Commit
Merge remote-tracking branch 'origin/master' into split-kms-configuration-from-secrets-project
daniel-cit committed Dec 10, 2023
2 parents c9a4d8f + 89e11aa commit 9a894bf
Showing 34 changed files with 396 additions and 234 deletions.
22 changes: 11 additions & 11 deletions 0-bootstrap/terraform.example.tfvars
@@ -41,19 +41,19 @@ default_region = "us-central1"
# create_groups = true,
# billing_project = "billing-project",
# required_groups = {
# group_org_admins = "[email protected]"
# group_billing_admins = "[email protected]"
# billing_data_users = "[email protected]"
# audit_data_users = "[email protected]"
# monitoring_workspace_users = "[email protected]"
# group_org_admins = "[email protected]"
# group_billing_admins = "[email protected]"
# billing_data_users = "[email protected]"
# audit_data_users = "[email protected]"
# monitoring_workspace_users = "[email protected]"
# },
# optional_groups = {
# gcp_platform_viewer = "[email protected]"
# gcp_security_reviewer = "[email protected]"
# gcp_network_viewer = "[email protected]"
# gcp_scc_admin = "[email protected]"
# gcp_global_secrets_admin = "[email protected]"
# gcp_audit_viewer = "[email protected]"
# gcp_platform_viewer = "[email protected]"
# gcp_security_reviewer = "[email protected]"
# gcp_network_viewer = "[email protected]"
# gcp_scc_admin = "[email protected]"
# gcp_global_secrets_admin = "[email protected]"
# gcp_audit_viewer = "[email protected]"
# }
# }
#
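Review bot: the removed and added `required_groups` and `optional_groups` lines render identically in this view because the addresses are elided, so the substance of the change to these example values cannot be checked from the diff; the commit description should state which example addresses or domain changed, so a reviewer can confirm that only placeholder data was touched and no real group address was committed to the example tfvars.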
3 changes: 2 additions & 1 deletion 1-org/README.md
@@ -99,12 +99,13 @@ commands. The `-T` flag is required for Linux, but causes problems for MacOS.
| gcp_scc_admin | Product updates and security | Org Admins |
| gcp_security_reviewer | Security and technical | Org Admins |

This module creates and applies [tags](https://cloud.google.com/resource-manager/docs/tags/tags-overview) to common and bootstrap folders. These tags are also applied to environment folders of step [2-environments](../2-environments/README.md). You can create your own tags by editing the `local.tags` map in `tags.tf` and following the commented template. The following table describes details about the tags that are applied to resources:
This module creates and applies [tags](https://cloud.google.com/resource-manager/docs/tags/tags-overview) to common, network, and bootstrap folders. These tags are also applied to environment folders of step [2-environments](../2-environments/README.md). You can create your own tags by editing the `local.tags` map in `tags.tf` and following the commented template. The following table describes details about the tags that are applied to resources:

| Resource | Type | Step | Tag Key | Tag Value |
|----------|------|------|---------|-----------|
| bootstrap | folder | 1-org | environment | bootstrap |
| common | folder | 1-org | environment | production |
| network | folder | 1-org | environment | production |
| enviroment development | folder | [2-environments](../2-environments/README.md) | environment | development |
| enviroment non-production | folder | [2-environments](../2-environments/README.md) | environment | non-production |
| enviroment production | folder | [2-environments](../2-environments/README.md) | environment | production |
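Review bot: the three unchanged `2-environments` rows still spell the resource as `enviroment` (missing n); since this table is being edited anyway, correct them to `environment` in the same change rather than leaving the typo next to the new `network` row. The new row's `environment = production` value matches `common`, which is consistent with the binding added in `tags.tf`.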
8 changes: 5 additions & 3 deletions 1-org/envs/shared/README.md
@@ -23,7 +23,7 @@
| log\_export\_storage\_location | The location of the storage bucket used to export logs. | `string` | `"US"` | no |
| log\_export\_storage\_retention\_policy | Configuration of the bucket's data retention policy for how long objects in the bucket should be retained. | <pre>object({<br> is_locked = bool<br> retention_period_days = number<br> })</pre> | `null` | no |
| log\_export\_storage\_versioning | (Optional) Toggles bucket versioning, ability to retain a non-current object version when the live object version gets replaced or deleted. | `bool` | `false` | no |
| project\_budget | Budget configuration for projects.<br> budget\_amount: The amount to use as the budget.<br> alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.<br> alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.<br> alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). | <pre>object({<br> dns_hub_budget_amount = optional(number, 1000)<br> dns_hub_alert_spent_percents = optional(list(number), [1.2])<br> dns_hub_alert_pubsub_topic = optional(string, null)<br> dns_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> base_net_hub_budget_amount = optional(number, 1000)<br> base_net_hub_alert_spent_percents = optional(list(number), [1.2])<br> base_net_hub_alert_pubsub_topic = optional(string, null)<br> base_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> restricted_net_hub_budget_amount = optional(number, 1000)<br> restricted_net_hub_alert_spent_percents = optional(list(number), [1.2])<br> restricted_net_hub_alert_pubsub_topic = optional(string, null)<br> restricted_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> interconnect_budget_amount = optional(number, 1000)<br> interconnect_alert_spent_percents = optional(list(number), [1.2])<br> interconnect_alert_pubsub_topic = optional(string, null)<br> interconnect_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> org_secrets_budget_amount = optional(number, 1000)<br> org_secrets_alert_spent_percents = optional(list(number), [1.2])<br> org_secrets_alert_pubsub_topic = optional(string, null)<br> org_secrets_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> org_billing_logs_budget_amount = optional(number, 1000)<br> 
org_billing_logs_alert_spent_percents = optional(list(number), [1.2])<br> org_billing_logs_alert_pubsub_topic = optional(string, null)<br> org_billing_logs_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> org_audit_logs_budget_amount = optional(number, 1000)<br> org_audit_logs_alert_spent_percents = optional(list(number), [1.2])<br> org_audit_logs_alert_pubsub_topic = optional(string, null)<br> org_audit_logs_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> org_kms_budget_amount = optional(number, 1000)<br> org_kms_alert_spent_percents = optional(list(number), [1.2])<br> org_kms_alert_pubsub_topic = optional(string, null)<br> org_kms_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> scc_notifications_budget_amount = optional(number, 1000)<br> scc_notifications_alert_spent_percents = optional(list(number), [1.2])<br> scc_notifications_alert_pubsub_topic = optional(string, null)<br> scc_notifications_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> })</pre> | `{}` | no |
| project\_budget | Budget configuration for projects.<br> budget\_amount: The amount to use as the budget.<br> alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.<br> alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.<br> alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). | <pre>object({<br> dns_hub_budget_amount = optional(number, 1000)<br> dns_hub_alert_spent_percents = optional(list(number), [1.2])<br> dns_hub_alert_pubsub_topic = optional(string, null)<br> dns_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> base_net_hub_budget_amount = optional(number, 1000)<br> base_net_hub_alert_spent_percents = optional(list(number), [1.2])<br> base_net_hub_alert_pubsub_topic = optional(string, null)<br> base_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> base_network_budget_amount = optional(number, 1000)<br> base_network_alert_spent_percents = optional(list(number), [1.2])<br> base_network_alert_pubsub_topic = optional(string, null)<br> base_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> restricted_net_hub_budget_amount = optional(number, 1000)<br> restricted_net_hub_alert_spent_percents = optional(list(number), [1.2])<br> restricted_net_hub_alert_pubsub_topic = optional(string, null)<br> restricted_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> restricted_network_budget_amount = optional(number, 1000)<br> restricted_network_alert_spent_percents = optional(list(number), [1.2])<br> restricted_network_alert_pubsub_topic = optional(string, null)<br> restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> interconnect_budget_amount = optional(number, 1000)<br> 
interconnect_alert_spent_percents = optional(list(number), [1.2])<br> interconnect_alert_pubsub_topic = optional(string, null)<br> interconnect_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> org_secrets_budget_amount = optional(number, 1000)<br> org_secrets_alert_spent_percents = optional(list(number), [1.2])<br> org_secrets_alert_pubsub_topic = optional(string, null)<br> org_secrets_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> org_billing_logs_budget_amount = optional(number, 1000)<br> org_billing_logs_alert_spent_percents = optional(list(number), [1.2])<br> org_billing_logs_alert_pubsub_topic = optional(string, null)<br> org_billing_logs_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> org_audit_logs_budget_amount = optional(number, 1000)<br> org_audit_logs_alert_spent_percents = optional(list(number), [1.2])<br> org_audit_logs_alert_pubsub_topic = optional(string, null)<br> org_audit_logs_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> org_kms_budget_amount = optional(number, 1000)<br> org_kms_alert_spent_percents = optional(list(number), [1.2])<br> org_kms_alert_pubsub_topic = optional(string, null)<br> org_kms_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> scc_notifications_budget_amount = optional(number, 1000)<br> scc_notifications_alert_spent_percents = optional(list(number), [1.2])<br> scc_notifications_alert_pubsub_topic = optional(string, null)<br> scc_notifications_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> })</pre> | `{}` | no |
| remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
| scc\_notification\_filter | Filter used to create the Security Command Center Notification, you can see more details on how to create filters in https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter | `string` | `"state = \"ACTIVE\""` | no |
| scc\_notification\_name | Name of the Security Command Center Notification. It must be unique in the organization. Run `gcloud scc notifications describe <scc_notification_name> --organization=org_id` to check if it already exists. | `string` | n/a | yes |
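Review bot: the `project_budget` description column is unchanged and still only explains the generic `budget_amount`, `alert_spent_percents`, `alert_pubsub_topic` and `alert_spend_basis` fields, so nothing tells a reader that the new `base_network_*` and `restricted_network_*` keys are applied to each of the development, non-production and production network projects rather than to one project; add a sentence to the `description` string that generates this row saying so, otherwise a user setting `base_network_budget_amount` will not expect it to be applied three times.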
@@ -46,7 +46,8 @@
| logs\_export\_logbucket\_name | The log bucket for destination of log exports. See https://cloud.google.com/logging/docs/routing/overview#buckets |
| logs\_export\_pubsub\_topic | The Pub/Sub topic for destination of log exports |
| logs\_export\_storage\_bucket\_name | The storage bucket for destination of log exports |
| org\_audit\_logs\_project\_id | The org audit logs project ID |
| network\_folder\_name | The network folder name. |
| org\_audit\_logs\_project\_id | The org audit logs project ID. |
| org\_billing\_logs\_project\_id | The org billing logs project ID |
| org\_id | The organization id |
| org\_kms\_project\_id | The org Cloud Key Management Service (KMS) project ID |
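Review bot: trailing-period inconsistency: `org_audit_logs_project_id` gains a period and the new `network_folder_name` has one, while the neighbouring `org_billing_logs_project_id`, `org_id` and `org_kms_project_id` descriptions still have none. Since this table is generated from the `description` strings in `outputs.tf`, either normalise all of them in one pass or leave the existing ones untouched to keep the diff focused on the network folder.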
@@ -57,6 +58,7 @@
| restricted\_net\_hub\_project\_number | The Restricted Network hub project number |
| scc\_notification\_name | Name of SCC Notification |
| scc\_notifications\_project\_id | The SCC notifications project ID |
| tags | Tag Values to be applied on next steps |
| shared\_vpc\_projects | Base and restricted shared VPC Projects info grouped by environment (development, non-production, production). |
| tags | Tag Values to be applied on next steps. |

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
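Review bot: `shared_vpc_projects` is documented only as "Projects info grouped by environment" without saying which attributes of the network module it exposes; because the `remote_state_bucket` row shows that later steps read these outputs from remote state, spell out the per-environment keys (or point at the module's outputs) in the description so consumers do not have to read `../../modules/network` to learn the shape of the value.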
5 changes: 5 additions & 0 deletions 1-org/envs/shared/folders.tf
@@ -22,3 +22,8 @@ resource "google_folder" "common" {
display_name = "${local.folder_prefix}-common"
parent = local.parent
}

resource "google_folder" "network" {
display_name = "${local.folder_prefix}-network"
parent = local.parent
}
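Review bot: the new `network` folder is created beside `common` with the same `parent`, but nothing in this hunk carries over any folder-level IAM bindings or organization policies that `common` may hold; because `projects.tf` in this commit moves the four hub projects into this folder, confirm that whatever was granted or constrained on `common` for those projects is applied explicitly to `network` as well, otherwise the move silently changes their effective policy.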
14 changes: 12 additions & 2 deletions 1-org/envs/shared/outputs.tf
@@ -39,9 +39,14 @@ output "common_folder_name" {
description = "The common folder name"
}

output "network_folder_name" {
value = google_folder.network.name
description = "The network folder name."
}

output "org_audit_logs_project_id" {
value = module.org_audit_logs.project_id
description = "The org audit logs project ID"
description = "The org audit logs project ID."
}

output "org_billing_logs_project_id" {
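Review bot: `common_folder_name` ends without a period while the new `network_folder_name` and the reworded `org_audit_logs_project_id` end with one; pick one convention for the `description` strings in this file, since the README table on this page is generated from them and now shows the mismatch row by row.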
@@ -121,7 +126,12 @@ output "logs_export_bigquery_dataset_name" {

output "tags" {
value = local.tags_output
description = "Tag Values to be applied on next steps"
description = "Tag Values to be applied on next steps."
}

output "shared_vpc_projects" {
value = { for k, v in module.base_restricted_environment_network : k => v }
description = "Base and restricted shared VPC Projects info grouped by environment (development, non-production, production)."
}

output "cai_monitoring_artifact_registry" {
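Review bot: the `for` expression in `shared_vpc_projects` is an identity (`{ for k, v in module.base_restricted_environment_network : k => v }` rebuilds the same map it iterates), so `value = module.base_restricted_environment_network` is equivalent and clearer. If the intent is to publish only some of the module's outputs (for example project IDs and numbers) into remote state rather than every output, select those attributes explicitly in the expression so the output contract read by later steps stays narrow and stable.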
45 changes: 41 additions & 4 deletions 1-org/envs/shared/projects.tf
@@ -21,6 +21,11 @@ locals {
"roles/resourcemanager.projectIamAdmin",
"roles/iam.serviceAccountUser",
]
environments = {
"development" : "d",
"non-production" : "n",
"production" : "p"
}
}

/******************************************
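Review bot: the `environments` map hard-codes the environment names and their one-letter codes (`d`, `n`, `p`) inside `projects.tf`; the same names appear in the `shared_vpc_projects` description and in the tag values, so if this set is already defined as a variable or shared local elsewhere in the step, reference that instead of keeping a second copy, and if it is not, move the map next to the other shared locals so the list of environments has a single source of truth.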
@@ -162,7 +167,7 @@ module "interconnect" {
name = "${local.project_prefix}-c-interconnect"
org_id = local.org_id
billing_account = local.billing_account
folder_id = google_folder.common.id
folder_id = google_folder.network.id
activate_apis = ["billingbudgets.googleapis.com", "compute.googleapis.com"]

labels = {
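Review bot: changing `folder_id` from `google_folder.common.id` to `google_folder.network.id` moves an existing project for anyone upgrading, not only new deployments; a project move changes the IAM and organization policies it inherits, so the release notes should say so, and the plan for an upgrade should be checked to show an in-place update of the project's parent rather than a destroy and create of the interconnect project.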
@@ -226,7 +231,7 @@ module "dns_hub" {
name = "${local.project_prefix}-c-dns-hub"
org_id = local.org_id
billing_account = local.billing_account
folder_id = google_folder.common.id
folder_id = google_folder.network.id

activate_apis = [
"compute.googleapis.com",
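Review bot: same parent change as the interconnect hunk above; all four hub projects (`interconnect`, `dns-hub`, `base-net-hub`, `restricted-net-hub`) now move together while their names keep the `-c-` segment from `${local.project_prefix}-c-dns-hub`, which still reads as "common". Either add a short comment above this block explaining why these projects live under `network` while other shared projects stay under `common`, or note in the commit message that the `-c-` naming is retained deliberately to avoid renaming (and thus recreating) existing projects.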
@@ -267,7 +272,7 @@ module "base_network_hub" {
name = "${local.project_prefix}-c-base-net-hub"
org_id = local.org_id
billing_account = local.billing_account
folder_id = google_folder.common.id
folder_id = google_folder.network.id

activate_apis = [
"compute.googleapis.com",
@@ -316,7 +321,7 @@ module "restricted_network_hub" {
name = "${local.project_prefix}-c-restricted-net-hub"
org_id = local.org_id
billing_account = local.billing_account
folder_id = google_folder.common.id
folder_id = google_folder.network.id

activate_apis = [
"compute.googleapis.com",
@@ -342,6 +347,38 @@ module "restricted_network_hub" {
budget_alert_spend_basis = var.project_budget.restricted_net_hub_budget_alert_spend_basis
}

/************************************************************
Base and Restricted Network Projects for each Environment
************************************************************/

module "base_restricted_environment_network" {
source = "../../modules/network"
for_each = local.environments

org_id = local.org_id
billing_account = local.billing_account
project_prefix = local.project_prefix
folder_id = google_folder.network.id

env = each.key
env_code = each.value

project_budget = {
base_network_budget_amount = var.project_budget.base_network_budget_amount
base_network_alert_spent_percents = var.project_budget.base_network_alert_spent_percents
base_network_alert_pubsub_topic = var.project_budget.base_network_alert_pubsub_topic
base_network_budget_alert_spend_basis = var.project_budget.base_network_budget_alert_spend_basis
restricted_network_budget_amount = var.project_budget.restricted_network_budget_amount
restricted_network_alert_spent_percents = var.project_budget.restricted_network_alert_spent_percents
restricted_network_alert_pubsub_topic = var.project_budget.restricted_network_alert_pubsub_topic
restricted_network_budget_alert_spend_basis = var.project_budget.restricted_network_budget_alert_spend_basis
}
}

/*********************************************************************
Roles granted to the networks SA for Hub and Spoke network topology
*********************************************************************/

resource "google_project_iam_member" "network_sa_restricted" {
for_each = toset(var.enable_hub_and_spoke ? local.hub_and_spoke_roles : [])

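Review bot: `for_each = local.environments` instantiates the network module three times, and every instance receives `base_network_budget_amount` and `restricted_network_budget_amount` from the same single `var.project_budget` values (default 1000 in the README hunk on this page), so one number set by the user is applied to six projects rather than two; state this in the variable description or give `project_budget` per-environment keys. The module source `../../modules/network` is not part of this diff, so its own outputs and any folder-level assumptions it makes (it is given `google_folder.network.id` for all three environments) should be reviewed alongside this change.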
5 changes: 5 additions & 0 deletions 1-org/envs/shared/tags.tf
@@ -76,6 +76,11 @@ resource "google_tags_tag_binding" "common_folder" {
tag_value = google_tags_tag_value.tag_values["environment_production"].id
}

resource "google_tags_tag_binding" "network_folder" {
parent = "//cloudresourcemanager.googleapis.com/${google_folder.network.id}"
tag_value = google_tags_tag_value.tag_values["environment_production"].id
}

resource "google_tags_tag_binding" "bootstrap_folder" {
parent = "//cloudresourcemanager.googleapis.com/${local.bootstrap_folder_name}"
tag_value = google_tags_tag_value.tag_values["environment_bootstrap"].id
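Review bot: binding `environment_production` to the `network` folder fits the four hub projects, but `projects.tf` in this same commit also creates development and non-production network projects under `google_folder.network.id`; tag bindings are inherited down the resource hierarchy, so those projects carry `environment = production` unless `../../modules/network` attaches its own `environment` tag value to each project. Tag values are what IAM conditions and organization policies key on, so confirm the module does override the tag per environment (it is not visible in this diff), or keep non-production projects out of a production-tagged folder.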