Merge branch 'master' into add-cloudbuild-github-support
apeabody authored Aug 28, 2024
2 parents 30a56bb + 105a0db commit d294d7f
Showing 49 changed files with 267 additions and 197 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/go-lint.yaml
Expand Up @@ -37,12 +37,12 @@ jobs:
folder: [helpers/foundation-deployer]
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version-file: ${{ matrix.folder }}/go.mod
cache-dependency-path: ${{ matrix.folder }}/go.sum
- name: golangci-lint
uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
with:
version: latest
working-directory: ${{ matrix.folder }}
2 changes: 1 addition & 1 deletion .github/workflows/go-test.yaml
Expand Up @@ -39,7 +39,7 @@ jobs:
folder: [helpers/foundation-deployer]
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version-file: ${{ matrix.folder }}/go.mod
cache-dependency-path: ${{ matrix.folder }}/go.sum
2 changes: 1 addition & 1 deletion 0-bootstrap/modules/tfc-agent-gke/versions.tf
Expand Up @@ -35,7 +35,7 @@ terraform {
}

provider_meta "google" {
module_name = "blueprints/terraform/terraform-google-tf-cloud-agents:tfc-agent-gke/v4.0.0"
module_name = "blueprints/terraform/terraform-google-tf-cloud-agents:tfc-agent-gke/v4.1.0"
}
}

2 changes: 1 addition & 1 deletion 0-bootstrap/versions.tf
Expand Up @@ -43,7 +43,7 @@ terraform {
}

provider_meta "google" {
module_name = "blueprints/terraform/terraform-example-foundation:bootstrap/v4.0.0"
module_name = "blueprints/terraform/terraform-example-foundation:bootstrap/v4.1.0"
}

}
1 change: 1 addition & 0 deletions 1-org/envs/shared/README.md
Expand Up @@ -9,6 +9,7 @@
| data\_access\_logs\_enabled | Enable Data Access logs of types DATA\_READ, DATA\_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN\_READ logs are enabled by default. | `bool` | `false` | no |
| domains\_to\_allow | The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the Terraform Service Account used in the deploy. | `list(string)` | n/a | yes |
| enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
| enable\_scc\_resources\_in\_terraform | Create Security Command Center resources in Terraform. If your organization has newly enabled any preview features for SCC and get an error related to the v2 API, you must set this variable to false because the v2 API does not yet support Terraform resources. See [issue 1189](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1189) for context. | `bool` | `false` | no |
| enforce\_allowed\_worker\_pools | Whether to enforce the organization policy restriction on allowed worker pools for Cloud Build. | `bool` | `false` | no |
| essential\_contacts\_domains\_to\_allow | The list of domains that email addresses added to Essential Contacts can have. | `list(string)` | n/a | yes |
| essential\_contacts\_language | Essential Contacts preferred language for notifications, as a ISO 639-1 language code. See [Supported languages](https://cloud.google.com/resource-manager/docs/managing-notification-contacts#supported-languages) for a list of supported languages. | `string` | `"en"` | no |
6 changes: 3 additions & 3 deletions 1-org/envs/shared/cai_monitoring.tf
Expand Up @@ -15,11 +15,11 @@
*/

module "cai_monitoring" {
source = "../../modules/cai-monitoring"

source = "../../modules/cai-monitoring"
count = var.enable_scc_resources_in_terraform ? 1 : 0
org_id = local.org_id
billing_account = local.billing_account
project_id = module.scc_notifications.project_id
location = local.default_region
build_service_account = "projects/${module.scc_notifications.project_id}/serviceAccounts/${google_service_account.cai_monitoring_builder.email}"
build_service_account = "projects/${module.scc_notifications.project_id}/serviceAccounts/${google_service_account.cai_monitoring_builder[0].email}"
}
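Review bot: The `[0]` index on `google_service_account.cai_monitoring_builder` in the `build_service_account` line is only valid because that service account carries the same `count` gate as this module, and nothing in the block records that coupling. A comment above `count` keeps a later edit from changing one condition without the other: `# Mirrors the count on google_service_account.cai_monitoring_builder (sa.tf); keep both conditions identical.` Note also that `project_id` still dereferences `module.scc_notifications` unconditionally, which is fine only as long as that module stays ungated.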
15 changes: 8 additions & 7 deletions 1-org/envs/shared/iam.tf
Expand Up @@ -169,7 +169,7 @@ resource "google_organization_iam_member" "org_scc_admin" {
}

resource "google_project_iam_member" "project_scc_admin" {
count = var.gcp_groups.scc_admin != null ? 1 : 0
count = var.gcp_groups.scc_admin != null && var.enable_scc_resources_in_terraform ? 1 : 0
project = module.scc_notifications.project_id
role = "roles/securitycenter.adminEditor"
member = "group:${var.gcp_groups.scc_admin}"
Expand All @@ -191,11 +191,12 @@ resource "google_project_iam_member" "kms_admin" {

resource "google_project_iam_member" "cai_monitoring_builder" {
project = module.scc_notifications.project_id
for_each = toset([
"roles/logging.logWriter",
"roles/storage.objectViewer",
"roles/artifactregistry.writer",
])
for_each = toset(var.enable_scc_resources_in_terraform ?
[
"roles/logging.logWriter",
"roles/storage.objectViewer",
"roles/artifactregistry.writer",
] : [])
role = each.key
member = "serviceAccount:${google_service_account.cai_monitoring_builder.email}"
member = "serviceAccount:${google_service_account.cai_monitoring_builder[0].email}"
}
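Review bot: Gating `project_scc_admin` on `var.enable_scc_resources_in_terraform` changes who holds `roles/securitycenter.adminEditor` in the SCC notifications project, which goes beyond what the variable's description ("Create Security Command Center resources in Terraform") announces; with the flag off, the scc_admin group keeps its org-level binding from `org_scc_admin` (defined above this hunk) but receives no project-level role unless someone grants it out of band. Add a comment on the count line, `# Managed only together with the SCC resources; grant out of band when enable_scc_resources_in_terraform is false.`, and say the same in the variable description. As a point of style, `for_each = toset(cond ? [...] : [])` reads more easily as `for_each = var.enable_scc_resources_in_terraform ? toset([...]) : toset([])`, which also keeps the role list at one indentation level.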
10 changes: 5 additions & 5 deletions 1-org/envs/shared/outputs.tf
Expand Up @@ -75,7 +75,7 @@ output "interconnect_project_number" {
}

output "scc_notifications_project_id" {
value = module.scc_notifications.project_id
value = try(module.scc_notifications.project_id, null)
description = "The SCC notifications project ID"
}

Expand Down Expand Up @@ -140,21 +140,21 @@ output "shared_vpc_projects" {
}

output "cai_monitoring_artifact_registry" {
value = module.cai_monitoring.artifact_registry_name
value = try(module.cai_monitoring[0].artifact_registry_name, null)
description = "CAI Monitoring Cloud Function Artifact Registry name."
}

output "cai_monitoring_asset_feed" {
value = module.cai_monitoring.asset_feed_name
value = try(module.cai_monitoring[0].asset_feed_name, null)
description = "CAI Monitoring Cloud Function Organization Asset Feed name."
}

output "cai_monitoring_bucket" {
value = module.cai_monitoring.bucket_name
value = try(module.cai_monitoring[0].bucket_name, null)
description = "CAI Monitoring Cloud Function Source Bucket name."
}

output "cai_monitoring_topic" {
value = module.cai_monitoring.topic_name
value = try(module.cai_monitoring[0].topic_name, null)
description = "CAI Monitoring Cloud Function Pub/Sub Topic name."
}
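Review bot: `try(module.scc_notifications.project_id, null)` in `scc_notifications_project_id` wraps a reference that this commit does not make conditional — no hunk shown here adds a `count` to that module — so the `try()` only masks a genuine reference error rather than handling an absent instance; unless the module is gated somewhere outside this view, the original unwrapped value is the safer choice. For the four `cai_monitoring` outputs, `one(module.cai_monitoring[*].artifact_registry_name)` (and likewise for the others) returns null in the zero-count case without swallowing unrelated errors the way `try()` does, provided the required Terraform version supports `one()`. Either way, a one-line comment on the first of them, `# null when enable_scc_resources_in_terraform is false`, tells consumers why these outputs can be empty.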
1 change: 1 addition & 0 deletions 1-org/envs/shared/sa.tf
Expand Up @@ -16,6 +16,7 @@

resource "google_service_account" "cai_monitoring_builder" {
project = module.scc_notifications.project_id
count = var.enable_scc_resources_in_terraform ? 1 : 0
account_id = "cai-monitoring-builder"
description = "Cloud Functions has an underlying dependency on Cloud Build and other services. This service account allows Cloud Build to provision the necessary resources for Cloud Functions."
create_ignore_already_exists = true
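Review bot: The new `count` line sits after `project`, while the sibling resources in scc_notification.tf put `count` first; Terraform style places meta-arguments before regular arguments, so move `count = var.enable_scc_resources_in_terraform ? 1 : 0` above `project` to match the rest of the change. The resource body continues below the hunk.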
7 changes: 5 additions & 2 deletions 1-org/envs/shared/scc_notification.tf
Expand Up @@ -19,21 +19,24 @@
*****************************************/

resource "google_pubsub_topic" "scc_notification_topic" {
count = var.enable_scc_resources_in_terraform ? 1 : 0
name = "top-scc-notification"
project = module.scc_notifications.project_id
}

resource "google_pubsub_subscription" "scc_notification_subscription" {
count = var.enable_scc_resources_in_terraform ? 1 : 0
name = "sub-scc-notification"
topic = google_pubsub_topic.scc_notification_topic.name
topic = google_pubsub_topic.scc_notification_topic[0].name
project = module.scc_notifications.project_id
}

resource "google_scc_notification_config" "scc_notification_config" {
count = var.enable_scc_resources_in_terraform ? 1 : 0
config_id = var.scc_notification_name
organization = local.org_id
description = "SCC Notification for all active findings"
pubsub_topic = google_pubsub_topic.scc_notification_topic.id
pubsub_topic = google_pubsub_topic.scc_notification_topic[0].id

streaming_config {
filter = var.scc_notification_filter
6 changes: 6 additions & 0 deletions 1-org/envs/shared/variables.tf
Expand Up @@ -20,6 +20,12 @@ variable "enable_hub_and_spoke" {
default = false
}

variable "enable_scc_resources_in_terraform" {
description = "Create Security Command Center resources in Terraform. If your organization has newly enabled any preview features for SCC and get an error related to the v2 API, you must set this variable to false because the v2 API does not yet support Terraform resources. See [issue 1189](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1189) for context."
type = bool
default = false
}

variable "domains_to_allow" {
description = "The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the Terraform Service Account used in the deploy."
type = list(string)
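Review bot: The description of `enable_scc_resources_in_terraform` explains the v2 API workaround but not what `false` leaves unmanaged, which is what an operator needs before flipping it: as far as the hunks shown here go, the SCC notification config, topic and subscription, the cai-monitoring module, its builder service account and bindings, and the project-level scc_admin grant all drop to count zero, and on an existing deployment that is a destroy plan. Append a sentence such as `When false, the SCC notification config, the CAI monitoring module and their IAM bindings are not created (and are destroyed if previously managed) and must be provisioned outside Terraform.`, and regenerate the table in 1-org/envs/shared/README.md so the two stay in step. The `false` default also means a fresh deployment has no findings export from this module unless the operator opts in, which the added sentence should make explicit.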
4 changes: 2 additions & 2 deletions 1-org/envs/shared/versions.tf
Expand Up @@ -31,10 +31,10 @@ terraform {
}

provider_meta "google" {
module_name = "blueprints/terraform/terraform-example-foundation:org/v4.0.0"
module_name = "blueprints/terraform/terraform-example-foundation:org/v4.1.0"
}

provider_meta "google-beta" {
module_name = "blueprints/terraform/terraform-example-foundation:org/v4.0.0"
module_name = "blueprints/terraform/terraform-example-foundation:org/v4.1.0"
}
}
79 changes: 43 additions & 36 deletions 1-org/modules/cai-monitoring/function-source/package-lock.json


2 changes: 1 addition & 1 deletion 1-org/modules/cai-monitoring/function-source/package.json
Expand Up @@ -9,7 +9,7 @@
"author": "",
"license": "ISC",
"dependencies": {
"@google-cloud/security-center": "8.8.0",
"@google-cloud/security-center": "8.11.0",
"uuid4": "2.0.3",
"moment": "2.30.1"
}
5 changes: 2 additions & 3 deletions 1-org/modules/cai-monitoring/main.tf
Expand Up @@ -162,9 +162,8 @@ module "cloud_function" {
service_config = {
service_account_email = google_service_account.cloudfunction.email
runtime_env_variables = {
ROLES = join(",", var.roles_to_monitor)
SOURCE_ID = google_scc_source.cai_monitoring.id
LOG_EXECUTION_ID = "true"
ROLES = join(",", var.roles_to_monitor)
SOURCE_ID = google_scc_source.cai_monitoring.id
}
}

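Review bot: The new side of `runtime_env_variables` appears to drop `LOG_EXECUTION_ID = "true"` — the section reports three deletions against two additions, and that is the only line without a counterpart — yet nothing in the commit says why. As I understand it, that variable is the Functions Framework switch that stamps an execution ID on each log entry, so a responder reading these logs loses the key that ties lines to a single invocation; if the removal is deliberate (for instance because the runtime now emits execution IDs by default), say so in the commit message, and if it is a merge slip, restore `LOG_EXECUTION_ID = "true"` next to `SOURCE_ID`. The `module "cloud_function"` block starts above this hunk.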
4 changes: 2 additions & 2 deletions 1-org/modules/cai-monitoring/versions.tf
Expand Up @@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 3.77"
version = ">= 5.42"
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 3.77"
version = ">= 5.42"
}
random = {
source = "hashicorp/random"
4 changes: 2 additions & 2 deletions 2-environments/modules/env_baseline/versions.tf
Expand Up @@ -28,10 +28,10 @@ terraform {
}

provider_meta "google" {
module_name = "blueprints/terraform/terraform-example-foundation:environments/v4.0.0"
module_name = "blueprints/terraform/terraform-example-foundation:environments/v4.1.0"
}

provider_meta "google-beta" {
module_name = "blueprints/terraform/terraform-example-foundation:environments/v4.0.0"
module_name = "blueprints/terraform/terraform-example-foundation:environments/v4.1.0"
}
}