
Commit 4b46b520 authored by Kenny Moore's avatar Kenny Moore

Project_create_plus_log_exclusion


Co-authored-by: Adam Robinson's avatarRobinson, Adam <adarobin@umich.edu>
parent f54fc630
......@@ -7,14 +7,44 @@ resource "random_id" "id" {
}
locals{
project_name_string = substr(lower(replace(var.project_name, "/\\s/", "-")), 0, 25)
filter_string = "logName=\"projects/${google_project.gcp_project.project_id}/logs/cloudaudit.googleapis.com%2Factivity\""
default_cidr = "10.255.0.0/16"
default_subnets = {for x in var.vpc_regions : x => cidrsubnet(local.default_cidr,4,index(var.vpc_regions, x))}
pods_cidr = "10.255.128.0/17"
pods_range = {for x in var.vpc_regions : x => cidrsubnet(local.pods_cidr,3,index(var.vpc_regions, x))}
services_cidr = "10.255.224.0/19"
services_range = {for x in var.vpc_regions : x => cidrsubnet(local.services_cidr,3,index(var.vpc_regions, x))}
project_name_string = substr(lower(replace(var.project_name, "/\\s/", "-")), 0, 25)
# filter_string = "logName=\"projects/${google_project.gcp_project.project_id}/logs/cloudaudit.googleapis.com%2Factivity\""
filter_string = "Change_Me_to_Send_Additional_Logs_to_Splunk; Leave_Exclusions_in_Place_PLEASE"
default_cidr = "10.255.0.0/16"
default_subnets = {for x in var.regions : x => cidrsubnet(local.default_cidr,4,index(var.regions, x))}
pods_cidr = "10.255.128.0/17"
pods_range = {for x in var.regions : x => cidrsubnet(local.pods_cidr,3,index(var.regions, x))}
services_cidr = "10.255.224.0/19"
services_range = {for x in var.regions : x => cidrsubnet(local.services_cidr,3,index(var.regions, x))}
curl_body = {
kind = "project"
security_contact = var.security_contact
mcomm_group_email = var.mcomm_group_email
shortcode = var.shortcode
vpn = var.vpn
dt_phi = var.dt_phi
dt_ferpa = var.dt_ferpa
dt_pii = var.dt_pii
dt_glba = var.dt_glba
dt_hsr = var.dt_hsr
dt_ssn = var.dt_ssn
dt_acp = var.dt_acp
dt_it_sec_info = var.dt_it_sec_info
dt_itar = var.dt_itar
dt_pci = var.dt_pci
dt_fisma = var.dt_fisma
dt_other_data = var.dt_other_data
dt_other_data_info = var.dt_other_data_info
}
log_filter_list = [
"LOG_ID(\"cloudaudit.googleapis.com/activity\")",
"LOG_ID(\"externalaudit.googleapis.com/activity\")",
"LOG_ID(\"cloudaudit.googleapis.com/system_event\")",
"LOG_ID(\"externalaudit.googleapis.com/system_event\")",
"LOG_ID(\"cloudaudit.googleapis.com/access_transparency\")",
"LOG_ID(\"externalaudit.googleapis.com/access_transparency\")",
]
log_filters = join(" OR ", local.log_filter_list)
}
resource "google_project" "gcp_project" {
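Review bot: The new `filter_string` is a free-text placeholder (`Change_Me_to_Send_Additional_Logs_to_Splunk; Leave_Exclusions_in_Place_PLEASE`) and it is wired straight into the sink as `filter = local.filter_string` in the `google_logging_project_sink` hunk below, so every project created from this module either exports nothing (if the Logging API treats it as a text match that hits no entries) or fails to apply (if the `;` is rejected as filter syntax); which of the two happens cannot be determined from the page. Operator guidance belongs in a comment, not in a value the API evaluates, so set the local to an explicit choice (`""` to export everything not excluded, or a real expression) and put the instruction beside it: `# Project-level sink filter. Audit logs are excluded in the sink below because the folder-level aggregated sink already captures them; widen this filter to send additional logs.` The previous `cloudaudit` filter is left commented out above it, so the file no longer states anywhere what a project sink is expected to export by default.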
......@@ -44,12 +74,44 @@ resource "google_project_service" "pubsub_api" {
service = "pubsub.googleapis.com"
}
resource "google_logging_project_sink" "log_export" {
project = google_project.gcp_project.project_id
name = "${google_project.gcp_project.project_id}-log-export"
# module "log_export" {
# source = "terraform-google-modules/log-export/google"
# destination_uri = module.destination.destination_uri
# filter = local.filter_string
# # filter = local.required_filters
# log_sink_name = var.logging_destination_topic
# # log_sink_name = local.log_export_name
# # parent_resource_id = var.parent_resource_id
# parent_resource_id = module.gcp-at-um-project.google_project.gcp_project.project_id
# parent_resource_type = "project"
# unique_writer_identity = true
# # include_children = true
# }
# module "destination" {
# source = "terraform-google-modules/log-export/google//modules/pubsub"
# project_id = var.logging_destination_project
# topic_name = var.logging_destination_topic
# log_sink_writer_identity = "${module.log_export.writer_identity}"
# create_subscriber = false
# # topic_labels = {
# # data_type = var.compliance_effort,
# # env = terraform.workspace
# } # Working here - not seeing it as an update?
# }
resource "google_logging_project_sink" "log_export" {
destination = var.log_export_destination
# filter = "projects/${google_project.gcp_project.project_id}/logs/cloudaudit.googleapis.com%2Factivity" # Need this
project = google_project.gcp_project.project_id
name = "${google_project.gcp_project.project_id}-log-export"
filter = local.filter_string
# filter = local.log_filters
exclusions {
name = "Aggregated_Logs_Exclusion"
description = "Excluding logs already captured by aggregated log sink (at folder)"
filter = local.log_filters
}
unique_writer_identity = true
}
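Review bot: The new `Aggregated_Logs_Exclusion` drops activity, system_event and access_transparency audit logs from this project's export on the assumption, stated only inside the `description` string, that a folder-level aggregated sink already collects them, but nothing in this configuration creates, references or checks that folder sink. If that sink is removed or its scope changes, these projects silently lose audit-log export with no Terraform-visible error. Record the dependency where a maintainer will see it, above the `exclusions` block: `# Audit logs are intentionally excluded here: they are exported by the folder-level aggregated sink, which is managed outside this module. Do not remove this exclusion without confirming that sink still covers this project.` The stale `# filter = "projects/.../cloudaudit.googleapis.com%2Factivity" # Need this` and `# filter = local.log_filters` lines now contradict the exclusion and should be deleted rather than kept as commented alternatives.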
......@@ -61,6 +123,8 @@ resource "google_pubsub_topic_iam_member" "publisher" {
member = google_logging_project_sink.log_export.writer_identity
}
resource "google_compute_network" "default_vpc" {
project = google_project.gcp_project.project_id
name = "${var.vpc_prefix}-default-vpc"
......@@ -83,10 +147,41 @@ module "vpn" {
count = var.vpn == true ? 1 : 0
project_id = google_project.gcp_project.project_id
regions = var.vpc_regions
regions = var.regions
vpc_prefix = var.vpc_prefix
network_size = var.vpn_network_size
bgp_network = var.vpn_bgp_network
cloud_asn = var.vpn_cloud_asn
um_vpn_endpoint = var.um_vpn_endpoint
# um_vpn_endpoint = var.um_vpn_endpoint
}
# ## Receiving 404 error ##
# data "google_service_account_id_token" "customer_db_token" {
# target_audience = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db"
# }
# resource "null_resource" "customer_database" {
# triggers = {
# security_contact = var.security_contact
# mcomm_group_email = var.mcomm_group_email
# shortcode = var.shortcode
# vpn = var.vpn
# dt_phi = var.dt_phi
# dt_ferpa = var.dt_ferpa
# dt_pii = var.dt_pii
# dt_glba = var.dt_glba
# dt_hsr = var.dt_hsr
# dt_ssn = var.dt_ssn
# dt_acp = var.dt_acp
# dt_it_sec_info = var.dt_it_sec_info
# dt_itar = var.dt_itar
# dt_pci = var.dt_pci
# dt_fisma = var.dt_fisma
# dt_other_data = var.dt_other_data
# dt_other_data_info = var.dt_other_data_info
# }
# provisioner "local-exec" {
# command = "curl https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db -H \"Authorization: Bearer ${data.google_service_account_id_token.customer_db_token.id_token}\" -H \"Content-Type: application/json\" -d '${jsonencode(local.curl_body)}'"
# }
# }
\ No newline at end of file
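Review bot: The commented-out `local-exec` provisioner at the end of the hunk interpolates the ID token directly into the curl command line (`-H \"Authorization: Bearer ${data.google_service_account_id_token.customer_db_token.id_token}\"`), so if it is re-enabled the token will show up in Terraform plan/apply output, in CI job logs and in the process list of the host running the apply. It also single-quotes `jsonencode(local.curl_body)`, so a `'` in any of the `dt_*`, `security_contact` or `mcomm_group_email` values breaks the shell command, and because those are caller-supplied request fields that is an injection surface rather than just a quoting bug. Before reviving it, write the body to a file and send it with `-d @file`, pass the token through the provisioner's `environment` block instead of the command string, and mark the token-bearing values `sensitive`, or replace the shell call with a provider-native HTTP request. Separately, commenting out `um_vpn_endpoint = var.um_vpn_endpoint` while the module variable gains `default = []` in a later hunk means the VPN module now always receives an empty endpoint list; if tunnels or peers are built from it (their definitions are outside this hunk), `vpn = true` plans a gateway with nothing to peer with, which is worth confirming is intended rather than a leftover of the 404 debugging.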
terraform {
required_providers {
bluecat = {
source = "umich-vci/bluecat"
version = "0.1.0"
}
}
}
# calculate subnet information; rounds up based on the number regions provided (divided by 2)
locals{
subnets = {for x in var.regions : x => cidrsubnet(bluecat_ip4_network.gcp_network.cidr, ceil(length(var.regions)/2), index(var.regions, x))}
......@@ -43,7 +52,7 @@ resource "google_compute_subnetwork" "vpn_subnet" {
# # create vpn gateway
resource "google_compute_vpn_gateway" "vpn_gw" {
name = "${var.prefix}-bgp-vpn-gateway"
name = "${var.vpc_prefix}-bgp-vpn-gateway"
project = var.project_id
network = google_compute_network.vpn_vpc.self_link
region = var.regions[0]
......@@ -87,7 +96,7 @@ resource "google_compute_forwarding_rule" "fr_udp4500" {
}
resource "google_compute_router" "vpn_router" {
name = "${var.prefix}-bgp-vpn-router"
name = "${var.vpc_prefix}-bgp-vpn-router"
project = var.project_id
network = google_compute_network.vpn_vpc.self_link
region = var.regions[0]
......@@ -109,7 +118,7 @@ resource "google_compute_router_interface" "bgp_interface" {
resource "google_compute_router_peer" "bgp_peer" {
count = length(var.bgp_network)
name = "${var.prefix}-bgp-peer${count.index}"
name = "${var.vpc_prefix}-bgp-peer${count.index}"
project = var.project_id
router = google_compute_router.vpn_router.name
region = var.regions[0]
......
......@@ -9,10 +9,12 @@ variable "network_size" {
variable "bgp_network" {
type = list(string)
default = [] # look up with NetBox
}
variable "cloud_asn" {
type = string
default = "" # look up with NetBox
}
variable "project_id" {
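Review bot: Giving `bgp_network` and `cloud_asn` defaults of `[]` and `""` turns two values the VPN module previously required into optional ones, so a caller that omits them no longer gets a plan-time error; with `count = length(var.bgp_network)` on the `bgp_peer` resource the result is a router with zero BGP peers and an empty string handed to whatever consumes `var.cloud_asn` outside this page. The same change is made to the root-module `vpn_bgp_network` / `vpn_cloud_asn` variables in the variables.tf hunk further down. If the intent is that NetBox will eventually supply these, keep the defaults but add a `validation` block that rejects anything other than an empty string or a numeric ASN, e.g. `validation { condition = var.cloud_asn == "" || can(regex("^[0-9]+$", var.cloud_asn)) error_message = "cloud_asn must be empty or a numeric ASN." }`, and say in `description` that an empty value disables BGP; otherwise drop the defaults and keep the inputs required.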
......@@ -24,6 +26,7 @@ variable "vpc_prefix" {
}
variable "um_vpn_endpoint" {
default = []
type = list(object({
ip = string
asn = string
......
......@@ -2,9 +2,9 @@ output "project_id" {
value = google_project.gcp_project.project_id
}
output "prefix" {
value = var.prefix
}
# output "prefix" {
# value = var.prefix
# }
output "billing_id" {
value = var.billing_id
......
......@@ -47,6 +47,16 @@ variable "log_export_destination" {
default = "pubsub.googleapis.com/projects/vci-mcloud-service/topics/vci-service-project-logs-export"
}
# variable "logging_destination_project" {
# type = string
# description = "Log export destination project"
# }
# variable "logging_destination_topic" {
# type = string
# description = "Log export Pub/Sub topic in destination logging destination project"
# }
variable "requestor" {
type = string
description = "The person that made the initial request for the GCP Project"
......@@ -72,21 +82,23 @@ variable "vpn_network_size" {
variable "vpn_bgp_network" {
type = list(string)
description = "The /30 BGP network allocated from UMnet. This is from NetBox (and should go away as a var at some point)."
default = [] # FROM NETBOX
}
variable "vpn_cloud_asn" {
type = string
description = "The ASN number allocated from UMnet. This is from NetBox (and should go away as a var at some point)."
default = "" # From NETBOX
}
variable "um_vpn_endpoint" {
type = list(object({
ip = string
asn = string
}))
# variable "um_vpn_endpoint" {
# type = list(object({
# ip = string
# asn = string
# }))
description = "The UMnet VPN endpoints."
}
# description = "The UMnet VPN endpoints."
# }
variable "gke_vpc_ranges" {
type = bool
......@@ -96,11 +108,11 @@ variable "gke_vpc_ranges" {
variable "vpc_prefix" {
type = string
default = "um-"
default = "um"
}
variable "region" {
type = string
variable "regions" {
type = list(string)
description = "Google regions to provision VPC resources in. Defaults to [ \"us-central1\", \"us-east1\", \"us-east4\", \"us-west1\" ]."
default = [
"us-central1",
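Review bot: Changing the `vpc_prefix` default from `"um-"` to `"um"` fixes the doubled hyphen in names such as `"${var.vpc_prefix}-default-vpc"` and `"${var.vpc_prefix}-bgp-vpn-gateway"`, but for any existing workspace that relied on the default it changes the `name` of the network, VPN gateway, router and BGP peers, and `name` is immutable on those Google resources, so the next apply replaces the VPC and VPN path rather than renaming them. Renaming `region` to `regions` (and `vpc_regions` to `regions` in the module call) is likewise a breaking interface change for any caller still passing the old variable name. Call both out in the commit message, and for in-place deployments either pin `vpc_prefix = "um-"` explicitly or schedule the replacement deliberately before rolling this out.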
......@@ -186,4 +198,4 @@ variable "dt_other_data_info" {
type = string
description = "A description of the Other Sensitive Data"
default = ""
}
}
\ No newline at end of file