fix
Signed-off-by: Kenny Leung <kleung@chainguard.dev>
k4leung4 committed Oct 3, 2024
1 parent 1d36bab commit 5f1e83b
Showing 28 changed files with 40 additions and 83 deletions.
2 changes: 2 additions & 0 deletions modules/audit-serviceaccount/main.tf
@@ -1,4 +1,6 @@
resource "google_monitoring_alert_policy" "generate-access-token" {
count = len(var.notification_channels) > 0 ? 1 : 0

# In the absence of data, incident will auto-close after an hour
alert_strategy {
auto_close = "3600s"
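Review bot: `len` is not a Terraform built-in function, so the new `count` line on `generate-access-token` fails at plan time with an unknown-function error; it should read `count = length(var.notification_channels) > 0 ? 1 : 0`. Every other `count` line this commit introduces uses the same `len(...)` call (bucket-events, cloudevent-recorder, cloudevent-trigger, configmap, cron, github-gsa, regional-service, secret, serverless-gclb) and needs the same change. Adding `count` to a resource that previously had none also changes its address to `google_monitoring_alert_policy.generate-access-token[0]`, so without a `moved` block from the old address to the indexed one Terraform destroys and recreates the policy, leaving a short gap in the token-minting audit alert during apply; the `anomalous-secret-access` policy in modules/secret/main.tf has the same issue. This module's variables.tf is not in the diff, so confirm `notification_channels` is actually declared as an input of audit-serviceaccount. The resource body continues below the hunk.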
1 change: 0 additions & 1 deletion modules/bucket-events/README.md
Expand Up @@ -118,7 +118,6 @@ No requirements.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_bucket"></a> [bucket](#input\_bucket) | The name of the bucket to watch for events. The region where the bucket is located will be the region where the Pub/Sub topic and trampoline service will be created. The bucket must be in a region that is in the set of regions passed to the regions variable. | `string` | n/a | yes |
| <a name="input_enable_lasers"></a> [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no |
| <a name="input_enable_profiler"></a> [enable\_profiler](#input\_enable\_profiler) | Enable cloud profiler. | `bool` | `false` | no |
| <a name="input_gcs_event_types"></a> [gcs\_event\_types](#input\_gcs\_event\_types) | The types of GCS events to watch for (https://cloud.google.com/storage/docs/pubsub-notifications#payload). | `list(string)` | <pre>[<br/> "OBJECT_FINALIZE",<br/> "OBJECT_METADATA_UPDATE",<br/> "OBJECT_DELETE",<br/> "OBJECT_ARCHIVE"<br/>]</pre> | no |
| <a name="input_ingress"></a> [ingress](#input\_ingress) | An object holding the name of the ingress service, which can be used to authorize callers to publish cloud events. | <pre>object({<br/> name = string<br/> })</pre> | n/a | yes |
2 changes: 1 addition & 1 deletion modules/bucket-events/main.tf
Expand Up @@ -56,7 +56,7 @@ resource "google_service_account_iam_binding" "allow-pubsub-to-mint-tokens" {
}

module "audit-delivery-serviceaccount" {
count = var.enable_lasers ? 1 : 0
count = len(var.notification_channels) > 0 ? 1 : 0

source = "../audit-serviceaccount"

6 changes: 0 additions & 6 deletions modules/bucket-events/variables.tf
Expand Up @@ -48,9 +48,3 @@ variable "enable_profiler" {
default = false
description = "Enable cloud profiler."
}

variable "enable_lasers" {
description = "Whether to enable alert policy for abnormal access to resource."
type = bool
default = false
}
1 change: 0 additions & 1 deletion modules/cloudevent-recorder/README.md
Expand Up @@ -137,7 +137,6 @@ No requirements.
| <a name="input_cloud_storage_config_max_bytes"></a> [cloud\_storage\_config\_max\_bytes](#input\_cloud\_storage\_config\_max\_bytes) | The maximum bytes that can be written to a Cloud Storage file before a new file is created. Min 1 KB, max 10 GiB. | `number` | `1000000000` | no |
| <a name="input_cloud_storage_config_max_duration"></a> [cloud\_storage\_config\_max\_duration](#input\_cloud\_storage\_config\_max\_duration) | The maximum duration that can elapse before a new Cloud Storage file is created. Min 1 minute, max 10 minutes, default 5 minutes. | `number` | `300` | no |
| <a name="input_deletion_protection"></a> [deletion\_protection](#input\_deletion\_protection) | Whether to enable deletion protection on data resources. | `bool` | `true` | no |
| <a name="input_enable_lasers"></a> [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no |
| <a name="input_enable_profiler"></a> [enable\_profiler](#input\_enable\_profiler) | Enable cloud profiler. | `bool` | `false` | no |
| <a name="input_flush_interval"></a> [flush\_interval](#input\_flush\_interval) | Flush interval for logrotate, as a duration string. | `string` | `""` | no |
| <a name="input_ignore_unknown_values"></a> [ignore\_unknown\_values](#input\_ignore\_unknown\_values) | Whether to ignore unknown values in the data, when transferring data to BigQuery. | `bool` | `false` | no |
2 changes: 1 addition & 1 deletion modules/cloudevent-recorder/bigquery.tf
Expand Up @@ -75,7 +75,7 @@ resource "google_service_account_iam_binding" "provisioner-acts-as-import-identi
}

module "audit-import-serviceaccount" {
count = var.enable_lasers ? 1 : 0
count = len(var.notification_channels) > 0 ? 1 : 0

source = "../audit-serviceaccount"

2 changes: 1 addition & 1 deletion modules/cloudevent-recorder/main.tf
Expand Up @@ -51,7 +51,7 @@ resource "google_storage_bucket" "recorder" {
data "google_client_openid_userinfo" "me" {}

resource "google_monitoring_alert_policy" "bucket-access" {
count = var.enable_lasers ? 1 : 0
count = len(var.notification_channels) > 0 ? 1 : 0

# In the absence of data, incident will auto-close after an hour
alert_strategy {
6 changes: 0 additions & 6 deletions modules/cloudevent-recorder/variables.tf
Expand Up @@ -143,9 +143,3 @@ variable "flush_interval" {
type = string
default = ""
}

variable "enable_lasers" {
description = "Whether to enable alert policy for abnormal access to resource."
type = bool
default = false
}
1 change: 0 additions & 1 deletion modules/cloudevent-trigger/README.md
Expand Up @@ -115,7 +115,6 @@ No requirements.
|------|-------------|------|---------|:--------:|
| <a name="input_ack_deadline_seconds"></a> [ack\_deadline\_seconds](#input\_ack\_deadline\_seconds) | The deadline for acking a message. | `number` | `300` | no |
| <a name="input_broker"></a> [broker](#input\_broker) | The name of the pubsub topic we are using as a broker. | `string` | n/a | yes |
| <a name="input_enable_lasers"></a> [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no |
| <a name="input_filter"></a> [filter](#input\_filter) | A Knative Trigger-style filter over the cloud event attributes.<br/><br/>This is normally used to filter relevant event types, for example:<br/><br/> { "type" : "dev.chainguard.foo" }<br/><br/>In this case, only events with a type attribute of "dev.chainguard.foo" will be delivered. | `map(string)` | `{}` | no |
| <a name="input_filter_has_attributes"></a> [filter\_has\_attributes](#input\_filter\_has\_attributes) | A Knative Trigger-style filter over the cloud event attribute prefixes.<br/><br/>This can be used to filter on the presence of an event attribute, for example:<br/><br/> ["location"]<br/><br/>In this case, any event with a type attribute of "location" will be delivered. | `list(string)` | `[]` | no |
| <a name="input_filter_not_has_attributes"></a> [filter\_not\_has\_attributes](#input\_filter\_not\_has\_attributes) | A Knative Trigger-style filter over the cloud event attribute prefixes.<br/><br/>This can be used to filter on the absence of an event attribute, for example:<br/><br/> ["location"]<br/><br/>In this case, any event with a type attribute of "location" will NOT be delivered. | `list(string)` | `[]` | no |
2 changes: 1 addition & 1 deletion modules/cloudevent-trigger/main.tf
Expand Up @@ -31,7 +31,7 @@ resource "google_service_account_iam_binding" "allow-pubsub-to-mint-tokens" {
}

module "audit-trigger-serviceaccount" {
count = var.enable_lasers ? 1 : 0
count = len(var.notification_channels) > 0 ? 1 : 0

source = "../audit-serviceaccount"

6 changes: 0 additions & 6 deletions modules/cloudevent-trigger/variables.tf
Expand Up @@ -109,9 +109,3 @@ variable "ack_deadline_seconds" {
type = number
default = 300
}

variable "enable_lasers" {
description = "Whether to enable alert policy for abnormal access to resource."
type = bool
default = false
}
1 change: 0 additions & 1 deletion modules/configmap/README.md
Expand Up @@ -89,7 +89,6 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_data"></a> [data](#input\_data) | The data to place in the secret. | `string` | n/a | yes |
| <a name="input_enable_lasers"></a> [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no |
| <a name="input_name"></a> [name](#input\_name) | The name to give the secret. | `string` | n/a | yes |
| <a name="input_notification-channels"></a> [notification-channels](#input\_notification-channels) | The channels to notify if the configuration data is improperly accessed. | `list(string)` | n/a | yes |
| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | n/a | `string` | n/a | yes |
2 changes: 1 addition & 1 deletion modules/configmap/main.tf
Expand Up @@ -30,7 +30,7 @@ data "google_client_openid_userinfo" "me" {}

// Create an alert policy to notify if the secret is accessed by an unauthorized entity.
resource "google_monitoring_alert_policy" "anomalous-secret-access" {
count = var.enable_lasers ? 1 : 0
count = len(var.notification_channels) > 0 ? 1 : 0

# In the absence of data, incident will auto-close after an hour
alert_strategy {
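Review bot: The configmap module declares its channel list as `notification-channels` (hyphenated, as shown in this commit's configmap variables.tf and README), but the new `count` line on `anomalous-secret-access` references `var.notification_channels`, which is not a declared input of this module and fails at plan time. Either rename the variable to `notification_channels` (updating callers and the README) or reference the existing one, e.g. `count = length(var.notification-channels) > 0 ? 1 : 0`. Note that the `len(...)` call itself is also not a Terraform function and must become `length(...)` regardless of which name is used. The resource body continues below the hunk.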
6 changes: 0 additions & 6 deletions modules/configmap/variables.tf
Expand Up @@ -21,9 +21,3 @@ variable "notification-channels" {
description = "The channels to notify if the configuration data is improperly accessed."
type = list(string)
}

variable "enable_lasers" {
description = "Whether to enable alert policy for abnormal access to resource."
type = bool
default = false
}
4 changes: 2 additions & 2 deletions modules/cron/main.tf
Expand Up @@ -218,7 +218,7 @@ resource "google_service_account" "delivery" {
}

module "audit-delivery-serviceaccount" {
count = var.enable_lasers ? 1 : 0
count = len(var.notification_channels) > 0 ? 1 : 0

source = "../audit-serviceaccount"

Expand Down Expand Up @@ -284,7 +284,7 @@ data "google_client_openid_userinfo" "me" {}

// Create an alert policy to notify if the job is accessed by an unauthorized entity.
resource "google_monitoring_alert_policy" "anomalous-job-access" {
count = var.enable_lasers ? 1 : 0
count = len(var.notification_channels) > 0 ? 1 : 0

# In the absence of data, incident will auto-close after an hour
alert_strategy {
1 change: 0 additions & 1 deletion modules/github-gsa/README.md
Expand Up @@ -59,7 +59,6 @@ No requirements.
|------|-------------|------|---------|:--------:|
| <a name="input_audit_refspec"></a> [audit\_refspec](#input\_audit\_refspec) | The regular expression to use for auditing the refspec component when using '*' | `string` | `""` | no |
| <a name="input_audit_workflow_ref"></a> [audit\_workflow\_ref](#input\_audit\_workflow\_ref) | The regular expression to use for auditing the workflow ref component when using '*' | `string` | `""` | no |
| <a name="input_enable_lasers"></a> [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no |
| <a name="input_name"></a> [name](#input\_name) | The name to give the service account. | `string` | n/a | yes |
| <a name="input_notification_channels"></a> [notification\_channels](#input\_notification\_channels) | The list of notification channels to alert when the service account is misused. | `list(string)` | n/a | yes |
| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | n/a | `string` | n/a | yes |
2 changes: 1 addition & 1 deletion modules/github-gsa/main.tf
Expand Up @@ -136,7 +136,7 @@ resource "google_service_account_iam_binding" "allow-impersonation" {
// Create an auditing policy to ensure that tokens are only issued for identities
// matching our expectations.
module "audit-usage" {
count = var.enable_lasers ? 1 : 0
count = len(var.notification_channels) > 0 ? 1 : 0

source = "../audit-serviceaccount"

6 changes: 0 additions & 6 deletions modules/github-gsa/variables.tf
Expand Up @@ -50,9 +50,3 @@ variable "notification_channels" {
description = "The list of notification channels to alert when the service account is misused."
type = list(string)
}

variable "enable_lasers" {
description = "Whether to enable alert policy for abnormal access to resource."
type = bool
default = false
}
5 changes: 0 additions & 5 deletions modules/regional-go-service/main.tf
Expand Up @@ -5,11 +5,6 @@ terraform {
}
}

moved {
from = module.audit-serviceaccount
to = module.this.module.audit-serviceaccount
}

moved {
from = google_project_iam_member.metrics-writer
to = module.this.google_project_iam_member.metrics-writer
1 change: 0 additions & 1 deletion modules/regional-service/README.md
Expand Up @@ -89,7 +89,6 @@ No requirements.
| <a name="input_containers"></a> [containers](#input\_containers) | The containers to run in the service. Each container will be run in each region. | <pre>map(object({<br/> image = string<br/> args = optional(list(string), [])<br/> ports = optional(list(object({<br/> name = optional(string, "http1")<br/> container_port = number<br/> })), [])<br/> resources = optional(<br/> object(<br/> {<br/> limits = optional(object(<br/> {<br/> cpu = string<br/> memory = string<br/> }<br/> ), null)<br/> cpu_idle = optional(bool, true)<br/> startup_cpu_boost = optional(bool, true)<br/> }<br/> ),<br/> {<br/> cpu_idle = true<br/> }<br/> )<br/> env = optional(list(object({<br/> name = string<br/> value = optional(string)<br/> value_source = optional(object({<br/> secret_key_ref = object({<br/> secret = string<br/> version = string<br/> })<br/> }), null)<br/> })), [])<br/> regional-env = optional(list(object({<br/> name = string<br/> value = map(string)<br/> })), [])<br/> volume_mounts = optional(list(object({<br/> name = string<br/> mount_path = string<br/> })), [])<br/> }))</pre> | n/a | yes |
| <a name="input_deletion_protection"></a> [deletion\_protection](#input\_deletion\_protection) | Whether to enable delete protection for the service. | `bool` | `true` | no |
| <a name="input_egress"></a> [egress](#input\_egress) | Which type of egress traffic to send through the VPC.<br/><br/>- ALL\_TRAFFIC sends all traffic through regional VPC network<br/>- PRIVATE\_RANGES\_ONLY sends only traffic to private IP addresses through regional VPC network | `string` | `"ALL_TRAFFIC"` | no |
| <a name="input_enable_lasers"></a> [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no |
| <a name="input_enable_profiler"></a> [enable\_profiler](#input\_enable\_profiler) | Enable cloud profiler. | `bool` | `false` | no |
| <a name="input_execution_environment"></a> [execution\_environment](#input\_execution\_environment) | The execution environment for the service | `string` | `"EXECUTION_ENVIRONMENT_GEN1"` | no |
| <a name="input_ingress"></a> [ingress](#input\_ingress) | Which type of ingress traffic to accept for the service.<br/><br/>- INGRESS\_TRAFFIC\_ALL accepts all traffic, enabling the public .run.app URL for the service<br/>- INGRESS\_TRAFFIC\_INTERNAL\_LOAD\_BALANCER accepts traffic only from a load balancer<br/>- INGRESS\_TRAFFIC\_INTERNAL\_ONLY accepts internal traffic only | `string` | `"INGRESS_TRAFFIC_INTERNAL_ONLY"` | no |
40 changes: 20 additions & 20 deletions modules/regional-service/main.tf
@@ -1,5 +1,5 @@
module "audit-serviceaccount" {
count = var.enable_lasers ? 1 : 0
count = len(var.notification_channels) > 0 ? 1 : 0

source = "../audit-serviceaccount"

Expand Down Expand Up @@ -284,7 +284,7 @@ data "google_client_openid_userinfo" "me" {}

// Create an alert policy to notify if the service is accessed by an unauthorized entity.
resource "google_monitoring_alert_policy" "anomalous-service-access" {
count = var.enable_lasers ? 1 : 0
count = len(var.notification_channels) > 0 ? 1 : 0

# In the absence of data, incident will auto-close after an hour
alert_strategy {
Expand All @@ -306,35 +306,35 @@ resource "google_monitoring_alert_policy" "anomalous-service-access" {
logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Factivity"
protoPayload.serviceName="run.googleapis.com"
protoPayload.resourceName=("${join("\" OR \"", concat([
"namespaces/${var.project_id}/services/${var.name}"
],
[
for region in keys(var.regions) : "projects/${var.project_id}/locations/${region}/services/${var.name}"
]))}")
"namespaces/${var.project_id}/services/${var.name}"
],
[
for region in keys(var.regions) : "projects/${var.project_id}/locations/${region}/services/${var.name}"
]))}")

-- Allow CI to reconcile services and their IAM policies.
-(
protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}"
protoPayload.methodName=("${join("\" OR \"", [
"google.cloud.run.v2.Services.CreateService",
"google.cloud.run.v2.Services.UpdateService",
"google.cloud.run.v2.Services.SetIamPolicy",
])}")
"google.cloud.run.v2.Services.CreateService",
"google.cloud.run.v2.Services.UpdateService",
"google.cloud.run.v2.Services.SetIamPolicy",
])}")
)
EOT

label_extractors = {
"email" = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
"method_name" = "EXTRACT(protoPayload.methodName)"
"user_agent" = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
}
}
label_extractors = {
"email" = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
"method_name" = "EXTRACT(protoPayload.methodName)"
"user_agent" = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
}
}
}

notification_channels = var.notification_channels
notification_channels = var.notification_channels

enabled = "true"
project = var.project_id
enabled = "true"
project = var.project_id
}

// When the service is behind a load balancer, then it is publicly exposed and responsible
6 changes: 0 additions & 6 deletions modules/regional-service/variables.tf
Expand Up @@ -180,9 +180,3 @@ variable "enable_profiler" {
default = false
description = "Enable cloud profiler."
}

variable "enable_lasers" {
description = "Whether to enable alert policy for abnormal access to resource."
type = bool
default = false
}
2 changes: 2 additions & 0 deletions modules/secret/main.tf
Expand Up @@ -41,6 +41,8 @@ data "google_project" "project" { project_id = var.project_id }

// Create an alert policy to notify if the secret is accessed by an unauthorized entity.
resource "google_monitoring_alert_policy" "anomalous-secret-access" {
count = len(var.notification_channels) > 0 ? 1 : 0

# In the absence of data, incident will auto-close after an hour
alert_strategy {
auto_close = "3600s"
2 changes: 1 addition & 1 deletion modules/serverless-gclb/main.tf
Expand Up @@ -166,7 +166,7 @@ locals {
}

resource "google_monitoring_alert_policy" "abnormal-gclb-access" {
count = var.enable_lasers ? 1 : 0
count = len(var.notification_channels) > 0 ? 1 : 0

# In the absence of data, incident will auto-close after an hour
alert_strategy {
2 changes: 1 addition & 1 deletion modules/workqueue/dashboard.tf
Expand Up @@ -48,7 +48,7 @@ module "work-added" {
"metric.type=\"prometheus.googleapis.com/workqueue_added_keys_total/counter\"",
"metric.label.\"service_name\"=\"${var.name}-rcv\"",
]
group_by_fields = ["metric.label.\"service_name\""]
group_by_fields = ["metric.label.\"service_name\""]
primary_align = "ALIGN_RATE"
primary_reduce = "REDUCE_NONE"
secondary_align = "ALIGN_NONE"
6 changes: 3 additions & 3 deletions modules/workqueue/dispatcher.tf
Expand Up @@ -47,7 +47,7 @@ module "dispatcher-service" {
importpath = "github.com/chainguard-dev/terraform-infra-common/modules/workqueue/cmd/dispatcher"
}
ports = [{
name = "h2c"
name = "h2c"
container_port = 8080
}]
env = [
Expand Down Expand Up @@ -99,7 +99,7 @@ module "cron-trigger-calls-dispatcher" {

source = "../authorize-private-service"

depends_on = [ module.dispatcher-service ]
depends_on = [module.dispatcher-service]

project_id = var.project_id
region = each.key
Expand Down Expand Up @@ -171,7 +171,7 @@ module "change-trigger-calls-dispatcher" {

source = "../authorize-private-service"

depends_on = [ module.dispatcher-service ]
depends_on = [module.dispatcher-service]

project_id = var.project_id
region = each.key
4 changes: 2 additions & 2 deletions modules/workqueue/main.tf
Expand Up @@ -18,7 +18,7 @@ resource "google_storage_bucket_iam_binding" "authorize-access" {
for_each = var.regions

bucket = google_storage_bucket.workqueue[each.key].name
role = "roles/storage.admin"
role = "roles/storage.admin"
members = [
"serviceAccount:${google_service_account.receiver.email}",
"serviceAccount:${google_service_account.dispatcher.email}",
Expand Down Expand Up @@ -48,7 +48,7 @@ resource "google_pubsub_topic_iam_binding" "gcs-publishes-to-topic" {
resource "google_storage_notification" "object-change-notifications" {
for_each = var.regions

depends_on = [ google_pubsub_topic_iam_binding.gcs-publishes-to-topic ]
depends_on = [google_pubsub_topic_iam_binding.gcs-publishes-to-topic]

bucket = google_storage_bucket.workqueue[each.key].name
payload_format = "JSON_API_V1"
2 changes: 1 addition & 1 deletion modules/workqueue/outputs.tf
@@ -1,5 +1,5 @@
output "receiver" {
depends_on = [ module.receiver-service ]
depends_on = [module.receiver-service]
value = {
name = "${var.name}-rcv"
}
