Update FAST logging (#2235)
* Update FAST logging
* Fix readme
* Fix tests
@@ -138,7 +138,9 @@ Because of limitations of API availability, manual steps have to be followed to
### Organization-level logging
We create organization-level log sinks early in the bootstrap process to ensure a proper audit trail is in place from the very beginning. By default, we provide log filters to capture [Cloud Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Service Controls violations](https://cloud.google.com/vpc-service-controls/docs/troubleshooting#vpc-sc-errors) and [Workspace Logs](https://cloud.google.com/logging/docs/audit/configure-gsuite-audit-logs) into logging buckets in the top-level audit logging project.
We create organization-level log sinks early in the bootstrap process to ensure a proper audit trail is in place from the very beginning. By default, we provide log filters to capture [Cloud Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Service Controls violations](https://cloud.google.com/vpc-service-controls/docs/troubleshooting#vpc-sc-errors) and [Workspace Logs](https://cloud.google.com/logging/docs/audit/configure-gsuite-audit-logs) into logging buckets in the top-level audit logging project.
An organization-level sink captures IAM data access logs, including authentication and impersonation events for service accounts. To manage logging costs, the default configuration enables IAM data access logging only within the automation project (where sensitive service accounts reside). For enhanced security across the entire organization, consider enabling these logs at the organization level.
The [Customizations](#log-sinks-and-log-destinations) section explains how to change the logs captured and their destination.
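Review bot: the unchanged sentence "By default, we provide log filters to capture Cloud Audit Logs, VPC Service Controls violations and Workspace Logs" still lists three sinks, while this commit adds a fourth default sink (`iam`) that the new paragraph refers to only as "an organization-level sink". Name it in that sentence (for example "..., Workspace Logs and IAM data access logs") so the prose matches the `log_sinks` default. The new paragraph also says "consider enabling these logs at the organization level" without saying where that is done: either add that knob to the Customizations section it points to, or state that it is a manual step on the organization audit config, otherwise a reader may assume the org-level sink by itself turns the logs on. The two "We create organization-level log sinks..." lines are identical as rendered, so that part of the hunk looks like a whitespace-only change.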
@@ -626,8 +628,8 @@ The `fast_features` variable consists of 4 toggles:
| name | description | type | required | default | producer |
|---|---|:---:|:---:|:---:|:---:|
| [billing_account](variables.tf#L17) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | <code title="object({ id = string is_org_level = optional(bool, true) no_iam = optional(bool, false) })">object({…})</code> | ✓ | | |
| [organization](variables.tf#L223) | Organization details. | <code title="object({ id = number domain = optional(string) customer_id = optional(string) })">object({…})</code> | ✓ | | |
| [prefix](variables.tf#L238) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | |
| [organization](variables.tf#L241) | Organization details. | <code title="object({ id = number domain = optional(string) customer_id = optional(string) })">object({…})</code> | ✓ | | |
| [prefix](variables.tf#L256) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | |
| [bootstrap_user](variables.tf#L27) | Email of the nominal user running this stage for the first time. | <code>string</code> | | <code>null</code> | |
| [cicd_repositories](variables.tf#L33) | CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | <code title="object({ bootstrap = optional(object({ name = string type = string branch = optional(string) identity_provider = optional(string) })) resman = optional(object({ name = string type = string branch = optional(string) identity_provider = optional(string) })) })">object({…})</code> | | <code>null</code> | |
| [custom_roles](variables.tf#L79) | Map of role names => list of permissions to additionally create at the organization level. | <code>map(list(string))</code> | | <code>{}</code> | |
@@ -639,12 +641,12 @@ The `fast_features` variable consists of 4 toggles:
| [iam_bindings_additive](variables.tf#L141) | Organization-level custom additive IAM bindings. Keys are arbitrary. | <code title="map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> | |
| [iam_by_principals](variables.tf#L156) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> | |
| [locations](variables.tf#L163) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object({ bq = optional(string, "EU") gcs = optional(string, "EU") logging = optional(string, "global") pubsub = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
| [log_sinks](variables.tf#L177) | Org-level log sinks, in name => {type, filter} format. | <code title="map(object({ filter = string type = string }))">map(object({…}))</code> | | <code title="{ audit-logs = { filter = "logName:\"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName:\"/logs/cloudaudit.googleapis.com%2Fsystem_event\" OR protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.TransparencyLog\"" type = "logging" } vpc-sc = { filter = "protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata\"" type = "logging" } workspace-audit-logs = { filter = "logName:\"/logs/cloudaudit.googleapis.com%2Fdata_access\" and protoPayload.serviceName:\"login.googleapis.com\"" type = "logging" } }">{…}</code> | |
| [org_policies_config](variables.tf#L206) | Organization policies customization. | <code title="object({ constraints = optional(object({ allowed_policy_member_domains = optional(list(string), []) }), {}) import_defaults = optional(bool, false) tag_name = optional(string, "org-policies") tag_values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) })), {}) })">object({…})</code> | | <code>{}</code> | |
| [outputs_location](variables.tf#L232) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | <code>string</code> | | <code>null</code> | |
| [project_parent_ids](variables.tf#L247) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | <code title="object({ automation = optional(string) billing = optional(string) logging = optional(string) })">object({…})</code> | | <code>{}</code> | |
| [workforce_identity_providers](variables.tf#L258) | Workforce Identity Federation pools. | <code title="map(object({ attribute_condition = optional(string) issuer = string display_name = string description = string disabled = optional(bool, false) saml = optional(object({ idp_metadata_xml = string }), null) }))">map(object({…}))</code> | | <code>{}</code> | |
| [workload_identity_providers](variables.tf#L274) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | <code title="map(object({ attribute_condition = optional(string) issuer = string custom_settings = optional(object({ issuer_uri = optional(string) audiences = optional(list(string), []) jwks_json = optional(string) }), {}) }))">map(object({…}))</code> | | <code>{}</code> | |
| [log_sinks](variables.tf#L177) | Org-level log sinks, in name => {type, filter} format. | <code title="map(object({ filter = string type = string }))">map(object({…}))</code> | | <code title="{ audit-logs = { filter = <<-FILTER log_id("cloudaudit.googleapis.com/activity") OR log_id("cloudaudit.googleapis.com/system_event") OR log_id("cloudaudit.googleapis.com/policy") OR log_id("cloudaudit.googleapis.com/access_transparency") FILTER type = "logging" } iam = { filter = <<-FILTER protoPayload.serviceName="iamcredentials.googleapis.com" OR protoPayload.serviceName="iam.googleapis.com" OR protoPayload.serviceName="sts.googleapis.com" FILTER type = "logging" } vpc-sc = { filter = <<-FILTER protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata" FILTER type = "logging" } workspace-audit-logs = { filter = <<-FILTER log_id("cloudaudit.googleapis.com/data_access") protoPayload.serviceName:"login.googleapis.com" FILTER type = "logging" } }">{…}</code> | |
| [org_policies_config](variables.tf#L224) | Organization policies customization. | <code title="object({ constraints = optional(object({ allowed_policy_member_domains = optional(list(string), []) }), {}) import_defaults = optional(bool, false) tag_name = optional(string, "org-policies") tag_values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) })), {}) })">object({…})</code> | | <code>{}</code> | |
| [outputs_location](variables.tf#L250) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | <code>string</code> | | <code>null</code> | |
| [project_parent_ids](variables.tf#L265) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | <code title="object({ automation = optional(string) billing = optional(string) logging = optional(string) })">object({…})</code> | | <code>{}</code> | |
| [workforce_identity_providers](variables.tf#L276) | Workforce Identity Federation pools. | <code title="map(object({ attribute_condition = optional(string) issuer = string display_name = string description = string disabled = optional(bool, false) saml = optional(object({ idp_metadata_xml = string }), null) }))">map(object({…}))</code> | | <code>{}</code> | |
| [workload_identity_providers](variables.tf#L292) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | <code title="map(object({ attribute_condition = optional(string) issuer = string custom_settings = optional(object({ issuer_uri = optional(string) audiences = optional(list(string), []) jwks_json = optional(string) }), {}) }))">map(object({…}))</code> | | <code>{}</code> | |
## Outputs
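Review bot: in the regenerated `log_sinks` default the `vpc-sc` filter switches from `protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"` to the same value compared with `:`. In the Logging query language `:` is a contains match rather than equality; it still matches because the full type URL is given, but if the relaxation is intentional say so in the variable description, otherwise keep `=` as in the old default. Also, the heredoc defaults (`<<-FILTER ... FILTER`) land in the `<code title>` attribute with their line breaks collapsed, so the four filters read as one run-on string in the rendered table; that is acceptable for a generated table, but the Organization-level logging section should then list the four sink names (`audit-logs`, `iam`, `vpc-sc`, `workspace-audit-logs`) and what each captures, since the table is no longer readable on its own.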
@@ -156,6 +156,24 @@ module "automation-project" {
"container.googleapis.com",
]
)
# Enable IAM data access logs to capture impersonation and service
# account token generation events. This is implemented within the
# automation project to limit log volume. For heightened security,
# consider enabling it at the organization level. A log sink within
# the organization will collect and store these logs in a logging
# bucket. See
# https://cloud.google.com/iam/docs/audit-logging#audited_operations
logging_data_access = {
"iam.googleapis.com" = {
# ADMIN_READ captures impersonation and token generation/exchanges
ADMIN_READ = []
# enable DATA_WRITE if you want to capture configuration changes
# to IAM-related resources (roles, deny policies, service
# accounts, identity pools, etc)
# DATA_WRITE = []
}
}
}
# output files bucket
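Review bot: `ADMIN_READ = []` is not explained by the comment block above it, and an empty list reads like "nothing enabled" to anyone not familiar with the module's `logging_data_access` shape; add a trailing comment saying what the list holds (the principals exempted from this log type, if it follows the usual audit-config shape, so `[]` means exempt nobody), the way `DATA_WRITE` gets one. The comment should also spell out what "within the automation project" buys: Data Access entries are written to the project that owns the accessed resource, so this captures impersonation of, and token generation for, service accounts that live in the automation project only; service accounts created later in other projects (per-stage or per-environment) will not produce these entries unless the same block is set there or at the organization level, and the org-level `iam` sink will have nothing to collect for them.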
@@ -182,15 +182,33 @@ variable "log_sinks" {
}))
default = {
audit-logs = {
filter = "logName:\"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName:\"/logs/cloudaudit.googleapis.com%2Fsystem_event\" OR protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.TransparencyLog\""
filter = <<-FILTER
log_id("cloudaudit.googleapis.com/activity") OR
log_id("cloudaudit.googleapis.com/system_event") OR
log_id("cloudaudit.googleapis.com/policy") OR
log_id("cloudaudit.googleapis.com/access_transparency")
FILTER
type = "logging"
}
iam = {
filter = <<-FILTER
protoPayload.serviceName="iamcredentials.googleapis.com" OR
protoPayload.serviceName="iam.googleapis.com" OR
protoPayload.serviceName="sts.googleapis.com"
FILTER
type = "logging"
}
vpc-sc = {
filter = "protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata\""
filter = <<-FILTER
protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
FILTER
type = "logging"
}
workspace-audit-logs = {
filter = "logName:\"/logs/cloudaudit.googleapis.com%2Fdata_access\" and protoPayload.serviceName:\"login.googleapis.com\""
filter = <<-FILTER
log_id("cloudaudit.googleapis.com/data_access")
protoPayload.serviceName:"login.googleapis.com"
FILTER
type = "logging"
}
}
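Review bot: two of the new defaults overlap with `audit-logs` and will route the same entries to two logging buckets, which doubles ingestion for them. The `iam` sink pins no log id, so Admin Activity entries for `iam.googleapis.com` (SetIamPolicy, service account creation, role changes) match both `log_id("cloudaudit.googleapis.com/activity")` in `audit-logs` and `protoPayload.serviceName="iam.googleapis.com"` here; if `iam` is meant to hold only the Data Access entries enabled in the automation project, add the log id as a conjunct:
log_id("cloudaudit.googleapis.com/data_access") AND (
  protoPayload.serviceName="iamcredentials.googleapis.com" OR
  protoPayload.serviceName="iam.googleapis.com" OR protoPayload.serviceName="sts.googleapis.com")
Likewise `log_id("cloudaudit.googleapis.com/policy")`, newly added to `audit-logs`, is the Policy Denied log where VPC Service Controls violations are written, so `vpc-sc` now duplicates a subset of `audit-logs`; either drop `policy` from `audit-logs` or document the duplication as intended. Finally, replacing the `protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.TransparencyLog"` clause with `log_id("cloudaudit.googleapis.com/access_transparency")` changes how Access Transparency entries are selected for the `audit-logs` bucket and deserves a line in the commit message.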