Make KMS and Log sink optionals
This commit is contained in:
parent
440e9c59b9
commit
0ce110f170
|
@ -32,7 +32,7 @@ locals {
|
|||
kms_log_sink_keys = {
|
||||
"storage" = {
|
||||
labels = {}
|
||||
locations = [var.log_locations.gcs]
|
||||
locations = [var.log_locations.storage]
|
||||
rotation_period = "7776000s"
|
||||
}
|
||||
"bq" = {
|
||||
|
@ -54,6 +54,7 @@ locals {
|
|||
}
|
||||
|
||||
module "sec-project" {
|
||||
count = var.enable_features.kms ? 1 : 0
|
||||
source = "../../../modules/project"
|
||||
name = "sec-core"
|
||||
parent = module.folder.id
|
||||
|
@ -74,9 +75,9 @@ module "sec-project" {
|
|||
}
|
||||
|
||||
module "sec-kms" {
|
||||
for_each = toset(local.kms_locations)
|
||||
for_each = var.enable_features.log_sink ? toset(local.kms_locations) : toset([])
|
||||
source = "../../../modules/kms"
|
||||
project_id = module.sec-project.project_id
|
||||
project_id = module.sec-project[0].project_id
|
||||
keyring = {
|
||||
location = each.key
|
||||
name = "${each.key}"
|
||||
|
@ -89,12 +90,12 @@ module "sec-kms" {
|
|||
}
|
||||
|
||||
module "log-kms" {
|
||||
for_each = toset(local.kms_log_locations)
|
||||
for_each = var.enable_features.log_sink ? toset(local.kms_log_locations) : toset([])
|
||||
source = "../../../modules/kms"
|
||||
project_id = module.sec-project.project_id
|
||||
project_id = module.sec-project[0].project_id
|
||||
keyring = {
|
||||
location = each.key
|
||||
name = "log-${each.key}"
|
||||
name = "${each.key}"
|
||||
}
|
||||
keys = local.kms_log_locations_keys[each.key]
|
||||
}
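Review bot: `module "sec-kms"` and `module "log-kms"` are gated on `var.enable_features.log_sink` (lines with `for_each = var.enable_features.log_sink ? …`) while the project they index, `module.sec-project[0]`, only exists when `var.enable_features.kms` is true (`count = var.enable_features.kms ? 1 : 0`), so `log_sink = true, kms = false` fails on the `[0]` index and `kms = true, log_sink = false` creates a project with no keyrings; gating both keyring modules on `var.enable_features.kms` (or on `kms && log_sink` for `log-kms`) would make the two flags independent, e.g. `for_each = var.enable_features.kms ? toset(local.kms_locations) : toset([])`. The `log-kms` keyring name also changes from `"log-${each.key}"` to `"${each.key}"`, which is the same name `sec-kms` uses in the same project; if `local.kms_locations` and `local.kms_log_locations` share a location this presumably creates two keyrings with one name and fails at apply — worth a comment at the rename stating why the two location lists must be disjoint, or keeping the `log-` prefix. The `locals` block at the top of the section starts outside the first hunk.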
|
||||
|
|
|
@ -18,15 +18,15 @@
|
|||
|
||||
locals {
|
||||
gcs_storage_class = (
|
||||
length(split("-", var.log_locations.gcs)) < 2
|
||||
length(split("-", var.log_locations.storage)) < 2
|
||||
? "MULTI_REGIONAL"
|
||||
: "REGIONAL"
|
||||
)
|
||||
log_types = toset([for k, v in var.log_sinks : v.type])
|
||||
_log_keys = {
|
||||
bq = [module.log-kms[var.log_locations.bq].keys["bq"].id]
|
||||
pubsub = try([module.log-kms[var.log_locations.pubsub].keys["pubsub"].id], null)
|
||||
storage = [module.log-kms[var.log_locations.gcs].keys["storage"].id]
|
||||
bq = var.enable_features.log_sink ? ["projects/${module.sec-project.project_id}/locations/${var.log_locations.bq}/keyRings/${var.log_locations.bq}/cryptoKeys/bq"] : null
|
||||
pubsub = var.enable_features.log_sink ? ["projects/${module.sec-project.project_id}/locations/${var.log_locations.pubsub}/keyRings/${var.log_locations.pubsub}/cryptoKeys/pubsub"] : null
|
||||
storage = var.enable_features.log_sink ? ["projects/${module.sec-project.project_id}/locations/${var.log_locations.storage}/keyRings/${var.log_locations.storage}/cryptoKeys/storage"] : null
|
||||
}
|
||||
|
||||
log_keys = {
|
||||
|
@ -35,29 +35,35 @@ locals {
|
|||
}
|
||||
|
||||
module "log-export-project" {
|
||||
count = var.enable_features.log_sink ? 1 : 0
|
||||
source = "../../../modules/project"
|
||||
name = "audit-logs"
|
||||
parent = module.folder.id
|
||||
billing_account = try(var.projects_create.billing_account_id, null)
|
||||
project_create = var.projects_create != null && var.enable_features.log_sink
|
||||
project_create = var.projects_create != null
|
||||
prefix = var.projects_create == null ? null : var.prefix
|
||||
iam = {
|
||||
# "roles/owner" = [module.automation-tf-bootstrap-sa.iam_email]
|
||||
}
|
||||
services = [
|
||||
"bigquery.googleapis.com",
|
||||
"pubsub.googleapis.com",
|
||||
"storage.googleapis.com",
|
||||
"stackdriver.googleapis.com"
|
||||
]
|
||||
service_encryption_key_ids = local.log_keys
|
||||
service_encryption_key_ids = var.enable_features.kms ? local.log_keys : null
|
||||
|
||||
depends_on = [
|
||||
module.log-kms
|
||||
]
|
||||
}
|
||||
|
||||
# one log export per type, with conditionals to skip those not needed
|
||||
|
||||
module "log-export-dataset" {
|
||||
source = "../../../modules/bigquery-dataset"
|
||||
count = contains(local.log_types, "bigquery") ? 1 : 0
|
||||
project_id = module.log-export-project.project_id
|
||||
count = var.enable_features.log_sink && contains(local.log_types, "bigquery") ? 1 : 0
|
||||
project_id = module.log-export-project[0].project_id
|
||||
id = "${var.prefix}_audit_export"
|
||||
friendly_name = "Audit logs export."
|
||||
location = replace(var.log_locations.bq, "europe", "EU")
|
||||
|
@ -66,20 +72,20 @@ module "log-export-dataset" {
|
|||
|
||||
module "log-export-gcs" {
|
||||
source = "../../../modules/gcs"
|
||||
count = contains(local.log_types, "storage") ? 1 : 0
|
||||
project_id = module.log-export-project.project_id
|
||||
count = var.enable_features.log_sink && contains(local.log_types, "storage") ? 1 : 0
|
||||
project_id = module.log-export-project[0].project_id
|
||||
name = "audit-logs"
|
||||
prefix = var.prefix
|
||||
location = replace(var.log_locations.gcs, "europe", "EU")
|
||||
location = replace(var.log_locations.storage, "europe", "EU")
|
||||
storage_class = local.gcs_storage_class
|
||||
encryption_key = var.enable_features.kms ? module.log-kms[var.log_locations.gcs].keys["storage"].id : null
|
||||
encryption_key = var.enable_features.kms ? module.log-kms[var.log_locations.storage].keys["storage"].id : null
|
||||
}
|
||||
|
||||
module "log-export-logbucket" {
|
||||
source = "../../../modules/logging-bucket"
|
||||
for_each = toset([for k, v in var.log_sinks : k if v.type == "logging"])
|
||||
for_each = var.enable_features.log_sink ? toset([for k, v in var.log_sinks : k if v.type == "logging"]) : []
|
||||
parent_type = "project"
|
||||
parent = module.log-export-project.project_id
|
||||
parent = module.log-export-project[0].project_id
|
||||
id = "audit-logs-${each.key}"
|
||||
location = var.log_locations.logging
|
||||
#TODO check if logging bucket support encryption.
|
||||
|
@ -87,8 +93,8 @@ module "log-export-logbucket" {
|
|||
|
||||
module "log-export-pubsub" {
|
||||
source = "../../../modules/pubsub"
|
||||
for_each = toset([for k, v in var.log_sinks : k if v.type == "pubsub"])
|
||||
project_id = module.log-export-project.project_id
|
||||
for_each = toset([for k, v in var.log_sinks : k if v.type == "pubsub" && var.enable_features.log_sink])
|
||||
project_id = module.log-export-project[0].project_id
|
||||
name = "audit-logs-${each.key}"
|
||||
regions = [var.log_locations.pubsub]
|
||||
kms_key = var.enable_features.kms ? module.log-kms[var.log_locations.pubsub].keys["pubsub"].id : null
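Review bot: The new `_log_keys` entries interpolate `module.sec-project.project_id` without an instance index, but `sec-project` gains `count` in this commit, so these lines need `module.sec-project[0].project_id` to evaluate at all; the same three lines also build key IDs as literal strings instead of reading `module.log-kms[...].keys[...].id`, which drops the implicit dependency (hence the `depends_on = [module.log-kms]` added to `log-export-project`) and silently diverges from the real key if the keyring naming in `log-kms` changes again. The `pubsub` entry previously used `try(…, null)` for a missing location; the replacement `"…/locations/${var.log_locations.pubsub}/…"` will error on interpolation if `pubsub` is null, which this commit's variable default now sets. The `for_each` gates in `log-export-logbucket` (`… : []`) and `log-export-pubsub` (filter inside the comprehension) are written three different ways across this file; using the `toset([])` form everywhere would be easier to audit. The `locals` block with `_log_keys` continues past the first hunk.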
|
||||
|
|
|
@ -38,7 +38,7 @@ locals {
|
|||
for k, v in data.google_projects.folder-projects.projects : format("projects/%s", v.number)
|
||||
]
|
||||
|
||||
log_sink_destinations = merge(
|
||||
log_sink_destinations = var.enable_features.log_sink ? merge(
|
||||
# use the same dataset for all sinks with `bigquery` as destination
|
||||
{ for k, v in var.log_sinks : k => module.log-export-dataset.0 if v.type == "bigquery" },
|
||||
# use the same gcs bucket for all sinks with `storage` as destination
|
||||
|
@ -47,7 +47,7 @@ locals {
|
|||
# destination `pubsub` and `logging`
|
||||
module.log-export-pubsub,
|
||||
module.log-export-logbucket
|
||||
)
|
||||
) : null
|
||||
}
|
||||
|
||||
module "folder" {
|
||||
|
@ -64,7 +64,7 @@ module "folder" {
|
|||
org_policies_data_path = "${var.data_dir}/org-policies"
|
||||
firewall_policy_factory = {
|
||||
cidr_file = "${var.data_dir}/firewall-policies/cidrs.yaml"
|
||||
policy_name = "hierarchical-policy"
|
||||
policy_name = "${var.prefix}-fw-policy"
|
||||
rules_file = "${var.data_dir}/firewall-policies/hierarchical-policy-rules.yaml"
|
||||
}
|
||||
logging_sinks = var.enable_features.log_sink ? {
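Review bot: `policy_name` changes from `"hierarchical-policy"` to `"${var.prefix}-fw-policy"`; if the folder module passes this through as the firewall policy's name, the rename presumably forces the hierarchical policy and its folder association to be destroyed and recreated, leaving a window with no policy enforced on existing deployments. A comment on that line noting the replacement and the expected migration path (or a `moved`/import step if the module supports it) would help whoever applies this to an existing environment. `log_sink_destinations` becoming `null` when `log_sink` is disabled is consistent with the `logging_sinks` gate on the last line, whose block continues outside the hunk.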
|
||||
|
|
|
@ -92,15 +92,15 @@ variable "log_locations" {
|
|||
description = "Optional locations for GCS, BigQuery, and logging buckets created here."
|
||||
type = object({
|
||||
bq = optional(string, "europe")
|
||||
gcs = optional(string, "europe")
|
||||
storage = optional(string, "europe")
|
||||
logging = optional(string, "global")
|
||||
pubsub = optional(string, "global")
|
||||
})
|
||||
default = {
|
||||
bq = "europe"
|
||||
gcs = "europe"
|
||||
storage = "europe"
|
||||
logging = "global"
|
||||
pubsub = "global"
|
||||
pubsub = null
|
||||
}
|
||||
nullable = false
|
||||
}
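Review bot: The `default` block sets `pubsub = null` while the type declares `pubsub = optional(string, "global")`; Terraform applies an `optional()` default when the attribute is null, so this presumably still evaluates to `"global"` and does not disable the pubsub location as the change seems to intend — and if it did take effect as null, the `${var.log_locations.pubsub}` interpolation in `_log_keys` would fail. Either drop the default in the type (`pubsub = optional(string)`) or keep `"global"` and document that pubsub is controlled by `log_sinks` instead. The description `"Optional locations for GCS, BigQuery, and logging buckets created here."` should also be updated to name `storage` and `pubsub`, since the `gcs` attribute is renamed here.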
|
||||
|
|