From 551dc581e8fffe945d970409661b2e3ee761e670 Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Mon, 10 Jul 2023 10:08:02 +0200 Subject: [PATCH] Implement proper support for data access logs in resource manager modules (#1497) * organization module * rename iam_bindings_authoritative to iam_policy, fix tests * add support for data access logs and iam policy to folder module * test inventories * add support for data access logs and iam policy to project module --- modules/folder/README.md | 83 ++++++++++--- modules/folder/iam.tf | 31 +++++ modules/folder/logging.tf | 16 +++ modules/folder/outputs.tf | 1 + modules/folder/variables.tf | 21 ++++ modules/organization/README.md | 103 +++++++++++++---- modules/organization/firewall-policies.tf | 1 - modules/organization/iam.tf | 24 +--- modules/organization/logging.tf | 18 ++- modules/organization/organization-policies.tf | 1 - modules/organization/outputs.tf | 2 - modules/organization/variables.tf | 42 +++---- modules/project/README.md | 109 ++++++++++++++---- modules/project/iam.tf | 31 +++++ modules/project/logging.tf | 16 +++ modules/project/variables.tf | 21 ++++ tests/modules/folder/examples/iam-policy.yaml | 27 +++++ .../folder/examples/logging-data-access.yaml | 38 ++++++ .../modules/organization/audit_config.tfvars | 6 - tests/modules/organization/audit_config.yaml | 16 --- .../organization/examples/iam-policy.yaml | 23 ++++ .../examples/logging-data-access.yaml | 34 ++++++ .../test_plan_org_policies_modules.py | 3 +- tests/modules/organization/tftest.yaml | 1 - .../modules/project/examples/iam-policy.yaml | 34 ++++++ .../project/examples/logging-data-access.yaml | 46 ++++++++ 26 files changed, 611 insertions(+), 137 deletions(-) create mode 100644 tests/modules/folder/examples/iam-policy.yaml create mode 100644 tests/modules/folder/examples/logging-data-access.yaml delete mode 100644 tests/modules/organization/audit_config.tfvars delete mode 100644 tests/modules/organization/audit_config.yaml create mode 100644 tests/modules/organization/examples/iam-policy.yaml create mode 100644 tests/modules/organization/examples/logging-data-access.yaml create mode 100644 tests/modules/project/examples/iam-policy.yaml create mode 100644 tests/modules/project/examples/logging-data-access.yaml diff --git a/modules/folder/README.md b/modules/folder/README.md index a4b8d804..d1fbc84c 100644 --- a/modules/folder/README.md +++ b/modules/folder/README.md @@ -11,6 +11,7 @@ This module allows the creation and management of folders, including support for - [Directly Defined](#directly-defined-firewall-policies) - [Factory](#firewall-policy-factory) - [Log Sinks](#log-sinks) +- [Data Access Logs](#data-access-logs) - [Tags](#tags) ## Basic example with IAM bindings @@ -44,10 +45,13 @@ module "folder" { ## IAM -There are two mutually exclusive ways at the role level of managing IAM in this module +There are three mutually exclusive ways at the role level of managing IAM in this module - non-authoritative via the `iam_additive` and `iam_additive_members` variables, where bindings created outside this module will coexist with those managed here - authoritative via the `group_iam` and `iam` variables, where bindings created outside this module (eg in the console) will be removed at each `terraform apply` cycle if the same role is also managed here +- authoritative policy via the `iam_policy` variable, where any binding created outside this module (eg in the console) will be removed at each `terraform apply` cycle regardless of the role + +The authoritative and additive approaches can be used together, provided different roles are managed by each. The IAM policy is incompatible with the other approaches, and must be used with extreme care. Some care must be taken with the `groups_iam` variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph. @@ -301,6 +305,57 @@ module "folder-sink" { # tftest modules=5 resources=14 inventory=logging.yaml ``` +## Data Access Logs + +Activation of data access logs can be controlled via the `logging_data_access` variable. If the `iam_bindings_authoritative` variable is used to set a resource-level IAM policy, the data access log configuration will also be authoritative as part of the policy. + +This example shows how to set a non-authoritative access log configuration: + +```hcl +module "folder" { + source = "./fabric/modules/folder" + parent = "folders/657104291943" + name = "my-folder" + logging_data_access = { + allServices = { + # logs for principals listed here will be excluded + ADMIN_READ = ["group:organization-admins@example.org"] + } + "storage.googleapis.com" = { + DATA_READ = [] + DATA_WRITE = [] + } + } +} +# tftest modules=1 resources=3 inventory=logging-data-access.yaml +``` + +While this sets an authoritative policies that has exclusive control of both IAM bindings for all roles and data access log configuration, and should be used with extreme care: + +```hcl +module "folder" { + source = "./fabric/modules/folder" + parent = "folders/657104291943" + name = "my-folder" + iam_policy = { + "roles/owner" = ["group:org-admins@example.com"] + "roles/resourcemanager.folderAdmin" = ["group:org-admins@example.com"] + "roles/resourcemanager.organizationAdmin" = ["group:org-admins@example.com"] + "roles/resourcemanager.projectCreator" = ["group:org-admins@example.com"] + } + logging_data_access = { + allServices = { + ADMIN_READ = ["group:organization-admins@example.org"] + } + "storage.googleapis.com" = { + DATA_READ = [] + DATA_WRITE = [] + } + } +} +# tftest modules=1 resources=2 inventory=iam-policy.yaml +``` + ## Tags Refer to the [Creating and managing tags](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing) documentation for details on usage. @@ -341,8 +396,8 @@ module "folder" { | name | description | resources | |---|---|---| | [firewall-policies.tf](./firewall-policies.tf) | None | google_compute_firewall_policy · google_compute_firewall_policy_association · google_compute_firewall_policy_rule | -| [iam.tf](./iam.tf) | IAM bindings, roles and audit logging resources. | google_folder_iam_binding · google_folder_iam_member | -| [logging.tf](./logging.tf) | Log sinks and supporting resources. | google_bigquery_dataset_iam_member · google_logging_folder_exclusion · google_logging_folder_sink · google_project_iam_member · google_pubsub_topic_iam_member · google_storage_bucket_iam_member | +| [iam.tf](./iam.tf) | IAM bindings, roles and audit logging resources. | google_folder_iam_binding · google_folder_iam_member · google_folder_iam_policy | +| [logging.tf](./logging.tf) | Log sinks and supporting resources. | google_bigquery_dataset_iam_member · google_folder_iam_audit_config · google_logging_folder_exclusion · google_logging_folder_sink · google_project_iam_member · google_pubsub_topic_iam_member · google_storage_bucket_iam_member | | [main.tf](./main.tf) | Module-level locals and resources. | google_essential_contacts_contact · google_folder | | [organization-policies.tf](./organization-policies.tf) | Folder-level organization policies. | google_org_policy_policy | | [outputs.tf](./outputs.tf) | Module outputs. | | @@ -363,14 +418,16 @@ module "folder" { | [iam](variables.tf#L71) | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | | [iam_additive](variables.tf#L78) | Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | | [iam_additive_members](variables.tf#L85) | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | map(list(string)) | | {} | -| [id](variables.tf#L92) | Folder ID in case you use folder_create=false. | string | | null | -| [logging_exclusions](variables.tf#L98) | Logging exclusions for this folder in the form {NAME -> FILTER}. | map(string) | | {} | -| [logging_sinks](variables.tf#L105) | Logging sinks to create for the organization. | map(object({…})) | | {} | -| [name](variables.tf#L135) | Folder name. | string | | null | -| [org_policies](variables.tf#L141) | Organization policies applied to this folder keyed by policy name. | map(object({…})) | | {} | -| [org_policies_data_path](variables.tf#L168) | Path containing org policies in YAML format. | string | | null | -| [parent](variables.tf#L174) | Parent in folders/folder_id or organizations/org_id format. | string | | null | -| [tag_bindings](variables.tf#L184) | Tag bindings for this folder, in key => tag value id format. | map(string) | | null | +| [iam_policy](variables.tf#L92) | IAM authoritative policy in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared, use with extreme caution. | map(list(string)) | | null | +| [id](variables.tf#L98) | Folder ID in case you use folder_create=false. | string | | null | +| [logging_data_access](variables.tf#L104) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | map(map(list(string))) | | {} | +| [logging_exclusions](variables.tf#L119) | Logging exclusions for this folder in the form {NAME -> FILTER}. | map(string) | | {} | +| [logging_sinks](variables.tf#L126) | Logging sinks to create for the organization. | map(object({…})) | | {} | +| [name](variables.tf#L156) | Folder name. | string | | null | +| [org_policies](variables.tf#L162) | Organization policies applied to this folder keyed by policy name. | map(object({…})) | | {} | +| [org_policies_data_path](variables.tf#L189) | Path containing org policies in YAML format. | string | | null | +| [parent](variables.tf#L195) | Parent in folders/folder_id or organizations/org_id format. | string | | null | +| [tag_bindings](variables.tf#L205) | Tag bindings for this folder, in key => tag value id format. | map(string) | | null | ## Outputs @@ -380,7 +437,7 @@ module "folder" { | [firewall_policy_id](outputs.tf#L21) | Map of firewall policy ids created in this folder. | | | [folder](outputs.tf#L26) | Folder resource. | | | [id](outputs.tf#L31) | Fully qualified folder id. | | -| [name](outputs.tf#L40) | Folder name. | | -| [sink_writer_identities](outputs.tf#L45) | Writer identities created for each sink. | | +| [name](outputs.tf#L41) | Folder name. | | +| [sink_writer_identities](outputs.tf#L46) | Writer identities created for each sink. | | diff --git a/modules/folder/iam.tf b/modules/folder/iam.tf index 995dbdab..5afae6f4 100644 --- a/modules/folder/iam.tf +++ b/modules/folder/iam.tf @@ -63,3 +63,34 @@ resource "google_folder_iam_member" "additive" { role = each.value.role member = each.value.member } + +resource "google_folder_iam_policy" "authoritative" { + count = var.iam_policy != null ? 1 : 0 + folder = local.folder.name + policy_data = data.google_iam_policy.authoritative.0.policy_data +} + +data "google_iam_policy" "authoritative" { + count = var.iam_policy != null ? 1 : 0 + dynamic "binding" { + for_each = try(var.iam_policy, {}) + content { + role = binding.key + members = binding.value + } + } + dynamic "audit_config" { + for_each = var.logging_data_access + content { + service = audit_config.key + dynamic "audit_log_configs" { + for_each = audit_config.value + iterator = config + content { + log_type = config.key + exempted_members = config.value + } + } + } + } +} diff --git a/modules/folder/logging.tf b/modules/folder/logging.tf index 2b5a73ff..f7947f7a 100644 --- a/modules/folder/logging.tf +++ b/modules/folder/logging.tf @@ -27,6 +27,22 @@ locals { } } +resource "google_folder_iam_audit_config" "default" { + for_each = ( + var.iam_policy == null ? var.logging_data_access : {} + ) + folder = local.folder.name + service = each.key + dynamic "audit_log_config" { + for_each = each.value + iterator = config + content { + log_type = config.key + exempted_members = config.value + } + } +} + resource "google_logging_folder_sink" "sink" { for_each = var.logging_sinks name = each.key diff --git a/modules/folder/outputs.tf b/modules/folder/outputs.tf index 8b8ffc1c..bf96c4c8 100644 --- a/modules/folder/outputs.tf +++ b/modules/folder/outputs.tf @@ -33,6 +33,7 @@ output "id" { value = local.folder.name depends_on = [ google_folder_iam_binding.authoritative, + google_folder_iam_policy.authoritative, google_org_policy_policy.default, ] } diff --git a/modules/folder/variables.tf b/modules/folder/variables.tf index e0abc612..284f0fd7 100644 --- a/modules/folder/variables.tf +++ b/modules/folder/variables.tf @@ -89,12 +89,33 @@ variable "iam_additive_members" { nullable = false } +variable "iam_policy" { + description = "IAM authoritative policy in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared, use with extreme caution." + type = map(list(string)) + default = null +} + variable "id" { description = "Folder ID in case you use folder_create=false." type = string default = null } +variable "logging_data_access" { + description = "Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services." + type = map(map(list(string))) + nullable = false + default = {} + validation { + condition = alltrue(flatten([ + for k, v in var.logging_data_access : [ + for kk, vv in v : contains(["DATA_READ", "DATA_WRITE", "ADMIN_READ"], kk) + ] + ])) + error_message = "Log type keys for each service can only be one of 'DATA_READ', 'DATA_WRITE', 'ADMIN_READ'." + } +} + variable "logging_exclusions" { description = "Logging exclusions for this folder in the form {NAME -> FILTER}." type = map(string) diff --git a/modules/organization/README.md b/modules/organization/README.md index 9ae8b299..1293b3a7 100644 --- a/modules/organization/README.md +++ b/modules/organization/README.md @@ -21,6 +21,7 @@ To manage organization policies, the `orgpolicy.googleapis.com` service should b - [Directly Defined](#directly-defined-firewall-policies) - [Factory](#firewall-policy-factory) - [Log Sinks](#log-sinks) +- [Data Access Logs](#data-access-logs) - [Custom Roles](#custom-roles) - [Tags](#tags) @@ -114,15 +115,15 @@ module "org" { ## IAM -There are several mutually exclusive ways of managing IAM in this module +There are three mutually exclusive ways of managing IAM in this module - non-authoritative via the `iam_additive` and `iam_additive_members` variables, where bindings created outside this module will coexist with those managed here - authoritative via the `group_iam` and `iam` variables, where bindings created outside this module (eg in the console) will be removed at each `terraform apply` cycle if the same role is also managed here -- authoritative policy via the `iam_bindings_authoritative` variable, where any binding created outside this module (eg in the console) will be removed at each `terraform apply` cycle regardless of the role +- authoritative policy via the `iam_policy` variable, where any binding created outside this module (eg in the console) will be removed at each `terraform apply` cycle regardless of the role -If you set audit policies via the `iam_audit_config_authoritative` variable, be sure to also configure IAM bindings via `iam_bindings_authoritative`, as audit policies use the underlying `google_organization_iam_policy` resource, which is also authoritative for any role. +The authoritative and additive approaches can be used together, provided different roles are managed by each. The IAM policy is incompatible with the other approaches, and must be used with extreme care. -Some care must also be taken with the `groups_iam` variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph. +Some care must also be taken with the `group_iam` variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph. ## Organization Policies @@ -324,6 +325,8 @@ allow-iap-ssh: ## Log Sinks +The following example shows how to define organization-level log sinks: + ```hcl module "gcs" { source = "./fabric/modules/gcs" @@ -388,8 +391,59 @@ module "org" { # tftest modules=5 resources=13 inventory=logging.yaml ``` +## Data Access Logs + +Activation of data access logs can be controlled via the `logging_data_access` variable. If the `iam_bindings_authoritative` variable is used to set a resource-level IAM policy, the data access log configuration will also be authoritative as part of the policy. + +This example shows how to set a non-authoritative access log configuration: + +```hcl +module "org" { + source = "./fabric/modules/organization" + organization_id = var.organization_id + logging_data_access = { + allServices = { + # logs for principals listed here will be excluded + ADMIN_READ = ["group:organization-admins@example.org"] + } + "storage.googleapis.com" = { + DATA_READ = [] + DATA_WRITE = [] + } + } +} +# tftest modules=1 resources=2 inventory=logging-data-access.yaml +``` + +While this sets an authoritative policies that has exclusive control of both IAM bindings for all roles and data access log configuration, and should be used with extreme care: + +```hcl +module "org" { + source = "./fabric/modules/organization" + organization_id = var.organization_id + iam_policy = { + "roles/owner" = ["group:org-admins@example.com"] + "roles/resourcemanager.folderAdmin" = ["group:org-admins@example.com"] + "roles/resourcemanager.organizationAdmin" = ["group:org-admins@example.com"] + "roles/resourcemanager.projectCreator" = ["group:org-admins@example.com"] + } + logging_data_access = { + allServices = { + ADMIN_READ = ["group:organization-admins@example.org"] + } + "storage.googleapis.com" = { + DATA_READ = [] + DATA_WRITE = [] + } + } +} +# tftest modules=1 resources=1 inventory=iam-policy.yaml +``` + ## Custom Roles +Custom roles can be defined via the `custom_roles` variable, and referenced via the `custom_role_id` output: + ```hcl module "org" { source = "./fabric/modules/organization" @@ -475,8 +529,8 @@ module "org" { | name | description | resources | |---|---|---| | [firewall-policies.tf](./firewall-policies.tf) | Hierarchical firewall policies. | google_compute_firewall_policy · google_compute_firewall_policy_association · google_compute_firewall_policy_rule | -| [iam.tf](./iam.tf) | IAM bindings, roles and audit logging resources. | google_organization_iam_audit_config · google_organization_iam_binding · google_organization_iam_custom_role · google_organization_iam_member · google_organization_iam_policy | -| [logging.tf](./logging.tf) | Log sinks and supporting resources. | google_bigquery_dataset_iam_member · google_logging_organization_exclusion · google_logging_organization_sink · google_project_iam_member · google_pubsub_topic_iam_member · google_storage_bucket_iam_member | +| [iam.tf](./iam.tf) | IAM bindings, roles and audit logging resources. | google_organization_iam_binding · google_organization_iam_custom_role · google_organization_iam_member · google_organization_iam_policy | +| [logging.tf](./logging.tf) | Log sinks and data access logs. | google_bigquery_dataset_iam_member · google_logging_organization_exclusion · google_logging_organization_sink · google_organization_iam_audit_config · google_project_iam_member · google_pubsub_topic_iam_member · google_storage_bucket_iam_member | | [main.tf](./main.tf) | Module-level locals and resources. | google_essential_contacts_contact | | [org-policy-custom-constraints.tf](./org-policy-custom-constraints.tf) | None | google_org_policy_custom_constraint | | [organization-policies.tf](./organization-policies.tf) | Organization-level organization policies. | google_org_policy_policy | @@ -489,7 +543,7 @@ module "org" { | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [organization_id](variables.tf#L234) | Organization id in organizations/nnnnnn format. | string | ✓ | | +| [organization_id](variables.tf#L226) | Organization id in organizations/nnnnnn format. | string | ✓ | | | [contacts](variables.tf#L17) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | map(list(string)) | | {} | | [custom_roles](variables.tf#L24) | Map of role name => list of permissions to create in this project. | map(list(string)) | | {} | | [firewall_policies](variables.tf#L31) | Hierarchical firewall policy rules created in the organization. | map(map(object({…}))) | | {} | @@ -499,18 +553,17 @@ module "org" { | [iam](variables.tf#L72) | IAM