Make KMS and Log sink optionals

blueprints/data-solutions/shielded-folder/kms.tf

@@ -32,7 +32,7 @@ locals {
   kms_log_sink_keys = {
     "storage" = {
       labels          = {}
-      locations       = [var.log_locations.gcs]
+      locations       = [var.log_locations.storage]
       rotation_period = "7776000s"
     }
     "bq" = {
@@ -54,6 +54,7 @@ locals {
 }
 
 module "sec-project" {
+  count           = var.enable_features.kms ? 1 : 0
   source          = "../../../modules/project"
   name            = "sec-core"
   parent          = module.folder.id
@@ -74,9 +75,9 @@ module "sec-project" {
 }
 
 module "sec-kms" {
-  for_each   = toset(local.kms_locations)
+  for_each   = var.enable_features.log_sink ? toset(local.kms_locations) : toset([])
   source     = "../../../modules/kms"
-  project_id = module.sec-project.project_id
+  project_id = module.sec-project[0].project_id
   keyring = {
     location = each.key
     name     = "${each.key}"
@@ -89,12 +90,12 @@ module "sec-kms" {
 }
 
 module "log-kms" {
-  for_each   = toset(local.kms_log_locations)
+  for_each   = var.enable_features.log_sink ? toset(local.kms_log_locations) : toset([])
   source     = "../../../modules/kms"
-  project_id = module.sec-project.project_id
+  project_id = module.sec-project[0].project_id
   keyring = {
     location = each.key
-    name     = "log-${each.key}"
+    name     = "${each.key}"
   }
   keys = local.kms_log_locations_keys[each.key]
 }

blueprints/data-solutions/shielded-folder/log-export.tf

@@ -18,15 +18,15 @@
 
 locals {
   gcs_storage_class = (
-    length(split("-", var.log_locations.gcs)) < 2
+    length(split("-", var.log_locations.storage)) < 2
     ? "MULTI_REGIONAL"
     : "REGIONAL"
   )
   log_types = toset([for k, v in var.log_sinks : v.type])
   _log_keys = {
-    bq      = [module.log-kms[var.log_locations.bq].keys["bq"].id]
-    pubsub  = try([module.log-kms[var.log_locations.pubsub].keys["pubsub"].id], null)
-    storage = [module.log-kms[var.log_locations.gcs].keys["storage"].id]
+    bq      = var.enable_features.log_sink ? ["projects/${module.sec-project.project_id}/locations/${var.log_locations.bq}/keyRings/${var.log_locations.bq}/cryptoKeys/bq"] : null
+    pubsub  = var.enable_features.log_sink ? ["projects/${module.sec-project.project_id}/locations/${var.log_locations.pubsub}/keyRings/${var.log_locations.pubsub}/cryptoKeys/pubsub"] : null
+    storage = var.enable_features.log_sink ? ["projects/${module.sec-project.project_id}/locations/${var.log_locations.storage}/keyRings/${var.log_locations.storage}/cryptoKeys/storage"] : null
   }
 
   log_keys = {
@@ -35,29 +35,35 @@ locals {
 }
 
 module "log-export-project" {
+  count           = var.enable_features.log_sink ? 1 : 0
   source          = "../../../modules/project"
   name            = "audit-logs"
   parent          = module.folder.id
   billing_account = try(var.projects_create.billing_account_id, null)
-  project_create  = var.projects_create != null && var.enable_features.log_sink
+  project_create  = var.projects_create != null
   prefix          = var.projects_create == null ? null : var.prefix
   iam = {
     # "roles/owner" = [module.automation-tf-bootstrap-sa.iam_email]
   }
   services = [
     "bigquery.googleapis.com",
+    "pubsub.googleapis.com",
     "storage.googleapis.com",
     "stackdriver.googleapis.com"
   ]
-  service_encryption_key_ids = local.log_keys
+  service_encryption_key_ids = var.enable_features.kms ? local.log_keys : null
+
+  depends_on = [
+    module.log-kms
+  ]
 }
 
