From 440e9c59b93d91370e2ff356f5982ab6352347ea Mon Sep 17 00:00:00 2001
From: lcaggio
Date: Wed, 25 Jan 2023 12:32:10 +0100
Subject: [PATCH] Update
---
 .../data-solutions/shielded-folder/kms.tf | 8 ++++----
 .../shielded-folder/log-export.tf | 14 +++++++-------
 .../data-solutions/shielded-folder/main.tf | 4 ++--
 .../data-solutions/shielded-folder/variables.tf | 17 ++++++++++++++---
 4 files changed, 27 insertions(+), 16 deletions(-)
diff --git a/blueprints/data-solutions/shielded-folder/kms.tf b/blueprints/data-solutions/shielded-folder/kms.tf
index 94ff244d9..a48243060 100644
--- a/blueprints/data-solutions/shielded-folder/kms.tf
+++ b/blueprints/data-solutions/shielded-folder/kms.tf
@@ -30,17 +30,17 @@ locals {
 # Log sink keys
 kms_log_sink_keys = {
- "log-gcs" = {
+ "storage" = {
 labels = {}
 locations = [var.log_locations.gcs]
 rotation_period = "7776000s"
 }
- "log-bq" = {
+ "bq" = {
 labels = {}
 locations = [var.log_locations.bq]
 rotation_period = "7776000s"
 }
- "log-pubsub" = {
+ "pubsub" = {
 labels = {}
 locations = [var.log_locations.pubsub]
 rotation_period = "7776000s"
@@ -58,7 +58,7 @@ module "sec-project" {
 name = "sec-core"
 parent = module.folder.id
 billing_account = try(var.projects_create.billing_account_id, null)
- project_create = var.projects_create != null
+ project_create = var.projects_create != null && var.enable_features.kms
 prefix = var.projects_create == null ? null : var.prefix
 group_iam = {
 (local.groups.data-engineers) = [
diff --git a/blueprints/data-solutions/shielded-folder/log-export.tf b/blueprints/data-solutions/shielded-folder/log-export.tf
index 430b9f33d..2d8a5f843 100644
--- a/blueprints/data-solutions/shielded-folder/log-export.tf
+++ b/blueprints/data-solutions/shielded-folder/log-export.tf
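Review bot: Gating `project_create` on `var.enable_features.kms` does not disable the `sec-project` module; when the flag is false and `projects_create` is set, the module is still evaluated with `project_create = false`, so it presumably looks up a pre-existing `sec-core` project instead of skipping it, which is unlikely to be what a feature toggle is meant to do. The same pattern appears for `log-export-project` in log-export.tf (`project_create = var.projects_create != null && var.enable_features.log_sink`). If the intent is to not provision these projects at all, the toggle belongs on the module instantiation (a `count` or `for_each` keyed on the flag), and every reference to their outputs then needs a `try()`/`one()` guard. The `sec-project` block continues outside the hunk, so I cannot confirm whether such a guard already exists.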
@@ -24,9 +24,9 @@ locals {
 )
 log_types = toset([for k, v in var.log_sinks : v.type])
 _log_keys = {
- bq = [module.log-kms[var.log_locations.bq].keys["log-bq"].id]
- pubsub = try([module.log-kms[var.log_locations.pubsub].keys["log-pubsub"].id], null)
- storage = [module.log-kms[var.log_locations.gcs].keys["log-gcs"].id]
+ bq = [module.log-kms[var.log_locations.bq].keys["bq"].id]
+ pubsub = try([module.log-kms[var.log_locations.pubsub].keys["pubsub"].id], null)
+ storage = [module.log-kms[var.log_locations.gcs].keys["storage"].id]
 }
 log_keys = {
@@ -39,7 +39,7 @@ module "log-export-project" {
 name = "audit-logs"
 parent = module.folder.id
 billing_account = try(var.projects_create.billing_account_id, null)
- project_create = var.projects_create != null
+ project_create = var.projects_create != null && var.enable_features.log_sink
 prefix = var.projects_create == null ? null : var.prefix
 iam = {
 # "roles/owner" = [module.automation-tf-bootstrap-sa.iam_email]
@@ -61,7 +61,7 @@ module "log-export-dataset" {
 id = "${var.prefix}_audit_export"
 friendly_name = "Audit logs export."
 location = replace(var.log_locations.bq, "europe", "EU")
- encryption_key = module.log-kms[var.log_locations.bq].keys["log-bq"].id
+ encryption_key = var.enable_features.kms ? module.log-kms[var.log_locations.bq].keys["bq"].id : false
 }
 module "log-export-gcs" {
@@ -72,7 +72,7 @@ module "log-export-gcs" {
 prefix = var.prefix
 location = replace(var.log_locations.gcs, "europe", "EU")
 storage_class = local.gcs_storage_class
- encryption_key = module.log-kms[var.log_locations.gcs].keys["log-gcs"].id
+ encryption_key = var.enable_features.kms ? module.log-kms[var.log_locations.gcs].keys["storage"].id : null
 }
 module "log-export-logbucket" {
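Review bot: The `bq` and `storage` entries of `_log_keys` still dereference `module.log-kms[...]` unconditionally, while every consumer touched by this commit guards the same lookup with `var.enable_features.kms`. If `log-kms` is no longer instantiated when the flag is false (its definition is outside this hunk), these two expressions fail at plan time even though nothing consumes the keys, which makes the toggle unusable. Guarding them the way `pubsub` already is, `bq = try([module.log-kms[var.log_locations.bq].keys["bq"].id], null)` and the same for `storage`, or gating the whole local on the flag, avoids that.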
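Review bot: `log-export-dataset` falls back to `false` when KMS is disabled, while the bucket hunk (`@@ -72`) and the topic hunk in the next chunk fall back to `null`. If the dataset module types `encryption_key` as a string, `false` is implicitly converted to the string `"false"` and sent to the API as a key name, which will almost certainly be rejected at apply time; if it is typed otherwise the plan fails instead. Use the same fallback as the other destinations: `encryption_key = var.enable_features.kms ? module.log-kms[var.log_locations.bq].keys["bq"].id : null`.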
@@ -91,5 +91,5 @@ module "log-export-pubsub" {
 project_id = module.log-export-project.project_id
 name = "audit-logs-${each.key}"
 regions = [var.log_locations.pubsub]
- kms_key = module.log-kms[var.log_locations.pubsub].keys["log-pubsub"].id
+ kms_key = var.enable_features.kms ? module.log-kms[var.log_locations.pubsub].keys["pubsub"].id : null
 }
diff --git a/blueprints/data-solutions/shielded-folder/main.tf b/blueprints/data-solutions/shielded-folder/main.tf
index 33a2b50bc..924b5167d 100644
--- a/blueprints/data-solutions/shielded-folder/main.tf
+++ b/blueprints/data-solutions/shielded-folder/main.tf
@@ -67,14 +67,14 @@ module "folder" {
 policy_name = "hierarchical-policy"
 rules_file = "${var.data_dir}/firewall-policies/hierarchical-policy-rules.yaml"
 }
- logging_sinks = {
+ logging_sinks = var.enable_features.log_sink ? {
 for name, attrs in var.log_sinks : name => {
 bq_partitioned_table = attrs.type == "bigquery"
 destination = local.log_sink_destinations[name].id
 filter = attrs.filter
 type = attrs.type
 }
- }
+ } : null
 }
 #TODO VPCSC
diff --git a/blueprints/data-solutions/shielded-folder/variables.tf b/blueprints/data-solutions/shielded-folder/variables.tf
index 548d6fd28..8735886d8 100644
--- a/blueprints/data-solutions/shielded-folder/variables.tf
+++ b/blueprints/data-solutions/shielded-folder/variables.tf
@@ -41,8 +41,19 @@ variable "data_dir" {
 default = "data"
 }
+variable "enable_features" {
+ description = "Flag to enable features on the solution."
+ type = object({
+ kms = bool
+ log_sink = bool
+ })
+ default = {
+ kms = true
+ log_sink = true
+ }
+}
 variable "folder_create" {
- description = "Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format."
+ description = "Provide values if folder creation is needed, uses existing folder if null. Parent is in 'folders/nnn' or 'organizations/nnn' format."
 type = object({
 display_name = string
 parent = string
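Review bot: `logging_sinks` becomes `null` rather than an empty map when `log_sink` is off, and whether that is accepted depends on the folder module's variable declaration, which this hunk does not show: with `nullable = false` (the convention this same commit keeps for `log_locations`) the plan fails, and otherwise `null` silently means "use the module default". Writing `} : {}` states the intent directly and works in both cases. Note also that, as far as these hunks show, the sink destinations (`log-export-dataset`, `log-export-gcs`, `log-export-pubsub`) are not gated on the flag, so disabling `log_sink` removes the folder sinks but still provisions the export targets.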
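Review bot: The description of `enable_features` does not say what each flag turns off, which matters in a shielded-folder blueprint because both toggles remove a security control: `kms = false` stops creating the `sec-core` project and leaves the audit-log dataset, bucket and topics on Google-managed encryption, and `log_sink = false` drops the folder logging sinks and the `audit-logs` project creation. Suggested text: `description = "Feature toggles. kms: create the security project and use CMEK keys for the audit-log export destinations; log_sink: configure the folder logging sinks and create the audit-logs export project."`. For consistency with `log_locations` in the same file add `nullable = false`, and keep a blank line before `variable "folder_create"` as the surrounding blocks do.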
@@ -83,13 +94,13 @@ variable "log_locations" {
 bq = optional(string, "europe")
 gcs = optional(string, "europe")
 logging = optional(string, "global")
- pubsub = optional(string, null)
+ pubsub = optional(string, "global")
 })
 default = {
 bq = "europe"
 gcs = "europe"
 logging = "global"
- pubsub = null
+ pubsub = "global"
 }
 nullable = false
 }
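Review bot: Defaulting `pubsub` to `"global"` means the Pub/Sub KMS key and the audit-log topics are now placed in `global` unless the caller overrides it, while the `bq` and `gcs` defaults keep the same audit data in `europe`; since the other defaults express a residency choice, this divergence should at least be stated in the variable description, or the default aligned with the others. The `try(..., null)` around `_log_keys.pubsub` in log-export.tf existed to tolerate a null location; with a non-null default it now only masks genuine lookup errors, so either drop it or document why it stays. If `log-export-pubsub` passes `regions = [var.log_locations.pubsub]` straight through to a message storage policy, confirm that `global` is accepted there, as that setting expects Cloud regions.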