Commit

Merge branch 'master' into enable-fine-grained-configuration-for-vpc-flow-logs
daniel-cit authored Dec 5, 2023
2 parents 3b1be73 + 8a4c106 commit 13f324d
Showing 17 changed files with 80 additions and 46 deletions.
2 changes: 1 addition & 1 deletion 1-org/envs/shared/README.md
Expand Up @@ -22,7 +22,7 @@
| log\_export\_storage\_location | The location of the storage bucket used to export logs. | `string` | `"US"` | no |
| log\_export\_storage\_retention\_policy | Configuration of the bucket's data retention policy for how long objects in the bucket should be retained. | <pre>object({<br> is_locked = bool<br> retention_period_days = number<br> })</pre> | `null` | no |
| log\_export\_storage\_versioning | (Optional) Toggles bucket versioning, ability to retain a non-current object version when the live object version gets replaced or deleted. | `bool` | `false` | no |
| project\_budget | Budget configuration for projects.<br> budget\_amount: The amount to use as the budget.<br> alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.<br> alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`. | <pre>object({<br> dns_hub_budget_amount = optional(number, 1000)<br> dns_hub_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])<br> dns_hub_alert_pubsub_topic = optional(string, null)<br> base_net_hub_budget_amount = optional(number, 1000)<br> base_net_hub_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])<br> base_net_hub_alert_pubsub_topic = optional(string, null)<br> restricted_net_hub_budget_amount = optional(number, 1000)<br> restricted_net_hub_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])<br> restricted_net_hub_alert_pubsub_topic = optional(string, null)<br> interconnect_budget_amount = optional(number, 1000)<br> interconnect_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])<br> interconnect_alert_pubsub_topic = optional(string, null)<br> org_secrets_budget_amount = optional(number, 1000)<br> org_secrets_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])<br> org_secrets_alert_pubsub_topic = optional(string, null)<br> org_billing_logs_budget_amount = optional(number, 1000)<br> org_billing_logs_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])<br> org_billing_logs_alert_pubsub_topic = optional(string, null)<br> org_audit_logs_budget_amount = optional(number, 1000)<br> org_audit_logs_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])<br> org_audit_logs_alert_pubsub_topic = optional(string, null)<br> scc_notifications_budget_amount = optional(number, 1000)<br> scc_notifications_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])<br> 
scc_notifications_alert_pubsub_topic = optional(string, null)<br> })</pre> | `{}` | no |
| project\_budget | Budget configuration for projects.<br> budget\_amount: The amount to use as the budget.<br> alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.<br> alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.<br> alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). | <pre>object({<br> dns_hub_budget_amount = optional(number, 1000)<br> dns_hub_alert_spent_percents = optional(list(number), [1.2])<br> dns_hub_alert_pubsub_topic = optional(string, null)<br> dns_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> base_net_hub_budget_amount = optional(number, 1000)<br> base_net_hub_alert_spent_percents = optional(list(number), [1.2])<br> base_net_hub_alert_pubsub_topic = optional(string, null)<br> base_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> restricted_net_hub_budget_amount = optional(number, 1000)<br> restricted_net_hub_alert_spent_percents = optional(list(number), [1.2])<br> restricted_net_hub_alert_pubsub_topic = optional(string, null)<br> restricted_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> interconnect_budget_amount = optional(number, 1000)<br> interconnect_alert_spent_percents = optional(list(number), [1.2])<br> interconnect_alert_pubsub_topic = optional(string, null)<br> interconnect_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> org_secrets_budget_amount = optional(number, 1000)<br> org_secrets_alert_spent_percents = optional(list(number), [1.2])<br> org_secrets_alert_pubsub_topic = optional(string, null)<br> org_secrets_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> org_billing_logs_budget_amount = optional(number, 1000)<br> 
org_billing_logs_alert_spent_percents = optional(list(number), [1.2])<br> org_billing_logs_alert_pubsub_topic = optional(string, null)<br> org_billing_logs_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> org_audit_logs_budget_amount = optional(number, 1000)<br> org_audit_logs_alert_spent_percents = optional(list(number), [1.2])<br> org_audit_logs_alert_pubsub_topic = optional(string, null)<br> org_audit_logs_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> scc_notifications_budget_amount = optional(number, 1000)<br> scc_notifications_alert_spent_percents = optional(list(number), [1.2])<br> scc_notifications_alert_pubsub_topic = optional(string, null)<br> scc_notifications_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> })</pre> | `{}` | no |
| remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
| scc\_notification\_filter | Filter used to create the Security Command Center Notification, you can see more details on how to create filters in https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter | `string` | `"state = \"ACTIVE\""` | no |
| scc\_notification\_name | Name of the Security Command Center Notification. It must be unique in the organization. Run `gcloud scc notifications describe <scc_notification_name> --organization=org_id` to check if it already exists. | `string` | n/a | yes |
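Review bot: the replacement row still describes `alert_spent_percents` as "A list of percentages of the budget" while its new default is `[1.2]`, a fraction meaning 120% of the budget; the description should state the unit (1.0 = 100%) so the single value is not read as 1.2%. The new keys are also named `*_budget_alert_spend_basis` while their siblings in the same object are `*_alert_spent_percents` and `*_alert_pubsub_topic` without the `budget_` infix; pick one naming pattern before this ships, since renaming an object attribute later is a breaking change for every tfvars file that sets it. If this table is generated from the variable description, both fixes belong in `1-org/envs/shared/variables.tf`.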
8 changes: 8 additions & 0 deletions 1-org/envs/shared/projects.tf
Expand Up @@ -52,6 +52,7 @@ module "org_audit_logs" {
budget_alert_pubsub_topic = var.project_budget.org_audit_logs_alert_pubsub_topic
budget_alert_spent_percents = var.project_budget.org_audit_logs_alert_spent_percents
budget_amount = var.project_budget.org_audit_logs_budget_amount
budget_alert_spend_basis = var.project_budget.org_audit_logs_budget_alert_spend_basis
}

module "org_billing_logs" {
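Review bot: `budget_alert_spend_basis` is passed to the `org_audit_logs` project module here, and the same line is added to the other seven project modules in this file; that input must exist in the project module version this file pins, otherwise `terraform validate` fails with an unsupported-argument error on every one of these modules. The `source`/`version` lines are outside the hunk, so please confirm the module was bumped to a release that accepts `budget_alert_spend_basis`.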
Expand Down Expand Up @@ -79,6 +80,7 @@ module "org_billing_logs" {
budget_alert_pubsub_topic = var.project_budget.org_billing_logs_alert_pubsub_topic
budget_alert_spent_percents = var.project_budget.org_billing_logs_alert_spent_percents
budget_amount = var.project_budget.org_billing_logs_budget_amount
budget_alert_spend_basis = var.project_budget.org_billing_logs_budget_alert_spend_basis
}

/******************************************
Expand Down Expand Up @@ -110,6 +112,7 @@ module "org_secrets" {
budget_alert_pubsub_topic = var.project_budget.org_secrets_alert_pubsub_topic
budget_alert_spent_percents = var.project_budget.org_secrets_alert_spent_percents
budget_amount = var.project_budget.org_secrets_budget_amount
budget_alert_spend_basis = var.project_budget.org_secrets_budget_alert_spend_basis
}

/******************************************
Expand Down Expand Up @@ -141,6 +144,7 @@ module "interconnect" {
budget_alert_pubsub_topic = var.project_budget.interconnect_alert_pubsub_topic
budget_alert_spent_percents = var.project_budget.interconnect_alert_spent_percents
budget_amount = var.project_budget.interconnect_budget_amount
budget_alert_spend_basis = var.project_budget.interconnect_budget_alert_spend_basis
}

/******************************************
Expand Down Expand Up @@ -172,6 +176,7 @@ module "scc_notifications" {
budget_alert_pubsub_topic = var.project_budget.scc_notifications_alert_pubsub_topic
budget_alert_spent_percents = var.project_budget.scc_notifications_alert_spent_percents
budget_amount = var.project_budget.scc_notifications_budget_amount
budget_alert_spend_basis = var.project_budget.scc_notifications_budget_alert_spend_basis
}

/******************************************
Expand Down Expand Up @@ -211,6 +216,7 @@ module "dns_hub" {
budget_alert_pubsub_topic = var.project_budget.dns_hub_alert_pubsub_topic
budget_alert_spent_percents = var.project_budget.dns_hub_alert_spent_percents
budget_amount = var.project_budget.dns_hub_budget_amount
budget_alert_spend_basis = var.project_budget.dns_hub_budget_alert_spend_basis
}

/******************************************
Expand Down Expand Up @@ -251,6 +257,7 @@ module "base_network_hub" {
budget_alert_pubsub_topic = var.project_budget.base_net_hub_alert_pubsub_topic
budget_alert_spent_percents = var.project_budget.base_net_hub_alert_spent_percents
budget_amount = var.project_budget.base_net_hub_budget_amount
budget_alert_spend_basis = var.project_budget.base_net_hub_budget_alert_spend_basis
}

resource "google_project_iam_member" "network_sa_base" {
Expand Down Expand Up @@ -299,6 +306,7 @@ module "restricted_network_hub" {
budget_alert_pubsub_topic = var.project_budget.restricted_net_hub_alert_pubsub_topic
budget_alert_spent_percents = var.project_budget.restricted_net_hub_alert_spent_percents
budget_amount = var.project_budget.restricted_net_hub_budget_amount
budget_alert_spend_basis = var.project_budget.restricted_net_hub_budget_alert_spend_basis
}

resource "google_project_iam_member" "network_sa_restricted" {
57 changes: 33 additions & 24 deletions 1-org/envs/shared/variables.tf
Expand Up @@ -115,32 +115,41 @@ variable "project_budget" {
budget_amount: The amount to use as the budget.
alert_spent_percents: A list of percentages of the budget to alert on when threshold is exceeded.
alert_pubsub_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.
alert_spend_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default).
EOT
type = object({
dns_hub_budget_amount = optional(number, 1000)
dns_hub_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])
dns_hub_alert_pubsub_topic = optional(string, null)
base_net_hub_budget_amount = optional(number, 1000)
base_net_hub_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])
base_net_hub_alert_pubsub_topic = optional(string, null)
restricted_net_hub_budget_amount = optional(number, 1000)
restricted_net_hub_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])
restricted_net_hub_alert_pubsub_topic = optional(string, null)
interconnect_budget_amount = optional(number, 1000)
interconnect_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])
interconnect_alert_pubsub_topic = optional(string, null)
org_secrets_budget_amount = optional(number, 1000)
org_secrets_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])
org_secrets_alert_pubsub_topic = optional(string, null)
org_billing_logs_budget_amount = optional(number, 1000)
org_billing_logs_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])
org_billing_logs_alert_pubsub_topic = optional(string, null)
org_audit_logs_budget_amount = optional(number, 1000)
org_audit_logs_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])
org_audit_logs_alert_pubsub_topic = optional(string, null)
scc_notifications_budget_amount = optional(number, 1000)
scc_notifications_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])
scc_notifications_alert_pubsub_topic = optional(string, null)
dns_hub_budget_amount = optional(number, 1000)
dns_hub_alert_spent_percents = optional(list(number), [1.2])
dns_hub_alert_pubsub_topic = optional(string, null)
dns_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
base_net_hub_budget_amount = optional(number, 1000)
base_net_hub_alert_spent_percents = optional(list(number), [1.2])
base_net_hub_alert_pubsub_topic = optional(string, null)
base_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
restricted_net_hub_budget_amount = optional(number, 1000)
restricted_net_hub_alert_spent_percents = optional(list(number), [1.2])
restricted_net_hub_alert_pubsub_topic = optional(string, null)
restricted_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
interconnect_budget_amount = optional(number, 1000)
interconnect_alert_spent_percents = optional(list(number), [1.2])
interconnect_alert_pubsub_topic = optional(string, null)
interconnect_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_secrets_budget_amount = optional(number, 1000)
org_secrets_alert_spent_percents = optional(list(number), [1.2])
org_secrets_alert_pubsub_topic = optional(string, null)
org_secrets_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_billing_logs_budget_amount = optional(number, 1000)
org_billing_logs_alert_spent_percents = optional(list(number), [1.2])
org_billing_logs_alert_pubsub_topic = optional(string, null)
org_billing_logs_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_audit_logs_budget_amount = optional(number, 1000)
org_audit_logs_alert_spent_percents = optional(list(number), [1.2])
org_audit_logs_alert_pubsub_topic = optional(string, null)
org_audit_logs_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
scc_notifications_budget_amount = optional(number, 1000)
scc_notifications_alert_spent_percents = optional(list(number), [1.2])
scc_notifications_alert_pubsub_topic = optional(string, null)
scc_notifications_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
})
default = {}
}
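Review bot: the description says `alert_spend_basis` accepts only `CURRENT_SPEND` or `FORECASTED_SPEND`, but nothing enforces it, so a typo such as "FORECAST_SPEND" passes `terraform validate` and only fails at apply time from the Billing Budgets API, after the rest of the plan has started. Add a `validation` block per key (or one `alltrue([...])` over all eight), e.g.
  condition     = contains(["CURRENT_SPEND", "FORECASTED_SPEND"], var.project_budget.dns_hub_budget_alert_spend_basis)
  error_message = "dns_hub_budget_alert_spend_basis must be CURRENT_SPEND or FORECASTED_SPEND."
Separately, this hunk changes two defaults at once: thresholds move from `[0.5, 0.75, 0.9, 0.95]` to `[1.2]` and the basis becomes `FORECASTED_SPEND`, so with defaults an alert now fires only when forecasted spend exceeds 120% of the budget instead of at 50/75/90/95% of actual spend. That drops the early-warning alerts for the audit-log and billing-log projects too; if intentional, say why in the description and call it out as a behaviour change for existing deployments.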
2 changes: 1 addition & 1 deletion 2-environments/modules/env_baseline/README.md
Expand Up @@ -7,7 +7,7 @@
| env | The environment to prepare (ex. development) | `string` | n/a | yes |
| environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization (ex. d). | `string` | n/a | yes |
| monitoring\_workspace\_users | Google Workspace or Cloud Identity group that have access to Monitoring Workspaces. | `string` | n/a | yes |
| project\_budget | Budget configuration for projects.<br> budget\_amount: The amount to use as the budget.<br> alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.<br> alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`. | <pre>object({<br> base_network_budget_amount = optional(number, 1000)<br> base_network_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])<br> base_network_alert_pubsub_topic = optional(string, null)<br> restricted_network_budget_amount = optional(number, 1000)<br> restricted_network_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])<br> restricted_network_alert_pubsub_topic = optional(string, null)<br> monitoring_budget_amount = optional(number, 1000)<br> monitoring_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])<br> monitoring_alert_pubsub_topic = optional(string, null)<br> secret_budget_amount = optional(number, 1000)<br> secret_alert_spent_percents = optional(list(number), [0.5, 0.75, 0.9, 0.95])<br> secret_alert_pubsub_topic = optional(string, null)<br> })</pre> | `{}` | no |
| project\_budget | Budget configuration for projects.<br> budget\_amount: The amount to use as the budget.<br> alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.<br> alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.<br> alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). | <pre>object({<br> base_network_budget_amount = optional(number, 1000)<br> base_network_alert_spent_percents = optional(list(number), [1.2])<br> base_network_alert_pubsub_topic = optional(string, null)<br> base_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> restricted_network_budget_amount = optional(number, 1000)<br> restricted_network_alert_spent_percents = optional(list(number), [1.2])<br> restricted_network_alert_pubsub_topic = optional(string, null)<br> restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> monitoring_budget_amount = optional(number, 1000)<br> monitoring_alert_spent_percents = optional(list(number), [1.2])<br> monitoring_alert_pubsub_topic = optional(string, null)<br> monitoring_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> secret_budget_amount = optional(number, 1000)<br> secret_alert_spent_percents = optional(list(number), [1.2])<br> secret_alert_pubsub_topic = optional(string, null)<br> secret_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> })</pre> | `{}` | no |
| remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |

## Outputs
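Review bot: this table documents four new `*_budget_alert_spend_basis` keys for the env_baseline module, but `2-environments/modules/env_baseline/variables.tf` is not among the files shown on this page (the file list is cut off after secrets.tf), so confirm the object type there was extended as well; monitoring.tf, networking.tf and secrets.tf below read `var.project_budget.<x>_budget_alert_spend_basis`, and those references fail validation if the attribute is missing from the object type.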
1 change: 1 addition & 0 deletions 2-environments/modules/env_baseline/monitoring.tf
Expand Up @@ -48,4 +48,5 @@ module "monitoring_project" {
budget_alert_pubsub_topic = var.project_budget.monitoring_alert_pubsub_topic
budget_alert_spent_percents = var.project_budget.monitoring_alert_spent_percents
budget_amount = var.project_budget.monitoring_budget_amount
budget_alert_spend_basis = var.project_budget.monitoring_budget_alert_spend_basis
}
1 change: 1 addition & 0 deletions 2-environments/modules/env_baseline/networking.tf
Expand Up @@ -88,4 +88,5 @@ module "restricted_shared_vpc_host_project" {
budget_alert_pubsub_topic = var.project_budget.restricted_network_alert_pubsub_topic
budget_alert_spent_percents = var.project_budget.restricted_network_alert_spent_percents
budget_amount = var.project_budget.restricted_network_budget_amount
budget_alert_spend_basis = var.project_budget.restricted_network_budget_alert_spend_basis
}
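Review bot: this file receives exactly one addition (the header says "1 addition & 0 deletions") and it is on `restricted_shared_vpc_host_project`, yet the README hunk above introduces `base_network_budget_alert_spend_basis` alongside `restricted_network_budget_alert_spend_basis`. Unless the base shared VPC host project module lives in a file not shown here, `base_network_budget_alert_spend_basis` is declared but never passed to a module, so setting it has no effect and the base host project keeps whatever basis the project module defaults to. Add `budget_alert_spend_basis = var.project_budget.base_network_budget_alert_spend_basis` to the base host project module so the two environments' networks are configured symmetrically.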
1 change: 1 addition & 0 deletions 2-environments/modules/env_baseline/secrets.tf
Expand Up @@ -46,4 +46,5 @@ module "env_secrets" {
budget_alert_pubsub_topic = var.project_budget.secret_alert_pubsub_topic
budget_alert_spent_percents = var.project_budget.secret_alert_spent_percents
budget_amount = var.project_budget.secret_budget_amount
budget_alert_spend_basis = var.project_budget.secret_budget_alert_spend_basis
}