hipaa" ? 1 : 0
source = "/mnt/c/Users/kenmoore/Documents/code/projects/terraform-google-gcp-at-um-project"
project_name = "${var.division}-audit-${local.short_mcomm}"
# project_id = ""
folder_id = google_folder.customer_folder.id # "958858037302" # module.gcp-at-um-customer.google_folder.customer_folder.folder_id # need to get this from the customer module
mcomm_group_email = "gcp.admins@umich.edu" # need a var for auditors for hipaa?
billing_id = "010AF9-D1F2C5-DCC86F" # should be from output - billing_account_id
security_contact = "mjsager@umich.edu"
egress_waiver = true
red_hat_byol = false
shortcode = "048843"
requestor = "kenmoore@umich.edu"
vpn = false
log_export_destination = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/hipaa-logs-test"
}
# working on lien on audit project
resource "google_resource_manager_lien" "project_lien" {
# for_each = { for v in local.projects_with_lien : v => v }
parent = "projects/${module.gcp-at-um-project[0].project_id}"
restrictions = ["resourcemanager.projects.delete"]
origin = "Per HIPAA recommendation/requirements; Prevent deletion of ${module.gcp-at-um-project[0].project_id}"
reason = "${module.gcp-at-um-project[0].project_id} holds the audit logs for HIPAA customer (folder) - ${google_folder.customer_folder.display_name}"
}
resource "random_id" "id" {
byte_length = 2
}
resource "google_logging_folder_sink" "hipaa_customer_logs" {
name = "${var.division}-audit-${local.short_mcomm}"
description = "Aggregated Log Sink - HIPAA Customer Logs"
folder = google_folder.customer_folder.name
# include logs from all projects in folder
include_children = true
# send to GCS bucket in audit project
destination = "storage.googleapis.com/${google_storage_bucket.hipaa_customer_logs.name}"
filter = local.log_filters
}
resource "google_storage_bucket" "hipaa_customer_logs" {
project = module.gcp-at-um-project[0].project_id
name = "${var.division}-audit-${local.short_mcomm}-${random_id.id.hex}"
location = "US-CENTRAL1"
force_destroy = false
bucket_policy_only = true
storage_class = "COLDLINE"
retention_policy {
retention_period = "95000000" # just over 3 years
}
lifecycle_rule {
action {
type = "SetStorageClass"
storage_class = "ARCHIVE"
}
condition {
age = 180
}
}
lifecycle_rule {
action {
type = "Delete"
}
condition {
age = 1100 # just over 3 x 365 days = 3 years (slightly more than the retention policy)
}
}
}
resource "google_project_iam_binding" "hipaa_customer_log_writer" {
project = module.gcp-at-um-project[0].project_id
role = "roles/storage.objectCreator"
members = [
google_logging_folder_sink.hipaa_customer_logs.writer_identity,
]
}
# Reference customer hipaa folder
# resource "google_folder" "my-folder" {
# display_name = "My folder"
# parent = "organizations/123456"
# }
# module "log_export" {
# source = "terraform-google-modules/log-export/google"
# destination_uri = module.destination.destination_uri
# # filter = var.filter_logging_filter
# filter = local.required_filters
# # log_sink_name = "pubsub_folder_${random_string.suffix.result}"
# log_sink_name = local.log_export_topic
# # parent_resource_id = var.parent_resource_id
# parent_resource_id = data.google_folder.hipaa.id
# parent_resource_type = "folder"
# unique_writer_identity = true
# include_children = true
# }
# # needs to be GCS
# module "destination" {
# source = "terraform-google-modules/log-export/google//modules/pubsub"
# project_id = var.folder_logging_destination_project
# topic_name = local.log_export_topic
# log_sink_writer_identity = "${module.log_export.writer_identity}"
# create_subscriber = true
# topic_labels = {
# data_type = var.compliance_effort,
# env = terraform.workspace
# } # Working here - not seeing it as an update?
# }
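Review bot: Every resource after the `gcp-at-um-project` module indexes `module.gcp-at-um-project[0]` (the lien, the log bucket and the IAM binding), but only the module carries `count = var.division == "hipaa" ? 1 : 0`; for any non-HIPAA division that index points at an empty collection and the plan fails, while the folder sink and `random_id` would still be created unconditionally. Each dependent resource needs the same guard, `count = var.division == "hipaa" ? 1 : 0`, with references updated to the indexed form, e.g. `google_storage_bucket.hipaa_customer_logs[0].name`. Separately, `google_project_iam_binding` is authoritative for `roles/storage.objectCreator` across the whole audit project and will strip any other member holding that role there; a bucket-scoped `google_storage_bucket_iam_member` grants the sink's writer identity only what it needs. The new bucket also uses `bucket_policy_only`, which this same commit replaces with `uniform_bucket_level_access` on `customer_bucket`, and its `retention_policy` has no `is_locked = true`, so the three-year minimum can be removed by anyone who can edit the bucket — worth an explicit decision since locking is irreversible. The module `source` is an absolute path under a personal home directory and will not resolve for anyone else; a git or registry source pinned to a tag keeps the plan reproducible.
```hcl
resource "google_storage_bucket_iam_member" "hipaa_customer_log_writer" {
  count  = var.division == "hipaa" ? 1 : 0
  bucket = google_storage_bucket.hipaa_customer_logs[0].name
  role   = "roles/storage.objectCreator"
  member = google_logging_folder_sink.hipaa_customer_logs[0].writer_identity
}
```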
locals {
short_mcomm = lower(replace(split("@", var.mcomm_group_email)[0],".","-"))
short_mcomm = substr(lower(replace(split("@", var.mcomm_group_email)[0],".","-")),0,21)
division_folder_ids = {
dev = {
//its = ""
......@@ -24,13 +24,26 @@ locals {
}
database_function_url = {
//dev = ""
//test = ""
test = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db" # NEED TO CREATE THIS
prod = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db"
}
log_filter_list = [
"LOG_ID(\"cloudaudit.googleapis.com/activity\")",
"LOG_ID(\"externalaudit.googleapis.com/activity\")",
"LOG_ID(\"cloudaudit.googleapis.com/system_event\")",
"LOG_ID(\"externalaudit.googleapis.com/system_event\")",
"LOG_ID(\"cloudaudit.googleapis.com/access_transparency\")",
"LOG_ID(\"externalaudit.googleapis.com/access_transparency\")",
"LOG_ID(\"cloudaudit.googleapis.com/data_access\")",
"LOG_ID (\"externalaudit.googleapis.com/data_access\")",
"LOG_ID(\"compute.googleapis.com/vpc_flows\")",
]
log_filters = join(" OR ", local.log_filter_list)
}
resource "google_folder" "customer_folder" {
display_name = local.short_mcomm
# display_name = local.short_mcomm
display_name = var.folder_display_name == "" ? local.short_mcomm : var.folder_display_name
parent = local.division_folder_ids[var.environment][var.division]
}
......@@ -43,12 +56,19 @@ data "google_iam_policy" "customer_folder_policy" {
}
binding {
role = "roles/resourcemanager.folderViewer"
role = "organizations/715302536254/roles/GCP_at_UM_Customer_Folder_Viewer"
members = [
"group:${var.mcomm_group_email}",
]
}
# binding {
# role = "roles/resourcemanager.folderViewer"
# members = [
# "group:${var.mcomm_group_email}",
# ]
# }
binding {
role = "roles/resourcemanager.projectCreator"
members = [
......@@ -79,7 +99,7 @@ resource "google_storage_bucket" "customer_bucket" {
location = "US"
storage_class = "STANDARD"
bucket_policy_only = true
uniform_bucket_level_access = true
versioning {
enabled = true
......@@ -88,7 +108,7 @@ resource "google_storage_bucket" "customer_bucket" {
resource "google_service_account" "customer_service_account" {
project = var.customer_service_account_project_id
account_id = "${local.short_mcomm}-tf"
account_id = "${local.short_mcomm}-${var.division}-tf"
description = "${local.short_mcomm} Terraform Service Account"
}
......@@ -124,25 +144,27 @@ data "google_iam_policy" "customer_bucket_policy" {
}
resource "google_storage_bucket_iam_policy" "customer_bucket_policy" {
bucket = google_storage_bucket.customer_bucket.name
bucket = google_storage_bucket.customer_bucket.name
policy_data = data.google_iam_policy.customer_bucket_policy.policy_data
}
data "google_service_account_id_token" "customer_db_token" {
target_audience = local.database_function_url[var.environment]
}
# data "google_service_account_id_token" "customer_db_token" {
# target_audience = local.database_function_url[var.environment]
# }
# resource "null_resource" "customer_database" {
# triggers = {
# billing_contact = var.billing_contact
# mcomm_group_email = var.mcomm_group_email
# shortcode = var.shortcode
# }
# provisioner "local-exec" {
# command = "curl ${local.database_function_url[var.environment]} -H \"Authorization: Bearer ${data.google_service_account_id_token.customer_db_token.id_token}\" -H \"Content-Type: application/json\" -d '{\"kind\": \"billing\", \"billingAccountId\": \"asdf\"}'"
# }
# }
resource "null_resource" "customer_database" {
triggers = {
billing_contact = var.billing_contact
mcomm_group_email = var.mcomm_group_email
shortcode = var.shortcode
}
provisioner "local-exec" {
command = "curl ${local.database_function_url[var.environment]} -H \"Authorization: Bearer ${data.google_service_account_id_token.customer_db_token.id_token}\" -H \"Content-Type: application/json\" -d '{\"kind\": \"billing\", \"billingAccountId\": \"asdf\"}'"
}
}
// Need to make a customer Git repo
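Review bot: In the `log_filter_list` entry for `externalaudit.googleapis.com/data_access` (the `LOG_ID (` item in the `@@ -24,13 +24,26 @@` hunk) there is a space between `LOG_ID` and the parenthesis that none of the other entries have; if the logging query parser does not tolerate it, the whole joined `local.log_filters` is rejected when the folder sink is applied, and if it does, the inconsistency still reads as a typo — `"LOG_ID(\"externalaudit.googleapis.com/data_access\")"`. In the same hunk `database_function_url.test` now points at the prod `customer_db` function URL, so an ID token minted for a test run would be presented to the production function; the `NEED TO CREATE THIS` comment suggests this is temporary, but it should not ship in the state where the `customer_database` null_resource is re-enabled. `short_mcomm` is now truncated to 21 characters and feeds the folder display name, the service-account id and bucket names, so two groups whose local parts share a 21-character prefix would collide — a short deterministic suffix (as `random_id` already does for the audit bucket) would keep the names unique. In the `@@ -124,25 +124,27 @@` hunk the `local-exec` curl passes the service-account ID token as a command-line argument, where it is visible to every process on the runner; the new side appears to comment that block out, but when it is re-enabled the token should be supplied via the provisioner's `environment` map or a header file (`-H @file`) rather than argv, and the `"asdf"` billing account placeholder replaced with the real output.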
......@@ -53,3 +53,9 @@ variable "provisioning_service_account_email" {
type = string
description = "The email of the service account used to provision customers"
}
variable "folder_display_name" {
type = string
description = "Override display name of customer folder (default = mcomm group)"
default = ""
}
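Review bot: `folder_display_name` is passed straight through to `google_folder.customer_folder.display_name` with no validation, so an override that exceeds the folder display-name limit or uses a disallowed character only fails at apply time, after the plan has been approved. A `validation` block on the variable (Terraform 0.13 or later, if the module already targets that) surfaces the problem at plan time; the length bound below is my recollection of the API limit — confirm it against the Resource Manager docs before merging.
```hcl
variable "folder_display_name" {
  type        = string
  description = "Override display name of customer folder (default = mcomm group)"
  default     = ""
  validation {
    condition     = var.folder_display_name == "" || length(var.folder_display_name) <= 30
    error_message = "folder_display_name must be 30 characters or fewer."
  }
}
```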