Changes as per @eeaton feedback.
lpezet committed Jul 30, 2024
1 parent 93c3197 commit c417022
Showing 7 changed files with 15 additions and 15 deletions.
2 changes: 1 addition & 1 deletion 1-org/envs/shared/README.md
Expand Up @@ -9,7 +9,7 @@
| data\_access\_logs\_enabled | Enable Data Access logs of types DATA\_READ, DATA\_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN\_READ logs are enabled by default. | `bool` | `false` | no |
| domains\_to\_allow | The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the Terraform Service Account used in the deploy. | `list(string)` | n/a | yes |
| enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
| enable\_scc\_notifications | Enable Security Command Center Notifications. | `bool` | `false` | no |
| enable\_scc\_resources\_in\_terraform | Create Security Command Center resources in Terraform. If your organization has newly enabled any preview features for SCC and get an error related to the v2 API, you must set this variable to false because the v2 API does not yet support Terraform resources. See [issue 1189](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1189) for context. | `bool` | `false` | no |
| enforce\_allowed\_worker\_pools | Whether to enforce the organization policy restriction on allowed worker pools for Cloud Build. | `bool` | `false` | no |
| essential\_contacts\_domains\_to\_allow | The list of domains that email addresses added to Essential Contacts can have. | `list(string)` | n/a | yes |
| essential\_contacts\_language | Essential Contacts preferred language for notifications, as a ISO 639-1 language code. See [Supported languages](https://cloud.google.com/resource-manager/docs/managing-notification-contacts#supported-languages) for a list of supported languages. | `string` | `"en"` | no |
2 changes: 1 addition & 1 deletion 1-org/envs/shared/cai_monitoring.tf
Expand Up @@ -16,7 +16,7 @@

module "cai_monitoring" {
source = "../../modules/cai-monitoring"
count = var.enable_scc_notifications ? 1 : 0
count = var.enable_scc_resources_in_terraform ? 1 : 0
org_id = local.org_id
billing_account = local.billing_account
project_id = module.scc_notifications[0].project_id
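Review bot: `project_id = module.scc_notifications[0].project_id` still indexes the module, but the projects.tf hunk in this same commit removes the `count` from `module "scc_notifications"`, so unless a `count` is re-added outside the shown lines the module is no longer a list and the `[0]` index is a validation error rather than a conditional reference. The line should become `project_id = module.scc_notifications.project_id`. The same `[0]` index survives in iam.tf (`project_scc_admin` and `cai_monitoring_builder`), sa.tf (`cai_monitoring_builder`) and scc_notification.tf (`scc_notification_topic` and `scc_notification_subscription`) and needs the same edit there.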
8 changes: 4 additions & 4 deletions 1-org/envs/shared/iam.tf
Expand Up @@ -162,21 +162,21 @@ resource "google_project_iam_member" "audit_bq_data_viewer" {
}

resource "google_organization_iam_member" "org_scc_admin" {
count = var.gcp_groups.scc_admin != null && local.parent_folder == "" && var.enable_scc_notifications ? 1 : 0
count = var.gcp_groups.scc_admin != null && local.parent_folder == "" ? 1 : 0
org_id = local.org_id
role = "roles/securitycenter.adminEditor"
member = "group:${var.gcp_groups.scc_admin}"
}

resource "google_project_iam_member" "project_scc_admin" {
count = var.gcp_groups.scc_admin != null && var.enable_scc_notifications ? 1 : 0
count = var.gcp_groups.scc_admin != null && var.enable_scc_resources_in_terraform ? 1 : 0
project = module.scc_notifications[0].project_id
role = "roles/securitycenter.adminEditor"
member = "group:${var.gcp_groups.scc_admin}"
}

resource "google_project_iam_member" "global_secrets_admin" {
count = var.gcp_groups.global_secrets_admin && var.enable_scc_notifications != null ? 1 : 0
count = var.gcp_groups.global_secrets_admin != null ? 1 : 0
project = module.org_secrets.project_id
role = "roles/secretmanager.admin"
member = "group:${var.gcp_groups.global_secrets_admin}"
Expand All @@ -191,7 +191,7 @@ resource "google_project_iam_member" "kms_admin" {

resource "google_project_iam_member" "cai_monitoring_builder" {
project = module.scc_notifications[0].project_id
for_each = toset(var.enable_scc_notifications ?
for_each = toset(var.enable_scc_resources_in_terraform ?
[
"roles/logging.logWriter",
"roles/storage.objectViewer",
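Review bot: The `org_scc_admin` count drops the SCC gate while `project_scc_admin` keeps `var.enable_scc_resources_in_terraform` on its count, and since the projects.tf hunk now creates the `scc_notifications` project unconditionally, setting the flag to false leaves the SCC admin group with org-level `roles/securitycenter.adminEditor` but no binding on the notifications project that this commit still creates. If that asymmetry is intended, say so in the variable's description; if not, make the two resources consistent with `count = var.gcp_groups.scc_admin != null ? 1 : 0`. Whether the project-level binding is needed when SCC resources are created by hand is something the commit should state rather than leave implicit.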
6 changes: 3 additions & 3 deletions 1-org/envs/shared/projects.tf
Expand Up @@ -199,9 +199,9 @@ module "interconnect" {
*****************************************/

module "scc_notifications" {
source = "terraform-google-modules/project-factory/google"
version = "~> 15.0"
count = var.enable_scc_notifications ? 1 : 0
source = "terraform-google-modules/project-factory/google"
version = "~> 15.0"

random_project_id = true
random_project_id_length = 4
default_service_account = "deprivilege"
2 changes: 1 addition & 1 deletion 1-org/envs/shared/sa.tf
Expand Up @@ -16,7 +16,7 @@

resource "google_service_account" "cai_monitoring_builder" {
project = module.scc_notifications[0].project_id
count = var.enable_scc_notifications ? 1 : 0
count = var.enable_scc_resources_in_terraform ? 1 : 0
account_id = "cai-monitoring-builder"
description = "Cloud Functions has an underlying dependency on Cloud Build and other services. This service account allows Cloud Build to provision the necessary resources for Cloud Functions."
create_ignore_already_exists = true
6 changes: 3 additions & 3 deletions 1-org/envs/shared/scc_notification.tf
Expand Up @@ -19,20 +19,20 @@
*****************************************/

resource "google_pubsub_topic" "scc_notification_topic" {
count = var.enable_scc_notifications ? 1 : 0
count = var.enable_scc_resources_in_terraform ? 1 : 0
name = "top-scc-notification"
project = module.scc_notifications[0].project_id
}

resource "google_pubsub_subscription" "scc_notification_subscription" {
count = var.enable_scc_notifications ? 1 : 0
count = var.enable_scc_resources_in_terraform ? 1 : 0
name = "sub-scc-notification"
topic = google_pubsub_topic.scc_notification_topic[0].name
project = module.scc_notifications[0].project_id
}

resource "google_scc_notification_config" "scc_notification_config" {
count = var.enable_scc_notifications ? 1 : 0
count = var.enable_scc_resources_in_terraform ? 1 : 0
config_id = var.scc_notification_name
organization = local.org_id
description = "SCC Notification for all active findings"
4 changes: 2 additions & 2 deletions 1-org/envs/shared/variables.tf
Expand Up @@ -20,8 +20,8 @@ variable "enable_hub_and_spoke" {
default = false
}

variable "enable_scc_notifications" {
description = "Enable Security Command Center Notifications."
variable "enable_scc_resources_in_terraform" {
description = "Create Security Command Center resources in Terraform. If your organization has newly enabled any preview features for SCC and get an error related to the v2 API, you must set this variable to false because the v2 API does not yet support Terraform resources. See [issue 1189](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1189) for context."
type = bool
default = false
}
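Review bot: The new description explains when to set `enable_scc_resources_in_terraform` to false but not what that does to the deployment: per this commit the Pub/Sub topic and subscription, the `google_scc_notification_config` and the `cai_monitoring` module are then not created by Terraform, so the organization's SCC findings export is absent until someone provisions it by hand. Add a sentence to the description such as `When false, the SCC notification topic, subscription, notification config and CAI monitoring resources must be created outside Terraform.` The old `enable_scc_notifications` name is also removed without a deprecation step, so an existing tfvars entry for it is silently dropped with only an undeclared-variable warning; a line in the README or changelog pointing at the rename would help operators notice.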
