Commit c7429583 authored by Kenny Moore's avatar Kenny Moore

BQ_Audit_prior to modules


Co-authored-by: Adam Robinson's avatarRobinson, Adam <adarobin@umich.edu>
parent e620705b
# Local .terraform directories
**/.terraform/*
# .tfstate files
*.tfstate
*.tfstate.*
# Crash log files
crash.log
# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
# .tfvars files are managed as part of configuration and so should be included in
# version control.
#
# Never commit the tfvars files
*.tfvars
# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json
# Include override files you do wish to add to version control using negated pattern
#
# !example_override.tf
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*
# Don't publish GCP service account creds
vci-dev-tf-admin-a9b805dc141e.json
# Ignore Mac junk
.DS_store
\ No newline at end of file
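Review bot: `vci-dev-tf-admin-a9b805dc141e.json` at L34 ignores one service-account key by exact filename, so any other downloaded key (a rotated key gets a new suffix, a key for another environment a new name) is not covered and can still be committed by accident. A pattern such as `*-tf-admin-*.json`, or a dedicated credentials directory that is ignored as a whole, is safer than a single literal name, and it also avoids recording the key's filename in version control. Separately, `.DS_store` at L36 does not match the real `.DS_Store` filename under git's case-sensitive pattern matching unless `core.ignorecase` is set; change it to `.DS_Store`.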
...@@ -50,7 +50,8 @@ module "audit" { ...@@ -50,7 +50,8 @@ module "audit" {
mcomm_group_email = var.mcomm_group_email mcomm_group_email = var.mcomm_group_email
database_function_url = local.database_function_url[var.environment] database_function_url = local.database_function_url[var.environment]
shortcode = var.shortcode shortcode = var.shortcode
environment = var.environment environment = var.environment
audit_logs_access = var.audit_logs_access
} }
resource "google_folder" "customer_folder" { resource "google_folder" "customer_folder" {
......
...@@ -48,10 +48,12 @@ locals { ...@@ -48,10 +48,12 @@ locals {
log_export_destination = { log_export_destination = {
//dev = "" //dev = ""
test = { test = {
its = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-test" its = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/gcp-at-um-logs-test"
campus = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-test" campus = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/gcp-at-um-logs-test"
michigan_medicine = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-test" michigan_medicine = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/gcp-at-um-logs-test"
hipaa = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/hipaa-logs-test" hipaa = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/hipaa-logs-test"
# "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/hipaa-logs-test"
} }
prod = { prod = {
its = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-prod" its = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-prod"
...@@ -73,6 +75,48 @@ resource "google_project" "gcp_project" { ...@@ -73,6 +75,48 @@ resource "google_project" "gcp_project" {
} }
} }
module "log_export_bq" {
source = "terraform-google-modules/log-export/google"
version = "5.1.0"
destination_uri = module.destination_bq.destination_uri # "${module.destination_bq.destination_uri}"
filter = local.log_filters
log_sink_name = "${var.division}-audit-bq"
parent_resource_id = var.folder_id
parent_resource_type = "folder"
unique_writer_identity = true
include_children = true
}
module "destination_bq" {
source = "terraform-google-modules/log-export/google//modules/bigquery"
project_id = google_project.gcp_project.project_id
dataset_name = replace("${var.division}-audit-${local.short_mcomm}-${random_id.id.hex}", "-", "_")
description = "Aggregated Log Sink (folder) - HIPAA Customer Logs"
log_sink_writer_identity = module.log_export_bq.writer_identity # "${module.log_export_bq.writer_identity}"
location = "US"
expiration_days = 14
}
resource "google_bigquery_dataset_iam_binding" "bq_user" {
project = google_project.gcp_project.project_id
dataset_id = module.destination_bq.resource_name
role = "roles/bigquery.user"
members = [
# "user:kenmoore@umich.edu",
"group:${var.audit_logs_access}",
"group:${var.mcomm_group_email}"
]
}
# resource "google_bigquery_dataset_iam_binding" "job_user" {
# project = google_project.gcp_project.project_id
# dataset_id = module.destination_bq.resource_name
# role = "roles/bigquery.jobUser"
# members = [
# "user:kenmoore@umich.edu",
# ]
# }
data "google_service_account_id_token" "customer_db_token" { data "google_service_account_id_token" "customer_db_token" {
target_audience = var.database_function_url target_audience = var.database_function_url
} }
......
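Review bot: The `bq_user` binding at L82–L91 grants `roles/bigquery.user` on the dataset, which as far as I recall does not include `bigquery.tables.getData`, so the two groups can list tables but cannot actually read the exported log rows; the commented `job_user` block below suggests this gap was already noticed. The dataset-level role that permits reading is `roles/bigquery.dataViewer`, with `roles/bigquery.jobUser` granted at project level (not on the dataset) only if these groups must run queries inside this project — confirm against the intended access model. Note also that `google_bigquery_dataset_iam_binding` is authoritative for its role, so any other member holding `roles/bigquery.user` on the dataset outside Terraform is removed on apply. Separately, `description` in `destination_bq` hardcodes "HIPAA Customer Logs" while the dataset name is built from `var.division`, and `expiration_days = 14` appears to expire the audit tables after 14 days — both read like placeholders and deserve either a variable or a comment stating the retention decision. The commented `user:kenmoore@umich.edu` member and the `job_user` block are dead code and should be dropped rather than left in.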
...@@ -40,4 +40,14 @@ variable "environment" { ...@@ -40,4 +40,14 @@ variable "environment" {
condition = var.environment == "dev" || var.environment == "test" || var.environment == "prod" condition = var.environment == "dev" || var.environment == "test" || var.environment == "prod"
error_message = "The environment value must be one of \"dev\",\"test\", or \"prod\"." error_message = "The environment value must be one of \"dev\",\"test\", or \"prod\"."
} }
} }
\ No newline at end of file
variable "audit_logs_access" {
type = string
description = "MCommunity group that will be given permission to GCS bucket and/or BQ dataset"
}
# variable "big_query" {
# type = bool
# }
\ No newline at end of file
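Review bot: `audit_logs_access` is interpolated directly into an IAM member as `"group:${var.audit_logs_access}"` elsewhere in this commit, but unlike `environment` just above it has no `validation` block, so an empty string or a non-address value yields a malformed member that only fails at apply time. A minimal guard mirroring the `environment` variable would be `condition = can(regex("^[^@\\s]+@[^@\\s]+$", var.audit_logs_access))` with `error_message = "audit_logs_access must be a group email address."`. The same applies to the copy of this variable in the root variables file at L122–L126, which additionally carries a commented-out `default`; if no default is intended, drop the comment so readers do not assume one applies. The commented `big_query` variable is dead code and should be removed or turned into a real toggle.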
...@@ -75,3 +75,9 @@ variable "customer_is_shared_vpc_admin" { ...@@ -75,3 +75,9 @@ variable "customer_is_shared_vpc_admin" {
description = "Should the customer be given Shared VPC Admin permission to the customer folder. Defaults to false." description = "Should the customer be given Shared VPC Admin permission to the customer folder. Defaults to false."
default = false default = false
} }
variable "audit_logs_access" {
type = string
# default = "gcp.admins@umich.edu"
description = "MCommunity group that will be given permission to GCS bucket and/or BQ dataset"
}
\ No newline at end of file