bindings, in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | | [iam_additive](variables.tf#L79) | Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | | [iam_additive_members](variables.tf#L86) | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | map(list(string)) | | {} | -| [iam_audit_config](variables.tf#L93) | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | map(map(list(string))) | | {} | -| [iam_audit_config_authoritative](variables.tf#L105) | IAM Authoritative service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution. | map(map(list(string))) | | null | -| [iam_bindings_authoritative](variables.tf#L116) | IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution. | map(list(string)) | | null | -| [logging_exclusions](variables.tf#L122) | Logging exclusions for this organization in the form {NAME -> FILTER}. | map(string) | | {} | -| [logging_sinks](variables.tf#L129) | Logging sinks to create for the organization. | map(object({…})) | | {} | -| [network_tags](variables.tf#L159) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | -| [org_policies](variables.tf#L181) | Organization policies applied to this organization keyed by policy name. | map(object({…})) | | {} | -| [org_policies_data_path](variables.tf#L208) | Path containing org policies in YAML format. | string | | null | -| [org_policy_custom_constraints](variables.tf#L214) | Organization policy custom constraints keyed by constraint name. | map(object({…})) | | {} | -| [org_policy_custom_constraints_data_path](variables.tf#L228) | Path containing org policy custom constraints in YAML format. | string | | null | -| [tag_bindings](variables.tf#L243) | Tag bindings for this organization, in key => tag value id format. | map(string) | | null | -| [tags](variables.tf#L249) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | +| [iam_policy](variables.tf#L93) | IAM authoritative policy in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared, use with extreme caution. | map(list(string)) | | null | +| [logging_data_access](variables.tf#L99) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | map(map(list(string))) | | {} | +| [logging_exclusions](variables.tf#L114) | Logging exclusions for this organization in the form {NAME -> FILTER}. | map(string) | | {} | +| [logging_sinks](variables.tf#L121) | Logging sinks to create for the organization. | map(object({…})) | | {} | +| [network_tags](variables.tf#L151) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | +| [org_policies](variables.tf#L173) | Organization policies applied to this organization keyed by policy name. | map(object({…})) | | {} | +| [org_policies_data_path](variables.tf#L200) | Path containing org policies in YAML format. | string | | null | +| [org_policy_custom_constraints](variables.tf#L206) | Organization policy custom constraints keyed by constraint name. | map(object({…})) | | {} | +| [org_policy_custom_constraints_data_path](variables.tf#L220) | Path containing org policy custom constraints in YAML format. | string | | null | +| [tag_bindings](variables.tf#L235) | Tag bindings for this organization, in key => tag value id format. | map(string) | | null | +| [tags](variables.tf#L241) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | ## Outputs @@ -521,11 +574,11 @@ module "org" { | [firewall_policies](outputs.tf#L35) | Map of firewall policy resources created in the organization. | | | [firewall_policy_id](outputs.tf#L40) | Map of firewall policy ids created in the organization. | | | [id](outputs.tf#L45) | Fully qualified organization id. | | -| [network_tag_keys](outputs.tf#L62) | Tag key resources. | | -| [network_tag_values](outputs.tf#L71) | Tag value resources. | | -| [organization_id](outputs.tf#L81) | Organization id dependent on module resources. | | -| [sink_writer_identities](outputs.tf#L98) | Writer identities created for each sink. | | -| [tag_keys](outputs.tf#L106) | Tag key resources. | | -| [tag_values](outputs.tf#L115) | Tag value resources. | | +| [network_tag_keys](outputs.tf#L61) | Tag key resources. | | +| [network_tag_values](outputs.tf#L70) | Tag value resources. | | +| [organization_id](outputs.tf#L80) | Organization id dependent on module resources. | | +| [sink_writer_identities](outputs.tf#L96) | Writer identities created for each sink. | | +| [tag_keys](outputs.tf#L104) | Tag key resources. | | +| [tag_values](outputs.tf#L113) | Tag value resources. | | diff --git a/modules/organization/firewall-policies.tf b/modules/organization/firewall-policies.tf index 864a4477..b5c635af 100644 --- a/modules/organization/firewall-policies.tf +++ b/modules/organization/firewall-policies.tf @@ -59,7 +59,6 @@ resource "google_compute_firewall_policy" "policy" { short_name = each.key parent = var.organization_id depends_on = [ - google_organization_iam_audit_config.config, google_organization_iam_binding.authoritative, google_organization_iam_custom_role.roles, google_organization_iam_member.additive, diff --git a/modules/organization/iam.tf b/modules/organization/iam.tf index 48cb452f..410c9ece 100644 --- a/modules/organization/iam.tf +++ b/modules/organization/iam.tf @@ -74,22 +74,22 @@ resource "google_organization_iam_member" "additive" { } resource "google_organization_iam_policy" "authoritative" { - count = var.iam_bindings_authoritative != null || var.iam_audit_config_authoritative != null ? 1 : 0 + count = var.iam_policy != null ? 1 : 0 org_id = local.organization_id_numeric - policy_data = data.google_iam_policy.authoritative.policy_data + policy_data = data.google_iam_policy.authoritative.0.policy_data } data "google_iam_policy" "authoritative" { + count = var.iam_policy != null ? 1 : 0 dynamic "binding" { - for_each = var.iam_bindings_authoritative != null ? var.iam_bindings_authoritative : {} + for_each = try(var.iam_policy, {}) content { role = binding.key members = binding.value } } - dynamic "audit_config" { - for_each = var.iam_audit_config_authoritative != null ? var.iam_audit_config_authoritative : {} + for_each = var.logging_data_access content { service = audit_config.key dynamic "audit_log_configs" { @@ -103,17 +103,3 @@ data "google_iam_policy" "authoritative" { } } } - -resource "google_organization_iam_audit_config" "config" { - for_each = var.iam_audit_config - org_id = local.organization_id_numeric - service = each.key - dynamic "audit_log_config" { - for_each = each.value - iterator = config - content { - log_type = config.key - exempted_members = config.value - } - } -} diff --git a/modules/organization/logging.tf b/modules/organization/logging.tf index e78a2c4d..65e773a8 100644 --- a/modules/organization/logging.tf +++ b/modules/organization/logging.tf @@ -14,7 +14,7 @@ * limitations under the License. */ -# tfdoc:file:description Log sinks and supporting resources. +# tfdoc:file:description Log sinks and data access logs. locals { sink_bindings = { @@ -26,6 +26,22 @@ locals { } } +resource "google_organization_iam_audit_config" "default" { + for_each = ( + var.iam_policy == null ? var.logging_data_access : {} + ) + org_id = local.organization_id_numeric + service = each.key + dynamic "audit_log_config" { + for_each = each.value + iterator = config + content { + log_type = config.key + exempted_members = config.value + } + } +} + resource "google_logging_organization_sink" "sink" { for_each = var.logging_sinks name = each.key diff --git a/modules/organization/organization-policies.tf b/modules/organization/organization-policies.tf index d5f789f3..6f10bb93 100644 --- a/modules/organization/organization-policies.tf +++ b/modules/organization/organization-policies.tf @@ -115,7 +115,6 @@ resource "google_org_policy_policy" "default" { } } depends_on = [ - google_organization_iam_audit_config.config, google_organization_iam_binding.authoritative, google_organization_iam_custom_role.roles, google_organization_iam_member.additive, diff --git a/modules/organization/outputs.tf b/modules/organization/outputs.tf index 4450ecd0..8684e798 100644 --- a/modules/organization/outputs.tf +++ b/modules/organization/outputs.tf @@ -46,7 +46,6 @@ output "id" { description = "Fully qualified organization id." value = var.organization_id depends_on = [ - google_organization_iam_audit_config.config, google_organization_iam_binding.authoritative, google_organization_iam_custom_role.roles, google_organization_iam_member.additive, @@ -82,7 +81,6 @@ output "organization_id" { description = "Organization id dependent on module resources." value = var.organization_id depends_on = [ - google_organization_iam_audit_config.config, google_organization_iam_binding.authoritative, google_organization_iam_custom_role.roles, google_organization_iam_member.additive, diff --git a/modules/organization/variables.tf b/modules/organization/variables.tf index 524b6588..7c2d33e4 100644 --- a/modules/organization/variables.tf +++ b/modules/organization/variables.tf @@ -90,35 +90,27 @@ variable "iam_additive_members" { nullable = false } -variable "iam_audit_config" { - description = "Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service." - type = map(map(list(string))) - default = {} - nullable = false - # default = { - # allServices = { - # DATA_READ = ["user:me@example.org"] - # } - # } -} - -variable "iam_audit_config_authoritative" { - description = "IAM Authoritative service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution." - type = map(map(list(string))) - default = null - # default = { - # allServices = { - # DATA_READ = ["user:me@example.org"] - # } - # } -} - -variable "iam_bindings_authoritative" { - description = "IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution." +variable "iam_policy" { + description = "IAM authoritative policy in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared, use with extreme caution." type = map(list(string)) default = null } +variable "logging_data_access" { + description = "Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services." + type = map(map(list(string))) + nullable = false + default = {} + validation { + condition = alltrue(flatten([ + for k, v in var.logging_data_access : [ + for kk, vv in v : contains(["DATA_READ", "DATA_WRITE", "ADMIN_READ"], kk) + ] + ])) + error_message = "Log type keys for each service can only be one of 'DATA_READ', 'DATA_WRITE', 'ADMIN_READ'." + } +} + variable "logging_exclusions" { description = "Logging exclusions for this organization in the form {NAME -> FILTER}." type = map(string) diff --git a/modules/project/README.md b/modules/project/README.md index 6fb3d42f..d44aca57 100644 --- a/modules/project/README.md +++ b/modules/project/README.md @@ -16,6 +16,7 @@ This module implements the creation and management of one GCP project including - [Organization Policies](#organization-policies) - [Factory](#organization-policy-factory) - [Log Sinks](#log-sinks) +- [Data Access Logs](#data-access-logs) - [Cloud KMS Encryption Keys](#cloud-kms-encryption-keys) - [Tags](#tags) @@ -42,6 +43,9 @@ IAM is managed via several variables that implement different levels of control: - `group_iam` and `iam` configure authoritative bindings that manage individual roles exclusively, mapping to the [`google_project_iam_binding`](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_binding) resource - `iam_additive` and `iam_additive_members` configure additive bindings that only manage individual role/member pairs, mapping to the [`google_project_iam_member`](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) resource +- `iam_policy` which controls the entire IAM policy for the project, where any binding created outside this module (eg in the console) will be removed at each `terraform apply` cycle regardless of the role + +The authoritative and additive approaches can be used together, provided different roles are managed by each. The IAM policy is incompatible with the other approaches, and must be used with extreme care. Be mindful about service identity roles when using authoritative IAM, as you might inadvertently remove a role from a [service identity](https://cloud.google.com/iam/docs/service-account-types#google-managed) or default service account. For example, using `roles/editor` with `iam` or `group_iam` will remove the default permissions for the Cloud Services identity. A simple workaround for these scenarios is described below. @@ -433,6 +437,59 @@ module "project-host" { # tftest modules=5 resources=14 inventory=logging.yaml ``` +## Data Access Logs + +Activation of data access logs can be controlled via the `logging_data_access` variable. If the `iam_bindings_authoritative` variable is used to set a resource-level IAM policy, the data access log configuration will also be authoritative as part of the policy. + +This example shows how to set a non-authoritative access log configuration: + +```hcl +module "project" { + source = "./fabric/modules/project" + name = "my-project" + billing_account = "123456-123456-123456" + parent = "folders/1234567890" + logging_data_access = { + allServices = { + # logs for principals listed here will be excluded + ADMIN_READ = ["group:organization-admins@example.org"] + } + "storage.googleapis.com" = { + DATA_READ = [] + DATA_WRITE = [] + } + } +} +# tftest modules=1 resources=3 inventory=logging-data-access.yaml +``` + +While this sets an authoritative policies that has exclusive control of both IAM bindings for all roles and data access log configuration, and should be used with extreme care: + +```hcl +module "project" { + source = "./fabric/modules/project" + name = "my-project" + billing_account = "123456-123456-123456" + parent = "folders/1234567890" + iam_policy = { + "roles/owner" = ["group:org-admins@example.com"] + "roles/resourcemanager.folderAdmin" = ["group:org-admins@example.com"] + "roles/resourcemanager.organizationAdmin" = ["group:org-admins@example.com"] + "roles/resourcemanager.projectCreator" = ["group:org-admins@example.com"] + } + logging_data_access = { + allServices = { + ADMIN_READ = ["group:organization-admins@example.org"] + } + "storage.googleapis.com" = { + DATA_READ = [] + DATA_WRITE = [] + } + } +} +# tftest modules=1 resources=2 inventory=iam-policy.yaml +``` + ## Cloud Kms Encryption Keys The module offers a simple, centralized way to assign `roles/cloudkms.cryptoKeyEncrypterDecrypter` to service identities. @@ -518,8 +575,8 @@ output "compute_robot" { | name | description | resources | |---|---|---| -| [iam.tf](./iam.tf) | Generic and OSLogin-specific IAM bindings and roles. | google_project_iam_binding · google_project_iam_custom_role · google_project_iam_member | -| [logging.tf](./logging.tf) | Log sinks and supporting resources. | google_bigquery_dataset_iam_member · google_logging_project_exclusion · google_logging_project_sink · google_project_iam_member · google_pubsub_topic_iam_member · google_storage_bucket_iam_member | +| [iam.tf](./iam.tf) | Generic and OSLogin-specific IAM bindings and roles. | google_project_iam_binding · google_project_iam_custom_role · google_project_iam_member · google_project_iam_policy | +| [logging.tf](./logging.tf) | Log sinks and supporting resources. | google_bigquery_dataset_iam_member · google_logging_project_exclusion · google_logging_project_sink · google_project_iam_audit_config · google_project_iam_member · google_pubsub_topic_iam_member · google_storage_bucket_iam_member | | [main.tf](./main.tf) | Module-level locals and resources. | google_compute_project_metadata_item · google_essential_contacts_contact · google_monitoring_monitored_project · google_project · google_project_service · google_resource_manager_lien | | [organization-policies.tf](./organization-policies.tf) | Project-level organization policies. | google_org_policy_policy | | [outputs.tf](./outputs.tf) | Module outputs. | | @@ -534,7 +591,7 @@ output "compute_robot" { | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [name](variables.tf#L140) | Project name and id suffix. | string | ✓ | | +| [name](variables.tf#L161) | Project name and id suffix. | string | ✓ | | | [auto_create_network](variables.tf#L17) | Whether to create the default network for the project. | bool | | false | | [billing_account](variables.tf#L23) | Billing account id. | string | | null | | [contacts](variables.tf#L29) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | map(list(string)) | | {} | @@ -545,28 +602,30 @@ output "compute_robot" { | [iam](variables.tf#L62) | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | | [iam_additive](variables.tf#L69) | IAM additive bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | | [iam_additive_members](variables.tf#L76) | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | map(list(string)) | | {} | -| [labels](variables.tf#L82) | Resource labels. | map(string) | | {} | -| [lien_reason](variables.tf#L89) | If non-empty, creates a project lien with this description. | string | | "" | -| [logging_exclusions](variables.tf#L95) | Logging exclusions for this project in the form {NAME -> FILTER}. | map(string) | | {} | -| [logging_sinks](variables.tf#L102) | Logging sinks to create for this project. | map(object({…})) | | {} | -| [metric_scopes](variables.tf#L133) | List of projects that will act as metric scopes for this project. | list(string) | | [] | -| [org_policies](variables.tf#L145) | Organization policies applied to this project keyed by policy name. | map(object({…})) | | {} | -| [org_policies_data_path](variables.tf#L172) | Path containing org policies in YAML format. | string | | null | -| [oslogin](variables.tf#L178) | Enable OS Login. | bool | | false | -| [oslogin_admins](variables.tf#L184) | List of IAM-style identities that will be granted roles necessary for OS Login administrators. | list(string) | | [] | -| [oslogin_users](variables.tf#L192) | List of IAM-style identities that will be granted roles necessary for OS Login users. | list(string) | | [] | -| [parent](variables.tf#L199) | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | string | | null | -| [prefix](variables.tf#L209) | Optional prefix used to generate project id and name. | string | | null | -| [project_create](variables.tf#L219) | Create project. When set to false, uses a data source to reference existing project. | bool | | true | -| [service_config](variables.tf#L225) | Configure service API activation. | object({…}) | | {…} | -| [service_encryption_key_ids](variables.tf#L237) | Cloud KMS encryption key in {SERVICE => [KEY_URL]} format. | map(list(string)) | | {} | -| [service_perimeter_bridges](variables.tf#L244) | Name of VPC-SC Bridge perimeters to add project into. See comment in the variables file for format. | list(string) | | null | -| [service_perimeter_standard](variables.tf#L251) | Name of VPC-SC Standard perimeter to add project into. See comment in the variables file for format. | string | | null | -| [services](variables.tf#L257) | Service APIs to enable. | list(string) | | [] | -| [shared_vpc_host_config](variables.tf#L263) | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | object({…}) | | null | -| [shared_vpc_service_config](variables.tf#L272) | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | object({…}) | | null | -| [skip_delete](variables.tf#L282) | Allows the underlying resources to be destroyed without destroying the project itself. | bool | | false | -| [tag_bindings](variables.tf#L288) | Tag bindings for this project, in key => tag value id format. | map(string) | | null | +| [iam_policy](variables.tf#L82) | IAM authoritative policy in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared, use with extreme caution. | map(list(string)) | | null | +| [labels](variables.tf#L88) | Resource labels. | map(string) | | {} | +| [lien_reason](variables.tf#L95) | If non-empty, creates a project lien with this description. | string | | "" | +| [logging_data_access](variables.tf#L101) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | map(map(list(string))) | | {} | +| [logging_exclusions](variables.tf#L116) | Logging exclusions for this project in the form {NAME -> FILTER}. | map(string) | | {} | +| [logging_sinks](variables.tf#L123) | Logging sinks to create for this project. | map(object({…})) | | {} | +| [metric_scopes](variables.tf#L154) | List of projects that will