Add include_children option folder and organization sinks

This commit is contained in:
Julio Castillo 2020-12-06 17:55:01 +01:00
parent 8d65a97b11
commit c6691a6140
12 changed files with 115 additions and 89 deletions


@ -17,10 +17,11 @@
locals {
logging_sinks = {
audit-logs = {
type = "bigquery"
destination = module.audit-dataset.id
filter = var.audit_filter
iam = true
type = "bigquery"
destination = module.audit-dataset.id
filter = var.audit_filter
iam = true
include_children = true
}
}
root_node_type = split("/", var.root_node)[0]
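Review bot: Setting `include_children = true` on the existing audit-logs sink changes what an already-deployed root node exports, since the provider default for this argument is false: after apply, every resource beneath `var.root_node` that matches `var.audit_filter` is forwarded to `module.audit-dataset.id`, not only the root node's own logs, and the commit description does not mention this. Both the log volume and the sensitivity of the data concentrated in that dataset grow with the size of the hierarchy, so the default of `var.audit_filter` and the dataset's access settings are worth re-checking against the wider scope, and the example's README should state the change. The same edit is made in the second section (`@ -38,10 +38,11 @@`). The `locals` block continues outside the hunk.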


@ -38,10 +38,11 @@ locals {
)
logging_sinks = {
audit-logs = {
type = "bigquery"
destination = module.audit-dataset.id
filter = var.audit_filter
iam = true
type = "bigquery"
destination = module.audit-dataset.id
filter = var.audit_filter
iam = true
include_children = true
}
}
root_node_type = split("/", var.root_node)[0]


@ -69,22 +69,25 @@ module "folder-sink" {
name = "my-folder"
logging_sinks = {
warnings = {
type = "gcs"
destination = module.gcs.name
filter = "severity=WARNING"
iam = false
type = "gcs"
destination = module.gcs.name
filter = "severity=WARNING"
iam = false
include_children = true
}
info = {
type = "bigquery"
destination = module.dataset.id
filter = "severity=INFO"
iam = false
type = "bigquery"
destination = module.dataset.id
filter = "severity=INFO"
iam = false
include_children = true
}
notice = {
type = "pubsub"
destination = module.pubsub.id
filter = "severity=NOTICE"
iam = true
type = "pubsub"
destination = module.pubsub.id
filter = "severity=NOTICE"
iam = true
include_children = true
}
}
logging_exclusions = {
@ -147,7 +150,7 @@ module "folder2" {
| *iam* | IAM bindings in {ROLE => [MEMBERS]} format. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> | | <code title="">{}</code> |
| *id* | Folder ID in case you use folder_create=false | <code title="">string</code> | | <code title="">null</code> |
| *logging_exclusions* | Logging exclusions for this folder in the form {NAME -> FILTER}. | <code title="map&#40;string&#41;">map(string)</code> | | <code title="">{}</code> |
| *logging_sinks* | Logging sinks to create for this folder. | <code title="map&#40;object&#40;&#123;&#10;destination &#61; string&#10;type &#61; string&#10;filter &#61; string&#10;iam &#61; bool&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">{}</code> |
| *logging_sinks* | Logging sinks to create for this folder. | <code title="map&#40;object&#40;&#123;&#10;destination &#61; string&#10;type &#61; string&#10;filter &#61; string&#10;iam &#61; bool&#10;include_children &#61; bool&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">{}</code> |
| *name* | Folder name. | <code title="">string</code> | | <code title="">null</code> |
| *parent* | Parent in folders/folder_id or organizations/org_id format. | <code title="">string</code> | | <code title="null&#10;validation &#123;&#10;condition &#61; var.parent &#61;&#61; null &#124;&#124; can&#40;regex&#40;&#34;&#40;organizations&#124;folders&#41;&#47;&#91;0-9&#93;&#43;&#34;, var.parent&#41;&#41;&#10;error_message &#61; &#34;Parent must be of the form folders&#47;folder_id or organizations&#47;organization_id.&#34;&#10;&#125;">...</code> |
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map&#40;bool&#41;">map(bool)</code> | | <code title="">{}</code> |


@ -188,9 +188,10 @@ resource "google_logging_folder_sink" "sink" {
for_each = local.logging_sinks
name = each.key
#description = "${each.key} (Terraform-managed)"
folder = local.folder.name
destination = "${local.sink_type_destination[each.value.type]}/${each.value.destination}"
filter = each.value.filter
folder = local.folder.name
destination = "${local.sink_type_destination[each.value.type]}/${each.value.destination}"
filter = each.value.filter
include_children = each.value.include_children
}
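Review bot: `include_children = each.value.include_children` is passed straight through, and because the variable type now declares `include_children = bool` with no default, every existing caller that omits the attribute fails type validation instead of keeping its current behaviour; the organization sink hunk (`@ -221,9 +221,10 @@`) has the same issue. Either record this as a breaking change in the module README or, if the module's Terraform version supports optional object attributes, make the attribute optional so omitted entries keep the previous (provider default false) behaviour. When the flag is true the sink routes logs from every descendant project and folder into the destination that `gcs-sinks-binding` below grants the writer identity access to, which deserves a one-line comment on this attribute: `# when true, matching logs from all descendant folders/projects are also exported to this destination`. The `sink_type_destination` local and the binding resource's body are outside the hunk.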
resource "google_storage_bucket_iam_binding" "gcs-sinks-binding" {


@ -78,10 +78,11 @@ variable "firewall_policy_attachments" {
variable "logging_sinks" {
description = "Logging sinks to create for this folder."
type = map(object({
destination = string
type = string
filter = string
iam = bool
destination = string
type = string
filter = string
iam = bool
include_children = bool
}))
default = {}
}
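Review bot: The new `include_children = bool` attribute is undocumented: the `description` still reads `"Logging sinks to create for this folder."` and says nothing about what the flag does or that it is now required for every sink entry. Suggest `description = "Logging sinks to create for this folder. Set include_children to true to also export matching logs from descendant folders and projects."`; the organization variable hunk (`@ -102,10 +102,11 @@`) needs the same wording with "organization". The two `logging_sinks` variables that carry no description at all (`@ -56,10 +56,11 @@` and `@ -76,10 +76,11 @@`) presumably belong to test fixtures; if they are module inputs they should get the same description.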


@ -86,22 +86,25 @@ module "org" {
logging_sinks = {
warnings = {
type = "gcs"
destination = module.gcs.name
filter = "severity=WARNING"
iam = false
type = "gcs"
destination = module.gcs.name
filter = "severity=WARNING"
iam = false
include_children = true
}
info = {
type = "bigquery"
destination = module.dataset.id
filter = "severity=INFO"
iam = false
type = "bigquery"
destination = module.dataset.id
filter = "severity=INFO"
iam = false
include_children = true
}
notice = {
type = "pubsub"
destination = module.pubsub.id
filter = "severity=NOTICE"
iam = true
type = "pubsub"
destination = module.pubsub.id
filter = "severity=NOTICE"
iam = true
include_children = true
}
}
logging_exclusions = {
@ -126,7 +129,7 @@ module "org" {
| *iam_additive_members* | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> | | <code title="">{}</code> |
| *iam_audit_config* | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> | | <code title="">{}</code> |
| *logging_exclusions* | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code title="map&#40;string&#41;">map(string)</code> | | <code title="">{}</code> |
| *logging_sinks* | Logging sinks to create for this organization. | <code title="map&#40;object&#40;&#123;&#10;destination &#61; string&#10;type &#61; string&#10;filter &#61; string&#10;iam &#61; bool&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">{}</code> |
| *logging_sinks* | Logging sinks to create for this organization. | <code title="map&#40;object&#40;&#123;&#10;destination &#61; string&#10;type &#61; string&#10;filter &#61; string&#10;iam &#61; bool&#10;include_children &#61; bool&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">{}</code> |
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map&#40;bool&#41;">map(bool)</code> | | <code title="">{}</code> |
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map&#40;object&#40;&#123;&#10;inherit_from_parent &#61; bool&#10;suggested_value &#61; string&#10;status &#61; bool&#10;values &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">{}</code> |


@ -221,9 +221,10 @@ resource "google_logging_organization_sink" "sink" {
for_each = local.logging_sinks
name = each.key
#description = "${each.key} (Terraform-managed)"
org_id = local.organization_id_numeric
destination = "${local.sink_type_destination[each.value.type]}/${each.value.destination}"
filter = each.value.filter
org_id = local.organization_id_numeric
destination = "${local.sink_type_destination[each.value.type]}/${each.value.destination}"
filter = each.value.filter
include_children = each.value.include_children
}
resource "google_storage_bucket_iam_binding" "gcs-sinks-binding" {


@ -102,10 +102,11 @@ variable "firewall_policy_attachments" {
variable "logging_sinks" {
description = "Logging sinks to create for this organization."
type = map(object({
destination = string
type = string
filter = string
iam = bool
destination = string
type = string
filter = string
iam = bool
include_children = bool
}))
default = {}
}


@ -56,10 +56,11 @@ variable "firewall_policy_attachments" {
variable "logging_sinks" {
type = map(object({
destination = string
type = string
filter = string
iam = bool
destination = string
type = string
filter = string
iam = bool
include_children = bool
}))
default = {}
}


@ -25,22 +25,25 @@ def test_sinks(plan_runner):
"Test folder-level sinks."
logging_sinks = """ {
warning = {
type = "gcs"
destination = "mybucket"
filter = "severity=WARNING"
iam = true
type = "gcs"
destination = "mybucket"
filter = "severity=WARNING"
iam = true
include_children = true
}
info = {
type = "bigquery"
destination = "projects/myproject/datasets/mydataset"
filter = "severity=INFO"
iam = true
type = "bigquery"
destination = "projects/myproject/datasets/mydataset"
filter = "severity=INFO"
iam = true
include_children = true
}
notice = {
type = "pubsub"
destination = "projects/myproject/topics/mytopic"
filter = "severity=NOTICE"
iam = true
type = "pubsub"
destination = "projects/myproject/topics/mytopic"
filter = "severity=NOTICE"
iam = true
include_children = false
}
}
"""
@ -63,16 +66,19 @@ def test_sinks(plan_runner):
'notice',
'warning',
]
values = [(r['index'], r['values']['filter'], r['values']['destination'])
values = [(r['index'], r['values']['filter'], r['values']['destination'],
r['values']['include_children'])
for r in sinks]
assert sorted(values) == [
('info',
'severity=INFO',
'bigquery.googleapis.com/projects/myproject/datasets/mydataset'),
'bigquery.googleapis.com/projects/myproject/datasets/mydataset',
True),
('notice',
'severity=NOTICE',
'pubsub.googleapis.com/projects/myproject/topics/mytopic'),
('warning', 'severity=WARNING', 'storage.googleapis.com/mybucket')]
'pubsub.googleapis.com/projects/myproject/topics/mytopic',
False),
('warning', 'severity=WARNING', 'storage.googleapis.com/mybucket', True)]
bindings = [r for r in resources
if 'binding' in r['type']]


@ -76,10 +76,11 @@ variable "firewall_policy_attachments" {
variable "logging_sinks" {
type = map(object({
destination = string
type = string
filter = string
iam = bool
destination = string
type = string
filter = string
iam = bool
include_children = bool
}))
default = {}
}


@ -25,22 +25,25 @@ def test_sinks(plan_runner):
"Test folder-level sinks."
logging_sinks = """ {
warning = {
type = "gcs"
destination = "mybucket"
filter = "severity=WARNING"
iam = true
type = "gcs"
destination = "mybucket"
filter = "severity=WARNING"
iam = true
include_children = true
}
info = {
type = "bigquery"
destination = "projects/myproject/datasets/mydataset"
filter = "severity=INFO"
iam = true
}
type = "bigquery"
destination = "projects/myproject/datasets/mydataset"
filter = "severity=INFO"
iam = true
include_children = true
}
notice = {
type = "pubsub"
destination = "projects/myproject/topics/mytopic"
filter = "severity=NOTICE"
iam = true
type = "pubsub"
destination = "projects/myproject/topics/mytopic"
filter = "severity=NOTICE"
iam = true
include_children = false
}
}
"""
@ -62,16 +65,19 @@ def test_sinks(plan_runner):
'notice',
'warning',
]
values = [(r['index'], r['values']['filter'], r['values']['destination'])
values = [(r['index'], r['values']['filter'], r['values']['destination'],
r['values']['include_children'])
for r in sinks]
assert sorted(values) == [
('info',
'severity=INFO',
'bigquery.googleapis.com/projects/myproject/datasets/mydataset'),
'bigquery.googleapis.com/projects/myproject/datasets/mydataset',
True),
('notice',
'severity=NOTICE',
'pubsub.googleapis.com/projects/myproject/topics/mytopic'),
('warning', 'severity=WARNING', 'storage.googleapis.com/mybucket')]
'pubsub.googleapis.com/projects/myproject/topics/mytopic',
False),
('warning', 'severity=WARNING', 'storage.googleapis.com/mybucket', True)]
bindings = [r for r in resources
if 'binding' in r['type']]