
Commit dcd7abbb authored by Kenny Moore's avatar Kenny Moore

modular_auditing

parent e0edd426
......@@ -9,9 +9,9 @@ locals {
//its = ""
}
test = {
its = "folders/100600555387"
campus = "folders/549439339393"
mm = "folders/783942636538"
its = "folders/1065543734594"
campus = "folders/694924320608"
mm = "folders/841027711031"
hipaa = "folders/607376512236"
}
prod = {
......@@ -38,11 +38,21 @@ locals {
mcomm_group_email = var.mcomm_group_email
shortcode = var.shortcode
}
retain_logs = var.division == "hipaa" || var.audit_logs_access != "" ? true : false # if division is hipaa OR audit_logs_access is not an empty string enable audit logs access
retain_logs_bq = {
enable = var.division == "hipaa" ? true: var.retain_logs_bigquery["enable"]
retention_days = var.division == "hipaa" ? 14 : var.retain_logs_bigquery["retention_days"]
}
retain_logs_gcs = {
enable = var.division == "hipaa" ? true: var.retain_logs_gcs["enable"]
storage_class = var.division == "hipaa" ? "COLDLINE": var.retain_logs_gcs["storage_class"]
retention_days = var.division == "hipaa" ? 14 : var.retain_logs_gcs["retention_days"]
}
}
module "audit" {
count = var.division == "hipaa" ? 1: 0
# count = var.division == "hipaa" ? 1: 0
count = local.retain_logs ? 1:0
source = "./modules/terraform-google-gcp-at-um-customer-audit/"
division = var.division
billing_id = google_billing_subaccount.customer_subaccount.billing_account_id
......@@ -52,11 +62,11 @@ module "audit" {
shortcode = var.shortcode
environment = var.environment
audit_logs_access = var.audit_logs_access
big_query = true
big_query_retention = 14
gcs = true
gcs_storage_class = "COLDLINE"
gcs_expiration_days = 1100
big_query = local.retain_logs_bq["enable"]
big_query_retention = local.retain_logs_bq["retention_days"]
gcs = local.retain_logs_gcs["enable"]
gcs_storage_class = local.retain_logs_gcs["storage_class"]
gcs_expiration_days = local.retain_logs_gcs["retention_days"]
}
resource "google_folder" "customer_folder" {
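Review bot: For a hipaa division the new `retention_days = var.division == "hipaa" ? 14 : var.retain_logs_gcs["retention_days"]` inside `retain_logs_gcs` now feeds `gcs_expiration_days`, which the removed line in `module "audit"` set to 1100, so HIPAA bucket objects would expire after 14 days instead of 1100 unless that shorter window is intended; the 14 looks copied from the BigQuery entry, and the old behaviour is `retention_days = var.division == "hipaa" ? 1100 : var.retain_logs_gcs["retention_days"]`. The `? true : false` on `retain_logs` is redundant because the comparison already yields a bool: `retain_logs = var.division == "hipaa" || var.audit_logs_access != ""`. When `audit_logs_access` is set for a non-hipaa division, `count = local.retain_logs ? 1:0` instantiates the audit module while both `retain_logs_bigquery` and `retain_logs_gcs` default to `enable = false`, so the audit project may be created with no log destination at all — worth confirming that is intended. The `locals` block containing these values begins before this hunk.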
......@@ -106,7 +106,7 @@ module "destination_bq" {
source = "terraform-google-modules/log-export/google//modules/bigquery"
project_id = google_project.gcp_project[0].project_id
dataset_name = replace("${var.division}-audit-${local.short_mcomm}-${random_id.id[0].hex}", "-", "_")
description = "Aggregated Log Sink (folder) - HIPAA Customer Logs"
description = "Aggregated Log Sink (folder) - ${var.division} Customer Logs"
log_sink_writer_identity = module.log_export_bq[0].writer_identity # "${module.log_export_bq.writer_identity}"
location = "US"
expiration_days = var.big_query_retention
......@@ -181,8 +181,8 @@ resource "google_resource_manager_lien" "project_lien" {
count = local.big_query_or_gcs_enabled
parent = "projects/${google_project.gcp_project[0].project_id}"
restrictions = ["resourcemanager.projects.delete"]
origin = "Per HIPAA recommendation/requirements; Prevent deletion of ${google_project.gcp_project[0].project_id}"
reason = "${google_project.gcp_project[0].project_id} holds the audit logs for HIPAA customer folder id ${var.folder_id}"
origin = "Prevent deletion of ${google_project.gcp_project[0].project_id}"
reason = "${google_project.gcp_project[0].project_id} holds the audit logs for ${var.division} customer folder id ${var.folder_id}"
}
resource "random_id" "id" {
......@@ -190,17 +190,17 @@ resource "random_id" "id" {
byte_length = 2
}
resource "google_logging_folder_sink" "hipaa_customer_logs" {
resource "google_logging_folder_sink" "customer_logs" {
count = local.gcs_enabled
name = "${var.division}-audit-${local.short_mcomm}"
description = "Aggregated Log Sink - HIPAA Customer Logs"
description = "Aggregated Log Sink - ${var.division} - ${local.short_mcomm} Customer Logs"
folder = var.folder_id
# include logs from all projects in folder
include_children = true
# send to GCS bucket in audit project
destination = "storage.googleapis.com/${google_storage_bucket.hipaa_customer_logs[0].name}"
destination = "storage.googleapis.com/${google_storage_bucket.customer_logs[0].name}"
filter = local.log_filters
lifecycle {
......@@ -210,7 +210,7 @@ resource "google_logging_folder_sink" "hipaa_customer_logs" {
}
}
resource "google_storage_bucket" "hipaa_customer_logs" {
resource "google_storage_bucket" "customer_logs" {
count = local.gcs_enabled
project = google_project.gcp_project[0].project_id
name = "${var.division}-audit-${local.short_mcomm}-${random_id.id[0].hex}"
......@@ -251,13 +251,13 @@ resource "google_storage_bucket" "hipaa_customer_logs" {
}
}
resource "google_project_iam_binding" "hipaa_customer_log_writer" {
resource "google_project_iam_binding" "customer_log_writer" {
count = local.gcs_enabled
project = google_project.gcp_project[0].project_id
role = "roles/storage.objectCreator"
members = [
google_logging_folder_sink.hipaa_customer_logs[0].writer_identity,
google_logging_folder_sink.customer_logs[0].writer_identity,
]
}
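Review bot: Renaming `google_storage_bucket.hipaa_customer_logs` to `customer_logs` (and likewise the `google_logging_folder_sink` and `google_project_iam_binding` in the hunks above) changes the resource addresses, so on any deployment that has already been applied Terraform will plan to destroy the old bucket and sink and create new ones instead of keeping them; the bucket holds the retained audit logs, so that plan either fails on a non-empty bucket or, if `force_destroy` is set elsewhere in the file, deletes the logs. `moved` blocks for the three renamed resources keep the state addresses in step with the rename without a manual `terraform state mv`. If the module has never been applied this is harmless and the blocks can be skipped.
```hcl
# … unchanged: renamed resources above …
moved {
  from = google_logging_folder_sink.hipaa_customer_logs
  to   = google_logging_folder_sink.customer_logs
}

moved {
  from = google_storage_bucket.hipaa_customer_logs
  to   = google_storage_bucket.customer_logs
}

moved {
  from = google_project_iam_binding.hipaa_customer_log_writer
  to   = google_project_iam_binding.customer_log_writer
}
```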
......@@ -80,4 +80,29 @@ variable "audit_logs_access" {
type = string
# default = "gcp.admins@umich.edu"
description = "MCommunity group that will be given permission to GCS bucket and/or BQ dataset"
}
\ No newline at end of file
}
# variable "retain_customer_audit_logs" {
# type = bool
# default = false
# description = "Allow customer to retain logs in an audit project (created by module)"
# }
variable "retain_logs_bigquery" {
type = object({enable = bool, retention_days = number})
default = {
enable = false,
retention_days = 0,
}
description = "value"
}
variable "retain_logs_gcs" {
type = object({enable = bool, storage_class = string, retention_days = number})
default = {
enable = false,
storage_class = "COLDLINE"
retention_days = 0,
}
description = "value"
}
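Review bot: Both new variables carry the placeholder `description = "value"`; `retain_logs_bigquery` should say what the object controls, e.g. `description = "Export customer audit logs to a BigQuery dataset in the audit project; retention_days is the table expiration"`, and `retain_logs_gcs` likewise for the bucket, its storage class and object expiration. With `enable = true` and the default `retention_days = 0`, the zero flows through `local.retain_logs_gcs` into `gcs_expiration_days`, and what the audit module does with a zero expiration is not visible here; a `validation` block on each variable rejecting that combination would surface it at plan time rather than after the lifecycle rule is applied. The commented-out `retain_customer_audit_logs` variable above appears superseded by these two and could be dropped. The `retain_logs_gcs` default mixes trailing commas (`enable = false,`) with none (`storage_class = "COLDLINE"`); both parse, but one style reads better.
```hcl
variable "retain_logs_gcs" {
  # … unchanged: type, default, description …
  validation {
    condition     = !var.retain_logs_gcs.enable || var.retain_logs_gcs.retention_days > 0
    error_message = "retain_logs_gcs.retention_days must be greater than 0 when enable is true."
  }
}
```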