 # one log export per type, with conditionals to skip those not needed
 
 module "log-export-dataset" {
   source         = "../../../modules/bigquery-dataset"
-  count          = contains(local.log_types, "bigquery") ? 1 : 0
-  project_id     = module.log-export-project.project_id
+  count          = var.enable_features.log_sink && contains(local.log_types, "bigquery") ? 1 : 0
+  project_id     = module.log-export-project[0].project_id
   id             = "${var.prefix}_audit_export"
   friendly_name  = "Audit logs export."
   location       = replace(var.log_locations.bq, "europe", "EU")
@@ -66,20 +72,20 @@ module "log-export-dataset" {
 
 module "log-export-gcs" {
   source         = "../../../modules/gcs"
-  count          = contains(local.log_types, "storage") ? 1 : 0
-  project_id     = module.log-export-project.project_id
+  count          = var.enable_features.log_sink && contains(local.log_types, "storage") ? 1 : 0
+  project_id     = module.log-export-project[0].project_id
   name           = "audit-logs"
   prefix         = var.prefix
-  location       = replace(var.log_locations.gcs, "europe", "EU")
+  location       = replace(var.log_locations.storage, "europe", "EU")
   storage_class  = local.gcs_storage_class
-  encryption_key = var.enable_features.kms ? module.log-kms[var.log_locations.gcs].keys["storage"].id : null
+  encryption_key = var.enable_features.kms ? module.log-kms[var.log_locations.storage].keys["storage"].id : null
 }
 
 module "log-export-logbucket" {
   source      = "../../../modules/logging-bucket"
-  for_each    = toset([for k, v in var.log_sinks : k if v.type == "logging"])
+  for_each    = var.enable_features.log_sink ? toset([for k, v in var.log_sinks : k if v.type == "logging"]) : []
   parent_type = "project"
-  parent      = module.log-export-project.project_id
+  parent      = module.log-export-project[0].project_id
   id          = "audit-logs-${each.key}"
   location    = var.log_locations.logging
   #TODO check if logging bucket support encryption.
@@ -87,8 +93,8 @@ module "log-export-logbucket" {
 
 module "log-export-pubsub" {
   source     = "../../../modules/pubsub"
-  for_each   = toset([for k, v in var.log_sinks : k if v.type == "pubsub"])
-  project_id = module.log-export-project.project_id
+  for_each   = toset([for k, v in var.log_sinks : k if v.type == "pubsub" && var.enable_features.log_sink])
+  project_id = module.log-export-project[0].project_id
   name       = "audit-logs-${each.key}"
   regions    = [var.log_locations.pubsub]
   kms_key    = var.enable_features.kms ? module.log-kms[var.log_locations.pubsub].keys["pubsub"].id : null

blueprints/data-solutions/shielded-folder/main.tf

@@ -38,7 +38,7 @@ locals {
     for k, v in data.google_projects.folder-projects.projects : format("projects/%s", v.number)
   ]
 
-  log_sink_destinations = merge(
+  log_sink_destinations = var.enable_features.log_sink ? merge(
     # use the same dataset for all sinks with `bigquery` as  destination
     { for k, v in var.log_sinks : k => module.log-export-dataset.0 if v.type == "bigquery" },
     # use the same gcs bucket for all sinks with `storage` as destination
@@ -47,7 +47,7 @@ locals {
     # destination `pubsub` and `logging`
     module.log-export-pubsub,
     module.log-export-logbucket
-  )
+  ) : null
 }
 
 module "folder" {
@@ -64,7 +64,7 @@ module "folder" {
   org_policies_data_path = "${var.data_dir}/org-policies"
   firewall_policy_factory = {
     cidr_file   = "${var.data_dir}/firewall-policies/cidrs.yaml"
-    policy_name = "hierarchical-policy"
+    policy_name = "${var.prefix}-fw-policy"
     rules_file  = "${var.data_dir}/firewall-policies/hierarchical-policy-rules.yaml"
   }
   logging_sinks = var.enable_features.log_sink ? {

blueprints/data-solutions/shielded-folder/variables.tf

@@ -92,15 +92,15 @@ variable "log_locations" {
   description = "Optional locations for GCS, BigQuery, and logging buckets created here."
   type = object({
     bq      = optional(string, "europe")
-    gcs     = optional(string, "europe")
+    storage = optional(string, "europe")
     logging = optional(string, "global")
     pubsub  = optional(string, "global")
   })
   default = {
     bq      = "europe"
-    gcs     = "europe"
+    storage = "europe"
     logging = "global"
-    pubsub  = "global"
+    pubsub  = null
   }
   nullable = false
 }