Merge branch 'master' into feature/make-sed-and-find-compatible-with-mac
daniel-cit authored Dec 11, 2023
2 parents 0682530 + 325785c commit 6dfd0c2
Showing 68 changed files with 2,176 additions and 288 deletions.
9 changes: 1 addition & 8 deletions 0-bootstrap/README-Jenkins.md
Expand Up @@ -69,14 +69,7 @@ You arrived to these instructions because you are using the `jenkins_bootstrap`

- You will see an output similar to this:

```text
-----BEGIN RSA PRIVATE KEY-----
copy your private key
from BEGIN to END
And configure a new
Jenkins Agent in the Web UI
-----END RSA PRIVATE KEY-----
```
![RSA private key example](./files/private_key_example.png)

1. Configure a new SSH Jenkins Agent in the Jenkins Controller’s Web UI. You need the following information:
- [SSH Agent Jenkins plugin](https://plugins.jenkins.io/ssh-agent/) installed in your Controller
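Review bot: replacing the ```text placeholder with a screenshot (`./files/private_key_example.png`) makes the example unsearchable, uncopyable and invisible to screen readers, and the binary cannot be inspected in this view to confirm it shows only dummy key material. Keep the text block with the BEGIN/END markers next to the image, and confirm the screenshot contains a redacted or throwaway key rather than one that was ever used.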
Binary file added 0-bootstrap/files/private_key_example.png
1 change: 1 addition & 0 deletions 0-bootstrap/main.tf
Expand Up @@ -93,6 +93,7 @@ module "seed_bootstrap" {
"billingbudgets.googleapis.com",
"essentialcontacts.googleapis.com",
"assuredworkloads.googleapis.com",
"cloudasset.googleapis.com"
]

sa_org_iam_permissions = []
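Review bot: the new `"cloudasset.googleapis.com"` entry ends the list without a trailing comma while every other element has one; adding it keeps the next API addition to a one-line diff.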
2 changes: 2 additions & 0 deletions 0-bootstrap/sa.tf
Expand Up @@ -47,6 +47,8 @@ locals {
"roles/essentialcontacts.admin",
"roles/resourcemanager.tagAdmin",
"roles/resourcemanager.tagUser",
"roles/cloudasset.owner",
"roles/securitycenter.sourcesEditor",
], local.common_roles)),
"env" = distinct(concat([
"roles/resourcemanager.tagUser",
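Review bot: `roles/cloudasset.owner` and `roles/securitycenter.sourcesEditor` are added to an organization-level role list with no comment on why. The CAI monitoring outputs elsewhere in this commit (an organization asset feed and a Cloud Function that reports to Security Command Center) are presumably the reason; record that next to the roles, and check whether `roles/cloudasset.owner`, which is full control of Cloud Asset Inventory at organization scope, can be replaced by a narrower grant that still covers feed management.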
22 changes: 11 additions & 11 deletions 0-bootstrap/terraform.example.tfvars
Expand Up @@ -41,19 +41,19 @@ default_region = "us-central1"
# create_groups = true,
# billing_project = "billing-project",
# required_groups = {
# group_org_admins = "[email protected]"
# group_billing_admins = "[email protected]"
# billing_data_users = "[email protected]"
# audit_data_users = "[email protected]"
# monitoring_workspace_users = "[email protected]"
# group_org_admins = "[email protected]"
# group_billing_admins = "[email protected]"
# billing_data_users = "[email protected]"
# audit_data_users = "[email protected]"
# monitoring_workspace_users = "[email protected]"
# },
# optional_groups = {
# gcp_platform_viewer = "[email protected]"
# gcp_security_reviewer = "[email protected]"
# gcp_network_viewer = "[email protected]"
# gcp_scc_admin = "[email protected]"
# gcp_global_secrets_admin = "[email protected]"
# gcp_audit_viewer = "[email protected]"
# gcp_platform_viewer = "[email protected]"
# gcp_security_reviewer = "[email protected]"
# gcp_network_viewer = "[email protected]"
# gcp_scc_admin = "[email protected]"
# gcp_global_secrets_admin = "[email protected]"
# gcp_audit_viewer = "[email protected]"
# }
# }
#
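Review bot: as rendered, the eleven replaced lines are indistinguishable from the eleven they replace (every address shows as `[email protected]` on both sides), so the intent of this hunk cannot be verified from this view; a short note in the commit on what changed in the example groups (alignment, example domain) would let reviewers confirm it.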
3 changes: 2 additions & 1 deletion 1-org/README.md
Expand Up @@ -99,12 +99,13 @@ commands. The `-T` flag is required for Linux, but causes problems for MacOS.
| gcp_scc_admin | Product updates and security | Org Admins |
| gcp_security_reviewer | Security and technical | Org Admins |

This module creates and applies [tags](https://cloud.google.com/resource-manager/docs/tags/tags-overview) to common and bootstrap folders. These tags are also applied to environment folders of step [2-environments](../2-environments/README.md). You can create your own tags by editing the `local.tags` map in `tags.tf` and following the commented template. The following table describes details about the tags that are applied to resources:
This module creates and applies [tags](https://cloud.google.com/resource-manager/docs/tags/tags-overview) to common, network, and bootstrap folders. These tags are also applied to environment folders of step [2-environments](../2-environments/README.md). You can create your own tags by editing the `local.tags` map in `tags.tf` and following the commented template. The following table describes details about the tags that are applied to resources:

| Resource | Type | Step | Tag Key | Tag Value |
|----------|------|------|---------|-----------|
| bootstrap | folder | 1-org | environment | bootstrap |
| common | folder | 1-org | environment | production |
| network | folder | 1-org | environment | production |
| enviroment development | folder | [2-environments](../2-environments/README.md) | environment | development |
| enviroment non-production | folder | [2-environments](../2-environments/README.md) | environment | non-production |
| enviroment production | folder | [2-environments](../2-environments/README.md) | environment | production |
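Review bot: the three context rows below the new `network` row spell "enviroment"; since this table is being edited anyway, fix the typo to "environment" in the same hunk.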
13 changes: 10 additions & 3 deletions 1-org/envs/shared/README.md
Expand Up @@ -8,6 +8,7 @@
| audit\_logs\_table\_expiration\_days | Period before tables expire for all audit logs in milliseconds. Default is 30 days. | `number` | `30` | no |
| billing\_data\_users | Google Workspace or Cloud Identity group that have access to billing data set. | `string` | n/a | yes |
| billing\_export\_dataset\_location | The location of the dataset for billing data export. | `string` | `"US"` | no |
| cai\_monitoring\_kms\_force\_destroy | If set to true, delete KMS keyring and keys when destroying the module; otherwise, destroying the module will fail if KMS keys are present. | `bool` | `false` | no |
| create\_access\_context\_manager\_access\_policy | Whether to create access context manager access policy. | `bool` | `true` | no |
| create\_unique\_tag\_key | Creates unique organization-wide tag keys by adding a random suffix to each key. | `bool` | `false` | no |
| data\_access\_logs\_enabled | Enable Data Access logs of types DATA\_READ, DATA\_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN\_READ logs are enabled by default. | `bool` | `false` | no |
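Review bot: the description of `cai_monitoring_kms_force_destroy` says it will "delete KMS keyring and keys", which Cloud KMS does not do: key rings and keys cannot be deleted, and destroying the Terraform resources destroys their key versions and drops them from state. Reword to something like "If set to true, allow Terraform to destroy the KMS keyring and key resources (their key versions are destroyed and the key becomes unusable); otherwise destroying the module fails while keys are present", so operators understand the data-loss consequence.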
Expand All @@ -22,7 +23,7 @@
| log\_export\_storage\_location | The location of the storage bucket used to export logs. | `string` | `"US"` | no |
| log\_export\_storage\_retention\_policy | Configuration of the bucket's data retention policy for how long objects in the bucket should be retained. | <pre>object({<br> is_locked = bool<br> retention_period_days = number<br> })</pre> | `null` | no |
| log\_export\_storage\_versioning | (Optional) Toggles bucket versioning, ability to retain a non-current object version when the live object version gets replaced or deleted. | `bool` | `false` | no |
| project\_budget | Budget configuration for projects.<br> budget\_amount: The amount to use as the budget.<br> alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.<br> alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`. | <pre>object({<br> dns_hub_budget_amount = optional(number, 1000)<br> dns_hub_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])<br> dns_hub_alert_pubsub_topic = optional(string, null)<br> base_net_hub_budget_amount = optional(number, 1000)<br> base_net_hub_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])<br> base_net_hub_alert_pubsub_topic = optional(string, null)<br> restricted_net_hub_budget_amount = optional(number, 1000)<br> restricted_net_hub_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])<br> restricted_net_hub_alert_pubsub_topic = optional(string, null)<br> interconnect_budget_amount = optional(number, 1000)<br> interconnect_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])<br> interconnect_alert_pubsub_topic = optional(string, null)<br> org_secrets_budget_amount = optional(number, 1000)<br> org_secrets_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])<br> org_secrets_alert_pubsub_topic = optional(string, null)<br> org_billing_logs_budget_amount = optional(number, 1000)<br> org_billing_logs_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])<br> org_billing_logs_alert_pubsub_topic = optional(string, null)<br> org_audit_logs_budget_amount = optional(number, 1000)<br> org_audit_logs_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])<br> org_audit_logs_alert_pubsub_topic = optional(string, null)<br> scc_notifications_budget_amount = optional(number, 1000)<br> scc_notifications_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])<br> 
scc_notifications_alert_pubsub_topic = optional(string, null)<br> })</pre> | `{}` | no |
| project\_budget | Budget configuration for projects.<br> budget\_amount: The amount to use as the budget.<br> alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.<br> alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.<br> alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). | <pre>object({<br> dns_hub_budget_amount = optional(number, 1000)<br> dns_hub_alert_spent_percents = optional(list(number), [1.2])<br> dns_hub_alert_pubsub_topic = optional(string, null)<br> dns_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> base_net_hub_budget_amount = optional(number, 1000)<br> base_net_hub_alert_spent_percents = optional(list(number), [1.2])<br> base_net_hub_alert_pubsub_topic = optional(string, null)<br> base_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> base_network_budget_amount = optional(number, 1000)<br> base_network_alert_spent_percents = optional(list(number), [1.2])<br> base_network_alert_pubsub_topic = optional(string, null)<br> base_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> restricted_net_hub_budget_amount = optional(number, 1000)<br> restricted_net_hub_alert_spent_percents = optional(list(number), [1.2])<br> restricted_net_hub_alert_pubsub_topic = optional(string, null)<br> restricted_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> restricted_network_budget_amount = optional(number, 1000)<br> restricted_network_alert_spent_percents = optional(list(number), [1.2])<br> restricted_network_alert_pubsub_topic = optional(string, null)<br> restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> interconnect_budget_amount = optional(number, 1000)<br> 
interconnect_alert_spent_percents = optional(list(number), [1.2])<br> interconnect_alert_pubsub_topic = optional(string, null)<br> interconnect_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> org_secrets_budget_amount = optional(number, 1000)<br> org_secrets_alert_spent_percents = optional(list(number), [1.2])<br> org_secrets_alert_pubsub_topic = optional(string, null)<br> org_secrets_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> org_billing_logs_budget_amount = optional(number, 1000)<br> org_billing_logs_alert_spent_percents = optional(list(number), [1.2])<br> org_billing_logs_alert_pubsub_topic = optional(string, null)<br> org_billing_logs_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> org_audit_logs_budget_amount = optional(number, 1000)<br> org_audit_logs_alert_spent_percents = optional(list(number), [1.2])<br> org_audit_logs_alert_pubsub_topic = optional(string, null)<br> org_audit_logs_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> scc_notifications_budget_amount = optional(number, 1000)<br> scc_notifications_alert_spent_percents = optional(list(number), [1.2])<br> scc_notifications_alert_pubsub_topic = optional(string, null)<br> scc_notifications_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> })</pre> | `{}` | no |
| remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
| scc\_notification\_filter | Filter used to create the Security Command Center Notification, you can see more details on how to create filters in https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter | `string` | `"state = \"ACTIVE\""` | no |
| scc\_notification\_name | Name of the Security Command Center Notification. It must be unique in the organization. Run `gcloud scc notifications describe <scc_notification_name> --organization=org_id` to check if it already exists. | `string` | n/a | yes |
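Review bot: the alert threshold defaults move from `[0.5, 0.75, 0.9, 0.95]` to `[1.2]` alongside a new `FORECASTED_SPEND` basis; a 120% threshold only makes sense with the forecast basis, and anyone who switches a budget to `CURRENT_SPEND` without lowering it will be alerted only after spend is already 20% over budget. Say so in the description, and align the field name it documents (`alert_spend_basis`) with the names actually used in the object (`*_budget_alert_spend_basis`).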
Expand All @@ -32,6 +33,10 @@
| Name | Description |
|------|-------------|
| base\_net\_hub\_project\_id | The Base Network hub project ID |
| cai\_monitoring\_artifact\_registry | CAI Monitoring Cloud Function Artifact Registry name. |
| cai\_monitoring\_asset\_feed | CAI Monitoring Cloud Function Organization Asset Feed name. |
| cai\_monitoring\_bucket | CAI Monitoring Cloud Function Source Bucket name. |
| cai\_monitoring\_topic | CAI Monitoring Cloud Function Pub/Sub Topic name. |
| common\_folder\_name | The common folder name |
| dns\_hub\_project\_id | The DNS hub project ID |
| domains\_to\_allow | The list of domains to allow users from in IAM. |
Expand All @@ -41,7 +46,8 @@
| logs\_export\_logbucket\_name | The log bucket for destination of log exports. See https://cloud.google.com/logging/docs/routing/overview#buckets |
| logs\_export\_pubsub\_topic | The Pub/Sub topic for destination of log exports |
| logs\_export\_storage\_bucket\_name | The storage bucket for destination of log exports |
| org\_audit\_logs\_project\_id | The org audit logs project ID |
| network\_folder\_name | The network folder name. |
| org\_audit\_logs\_project\_id | The org audit logs project ID. |
| org\_billing\_logs\_project\_id | The org billing logs project ID |
| org\_id | The organization id |
| org\_secrets\_project\_id | The org secrets project ID |
Expand All @@ -51,6 +57,7 @@
| restricted\_net\_hub\_project\_number | The Restricted Network hub project number |
| scc\_notification\_name | Name of SCC Notification |
| scc\_notifications\_project\_id | The SCC notifications project ID |
| tags | Tag Values to be applied on next steps |
| shared\_vpc\_projects | Base and restricted shared VPC Projects info grouped by environment (development, non-production, production). |
| tags | Tag Values to be applied on next steps. |

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
38 changes: 38 additions & 0 deletions 1-org/envs/shared/cai_monitoring.tf
@@ -0,0 +1,38 @@
/**
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

module "kms" {
source = "terraform-google-modules/kms/google"
version = "~> 2.1"

project_id = module.scc_notifications.project_id
keyring = "krg-cai-monitoring"
location = local.default_region
keys = ["key-cai-monitoring"]
prevent_destroy = !var.cai_monitoring_kms_force_destroy
}

module "cai_monitoring" {
source = "../../modules/cai-monitoring"

org_id = local.org_id
billing_account = local.billing_account
project_id = module.scc_notifications.project_id
location = local.default_region
enable_cmek = true
encryption_key = module.kms.keys["key-cai-monitoring"]
impersonate_sa_email = local.org_step_terraform_service_account_email
}
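Review bot: `module "kms"` sets only `keyring`, `location`, `keys` and `prevent_destroy`, so rotation period and protection level are whatever `terraform-google-modules/kms` v2.x defaults to; set `key_rotation_period` explicitly so the CMEK policy for this function is visible in review rather than inherited silently. Also, the key and the `cai_monitoring` module both use `local.default_region`, which is required for a regional key; a comment noting that they must stay in the same region would prevent a future change to one of them breaking CMEK.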
5 changes: 5 additions & 0 deletions 1-org/envs/shared/folders.tf
Expand Up @@ -22,3 +22,8 @@ resource "google_folder" "common" {
display_name = "${local.folder_prefix}-common"
parent = local.parent
}

resource "google_folder" "network" {
display_name = "${local.folder_prefix}-network"
parent = local.parent
}
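Review bot: the `1-org/README.md` table in this commit lists the new `network` folder with tag `environment = production`, but the tag binding for `google_folder.network` does not appear in the visible hunks (tags.tf is not shown); confirm it is applied there so the docs and the folder do not diverge.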
1 change: 1 addition & 0 deletions 1-org/envs/shared/main.tf
Expand Up @@ -29,6 +29,7 @@ locals {
group_billing_admins = data.terraform_remote_state.bootstrap.outputs.group_billing_admins
group_org_admins = data.terraform_remote_state.bootstrap.outputs.group_org_admins
networks_step_terraform_service_account_email = data.terraform_remote_state.bootstrap.outputs.networks_step_terraform_service_account_email
org_step_terraform_service_account_email = data.terraform_remote_state.bootstrap.outputs.organization_step_terraform_service_account_email
bootstrap_folder_name = data.terraform_remote_state.bootstrap.outputs.common_config.bootstrap_folder_name
cloud_build_private_worker_pool_id = try(data.terraform_remote_state.bootstrap.outputs.cloud_build_private_worker_pool_id, "")
}
1 change: 0 additions & 1 deletion 1-org/envs/shared/org_policy.tf
Expand Up @@ -27,7 +27,6 @@ locals {
boolean_type_organization_policies = toset([
"compute.disableNestedVirtualization",
"compute.disableSerialPortAccess",
"compute.disableGuestAttributesAccess",
"compute.skipDefaultNetworkCreation",
"compute.restrictXpnProjectLienRemoval",
"compute.disableVpcExternalIpv6",
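Review bot: dropping `compute.disableGuestAttributesAccess` from `boolean_type_organization_policies` re-enables guest attributes access for every project under the organization, and neither the commit message nor the surrounding files say which component needs it. State the reason in a comment, and if only one workload needs guest attributes, prefer a project-level exception over removing the org-wide constraint.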
34 changes: 32 additions & 2 deletions 1-org/envs/shared/outputs.tf
Expand Up @@ -39,9 +39,14 @@ output "common_folder_name" {
description = "The common folder name"
}

output "network_folder_name" {
value = google_folder.network.name
description = "The network folder name."
}

output "org_audit_logs_project_id" {
value = module.org_audit_logs.project_id
description = "The org audit logs project ID"
description = "The org audit logs project ID."
}

output "org_billing_logs_project_id" {
Expand Down Expand Up @@ -116,5 +121,30 @@ output "logs_export_bigquery_dataset_name" {

output "tags" {
value = local.tags_output
description = "Tag Values to be applied on next steps"
description = "Tag Values to be applied on next steps."
}

output "shared_vpc_projects" {
value = { for k, v in module.base_restricted_environment_network : k => v }
description = "Base and restricted shared VPC Projects info grouped by environment (development, non-production, production)."
}

output "cai_monitoring_artifact_registry" {
value = module.cai_monitoring.artifact_registry_name
description = "CAI Monitoring Cloud Function Artifact Registry name."
}

output "cai_monitoring_asset_feed" {
value = module.cai_monitoring.asset_feed_name
description = "CAI Monitoring Cloud Function Organization Asset Feed name."
}

output "cai_monitoring_bucket" {
value = module.cai_monitoring.bucket_name
description = "CAI Monitoring Cloud Function Source Bucket name."
}

output "cai_monitoring_topic" {
value = module.cai_monitoring.topic_name
description = "CAI Monitoring Cloud Function Pub/Sub Topic name."
}
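Review bot: in `output "shared_vpc_projects"` the expression `{ for k, v in module.base_restricted_environment_network : k => v }` rebuilds the same map it iterates over; `module.base_restricted_environment_network` on its own gives the same value and reads more clearly, unless the intent is to narrow the exported attributes, in which case select them in the `k => v` body.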