Update
This commit is contained in:
parent
4007d42705
commit
440e9c59b9
|
@ -30,17 +30,17 @@ locals {
|
|||
|
||||
# Log sink keys
|
||||
kms_log_sink_keys = {
|
||||
"log-gcs" = {
|
||||
"storage" = {
|
||||
labels = {}
|
||||
locations = [var.log_locations.gcs]
|
||||
rotation_period = "7776000s"
|
||||
}
|
||||
"log-bq" = {
|
||||
"bq" = {
|
||||
labels = {}
|
||||
locations = [var.log_locations.bq]
|
||||
rotation_period = "7776000s"
|
||||
}
|
||||
"log-pubsub" = {
|
||||
"pubsub" = {
|
||||
labels = {}
|
||||
locations = [var.log_locations.pubsub]
|
||||
rotation_period = "7776000s"
|
||||
|
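Review bot: Renaming the `kms_log_sink_keys` entries from `log-gcs`/`log-bq`/`log-pubsub` to `storage`/`bq`/`pubsub` (which side is old is inferred from the key names the later hunks look up) changes the map keys that presumably drive the `for_each` of the key resources inside `module.log-kms`, so on an already deployed environment Terraform would plan to destroy the old keys and create new ones. A KMS key that already encrypts exported log data cannot be destroyed without making that data unrecoverable, so this rename should ship with one `moved` block per key (declared where the key resources live, old address `["log-gcs"]` to new address `["storage"]` and so on), or the old names should be kept. The `locals` block starts before the hunk and continues past it.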
@ -58,7 +58,7 @@ module "sec-project" {
|
|||
name = "sec-core"
|
||||
parent = module.folder.id
|
||||
billing_account = try(var.projects_create.billing_account_id, null)
|
||||
project_create = var.projects_create != null
|
||||
project_create = var.projects_create != null && var.enable_features.kms
|
||||
prefix = var.projects_create == null ? null : var.prefix
|
||||
group_iam = {
|
||||
(local.groups.data-engineers) = [
|
||||
|
|
|
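Review bot: Gating `project_create` on `var.enable_features.kms` does not skip the `sec-project` module when the feature is off; it switches the module into "use existing project" mode, so with `kms = false` the module will presumably try to look up an already existing `sec-core` project and fail when there is none. If the intent is to not provision the security project at all when KMS is disabled, gate the module itself, `count = var.enable_features.kms ? 1 : 0`, and adjust the references to it; the `log-export-project` hunk (`@ -39,7 +39,7 @@`) has the same pattern with `log_sink`. The module block starts before the hunk and continues past it.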
@ -24,9 +24,9 @@ locals {
|
|||
)
|
||||
log_types = toset([for k, v in var.log_sinks : v.type])
|
||||
_log_keys = {
|
||||
bq = [module.log-kms[var.log_locations.bq].keys["log-bq"].id]
|
||||
pubsub = try([module.log-kms[var.log_locations.pubsub].keys["log-pubsub"].id], null)
|
||||
storage = [module.log-kms[var.log_locations.gcs].keys["log-gcs"].id]
|
||||
bq = [module.log-kms[var.log_locations.bq].keys["bq"].id]
|
||||
pubsub = try([module.log-kms[var.log_locations.pubsub].keys["pubsub"].id], null)
|
||||
storage = [module.log-kms[var.log_locations.gcs].keys["storage"].id]
|
||||
}
|
||||
|
||||
log_keys = {
|
||||
|
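Review bot: The `pubsub` entry of `_log_keys` keeps its `try(..., null)` wrapper while the `bq` and `storage` entries next to it do not; since this commit also defaults `var.log_locations.pubsub` to `"global"` (hunk `@ -83,13 +94,13 @@`), the wrapper no longer guards a null location but swallows any lookup error — a missing `log-kms` instance or a key name that was not renamed — and silently yields `null`, i.e. no CMEK on the Pub/Sub export destination. Prefer the plain lookup used for the other two entries, `pubsub = [module.log-kms[var.log_locations.pubsub].keys["pubsub"].id]`, so a misconfiguration fails the plan instead of downgrading encryption. The `locals` block starts before the hunk and continues past it.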
@ -39,7 +39,7 @@ module "log-export-project" {
|
|||
name = "audit-logs"
|
||||
parent = module.folder.id
|
||||
billing_account = try(var.projects_create.billing_account_id, null)
|
||||
project_create = var.projects_create != null
|
||||
project_create = var.projects_create != null && var.enable_features.log_sink
|
||||
prefix = var.projects_create == null ? null : var.prefix
|
||||
iam = {
|
||||
# "roles/owner" = [module.automation-tf-bootstrap-sa.iam_email]
|
||||
|
@ -61,7 +61,7 @@ module "log-export-dataset" {
|
|||
id = "${var.prefix}_audit_export"
|
||||
friendly_name = "Audit logs export."
|
||||
location = replace(var.log_locations.bq, "europe", "EU")
|
||||
encryption_key = module.log-kms[var.log_locations.bq].keys["log-bq"].id
|
||||
encryption_key = var.enable_features.kms ? module.log-kms[var.log_locations.bq].keys["bq"].id : false
|
||||
}
|
||||
|
||||
module "log-export-gcs" {
|
||||
|
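Review bot: The disabled branch of `encryption_key` in `log-export-dataset` is `false`, whereas the sibling hunks for `log-export-gcs` and `log-export-pubsub` use `null`. Terraform unifies the two branch types of a conditional, so `false` is presumably converted to the string `"false"` and handed to the dataset as a KMS key name rather than as "no key"; change the line to `encryption_key = var.enable_features.kms ? module.log-kms[var.log_locations.bq].keys["bq"].id : null`. The module block starts before the hunk.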
@ -72,7 +72,7 @@ module "log-export-gcs" {
|
|||
prefix = var.prefix
|
||||
location = replace(var.log_locations.gcs, "europe", "EU")
|
||||
storage_class = local.gcs_storage_class
|
||||
encryption_key = module.log-kms[var.log_locations.gcs].keys["log-gcs"].id
|
||||
encryption_key = var.enable_features.kms ? module.log-kms[var.log_locations.gcs].keys["storage"].id : null
|
||||
}
|
||||
|
||||
module "log-export-logbucket" {
|
||||
|
@ -91,5 +91,5 @@ module "log-export-pubsub" {
|
|||
project_id = module.log-export-project.project_id
|
||||
name = "audit-logs-${each.key}"
|
||||
regions = [var.log_locations.pubsub]
|
||||
kms_key = module.log-kms[var.log_locations.pubsub].keys["log-pubsub"].id
|
||||
kms_key = var.enable_features.kms ? module.log-kms[var.log_locations.pubsub].keys["pubsub"].id : null
|
||||
}
|
||||
|
|
|
@ -67,14 +67,14 @@ module "folder" {
|
|||
policy_name = "hierarchical-policy"
|
||||
rules_file = "${var.data_dir}/firewall-policies/hierarchical-policy-rules.yaml"
|
||||
}
|
||||
logging_sinks = {
|
||||
logging_sinks = var.enable_features.log_sink ? {
|
||||
for name, attrs in var.log_sinks : name => {
|
||||
bq_partitioned_table = attrs.type == "bigquery"
|
||||
destination = local.log_sink_destinations[name].id
|
||||
filter = attrs.filter
|
||||
type = attrs.type
|
||||
}
|
||||
}
|
||||
} : null
|
||||
}
|
||||
|
||||
#TODO VPCSC
|
||||
|
|
|
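Review bot: The `: null` branch of `logging_sinks` passes a null to the folder module where the enabled branch passes a map; unless the module's `logging_sinks` variable is declared `nullable = false` (not visible here), every `for_each` or `lookup` over it inside the module has to cope with null. An empty map, `} : {}`, keeps the value type identical in both branches and needs no handling on the module side. The module block starts before the hunk and continues past it.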
@ -41,8 +41,19 @@ variable "data_dir" {
|
|||
default = "data"
|
||||
}
|
||||
|
||||
variable "enable_features" {
|
||||
description = "Flag to enable features on the solution."
|
||||
type = object({
|
||||
kms = bool
|
||||
log_sink = bool
|
||||
})
|
||||
default = {
|
||||
kms = true
|
||||
log_sink = true
|
||||
}
|
||||
}
|
||||
variable "folder_create" {
|
||||
description = "Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format."
|
||||
description = "Provide values if folder creation is needed, uses existing folder if null. Parent is in 'folders/nnn' or 'organizations/nnn' format."
|
||||
type = object({
|
||||
display_name = string
|
||||
parent = string
|
||||
|
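Review bot: `enable_features` is declared without `nullable = false`, unlike `log_locations` further down in the same file, so a caller passing `enable_features = null` makes every `var.enable_features.kms` / `var.enable_features.log_sink` reference fail with an attribute-on-null error instead of falling back to the defaults; add `nullable = false` after the `default` block. The description `"Flag to enable features on the solution."` also says nothing about what each toggle switches off; something like `"Feature toggles: kms enables CMEK on the log export destinations and creation of the sec-core project, log_sink enables the audit log sinks on the folder."` (worded from what the other hunks in this commit do) would tell a reader that disabling `log_sink` removes audit log export. The `folder_create` description fix is fine.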
@ -83,13 +94,13 @@ variable "log_locations" {
|
|||
bq = optional(string, "europe")
|
||||
gcs = optional(string, "europe")
|
||||
logging = optional(string, "global")
|
||||
pubsub = optional(string, null)
|
||||
pubsub = optional(string, "global")
|
||||
})
|
||||
default = {
|
||||
bq = "europe"
|
||||
gcs = "europe"
|
||||
logging = "global"
|
||||
pubsub = null
|
||||
pubsub = "global"
|
||||
}
|
||||
nullable = false
|
||||
}
|
||||
|
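Review bot: The `default` map of `log_locations` restates the values already given by `optional(string, …)` in the type, so the Pub/Sub default had to be changed in two places in this hunk (`pubsub = optional(string, "global")` and `pubsub = "global"`) and the two can drift apart in future edits. With `nullable = false` already present, `default = {}` would let the `optional()` defaults apply on their own and remove the duplication; not a defect, a maintainability point. The variable block starts before the hunk.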
|