From 145f45807c829be7b8a38551f27b873ba1a12aad Mon Sep 17 00:00:00 2001
From: mariammartins
Date: Mon, 26 Aug 2024 15:39:09 -0300
Subject: [PATCH 1/3] remove data_acess_logs_enabled references

---
 1-org/README.md | 5 -----
 1-org/envs/shared/README.md | 1 -
 1-org/envs/shared/iam.tf | 24 ++----------------------
 1-org/envs/shared/variables.tf | 6 ------
 4 files changed, 2 insertions(+), 34 deletions(-)

diff --git a/1-org/README.md b/1-org/README.md
index 1be58e521..2c0b16e00 100644
--- a/1-org/README.md
+++ b/1-org/README.md
@@ -68,11 +68,6 @@ See [troubleshooting](../docs/TROUBLESHOOTING.md) if you run into issues during
 
 ## Usage
 
-**Disclaimer:** This step enables [Data Access logs](https://cloud.google.com/logging/docs/audit#data-access) for all services in your organization.
-Enabling Data Access logs might result in your project being charged for the additional logs usage.
-For details on costs you might incur, go to [Pricing](https://cloud.google.com/stackdriver/pricing).
-You can choose not to enable the Data Access logs by setting the variable `data_access_logs_enabled` to false.
-
 Consider the following:
 
 - This module creates a sink to export all logs to a Cloud Logging bucket. It also creates sinks to export a subset of security-related logs
diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md
index 671157da3..e260c67ca 100644
--- a/1-org/envs/shared/README.md
+++ b/1-org/envs/shared/README.md
@@ -6,7 +6,6 @@
 | billing\_export\_dataset\_location | The location of the dataset for billing data export. | `string` | `null` | no |
 | create\_access\_context\_manager\_access\_policy | Whether to create access context manager access policy. | `bool` | `true` | no |
 | create\_unique\_tag\_key | Creates unique organization-wide tag keys by adding a random suffix to each key. | `bool` | `false` | no |
-| data\_access\_logs\_enabled | Enable Data Access logs of types DATA\_READ, DATA\_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN\_READ logs are enabled by default. | `bool` | `false` | no |
 | domains\_to\_allow | The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the Terraform Service Account used in the deploy. | `list(string)` | n/a | yes |
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
 | enable\_scc\_resources\_in\_terraform | Create Security Command Center resources in Terraform. If your organization has newly enabled any preview features for SCC and get an error related to the v2 API, you must set this variable to false because the v2 API does not yet support Terraform resources. See [issue 1189](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1189) for context. | `bool` | `false` | no |
diff --git a/1-org/envs/shared/iam.tf b/1-org/envs/shared/iam.tf
index 3a0cca12b..93e232197 100644
--- a/1-org/envs/shared/iam.tf
+++ b/1-org/envs/shared/iam.tf
@@ -18,25 +18,13 @@ Audit Logs - IAM
 *****************************************/
 
-locals {
-enabling_data_logs = var.data_access_logs_enabled ? ["DATA_WRITE", "DATA_READ"] : []
-}
-
 
 resource "google_organization_iam_audit_config" "org_config" {
 count = local.parent_folder == "" ? 1 : 0
 org_id = local.org_id
 service = "allServices"
 
-###################################################################################################
-### Audit logs can generate costs, to know more about it,
-### check the official documentation: https://cloud.google.com/stackdriver/pricing#logging-costs
-### To know more about audit logs, you can find more infos
-### here https://cloud.google.com/logging/docs/audit/configure-data-access
-### To enable DATA_READ and DATA_WRITE audit logs, set `data_access_logs_enabled` to true
-### ADMIN_READ logs are enabled by default.
-####################################################################################################
 dynamic "audit_log_config" {
-for_each = setunion(local.enabling_data_logs, ["ADMIN_READ"])
+for_each = ["ADMIN_READ"]
 content {
 log_type = audit_log_config.key
 }
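Review bot: The new `for_each = ["ADMIN_READ"]` on the `dynamic "audit_log_config"` block breaks the `log_type = audit_log_config.key` line that is kept as context: for a list `for_each` the iterator's `key` is the element index, so `log_type` becomes `0` rather than `"ADMIN_READ"`, whereas the old `setunion(...)` produced a set, where `key` equals `value`. Either read the element, `log_type = audit_log_config.value`, or drop the dynamic block for a static `audit_log_config { log_type = "ADMIN_READ" }`. The same edit is made in the `folder_config` hunk that follows; the second patch in this series replaces both dynamic blocks with static ones, so this only matters if patch 1 is ever applied on its own. The closing braces of the `dynamic` block and of the `org_config` resource lie outside this hunk.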
@@ -48,16 +36,8 @@ resource "google_folder_iam_audit_config" "folder_config" {
 folder = "folders/${local.parent_folder}"
 service = "allServices"
 
-###################################################################################################
-### Audit logs can generate costs, to know more about it,
-### check the official documentation: https://cloud.google.com/stackdriver/pricing#logging-costs
-### To know more about audit logs, you can find more infos
-### here https://cloud.google.com/logging/docs/audit/configure-data-access
-### To enable DATA_READ and DATA_WRITE audit logs, set `data_access_logs_enabled` to true
-### ADMIN_READ logs are enabled by default.
-####################################################################################################
 dynamic "audit_log_config" {
-for_each = setunion(local.enabling_data_logs, ["ADMIN_READ"])
+for_each = ["ADMIN_READ"]
 content {
 log_type = audit_log_config.key
 }
diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf
index 24d454e6e..01ba2a832 100644
--- a/1-org/envs/shared/variables.tf
+++ b/1-org/envs/shared/variables.tf
@@ -54,12 +54,6 @@ variable "enforce_allowed_worker_pools" {
 default = false
 }
 
-variable "data_access_logs_enabled" {
-description = "Enable Data Access logs of types DATA_READ, DATA_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN_READ logs are enabled by default."
-type = bool
-default = false
-}
-
 variable "log_export_storage_location" {
 description = "The location of the storage bucket used to export logs."
 type = string
From 94a5cc1d656ea539fa41be19315d557b1bd25c95 Mon Sep 17 00:00:00 2001
From: mariammartins
Date: Mon, 26 Aug 2024 17:00:12 -0300
Subject: [PATCH 2/3] removing for_each

---
 1-org/envs/shared/iam.tf | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/1-org/envs/shared/iam.tf b/1-org/envs/shared/iam.tf
index 93e232197..1798ebb56 100644
--- a/1-org/envs/shared/iam.tf
+++ b/1-org/envs/shared/iam.tf
@@ -23,11 +23,8 @@ resource "google_organization_iam_audit_config" "org_config" {
 org_id = local.org_id
 service = "allServices"
 
-dynamic "audit_log_config" {
-for_each = ["ADMIN_READ"]
-content {
-log_type = audit_log_config.key
-}
+audit_log_config {
+log_type = "ADMIN_READ"
 }
 }
 
@@ -36,11 +33,8 @@ resource "google_folder_iam_audit_config" "folder_config" {
 folder = "folders/${local.parent_folder}"
 service = "allServices"
 
-dynamic "audit_log_config" {
-for_each = ["ADMIN_READ"]
-content {
-log_type = audit_log_config.key
-}
+audit_log_config {
+log_type = "ADMIN_READ"
 }
 }
 
From 242da9a56a3a3eddc0ac92ff2be773b1d8c846c1 Mon Sep 17 00:00:00 2001
From: mariammartins
Date: Tue, 27 Aug 2024 14:31:33 -0300
Subject: [PATCH 3/3] removing resources

---
 1-org/envs/shared/iam.tf | 20 --------------------
 1 file changed, 20 deletions(-)

diff --git a/1-org/envs/shared/iam.tf b/1-org/envs/shared/iam.tf
index 1798ebb56..b5c627705 100644
--- a/1-org/envs/shared/iam.tf
+++ b/1-org/envs/shared/iam.tf
@@ -18,26 +18,6 @@ Audit Logs - IAM
 *****************************************/
 
 
-resource "google_organization_iam_audit_config" "org_config" {
-count = local.parent_folder == "" ? 1 : 0
-org_id = local.org_id
-service = "allServices"
-
-audit_log_config {
-log_type = "ADMIN_READ"
-}
-}
-
-resource "google_folder_iam_audit_config" "folder_config" {
-count = local.parent_folder != "" ? 1 : 0
-folder = "folders/${local.parent_folder}"
-service = "allServices"
-
-audit_log_config {
-log_type = "ADMIN_READ"
-}
-}
-
 resource "google_project_iam_member" "audit_log_logging_viewer" {
 project = module.org_audit_logs.project_id
 role = "roles/logging.viewer"
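Review bot: Deleting `google_organization_iam_audit_config.org_config` and `google_folder_iam_audit_config.folder_config` in the last patch does more than stop managing the `ADMIN_READ` setting: on an already-deployed foundation the next apply destroys the two resources, and as far as I know the provider's destroy removes the `allServices` audit configuration they created, so admin-read Data Access logs at the organization or parent-folder level stop being collected unless something outside this module sets them. If the intent is to leave the existing configuration in place and merely stop managing it, a `removed` block with `lifecycle { destroy = false }` (Terraform 1.7+, if the pinned version allows it) drops the resources from state without destroying them; otherwise the upgrade notes should say that this audit coverage has to be re-established elsewhere. The commit message `removing resources` does not record why the org-level audit config is being dropped, and nothing in the earlier hunks explains it either; a sentence in the message, or a short comment under the `Audit Logs - IAM` header stating that Data Access audit configuration is now left to the organization, would keep the decision discoverable. The `audit_log_logging_viewer` resource kept as trailing context continues past the end of the hunk.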