
Commit c7429583 authored by Kenny Moore

BQ_Audit_prior to modules


Co-authored-by: Robinson, Adam <adarobin@umich.edu>
parent e620705b
# Local .terraform directories
**/.terraform/*
# .tfstate files
*.tfstate
*.tfstate.*
# Crash log files
crash.log
# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
# .tfvars files are managed as part of configuration and so should be included in
# version control.
#
# Never commit the tfvars files
*.tfvars
# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json
# Include override files you do wish to add to version control using negated pattern
#
# !example_override.tf
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*
# Don't publish GCP service account creds
vci-dev-tf-admin-a9b805dc141e.json
# Ignore Mac junk
.DS_store
\ No newline at end of file
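Review bot: The service-account credential is excluded by its exact filename, `vci-dev-tf-admin-a9b805dc141e.json`, so a rotated or re-downloaded key (which receives a different hash suffix) would not be ignored; a pattern such as `*-tf-admin-*.json` covers the whole family, and if this key was ever committed before this rule existed it also has to be purged from history and rotated, since ignoring it only affects future adds. Separately, macOS writes `.DS_Store` with a capital S, so `.DS_store` does not match on the case-sensitive filesystem of a Linux runner; change it to `.DS_Store`. The comment block above `*.tfvars` says most .tfvars files should be included in version control while the rule ignores all of them; keep `# Never commit the tfvars files` and drop the contradicting paragraph so the intent is unambiguous.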
......@@ -50,7 +50,8 @@ module "audit" {
mcomm_group_email = var.mcomm_group_email
database_function_url = local.database_function_url[var.environment]
shortcode = var.shortcode
environment = var.environment
environment = var.environment
audit_logs_access = var.audit_logs_access
}
resource "google_folder" "customer_folder" {
......@@ -48,10 +48,12 @@ locals {
log_export_destination = {
//dev = ""
test = {
its = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-test"
campus = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-test"
michigan_medicine = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-test"
hipaa = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/hipaa-logs-test"
its = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/gcp-at-um-logs-test"
campus = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/gcp-at-um-logs-test"
michigan_medicine = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/gcp-at-um-logs-test"
hipaa = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/hipaa-logs-test"
# "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/hipaa-logs-test"
}
prod = {
its = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-prod"
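Review bot: The commented-out old topic `# "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/hipaa-logs-test"` left under `hipaa` in the `test` map is dead configuration with no explanation of why it was kept; either delete it or replace it with a comment that records the cut-over to the `gcp-at-um-test-mon` project. The three non-HIPAA test entries (`its`, `campus`, `michigan_medicine`) all point at the same topic, so a single local for the shared test topic referenced three times would make the next project move a one-line edit instead of three. The `locals` block continues outside the hunk.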
......@@ -73,6 +75,48 @@ resource "google_project" "gcp_project" {
}
}
module "log_export_bq" {
source = "terraform-google-modules/log-export/google"
version = "5.1.0"
destination_uri = module.destination_bq.destination_uri # "${module.destination_bq.destination_uri}"
filter = local.log_filters
log_sink_name = "${var.division}-audit-bq"
parent_resource_id = var.folder_id
parent_resource_type = "folder"
unique_writer_identity = true
include_children = true
}
module "destination_bq" {
source = "terraform-google-modules/log-export/google//modules/bigquery"
project_id = google_project.gcp_project.project_id
dataset_name = replace("${var.division}-audit-${local.short_mcomm}-${random_id.id.hex}", "-", "_")
description = "Aggregated Log Sink (folder) - HIPAA Customer Logs"
log_sink_writer_identity = module.log_export_bq.writer_identity # "${module.log_export_bq.writer_identity}"
location = "US"
expiration_days = 14
}
resource "google_bigquery_dataset_iam_binding" "bq_user" {
project = google_project.gcp_project.project_id
dataset_id = module.destination_bq.resource_name
role = "roles/bigquery.user"
members = [
# "user:kenmoore@umich.edu",
"group:${var.audit_logs_access}",
"group:${var.mcomm_group_email}"
]
}
# resource "google_bigquery_dataset_iam_binding" "job_user" {
# project = google_project.gcp_project.project_id
# dataset_id = module.destination_bq.resource_name
# role = "roles/bigquery.jobUser"
# members = [
# "user:kenmoore@umich.edu",
# ]
# }
data "google_service_account_id_token" "customer_db_token" {
target_audience = var.database_function_url
}
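Review bot: `google_bigquery_dataset_iam_binding "bq_user"` is authoritative for `roles/bigquery.user` on the dataset: on every apply it removes any member holding that role that is not in `members`, including grants made outside Terraform, so if only additive access is intended `google_bigquery_dataset_iam_member` (one per group) is the safer resource. The dataset `description = "Aggregated Log Sink (folder) - HIPAA Customer Logs"` is hard-coded while the sink is created for every `var.division`, so non-HIPAA divisions get a misleading label; derive it from the division the way `log_sink_name` already does. `expiration_days = 14` silently discards audit logs after two weeks, which may be shorter than what the audit use case requires; consider surfacing it as a variable with a documented default. The commented-out `user:kenmoore@umich.edu` member and the `job_user` block should be removed rather than kept as dead configuration, with a comment noting, if that is the reason it existed, that `roles/bigquery.user` on the dataset alone does not carry the project-level job permission a query needs.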
......@@ -40,4 +40,14 @@ variable "environment" {
condition = var.environment == "dev" || var.environment == "test" || var.environment == "prod"
error_message = "The environment value must be one of \"dev\",\"test\", or \"prod\"."
}
}
\ No newline at end of file
}
variable "audit_logs_access" {
type = string
description = "MCommunity group that will be given permission to GCS bucket and/or BQ dataset"
}
# variable "big_query" {
# type = bool
# }
\ No newline at end of file
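Review bot: `variable "audit_logs_access"` has neither a default nor a `validation` block, even though the `environment` variable directly above it validates its input; because the value is interpolated into an IAM `group:` principal, an empty string or typo is only caught at apply time, and a wrong-but-valid group name is not caught at all. Add a shape check such as `validation { condition = can(regex("^[^@\\s]+@[^@\\s]+$", var.audit_logs_access)) error_message = "audit_logs_access must be a group email address." }`. The same variable is declared again in the hunk at `@@ -75,3 +75,9 @@ variable "customer_is_shared_vpc_admin"` with a commented-out `# default = "gcp.admins@umich.edu"`; that hunk has the same gap, and the leftover comment should either become a real default or be removed. The `# variable "big_query"` stub here should be dropped until something reads it.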
......@@ -75,3 +75,9 @@ variable "customer_is_shared_vpc_admin" {
description = "Should the customer be given Shared VPC Admin permission to the customer folder. Defaults to false."
default = false
}
variable "audit_logs_access" {
type = string
# default = "gcp.admins@umich.edu"
description = "MCommunity group that will be given permission to GCS bucket and/or BQ dataset"
}
\ No newline at end of file