act as metric scopes for this project. | list(string) | | [] | +| [org_policies](variables.tf#L166) | Organization policies applied to this project keyed by policy name. | map(object({…})) | | {} | +| [org_policies_data_path](variables.tf#L193) | Path containing org policies in YAML format. | string | | null | +| [oslogin](variables.tf#L199) | Enable OS Login. | bool | | false | +| [oslogin_admins](variables.tf#L205) | List of IAM-style identities that will be granted roles necessary for OS Login administrators. | list(string) | | [] | +| [oslogin_users](variables.tf#L213) | List of IAM-style identities that will be granted roles necessary for OS Login users. | list(string) | | [] | +| [parent](variables.tf#L220) | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | string | | null | +| [prefix](variables.tf#L230) | Optional prefix used to generate project id and name. | string | | null | +| [project_create](variables.tf#L240) | Create project. When set to false, uses a data source to reference existing project. | bool | | true | +| [service_config](variables.tf#L246) | Configure service API activation. | object({…}) | | {…} | +| [service_encryption_key_ids](variables.tf#L258) | Cloud KMS encryption key in {SERVICE => [KEY_URL]} format. | map(list(string)) | | {} | +| [service_perimeter_bridges](variables.tf#L265) | Name of VPC-SC Bridge perimeters to add project into. See comment in the variables file for format. | list(string) | | null | +| [service_perimeter_standard](variables.tf#L272) | Name of VPC-SC Standard perimeter to add project into. See comment in the variables file for format. | string | | null | +| [services](variables.tf#L278) | Service APIs to enable. | list(string) | | [] | +| [shared_vpc_host_config](variables.tf#L284) | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | object({…}) | | null | +| [shared_vpc_service_config](variables.tf#L293) | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | object({…}) | | null | +| [skip_delete](variables.tf#L303) | Allows the underlying resources to be destroyed without destroying the project itself. | bool | | false | +| [tag_bindings](variables.tf#L309) | Tag bindings for this project, in key => tag value id format. | map(string) | | null | ## Outputs diff --git a/modules/project/iam.tf b/modules/project/iam.tf index 3ed2d2a6..2ee8a63c 100644 --- a/modules/project/iam.tf +++ b/modules/project/iam.tf @@ -124,3 +124,34 @@ resource "google_project_iam_member" "oslogin_users" { role = "roles/compute.osLogin" member = each.value } + +resource "google_project_iam_policy" "authoritative" { + count = var.iam_policy != null ? 1 : 0 + project = local.project.project_id + policy_data = data.google_iam_policy.authoritative.0.policy_data +} + +data "google_iam_policy" "authoritative" { + count = var.iam_policy != null ? 1 : 0 + dynamic "binding" { + for_each = try(var.iam_policy, {}) + content { + role = binding.key + members = binding.value + } + } + dynamic "audit_config" { + for_each = var.logging_data_access + content { + service = audit_config.key + dynamic "audit_log_configs" { + for_each = audit_config.value + iterator = config + content { + log_type = config.key + exempted_members = config.value + } + } + } + } +} diff --git a/modules/project/logging.tf b/modules/project/logging.tf index 1db60dca..e80254da 100644 --- a/modules/project/logging.tf +++ b/modules/project/logging.tf @@ -26,6 +26,22 @@ locals { } } +resource "google_project_iam_audit_config" "default" { + for_each = ( + var.iam_policy == null ? var.logging_data_access : {} + ) + project = local.project.project_id + service = each.key + dynamic "audit_log_config" { + for_each = each.value + iterator = config + content { + log_type = config.key + exempted_members = config.value + } + } +} + resource "google_logging_project_sink" "sink" { for_each = var.logging_sinks name = each.key diff --git a/modules/project/variables.tf b/modules/project/variables.tf index ede3a8c6..bbd9fb60 100644 --- a/modules/project/variables.tf +++ b/modules/project/variables.tf @@ -79,6 +79,12 @@ variable "iam_additive_members" { default = {} } +variable "iam_policy" { + description = "IAM authoritative policy in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared, use with extreme caution." + type = map(list(string)) + default = null +} + variable "labels" { description = "Resource labels." type = map(string) @@ -92,6 +98,21 @@ variable "lien_reason" { default = "" } +variable "logging_data_access" { + description = "Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services." + type = map(map(list(string))) + nullable = false + default = {} + validation { + condition = alltrue(flatten([ + for k, v in var.logging_data_access : [ + for kk, vv in v : contains(["DATA_READ", "DATA_WRITE", "ADMIN_READ"], kk) + ] + ])) + error_message = "Log type keys for each service can only be one of 'DATA_READ', 'DATA_WRITE', 'ADMIN_READ'." + } +} + variable "logging_exclusions" { description = "Logging exclusions for this project in the form {NAME -> FILTER}." type = map(string) diff --git a/tests/modules/folder/examples/iam-policy.yaml b/tests/modules/folder/examples/iam-policy.yaml new file mode 100644 index 00000000..5ed33ab4 --- /dev/null +++ b/tests/modules/folder/examples/iam-policy.yaml @@ -0,0 +1,27 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.folder.google_folder.folder[0]: + display_name: my-folder + parent: folders/657104291943 + timeouts: null + module.folder.google_folder_iam_policy.authoritative[0]: + policy_data: '{"auditConfigs":[{"auditLogConfigs":[{"exemptedMembers":["group:organization-admins@example.org"],"logType":"ADMIN_READ"}],"service":"allServices"},{"auditLogConfigs":[{"logType":"DATA_WRITE"},{"logType":"DATA_READ"}],"service":"storage.googleapis.com"}],"bindings":[{"members":["group:org-admins@example.com"],"role":"roles/owner"},{"members":["group:org-admins@example.com"],"role":"roles/resourcemanager.folderAdmin"},{"members":["group:org-admins@example.com"],"role":"roles/resourcemanager.organizationAdmin"},{"members":["group:org-admins@example.com"],"role":"roles/resourcemanager.projectCreator"}]}' + +counts: + google_folder: 1 + google_folder_iam_policy: 1 + modules: 1 + resources: 2 diff --git a/tests/modules/folder/examples/logging-data-access.yaml b/tests/modules/folder/examples/logging-data-access.yaml new file mode 100644 index 00000000..91bcdd6e --- /dev/null +++ b/tests/modules/folder/examples/logging-data-access.yaml @@ -0,0 +1,38 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.folder.google_folder.folder[0]: + display_name: my-folder + parent: folders/657104291943 + timeouts: null + module.folder.google_folder_iam_audit_config.default["allServices"]: + audit_log_config: + - exempted_members: + - group:organization-admins@example.org + log_type: ADMIN_READ + service: allServices + module.folder.google_folder_iam_audit_config.default["storage.googleapis.com"]: + audit_log_config: + - exempted_members: [] + log_type: DATA_READ + - exempted_members: [] + log_type: DATA_WRITE + service: storage.googleapis.com + +counts: + google_folder: 1 + google_folder_iam_audit_config: 2 + modules: 1 + resources: 3 diff --git a/tests/modules/organization/audit_config.tfvars b/tests/modules/organization/audit_config.tfvars deleted file mode 100644 index b071033a..00000000 --- a/tests/modules/organization/audit_config.tfvars +++ /dev/null @@ -1,6 +0,0 @@ -iam_audit_config = { - allServices = { - DATA_READ = [], - DATA_WRITE = ["user:me@example.org"] - } -} diff --git a/tests/modules/organization/audit_config.yaml b/tests/modules/organization/audit_config.yaml deleted file mode 100644 index 56e90b62..00000000 --- a/tests/modules/organization/audit_config.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -counts: - google_organization_iam_audit_config: 1 diff --git a/tests/modules/organization/examples/iam-policy.yaml b/tests/modules/organization/examples/iam-policy.yaml new file mode 100644 index 00000000..d853ca64 --- /dev/null +++ b/tests/modules/organization/examples/iam-policy.yaml @@ -0,0 +1,23 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.org.google_organization_iam_policy.authoritative[0]: + org_id: '1122334455' + policy_data: '{"auditConfigs":[{"auditLogConfigs":[{"exemptedMembers":["group:organization-admins@example.org"],"logType":"ADMIN_READ"}],"service":"allServices"},{"auditLogConfigs":[{"logType":"DATA_WRITE"},{"logType":"DATA_READ"}],"service":"storage.googleapis.com"}],"bindings":[{"members":["group:org-admins@example.com"],"role":"roles/owner"},{"members":["group:org-admins@example.com"],"role":"roles/resourcemanager.folderAdmin"},{"members":["group:org-admins@example.com"],"role":"roles/resourcemanager.organizationAdmin"},{"members":["group:org-admins@example.com"],"role":"roles/resourcemanager.projectCreator"}]}' + +counts: + google_organization_iam_policy: 1 + modules: 1 + resources: 1 diff --git a/tests/modules/organization/examples/logging-data-access.yaml b/tests/modules/organization/examples/logging-data-access.yaml new file mode 100644 index 00000000..b3507742 --- /dev/null +++ b/tests/modules/organization/examples/logging-data-access.yaml @@ -0,0 +1,34 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.org.google_organization_iam_audit_config.default["allServices"]: + audit_log_config: + - exempted_members: ["group:organization-admins@example.org"] + log_type: ADMIN_READ + org_id: '1122334455' + service: allServices + module.org.google_organization_iam_audit_config.default["storage.googleapis.com"]: + audit_log_config: + - exempted_members: [] + log_type: DATA_READ + - exempted_members: [] + log_type: DATA_WRITE + org_id: '1122334455' + service: storage.googleapis.com + +counts: + google_organization_iam_audit_config: 2 + modules: 1 + resources: 2 diff --git a/tests/modules/organization/test_plan_org_policies_modules.py b/tests/modules/organization/test_plan_org_policies_modules.py index 2d3bf8d8..3126872e 100644 --- a/tests/modules/organization/test_plan_org_policies_modules.py +++ b/tests/modules/organization/test_plan_org_policies_modules.py @@ -54,9 +54,8 @@ def test_policy_implementation(): '- parent = local.folder.name\n', '+ name = "${var.organization_id}/policies/${k}"\n', '+ parent = var.organization_id\n', - '@@ -116,0 +117,10 @@\n', + '@@ -116,0 +117,9 @@\n', '+ depends_on = [\n', - '+ google_organization_iam_audit_config.config,\n', '+ google_organization_iam_binding.authoritative,\n', '+ google_organization_iam_custom_role.roles,\n', '+ google_organization_iam_member.additive,\n', diff --git a/tests/modules/organization/tftest.yaml b/tests/modules/organization/tftest.yaml index 7568b732..d179d057 100644 --- a/tests/modules/organization/tftest.yaml +++ b/tests/modules/organization/tftest.yaml @@ -18,7 +18,6 @@ common_tfvars: - common.tfvars tests: - audit_config: org_policies_list: org_policies_boolean: org_policies_custom_constraints: diff --git a/tests/modules/project/examples/iam-policy.yaml b/tests/modules/project/examples/iam-policy.yaml new file mode 100644 index 00000000..5aebc110 --- /dev/null +++ b/tests/modules/project/examples/iam-policy.yaml @@ -0,0 +1,34 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.project.google_project.project[0]: + auto_create_network: false + billing_account: 123456-123456-123456 + folder_id: '1234567890' + labels: null + name: my-project + org_id: null + project_id: my-project + skip_delete: false + timeouts: null + module.project.google_project_iam_policy.authoritative[0]: + policy_data: '{"auditConfigs":[{"auditLogConfigs":[{"exemptedMembers":["group:organization-admins@example.org"],"logType":"ADMIN_READ"}],"service":"allServices"},{"auditLogConfigs":[{"logType":"DATA_WRITE"},{"logType":"DATA_READ"}],"service":"storage.googleapis.com"}],"bindings":[{"members":["group:org-admins@example.com"],"role":"roles/owner"},{"members":["group:org-admins@example.com"],"role":"roles/resourcemanager.folderAdmin"},{"members":["group:org-admins@example.com"],"role":"roles/resourcemanager.organizationAdmin"},{"members":["group:org-admins@example.com"],"role":"roles/resourcemanager.projectCreator"}]}' + project: my-project + +counts: + google_project: 1 + google_project_iam_policy: 1 + modules: 1 + resources: 2 diff --git a/tests/modules/project/examples/logging-data-access.yaml b/tests/modules/project/examples/logging-data-access.yaml new file mode 100644 index 00000000..c6533839 --- /dev/null +++ b/tests/modules/project/examples/logging-data-access.yaml @@ -0,0 +1,46 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.project.google_project.project[0]: + auto_create_network: false + billing_account: 123456-123456-123456 + folder_id: '1234567890' + labels: null + name: my-project + org_id: null + project_id: my-project + skip_delete: false + timeouts: null + module.project.google_project_iam_audit_config.default["allServices"]: + audit_log_config: + - exempted_members: + - group:organization-admins@example.org + log_type: ADMIN_READ + project: my-project + service: allServices + module.project.google_project_iam_audit_config.default["storage.googleapis.com"]: + audit_log_config: + - exempted_members: [] + log_type: DATA_READ + - exempted_members: [] + log_type: DATA_WRITE + project: my-project + service: storage.googleapis.com + +counts: + google_project: 1 + google_project_iam_audit_config: 2 + modules: 1 + resources: 3