From 730d6d50b193ee8b0bb2bd75d5b3ba75822d235b Mon Sep 17 00:00:00 2001 From: Lorenzo Caggioni Date: Wed, 30 Mar 2022 17:53:48 +0200 Subject: [PATCH] Update README. --- .../data-platform-foundations/README.md | 13 +++++++++++++ .../data-platform-foundations/variables.tf | 6 +++--- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/examples/data-solutions/data-platform-foundations/README.md b/examples/data-solutions/data-platform-foundations/README.md index 8b243251..a776a405 100644 --- a/examples/data-solutions/data-platform-foundations/README.md +++ b/examples/data-solutions/data-platform-foundations/README.md 
@@ -154,6 +154,19 @@ Cloud Data Loss Prevention resources and templates should be stored in the secur You can find more details and best practices on using DLP to De-identification and re-identification of PII in large-scale datasets in the [GCP documentation](https://cloud.google.com/architecture/de-identification-re-identification-pii-using-cloud-dlp). +## Data Catalog + +[Data Catalog](https://cloud.google.com/data-catalog) helps you to document your data entry at scale. Data Catalog relies on [tags](https://cloud.google.com/data-catalog/docs/tags-and-tag-templates#tags) and [tag template](https://cloud.google.com/data-catalog/docs/tags-and-tag-templates#tag-templates) to manage metadata for all data entries in a unified and centralized service. To implement [column-level security](https://cloud.google.com/bigquery/docs/column-level-security-intro) on BigQuery, we suggest to use `Tags` and `Tag templates`. + +The default configuration will implement 3 tags: + - `3_Confidential`: policy tag for columns that include very sensitive information, such as credit card numbers. + - `2_Private`: policy tag for columns that include sensitive personal identifiable information (PII) information, such as a person's first name. + - `1_Sensitive`: policy tag for columns that include data that cannot be made public, such as the credit limit. + +Anything that is not tagged is available to all users who have access to the data warehouse. + +For the porpuse of the example no groups has access to tagged data. You can configure your tags and roles associated by configuring the `data_catalog_tags` variable. We suggest useing the "[Best practices for using policy tags in BigQuery](https://cloud.google.com/bigquery/docs/best-practices-policy-tags)" article as a guide to designing your tags structure and access pattern. + ## How to run this script To deploy this example on your GCP organization, you will need 
diff --git a/examples/data-solutions/data-platform-foundations/variables.tf b/examples/data-solutions/data-platform-foundations/variables.tf index 1fecd04d..79d1ae4b 100644 --- a/examples/data-solutions/data-platform-foundations/variables.tf +++ b/examples/data-solutions/data-platform-foundations/variables.tf @@ -38,9 +38,9 @@ variable "data_catalog_tags" { type = map(map(list(string))) nullable = false default = { - high = null - medium = null - low = null + "3_Confidential" = null + "2_Private" = null + "1_Sensitive" = null } }
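Review bot: in the README.md hunk, the sentence "To implement column-level security on BigQuery, we suggest to use `Tags` and `Tag templates`" conflates two different Data Catalog concepts: tags and tag templates carry descriptive metadata, while BigQuery column-level security is enforced through policy tags defined in a taxonomy, which is what the linked column-level-security page describes and what the bulleted list below already calls each entry ("policy tag"). Suggest rewording to "we suggest using policy tags" so the terminology is consistent. The two access statements are the security-relevant part of this section and deserve to be explicit: untagged columns remain readable by every user with access to the warehouse, and with the default no group can read tagged columns at all, so a reader must populate the `data_catalog_tags` variable before expecting anyone to query those columns; stating both consequences in one place would avoid surprise. Spelling and grammar in the added lines: "porpuse" should be "purpose", "useing" should be "using", "no groups has access" should be "no group has access", "document your data entry" should be "document your data entries", and "we suggest to use" should be "we suggest using".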
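Review bot: in the variables.tf hunk, renaming the default keys from high/medium/low to "3_Confidential", "2_Private" and "1_Sensitive" is a breaking change for anyone who already references the old keys or who overrides `data_catalog_tags` with the old names, and if the policy tag resources are created with for_each over these keys the rename will destroy and recreate the existing tags, dropping whatever column bindings were attached to them; this should be called out in the README or a changelog note, and the commit message "Update README." undersells a change that touches the variable default. The null values also merit a short comment next to the default (for example "null = no principal is granted access to columns carrying this tag"), since `nullable = false` applies only to the top-level map and a reader could otherwise assume null entries are invalid rather than intentionally restrictive.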