From 5d8d9234b5505d9b59b84d60102c517d195df9c6 Mon Sep 17 00:00:00 2001 From: Kenny Leung Date: Tue, 3 Sep 2024 08:38:40 -0700 Subject: [PATCH 01/10] Revert "Remove laser alerts (#462)" This reverts commit 7c2050515e62e93a27d69e615d9d4167e2c7012c. --- modules/cloudevent-recorder/README.md | 1 + modules/cloudevent-recorder/main.tf | 65 +++++++++++++++++ modules/configmap/README.md | 1 + modules/configmap/main.tf | 52 +++++++++++++ modules/cron/README.md | 2 + modules/cron/main.tf | 101 ++++++++++++++++++++++++++ modules/regional-go-service/main.tf | 5 ++ modules/regional-service/README.md | 1 + modules/regional-service/main.tf | 53 ++++++++++++++ modules/serverless-gclb/README.md | 1 + modules/serverless-gclb/main.tf | 42 +++++++++++ 11 files changed, 324 insertions(+) diff --git a/modules/cloudevent-recorder/README.md b/modules/cloudevent-recorder/README.md index 02f94a39..01a2681a 100644 --- a/modules/cloudevent-recorder/README.md +++ b/modules/cloudevent-recorder/README.md 
@@ -107,6 +107,7 @@ No requirements. | [google_bigquery_table.types](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/bigquery_table) | resource | | [google_bigquery_table_iam_binding.import-writes-to-tables](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/bigquery_table_iam_binding) | resource | | [google_monitoring_alert_policy.bq_dts](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource | +| [google_monitoring_alert_policy.bucket-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource | | [google_pubsub_subscription.dead-letter-pull-sub](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription) | resource | | [google_pubsub_subscription.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription) | resource | | [google_pubsub_subscription_iam_binding.allow-pubsub-to-ack](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription_iam_binding) | resource | diff --git a/modules/cloudevent-recorder/main.tf b/modules/cloudevent-recorder/main.tf index 4dbf9938..ed7a1237 100644 --- a/modules/cloudevent-recorder/main.tf +++ b/modules/cloudevent-recorder/main.tf 
@@ -50,3 +50,68 @@ resource "google_storage_bucket" "recorder" { // What identity is deploying this? data "google_client_openid_userinfo" "me" {} +resource "google_monitoring_alert_policy" "bucket-access" { + # In the absence of data, incident will auto-close after an hour + alert_strategy { + auto_close = "3600s" + + notification_rate_limit { + period = "3600s" // re-alert hourly if condition still valid. + } + } + + display_name = "Abnormal Event Bucket Access: ${var.name}" + combiner = "OR" + + conditions { + display_name = "Bucket Access" + + condition_matched_log { + filter = < Date: Tue, 3 Sep 2024 08:45:42 -0700 Subject: [PATCH 02/10] make lasers optional, off by default Signed-off-by: Kenny Leung --- modules/cloudevent-recorder/README.md | 1 + modules/cloudevent-recorder/main.tf | 2 ++ modules/cloudevent-recorder/variables.tf | 6 ++++ modules/configmap/README.md | 1 + modules/configmap/main.tf | 2 ++ modules/configmap/variables.tf | 6 ++++ modules/cron/main.tf | 2 ++ modules/regional-service/README.md | 1 + modules/regional-service/main.tf | 40 +++++++++++++----------- modules/regional-service/variables.tf | 6 ++++ modules/serverless-gclb/main.tf | 2 ++ 11 files changed, 50 insertions(+), 19 deletions(-) diff --git a/modules/cloudevent-recorder/README.md b/modules/cloudevent-recorder/README.md index 01a2681a..ff79b61b 100644 --- a/modules/cloudevent-recorder/README.md +++ b/modules/cloudevent-recorder/README.md 
@@ -136,6 +136,7 @@ No requirements. | [cloud\_storage\_config\_max\_bytes](#input\_cloud\_storage\_config\_max\_bytes) | The maximum bytes that can be written to a Cloud Storage file before a new file is created. Min 1 KB, max 10 GiB. | `number` | `1000000000` | no | | [cloud\_storage\_config\_max\_duration](#input\_cloud\_storage\_config\_max\_duration) | The maximum duration that can elapse before a new Cloud Storage file is created. Min 1 minute, max 10 minutes, default 5 minutes. | `number` | `300` | no | | [deletion\_protection](#input\_deletion\_protection) | Whether to enable deletion protection on data resources. | `bool` | `true` | no | +| [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no | | [enable\_profiler](#input\_enable\_profiler) | Enable cloud profiler. | `bool` | `false` | no | | [flush\_interval](#input\_flush\_interval) | Flush interval for logrotate, as a duration string. | `string` | `""` | no | | [ignore\_unknown\_values](#input\_ignore\_unknown\_values) | Whether to ignore unknown values in the data, when transferring data to BigQuery. | `bool` | `false` | no | diff --git a/modules/cloudevent-recorder/main.tf b/modules/cloudevent-recorder/main.tf index ed7a1237..5bcb4cff 100644 --- a/modules/cloudevent-recorder/main.tf +++ b/modules/cloudevent-recorder/main.tf @@ -51,6 +51,8 @@ resource "google_storage_bucket" "recorder" { data "google_client_openid_userinfo" "me" {} resource "google_monitoring_alert_policy" "bucket-access" { + count = var.enable_lasers ? 1 : 0 + # In the absence of data, incident will auto-close after an hour alert_strategy { auto_close = "3600s" diff --git a/modules/cloudevent-recorder/variables.tf b/modules/cloudevent-recorder/variables.tf index 16711a33..f9ab7ced 100644 --- a/modules/cloudevent-recorder/variables.tf +++ b/modules/cloudevent-recorder/variables.tf 
@@ -143,3 +143,9 @@ variable "flush_interval" { type = string default = "" } + +variable "enable_lasers" { + description = "Whether to enable alert policy for abnormal access to resource." + type = bool + default = false +} diff --git a/modules/configmap/README.md b/modules/configmap/README.md index 165eff69..a12cc3f0 100644 --- a/modules/configmap/README.md +++ b/modules/configmap/README.md @@ -89,6 +89,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [data](#input\_data) | The data to place in the secret. | `string` | n/a | yes | +| [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no | | [name](#input\_name) | The name to give the secret. | `string` | n/a | yes | | [notification-channels](#input\_notification-channels) | The channels to notify if the configuration data is improperly accessed. | `list(string)` | n/a | yes | | [project\_id](#input\_project\_id) | n/a | `string` | n/a | yes | diff --git a/modules/configmap/main.tf b/modules/configmap/main.tf index 09148954..418ce500 100644 --- a/modules/configmap/main.tf +++ b/modules/configmap/main.tf @@ -30,6 +30,8 @@ data "google_client_openid_userinfo" "me" {} // Create an alert policy to notify if the secret is accessed by an unauthorized entity. resource "google_monitoring_alert_policy" "anomalous-secret-access" { + count = var.enable_lasers ? 1 : 0 + # In the absence of data, incident will auto-close after an hour alert_strategy { auto_close = "3600s" diff --git a/modules/configmap/variables.tf b/modules/configmap/variables.tf index f46502be..5e8bdc90 100644 --- a/modules/configmap/variables.tf +++ b/modules/configmap/variables.tf 
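Review bot: The new `enable_lasers` variable in modules/cloudevent-recorder/variables.tf defaults to `false`, which means every existing consumer of this module loses the `bucket-access` alert policy on its next apply (Terraform will plan its destruction), and neither the description nor the README row says so. Since this flips a detection off for current deployments, the variable should say it explicitly, e.g. `description = "Whether to create the alert policy for abnormal access to this resource. Defaults to false, so existing deployments must opt in to keep the policy."`. The same wording applies to the identical `enable_lasers` declarations added for configmap and regional-service in this patch.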
@@ -21,3 +21,9 @@ variable "notification-channels" { description = "The channels to notify if the configuration data is improperly accessed." type = list(string) } + +variable "enable_lasers" { + description = "Whether to enable alert policy for abnormal access to resource." + type = bool + default = false +} diff --git a/modules/cron/main.tf b/modules/cron/main.tf index 1d293c72..afdae0a7 100644 --- a/modules/cron/main.tf +++ b/modules/cron/main.tf @@ -254,6 +254,8 @@ data "google_client_openid_userinfo" "me" {} // Create an alert policy to notify if the job is accessed by an unauthorized entity. resource "google_monitoring_alert_policy" "anomalous-job-access" { + count = var.enable_lasers ? 1 : 0 + # In the absence of data, incident will auto-close after an hour alert_strategy { auto_close = "3600s" diff --git a/modules/regional-service/README.md b/modules/regional-service/README.md index 88f614ad..47b325d9 100644 --- a/modules/regional-service/README.md +++ b/modules/regional-service/README.md @@ -87,6 +87,7 @@ No modules. | [containers](#input\_containers) | The containers to run in the service. Each container will be run in each region. |
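Review bot: The new `count = var.enable_lasers ? 1 : 0` line in modules/cron/main.tf references an input that this patch does not declare for the cron module: the diffstat touches variables.tf only for cloudevent-recorder, configmap and regional-service, and modules/serverless-gclb/main.tf later in this patch has the same gap. Unless `enable_lasers` is already declared in those two modules or is added by a later patch in the series, `terraform validate` will fail with an undeclared input variable error for both. The fix is the same `variable "enable_lasers"` block used for the other modules (with a matching README row) in modules/cron/variables.tf and modules/serverless-gclb/variables.tf. Note also that once the policy carries `count`, its address becomes `google_monitoring_alert_policy.anomalous-job-access[0]`, so any output or reference to it elsewhere in the module would need updating; the resource body continues outside the hunk.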
map(object({
image = string
args = optional(list(string), [])
ports = optional(list(object({
name = optional(string, "http1")
container_port = number
})), [])
resources = optional(
object(
{
limits = optional(object(
{
cpu = string
memory = string
}
), null)
cpu_idle = optional(bool, true)
startup_cpu_boost = optional(bool, true)
}
),
{
cpu_idle = true
}
)
env = optional(list(object({
name = string
value = optional(string)
value_source = optional(object({
secret_key_ref = object({
secret = string
version = string
})
}), null)
})), [])
regional-env = optional(list(object({
name = string
value = map(string)
})), [])
volume_mounts = optional(list(object({
name = string
mount_path = string
})), [])
}))
| n/a | yes | | [deletion\_protection](#input\_deletion\_protection) | Whether to enable delete protection for the service. | `bool` | `true` | no | | [egress](#input\_egress) | Which type of egress traffic to send through the VPC.

- ALL\_TRAFFIC sends all traffic through regional VPC network
- PRIVATE\_RANGES\_ONLY sends only traffic to private IP addresses through regional VPC network | `string` | `"ALL_TRAFFIC"` | no | +| [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no | | [enable\_profiler](#input\_enable\_profiler) | Enable cloud profiler. | `bool` | `false` | no | | [execution\_environment](#input\_execution\_environment) | The execution environment for the service | `string` | `"EXECUTION_ENVIRONMENT_GEN1"` | no | | [ingress](#input\_ingress) | Which type of ingress traffic to accept for the service.

- INGRESS\_TRAFFIC\_ALL accepts all traffic, enabling the public .run.app URL for the service
- INGRESS\_TRAFFIC\_INTERNAL\_LOAD\_BALANCER accepts traffic only from a load balancer
- INGRESS\_TRAFFIC\_INTERNAL\_ONLY accepts internal traffic only | `string` | `"INGRESS_TRAFFIC_INTERNAL_ONLY"` | no | diff --git a/modules/regional-service/main.tf b/modules/regional-service/main.tf index 29de9f9c..d2c6eb4b 100644 --- a/modules/regional-service/main.tf +++ b/modules/regional-service/main.tf @@ -269,6 +269,8 @@ data "google_client_openid_userinfo" "me" {} // Create an alert policy to notify if the service is accessed by an unauthorized entity. resource "google_monitoring_alert_policy" "anomalous-service-access" { + count = var.enable_lasers ? 1 : 0 + # In the absence of data, incident will auto-close after an hour alert_strategy { auto_close = "3600s" 
@@ -289,35 +291,35 @@ resource "google_monitoring_alert_policy" "anomalous-service-access" { logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Factivity" protoPayload.serviceName="run.googleapis.com" protoPayload.resourceName=("${join("\" OR \"", concat([ - "namespaces/${var.project_id}/services/${var.name}" - ], - [ - for region in keys(var.regions) : "projects/${var.project_id}/locations/${region}/services/${var.name}" - ]))}") + "namespaces/${var.project_id}/services/${var.name}" + ], + [ + for region in keys(var.regions) : "projects/${var.project_id}/locations/${region}/services/${var.name}" + ]))}") -- Allow CI to reconcile services and their IAM policies. -( protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}" protoPayload.methodName=("${join("\" OR \"", [ - "google.cloud.run.v2.Services.CreateService", - "google.cloud.run.v2.Services.UpdateService", - "google.cloud.run.v2.Services.SetIamPolicy", - ])}") + "google.cloud.run.v2.Services.CreateService", + "google.cloud.run.v2.Services.UpdateService", + "google.cloud.run.v2.Services.SetIamPolicy", +])}") ) EOT - label_extractors = { - "email" = "EXTRACT(protoPayload.authenticationInfo.principalEmail)" - "method_name" = "EXTRACT(protoPayload.methodName)" - "user_agent" = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")" - } - } - } +label_extractors = { + "email" = "EXTRACT(protoPayload.authenticationInfo.principalEmail)" + "method_name" = "EXTRACT(protoPayload.methodName)" + "user_agent" = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")" +} +} +} - notification_channels = var.notification_channels +notification_channels = var.notification_channels - enabled = "true" - project = var.project_id +enabled = "true" +project = var.project_id } // When the service is behind a load balancer, then it is publicly exposed and responsible 
diff --git a/modules/regional-service/variables.tf b/modules/regional-service/variables.tf index a4e57195..e8ad0cf8 100644 --- a/modules/regional-service/variables.tf +++ b/modules/regional-service/variables.tf @@ -180,3 +180,9 @@ variable "enable_profiler" { default = false description = "Enable cloud profiler." } + +variable "enable_lasers" { + description = "Whether to enable alert policy for abnormal access to resource." + type = bool + default = false +} diff --git a/modules/serverless-gclb/main.tf b/modules/serverless-gclb/main.tf index 3404806c..8170ddb1 100644 --- a/modules/serverless-gclb/main.tf +++ b/modules/serverless-gclb/main.tf @@ -166,6 +166,8 @@ locals { } resource "google_monitoring_alert_policy" "abnormal-gclb-access" { + count = var.enable_lasers ? 1 : 0 + # In the absence of data, incident will auto-close after an hour alert_strategy { auto_close = "3600s" From 433299ab89aad9f0f762be5983ff1e0bdc1455a2 Mon Sep 17 00:00:00 2001 From: Kenny Leung Date: Tue, 3 Sep 2024 08:50:42 -0700 Subject: [PATCH 03/10] Revert "Remove laser alerts (#462)" This reverts commit 7c2050515e62e93a27d69e615d9d4167e2c7012c. --- modules/regional-service/main.tf | 36 ++++++++++++++++---------------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/modules/regional-service/main.tf b/modules/regional-service/main.tf index d2c6eb4b..7b4d1956 100644 --- a/modules/regional-service/main.tf +++ b/modules/regional-service/main.tf 
@@ -291,35 +291,35 @@ resource "google_monitoring_alert_policy" "anomalous-service-access" { logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Factivity" protoPayload.serviceName="run.googleapis.com" protoPayload.resourceName=("${join("\" OR \"", concat([ - "namespaces/${var.project_id}/services/${var.name}" - ], - [ - for region in keys(var.regions) : "projects/${var.project_id}/locations/${region}/services/${var.name}" - ]))}") + "namespaces/${var.project_id}/services/${var.name}" + ], + [ + for region in keys(var.regions) : "projects/${var.project_id}/locations/${region}/services/${var.name}" + ]))}") -- Allow CI to reconcile services and their IAM policies. -( protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}" protoPayload.methodName=("${join("\" OR \"", [ - "google.cloud.run.v2.Services.CreateService", - "google.cloud.run.v2.Services.UpdateService", - "google.cloud.run.v2.Services.SetIamPolicy", -])}") + "google.cloud.run.v2.Services.CreateService", + "google.cloud.run.v2.Services.UpdateService", + "google.cloud.run.v2.Services.SetIamPolicy", + ])}") ) EOT -label_extractors = { - "email" = "EXTRACT(protoPayload.authenticationInfo.principalEmail)" - "method_name" = "EXTRACT(protoPayload.methodName)" - "user_agent" = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")" -} -} + label_extractors = { + "email" = "EXTRACT(protoPayload.authenticationInfo.principalEmail)" + "method_name" = "EXTRACT(protoPayload.methodName)" + "user_agent" = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")" + } + } } -notification_channels = var.notification_channels + notification_channels = var.notification_channels -enabled = "true" -project = var.project_id + enabled = "true" + project = var.project_id } // When the service is behind a load balancer, then it is publicly exposed and responsible 
From 605bf11c70a0d9eedbb34d165ef2c89d08a2410e Mon Sep 17 00:00:00 2001 From: Kenny Leung Date: Tue, 3 Sep 2024 08:53:22 -0700 Subject: [PATCH 04/10] Revert "remove audit-serviceaccount (#465)" This reverts commit 518fa3cbc4d4f9ba9df94aff12fa9c1c10cf6cc1. --- .github/workflows/documentation.yaml | 1 + modules/audit-serviceaccount/README.md | 73 +++++++++++++++++++++++ modules/audit-serviceaccount/main.tf | 41 +++++++++++++ modules/audit-serviceaccount/variables.tf | 25 ++++++++ modules/bucket-events/README.md | 1 + modules/bucket-events/main.tf | 14 +++++ modules/cloudevent-recorder/README.md | 1 + modules/cloudevent-recorder/bigquery.tf | 14 +++++ modules/cloudevent-trigger/README.md | 1 + modules/cloudevent-trigger/main.tf | 14 +++++ modules/cron/README.md | 5 +- modules/cron/main.tf | 28 +++++++++ modules/github-gsa/README.md | 4 +- modules/github-gsa/main.tf | 12 ++++ modules/regional-go-service/main.tf | 5 ++ modules/regional-service/README.md | 4 +- modules/regional-service/main.tf | 13 ++++ 17 files changed, 253 insertions(+), 3 deletions(-) create mode 100644 modules/audit-serviceaccount/README.md create mode 100644 modules/audit-serviceaccount/main.tf create mode 100644 modules/audit-serviceaccount/variables.tf diff --git a/.github/workflows/documentation.yaml b/.github/workflows/documentation.yaml index e8743405..584462af 100644 --- a/.github/workflows/documentation.yaml +++ b/.github/workflows/documentation.yaml @@ -11,6 +11,7 @@ jobs: fail-fast: false matrix: module: + - audit-serviceaccount - authorize-private-service - bucket-events - cloudevent-broker diff --git a/modules/audit-serviceaccount/README.md b/modules/audit-serviceaccount/README.md new file mode 100644 index 00000000..e8f9dfa4 --- /dev/null +++ b/modules/audit-serviceaccount/README.md 
@@ -0,0 +1,73 @@ +# `audit-serviceaccount` + +This module creates an alert policy to monitor the principals that are +generating tokens for a particular service account. + +The set of authorized principals can be enumerated explicitly: +```hcl +module "audit-foo-usage" { + source = "chainguard-dev/common/infra//modules/audit-serviceaccount" + + project_id = var.project_id + service-account = google_service_account.foo.email + + allowed_principals = [ + # Only GKE should generate tokens for this service account. + "serviceAccount:${var.project_id}.svc.id.goog[foo-system/foo]", + ] + + notification_channels = var.notification_channels +} +``` + +Or a regular expression can be provided for the allowed principals: +```hcl +module "audit-foo-usage" { + source = "chainguard-dev/common/infra//modules/audit-serviceaccount" + + project_id = var.project_id + service-account = google_service_account.foo.email + + # Match v1.2.3 style tags on this repository. + allowed_principal_regex = "principal://iam[.]googleapis[.]com/${google_iam_workload_identity_pool.pool.name}/subject/repo:chainguard-dev/terraform-infra-common:ref:refs/tags/v[0-9]+[.][0-9]+[.][0-9]+" + + notification_channels = var.notification_channels +} +``` + + + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [google](#provider\_google) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [google_monitoring_alert_policy.generate-access-token](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [allowed\_principal\_regex](#input\_allowed\_principal\_regex) | A regular expression to match allowed principals. | `string` | `""` | no | +| [allowed\_principals](#input\_allowed\_principals) | The list of principals authorized to assume this identity. 
| `list(string)` | `[]` | no | +| [notification\_channels](#input\_notification\_channels) | The list of notification channels to alert when this policy fires. | `list(string)` | n/a | yes | +| [project\_id](#input\_project\_id) | n/a | `string` | n/a | yes | +| [service-account](#input\_service-account) | The email of the service account being audited. | `string` | n/a | yes | + +## Outputs + +No outputs. + diff --git a/modules/audit-serviceaccount/main.tf b/modules/audit-serviceaccount/main.tf new file mode 100644 index 00000000..48e72637 --- /dev/null +++ b/modules/audit-serviceaccount/main.tf @@ -0,0 +1,41 @@ +resource "google_monitoring_alert_policy" "generate-access-token" { + # In the absence of data, incident will auto-close after an hour + alert_strategy { + auto_close = "3600s" + + notification_rate_limit { + period = "3600s" // re-alert hourly if condition still valid. + } + } + + display_name = "Abnormal Access Token Generation: ${var.service-account}" + combiner = "OR" + + conditions { + display_name = "Access Token Generation" + + condition_matched_log { + filter = < [audit-delivery-serviceaccount](#module\_audit-delivery-serviceaccount) | ../audit-serviceaccount | n/a | | [authorize-delivery](#module\_authorize-delivery) | ../authorize-private-service | n/a | | [http](#module\_http) | ../dashboard/sections/http | n/a | | [layout](#module\_layout) | ../dashboard/sections/layout | n/a | diff --git a/modules/bucket-events/main.tf b/modules/bucket-events/main.tf index f8f621e5..a49666bb 100644 --- a/modules/bucket-events/main.tf +++ b/modules/bucket-events/main.tf 
@@ -55,6 +55,20 @@ resource "google_service_account_iam_binding" "allow-pubsub-to-mint-tokens" { members = ["serviceAccount:${google_project_service_identity.pubsub.email}"] } +module "audit-delivery-serviceaccount" { + source = "../audit-serviceaccount" + + project_id = var.project_id + service-account = google_service_account.delivery.email + + # The absence of authorized identities here means that + # nothing is authorized to act as this service account. + # Note: Cloud Pub/Sub's usage doesn't show up in the + # audit logs. + + notification_channels = var.notification_channels +} + module "this" { source = "../regional-go-service" project_id = var.project_id diff --git a/modules/cloudevent-recorder/README.md b/modules/cloudevent-recorder/README.md index ff79b61b..04aae815 100644 --- a/modules/cloudevent-recorder/README.md +++ b/modules/cloudevent-recorder/README.md @@ -93,6 +93,7 @@ No requirements. | Name | Source | Version | |------|--------|---------| +| [audit-import-serviceaccount](#module\_audit-import-serviceaccount) | ../audit-serviceaccount | n/a | | [recorder-dashboard](#module\_recorder-dashboard) | ../dashboard/cloudevent-receiver | n/a | | [this](#module\_this) | ../regional-go-service | n/a | | [triggers](#module\_triggers) | ../cloudevent-trigger | n/a | diff --git a/modules/cloudevent-recorder/bigquery.tf b/modules/cloudevent-recorder/bigquery.tf index 64a3b212..dba6737a 100644 --- a/modules/cloudevent-recorder/bigquery.tf +++ b/modules/cloudevent-recorder/bigquery.tf 
@@ -74,6 +74,20 @@ resource "google_service_account_iam_binding" "provisioner-acts-as-import-identi members = [var.provisioner] } +module "audit-import-serviceaccount" { + source = "../audit-serviceaccount" + + project_id = var.project_id + service-account = google_service_account.import-identity.email + + # The absence of authorized identities here means that + # nothing is authorized to act as this service account. + # Note: BigQuery DTS's usage doesn't show up in the + # audit logs. + + notification_channels = var.notification_channels +} + // Create a BQ DTS job for each of the regions x types pulling from the appropriate buckets and paths. resource "google_bigquery_data_transfer_config" "import-job" { for_each = local.regional-types diff --git a/modules/cloudevent-trigger/README.md b/modules/cloudevent-trigger/README.md index c416f092..a687da20 100644 --- a/modules/cloudevent-trigger/README.md +++ b/modules/cloudevent-trigger/README.md @@ -92,6 +92,7 @@ No requirements. | Name | Source | Version | |------|--------|---------| +| [audit-trigger-serviceaccount](#module\_audit-trigger-serviceaccount) | ../audit-serviceaccount | n/a | | [authorize-delivery](#module\_authorize-delivery) | ../authorize-private-service | n/a | ## Resources diff --git a/modules/cloudevent-trigger/main.tf b/modules/cloudevent-trigger/main.tf index c0dd607b..62a87fbc 100644 --- a/modules/cloudevent-trigger/main.tf +++ b/modules/cloudevent-trigger/main.tf 
@@ -30,6 +30,20 @@ resource "google_service_account_iam_binding" "allow-pubsub-to-mint-tokens" { members = ["serviceAccount:${google_project_service_identity.pubsub.email}"] } +module "audit-trigger-serviceaccount" { + source = "../audit-serviceaccount" + + project_id = var.project_id + service-account = google_service_account.this.email + + # The absence of authorized identities here means that + # nothing is authorized to act as this service account. + # Note: Cloud Pub/Sub's usage doesn't show up in the + # audit logs. + + notification_channels = var.notification_channels +} + // Authorize this service account to invoke the private service receiving // events from this trigger. module "authorize-delivery" { diff --git a/modules/cron/README.md b/modules/cron/README.md index e5168ec2..ea97c3c9 100644 --- a/modules/cron/README.md +++ b/modules/cron/README.md @@ -70,7 +70,10 @@ No requirements. ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [audit-cronjob-serviceaccount](#module\_audit-cronjob-serviceaccount) | ../audit-serviceaccount | n/a | +| [audit-delivery-serviceaccount](#module\_audit-delivery-serviceaccount) | ../audit-serviceaccount | n/a | ## Resources diff --git a/modules/cron/main.tf b/modules/cron/main.tf index afdae0a7..87401cf5 100644 --- a/modules/cron/main.tf +++ b/modules/cron/main.tf @@ -18,6 +18,20 @@ resource "google_project_service" "cloudscheduler" { disable_on_destroy = false } +module "audit-cronjob-serviceaccount" { + source = "../audit-serviceaccount" + + project_id = var.project_id + service-account = var.service_account + + # The absence of authorized identities here means that + # nothing is authorized to act as this service account. + # Note: Cloud Run's usage doesn't show up in the + # audit logs. + + notification_channels = var.notification_channels +} + locals { repo = var.repository != "" ? var.repository : "gcr.io/${var.project_id}/${var.name}" } 
@@ -203,6 +217,20 @@ resource "google_service_account" "delivery" { display_name = "Dedicated service account for invoking ${google_cloud_run_v2_job.job.name}." } +module "audit-delivery-serviceaccount" { + source = "../audit-serviceaccount" + + project_id = var.project_id + service-account = google_service_account.delivery.email + + # The absence of authorized identities here means that + # nothing is authorized to act as this service account. + # Note: Cloud Scheduler's usage doesn't show up in the + # audit logs. + + notification_channels = var.notification_channels +} + resource "google_cloud_run_v2_job_iam_binding" "authorize-calls" { project = google_cloud_run_v2_job.job.project location = google_cloud_run_v2_job.job.location diff --git a/modules/github-gsa/README.md b/modules/github-gsa/README.md index 47c7708c..2182640c 100644 --- a/modules/github-gsa/README.md +++ b/modules/github-gsa/README.md @@ -42,7 +42,9 @@ No requirements. ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [audit-usage](#module\_audit-usage) | ../audit-serviceaccount | n/a | ## Resources diff --git a/modules/github-gsa/main.tf b/modules/github-gsa/main.tf index e661e3ad..c7376d0c 100644 --- a/modules/github-gsa/main.tf +++ b/modules/github-gsa/main.tf @@ -132,3 +132,15 @@ resource "google_service_account_iam_binding" "allow-impersonation" { } } } + +// Create an auditing policy to ensure that tokens are only issued for identities +// matching our expectations. +module "audit-usage" { + source = "../audit-serviceaccount" + + project_id = var.project_id + service-account = google_service_account.this.email + + allowed_principal_regex = local.principalSubject + notification_channels = var.notification_channels +} diff --git a/modules/regional-go-service/main.tf b/modules/regional-go-service/main.tf index 68f6a8c9..e8cba60d 100644 --- a/modules/regional-go-service/main.tf +++ b/modules/regional-go-service/main.tf 
@@ -5,6 +5,11 @@ terraform { } } +moved { + from = module.audit-serviceaccount + to = module.this.module.audit-serviceaccount +} + moved { from = google_project_iam_member.metrics-writer to = module.this.google_project_iam_member.metrics-writer diff --git a/modules/regional-service/README.md b/modules/regional-service/README.md index 47b325d9..41fbea09 100644 --- a/modules/regional-service/README.md +++ b/modules/regional-service/README.md @@ -65,7 +65,9 @@ No requirements. ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [audit-serviceaccount](#module\_audit-serviceaccount) | ../audit-serviceaccount | n/a | ## Resources diff --git a/modules/regional-service/main.tf b/modules/regional-service/main.tf index 7b4d1956..e8bb5f82 100644 --- a/modules/regional-service/main.tf +++ b/modules/regional-service/main.tf @@ -1,3 +1,16 @@ +module "audit-serviceaccount" { + source = "../audit-serviceaccount" + + project_id = var.project_id + service-account = var.service_account + + # The absence of authorized identities here means that + # nothing is authorized to act as this service account. + # Note: Cloud Run's usage doesn't show up in the audit logs. + + notification_channels = var.notification_channels +} + resource "google_project_iam_member" "metrics-writer" { project = var.project_id role = "roles/monitoring.metricWriter" From 5f8e2f9c86dd337e9d5cc0c231fa8941b7d204ba Mon Sep 17 00:00:00 2001 From: Kenny Leung Date: Tue, 3 Sep 2024 09:04:46 -0700 Subject: [PATCH 05/10] audit service account Signed-off-by: Kenny Leung --- modules/bucket-events/main.tf | 2 ++ modules/bucket-events/variables.tf | 6 ++++++ modules/cloudevent-recorder/bigquery.tf | 2 ++ modules/cloudevent-trigger/main.tf | 2 ++ modules/cloudevent-trigger/variables.tf | 6 ++++++ modules/cron/main.tf | 2 ++ modules/github-gsa/main.tf | 2 ++ modules/github-gsa/variables.tf | 6 ++++++ modules/regional-service/main.tf | 2 ++ 9 files changed, 30 insertions(+) 
diff --git a/modules/bucket-events/main.tf b/modules/bucket-events/main.tf index a49666bb..2f547cee 100644 --- a/modules/bucket-events/main.tf +++ b/modules/bucket-events/main.tf @@ -56,6 +56,8 @@ resource "google_service_account_iam_binding" "allow-pubsub-to-mint-tokens" { } module "audit-delivery-serviceaccount" { + count = var.enable_laser ? 1 : 0 + source = "../audit-serviceaccount" project_id = var.project_id diff --git a/modules/bucket-events/variables.tf b/modules/bucket-events/variables.tf index dc3db882..024b669a 100644 --- a/modules/bucket-events/variables.tf +++ b/modules/bucket-events/variables.tf @@ -48,3 +48,9 @@ variable "enable_profiler" { default = false description = "Enable cloud profiler." } + +variable "enable_lasers" { + description = "Whether to enable alert policy for abnormal access to resource." + type = bool + default = false +} diff --git a/modules/cloudevent-recorder/bigquery.tf b/modules/cloudevent-recorder/bigquery.tf index dba6737a..2100af81 100644 --- a/modules/cloudevent-recorder/bigquery.tf +++ b/modules/cloudevent-recorder/bigquery.tf @@ -75,6 +75,8 @@ resource "google_service_account_iam_binding" "provisioner-acts-as-import-identi } module "audit-import-serviceaccount" { + count = var.enable_lasers ? 1 : 0 + source = "../audit-serviceaccount" project_id = var.project_id diff --git a/modules/cloudevent-trigger/main.tf b/modules/cloudevent-trigger/main.tf index 62a87fbc..ba05c1e3 100644 --- a/modules/cloudevent-trigger/main.tf +++ b/modules/cloudevent-trigger/main.tf @@ -31,6 +31,8 @@ resource "google_service_account_iam_binding" "allow-pubsub-to-mint-tokens" { } module "audit-trigger-serviceaccount" { + count = var.enable_lasers ? 1 : 0 + source = "../audit-serviceaccount" project_id = var.project_id diff --git a/modules/cloudevent-trigger/variables.tf b/modules/cloudevent-trigger/variables.tf index ffdabc96..2e745b72 100644 --- a/modules/cloudevent-trigger/variables.tf +++ b/modules/cloudevent-trigger/variables.tf 
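Review bot: The new `count` line in modules/bucket-events/main.tf reads `var.enable_laser`, but the variable added to modules/bucket-events/variables.tf in this same patch is named `enable_lasers`, so Terraform will reject the reference as an undeclared input variable. Change it to `count = var.enable_lasers ? 1 : 0`. The cron hunk on this patch again references `var.enable_lasers` without a change to modules/cron/variables.tf anywhere in the series shown, so that module has the same problem unless the variable is declared elsewhere. The module block continues outside the hunk.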
@@ -109,3 +109,9 @@ variable "ack_deadline_seconds" {
 type = number
 default = 300
 }
+
+variable "enable_lasers" {
+ description = "Whether to enable alert policy for abnormal access to resource."
+ type = bool
+ default = false
+}
diff --git a/modules/cron/main.tf b/modules/cron/main.tf
index 87401cf5..df5b01dd 100644
--- a/modules/cron/main.tf
+++ b/modules/cron/main.tf
@@ -218,6 +218,8 @@ resource "google_service_account" "delivery" {
 }
 module "audit-delivery-serviceaccount" {
+ count = var.enable_lasers ? 1 : 0
+
 source = "../audit-serviceaccount"
 project_id = var.project_id
diff --git a/modules/github-gsa/main.tf b/modules/github-gsa/main.tf
index c7376d0c..1c3f69de 100644
--- a/modules/github-gsa/main.tf
+++ b/modules/github-gsa/main.tf
@@ -136,6 +136,8 @@ resource "google_service_account_iam_binding" "allow-impersonation" {
 // Create an auditing policy to ensure that tokens are only issued for identities
 // matching our expectations.
 module "audit-usage" {
+ count = var.enable_lasers ? 1 : 0
+
 source = "../audit-serviceaccount"
 project_id = var.project_id
diff --git a/modules/github-gsa/variables.tf b/modules/github-gsa/variables.tf
index 2c54339b..393095ff 100644
--- a/modules/github-gsa/variables.tf
+++ b/modules/github-gsa/variables.tf
@@ -50,3 +50,9 @@ variable "notification_channels" {
 description = "The list of notification channels to alert when the service account is misused."
 type = list(string)
 }
+
+variable "enable_lasers" {
+ description = "Whether to enable alert policy for abnormal access to resource."
+ type = bool
+ default = false
+}
diff --git a/modules/regional-service/main.tf b/modules/regional-service/main.tf
index e8bb5f82..c38adbb7 100644
--- a/modules/regional-service/main.tf
+++ b/modules/regional-service/main.tf
@@ -1,4 +1,6 @@
 module "audit-serviceaccount" {
+ count = var.enable_lasers ? 1 : 0
+
 source = "../audit-serviceaccount"
 project_id = var.project_id
From 33315a283ef17f8a844b601a08aa80ac94048e1d Mon Sep 17 00:00:00 2001
From: Kenny Leung Date: Tue, 3 Sep 2024 09:10:58 -0700 Subject: [PATCH 06/10] docs Signed-off-by: Kenny Leung --- modules/bucket-events/README.md | 1 + modules/cloudevent-trigger/README.md | 1 + modules/github-gsa/README.md | 1 + 3 files changed, 3 insertions(+) diff --git a/modules/bucket-events/README.md b/modules/bucket-events/README.md index 18ab11e2..c291766b 100644 --- a/modules/bucket-events/README.md +++ b/modules/bucket-events/README.md @@ -118,6 +118,7 @@ No requirements. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [bucket](#input\_bucket) | The name of the bucket to watch for events. The region where the bucket is located will be the region where the Pub/Sub topic and trampoline service will be created. The bucket must be in a region that is in the set of regions passed to the regions variable. | `string` | n/a | yes | +| [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no | | [enable\_profiler](#input\_enable\_profiler) | Enable cloud profiler. | `bool` | `false` | no | | [gcs\_event\_types](#input\_gcs\_event\_types) | The types of GCS events to watch for (https://cloud.google.com/storage/docs/pubsub-notifications#payload). | `list(string)` |
[
"OBJECT_FINALIZE",
"OBJECT_METADATA_UPDATE",
"OBJECT_DELETE",
"OBJECT_ARCHIVE"
]
| no | | [ingress](#input\_ingress) | An object holding the name of the ingress service, which can be used to authorize callers to publish cloud events. |
object({
name = string
})
| n/a | yes | diff --git a/modules/cloudevent-trigger/README.md b/modules/cloudevent-trigger/README.md index a687da20..2ce9f3ac 100644 --- a/modules/cloudevent-trigger/README.md +++ b/modules/cloudevent-trigger/README.md @@ -115,6 +115,7 @@ No requirements. |------|-------------|------|---------|:--------:| | [ack\_deadline\_seconds](#input\_ack\_deadline\_seconds) | The deadline for acking a message. | `number` | `300` | no | | [broker](#input\_broker) | The name of the pubsub topic we are using as a broker. | `string` | n/a | yes | +| [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no | | [filter](#input\_filter) | A Knative Trigger-style filter over the cloud event attributes.

This is normally used to filter relevant event types, for example:

{ "type" : "dev.chainguard.foo" }

In this case, only events with a type attribute of "dev.chainguard.foo" will be delivered. | `map(string)` | `{}` | no | | [filter\_has\_attributes](#input\_filter\_has\_attributes) | A Knative Trigger-style filter over the cloud event attribute prefixes.

This can be used to filter on the presence of an event attribute, for example:

["location"]

In this case, any event with a type attribute of "location" will be delivered. | `list(string)` | `[]` | no | | [filter\_not\_has\_attributes](#input\_filter\_not\_has\_attributes) | A Knative Trigger-style filter over the cloud event attribute prefixes.

This can be used to filter on the absence of an event attribute, for example:

["location"]

In this case, any event with a type attribute of "location" will NOT be delivered. | `list(string)` | `[]` | no | diff --git a/modules/github-gsa/README.md b/modules/github-gsa/README.md index 2182640c..796e9355 100644 --- a/modules/github-gsa/README.md +++ b/modules/github-gsa/README.md @@ -59,6 +59,7 @@ No requirements. |------|-------------|------|---------|:--------:| | [audit\_refspec](#input\_audit\_refspec) | The regular expression to use for auditing the refspec component when using '*' | `string` | `""` | no | | [audit\_workflow\_ref](#input\_audit\_workflow\_ref) | The regular expression to use for auditing the workflow ref component when using '*' | `string` | `""` | no | +| [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no | | [name](#input\_name) | The name to give the service account. | `string` | n/a | yes | | [notification\_channels](#input\_notification\_channels) | The list of notification channels to alert when the service account is misused. | `list(string)` | n/a | yes | | [project\_id](#input\_project\_id) | n/a | `string` | n/a | yes | From d2df65c86022ebc373019c44f6468a7f196cef35 Mon Sep 17 00:00:00 2001 From: Kenny Leung Date: Tue, 3 Sep 2024 09:12:56 -0700 Subject: [PATCH 07/10] fix Signed-off-by: Kenny Leung --- modules/bucket-events/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/bucket-events/main.tf b/modules/bucket-events/main.tf index 2f547cee..575dc731 100644 --- a/modules/bucket-events/main.tf +++ b/modules/bucket-events/main.tf @@ -56,7 +56,7 @@ resource "google_service_account_iam_binding" "allow-pubsub-to-mint-tokens" { } module "audit-delivery-serviceaccount" { - count = var.enable_laser ? 1 : 0 + count = var.enable_lasers ? 1 : 0 source = "../audit-serviceaccount" From 1d36bab99db7670da76f3be155d093bcf980898b Mon Sep 17 00:00:00 2001 
From: Kenny Leung
Date: Tue, 3 Sep 2024 09:17:03 -0700
Subject: [PATCH 08/10] lint
Signed-off-by: Kenny Leung
---
 modules/cloudevent-recorder/bigquery.tf | 2 +-
 modules/regional-service/main.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/cloudevent-recorder/bigquery.tf b/modules/cloudevent-recorder/bigquery.tf
index 2100af81..af7665f7 100644
--- a/modules/cloudevent-recorder/bigquery.tf
+++ b/modules/cloudevent-recorder/bigquery.tf
@@ -76,7 +76,7 @@ resource "google_service_account_iam_binding" "provisioner-acts-as-import-identi
 module "audit-import-serviceaccount" {
 count = var.enable_lasers ? 1 : 0
-
+
 source = "../audit-serviceaccount"
 project_id = var.project_id
diff --git a/modules/regional-service/main.tf b/modules/regional-service/main.tf
index c38adbb7..2ca51f89 100644
--- a/modules/regional-service/main.tf
+++ b/modules/regional-service/main.tf
@@ -1,5 +1,5 @@
 module "audit-serviceaccount" {
- count = var.enable_lasers ? 1 : 0
+ count = var.enable_lasers ? 1 : 0
 source = "../audit-serviceaccount"
From 5f1e83b00dc6e5f9af8881335af746321ade485f Mon Sep 17 00:00:00 2001
From: Kenny Leung
Date: Thu, 3 Oct 2024 12:48:02 -0700
Subject: [PATCH 09/10] fix
Signed-off-by: Kenny Leung
---
 modules/audit-serviceaccount/main.tf | 2 ++
 modules/bucket-events/README.md | 1 -
 modules/bucket-events/main.tf | 2 +-
 modules/bucket-events/variables.tf | 6 ----
 modules/cloudevent-recorder/README.md | 1 -
 modules/cloudevent-recorder/bigquery.tf | 2 +-
 modules/cloudevent-recorder/main.tf | 2 +-
 modules/cloudevent-recorder/variables.tf | 6 ----
 modules/cloudevent-trigger/README.md | 1 -
 modules/cloudevent-trigger/main.tf | 2 +-
 modules/cloudevent-trigger/variables.tf | 6 ----
 modules/configmap/README.md | 1 -
 modules/configmap/main.tf | 2 +-
 modules/configmap/variables.tf | 6 ----
 modules/cron/main.tf | 4 +--
 modules/github-gsa/README.md | 1 -
 modules/github-gsa/main.tf | 2 +-
 modules/github-gsa/variables.tf | 6 ----
 modules/regional-go-service/main.tf | 5 ---
 modules/regional-service/README.md | 1 -
 modules/regional-service/main.tf | 40 ++++++++++++------------
 modules/regional-service/variables.tf | 6 ----
 modules/secret/main.tf | 2 ++
 modules/serverless-gclb/main.tf | 2 +-
 modules/workqueue/dashboard.tf | 2 +-
 modules/workqueue/dispatcher.tf | 6 ++--
 modules/workqueue/main.tf | 4 +--
 modules/workqueue/outputs.tf | 2 +-
 28 files changed, 40 insertions(+), 83 deletions(-)
diff --git a/modules/audit-serviceaccount/main.tf b/modules/audit-serviceaccount/main.tf
index 48e72637..dd68f136 100644
--- a/modules/audit-serviceaccount/main.tf
+++ b/modules/audit-serviceaccount/main.tf
@@ -1,4 +1,6 @@
 resource "google_monitoring_alert_policy" "generate-access-token" {
+ count = len(var.notification_channels) > 0 ? 1 : 0
+
 # In the absence of data, incident will auto-close after an hour
 alert_strategy {
 auto_close = "3600s"
diff --git a/modules/bucket-events/README.md b/modules/bucket-events/README.md
index c291766b..18ab11e2 100644
--- a/modules/bucket-events/README.md
+++ b/modules/bucket-events/README.md
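Review bot: The new `count` removes the alert policy entirely whenever `notification_channels` is empty, so a caller that passes `[]` silently loses the token-minting detection rather than getting a policy that still records incidents in Cloud Monitoring without paging anyone; the enclosing resource continues outside the hunk. If the intent is that an alert without channels is not worth creating, that contract should be stated on the variable, e.g. `description = "Channels to notify when the service account is misused. When empty, no alert policy is created."`, so callers see the trade-off where they decide what to pass. The same silent gating is introduced in this commit in bucket-events/main.tf, cloudevent-recorder/bigquery.tf and main.tf, cloudevent-trigger/main.tf, configmap/main.tf, cron/main.tf, github-gsa/main.tf, regional-service/main.tf, secret/main.tf and serverless-gclb/main.tf. Adding `count` to this resource also changes its address to `google_monitoring_alert_policy.generate-access-token[0]`, so `moved { from = google_monitoring_alert_policy.generate-access-token to = google_monitoring_alert_policy.generate-access-token[0] }` would avoid a destroy/recreate on existing state, and any module output that references the resource needs the index as well.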
@@ -118,7 +118,6 @@ No requirements. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [bucket](#input\_bucket) | The name of the bucket to watch for events. The region where the bucket is located will be the region where the Pub/Sub topic and trampoline service will be created. The bucket must be in a region that is in the set of regions passed to the regions variable. | `string` | n/a | yes | -| [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no | | [enable\_profiler](#input\_enable\_profiler) | Enable cloud profiler. | `bool` | `false` | no | | [gcs\_event\_types](#input\_gcs\_event\_types) | The types of GCS events to watch for (https://cloud.google.com/storage/docs/pubsub-notifications#payload). | `list(string)` |
[
"OBJECT_FINALIZE",
"OBJECT_METADATA_UPDATE",
"OBJECT_DELETE",
"OBJECT_ARCHIVE"
]
| no | | [ingress](#input\_ingress) | An object holding the name of the ingress service, which can be used to authorize callers to publish cloud events. |
object({
name = string
})
| n/a | yes | diff --git a/modules/bucket-events/main.tf b/modules/bucket-events/main.tf index 575dc731..71792fea 100644 --- a/modules/bucket-events/main.tf +++ b/modules/bucket-events/main.tf @@ -56,7 +56,7 @@ resource "google_service_account_iam_binding" "allow-pubsub-to-mint-tokens" { } module "audit-delivery-serviceaccount" { - count = var.enable_lasers ? 1 : 0 + count = len(var.notification_channels) > 0 ? 1 : 0 source = "../audit-serviceaccount" diff --git a/modules/bucket-events/variables.tf b/modules/bucket-events/variables.tf index 024b669a..dc3db882 100644 --- a/modules/bucket-events/variables.tf +++ b/modules/bucket-events/variables.tf @@ -48,9 +48,3 @@ variable "enable_profiler" { default = false description = "Enable cloud profiler." } - -variable "enable_lasers" { - description = "Whether to enable alert policy for abnormal access to resource." - type = bool - default = false -} diff --git a/modules/cloudevent-recorder/README.md b/modules/cloudevent-recorder/README.md index 04aae815..ed76be57 100644 --- a/modules/cloudevent-recorder/README.md +++ b/modules/cloudevent-recorder/README.md 
@@ -137,7 +137,6 @@ No requirements. | [cloud\_storage\_config\_max\_bytes](#input\_cloud\_storage\_config\_max\_bytes) | The maximum bytes that can be written to a Cloud Storage file before a new file is created. Min 1 KB, max 10 GiB. | `number` | `1000000000` | no | | [cloud\_storage\_config\_max\_duration](#input\_cloud\_storage\_config\_max\_duration) | The maximum duration that can elapse before a new Cloud Storage file is created. Min 1 minute, max 10 minutes, default 5 minutes. | `number` | `300` | no | | [deletion\_protection](#input\_deletion\_protection) | Whether to enable deletion protection on data resources. | `bool` | `true` | no | -| [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no | | [enable\_profiler](#input\_enable\_profiler) | Enable cloud profiler. | `bool` | `false` | no | | [flush\_interval](#input\_flush\_interval) | Flush interval for logrotate, as a duration string. | `string` | `""` | no | | [ignore\_unknown\_values](#input\_ignore\_unknown\_values) | Whether to ignore unknown values in the data, when transferring data to BigQuery. | `bool` | `false` | no | diff --git a/modules/cloudevent-recorder/bigquery.tf b/modules/cloudevent-recorder/bigquery.tf index af7665f7..b5bde4b1 100644 --- a/modules/cloudevent-recorder/bigquery.tf +++ b/modules/cloudevent-recorder/bigquery.tf @@ -75,7 +75,7 @@ resource "google_service_account_iam_binding" "provisioner-acts-as-import-identi } module "audit-import-serviceaccount" { - count = var.enable_lasers ? 1 : 0 + count = len(var.notification_channels) > 0 ? 1 : 0 source = "../audit-serviceaccount" diff --git a/modules/cloudevent-recorder/main.tf b/modules/cloudevent-recorder/main.tf index 5bcb4cff..d6323e38 100644 --- a/modules/cloudevent-recorder/main.tf +++ b/modules/cloudevent-recorder/main.tf 
@@ -51,7 +51,7 @@ resource "google_storage_bucket" "recorder" { data "google_client_openid_userinfo" "me" {} resource "google_monitoring_alert_policy" "bucket-access" { - count = var.enable_lasers ? 1 : 0 + count = len(var.notification_channels) > 0 ? 1 : 0 # In the absence of data, incident will auto-close after an hour alert_strategy { diff --git a/modules/cloudevent-recorder/variables.tf b/modules/cloudevent-recorder/variables.tf index f9ab7ced..16711a33 100644 --- a/modules/cloudevent-recorder/variables.tf +++ b/modules/cloudevent-recorder/variables.tf @@ -143,9 +143,3 @@ variable "flush_interval" { type = string default = "" } - -variable "enable_lasers" { - description = "Whether to enable alert policy for abnormal access to resource." - type = bool - default = false -} diff --git a/modules/cloudevent-trigger/README.md b/modules/cloudevent-trigger/README.md index 2ce9f3ac..a687da20 100644 --- a/modules/cloudevent-trigger/README.md +++ b/modules/cloudevent-trigger/README.md @@ -115,7 +115,6 @@ No requirements. |------|-------------|------|---------|:--------:| | [ack\_deadline\_seconds](#input\_ack\_deadline\_seconds) | The deadline for acking a message. | `number` | `300` | no | | [broker](#input\_broker) | The name of the pubsub topic we are using as a broker. | `string` | n/a | yes | -| [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no | | [filter](#input\_filter) | A Knative Trigger-style filter over the cloud event attributes.

This is normally used to filter relevant event types, for example:

{ "type" : "dev.chainguard.foo" }

In this case, only events with a type attribute of "dev.chainguard.foo" will be delivered. | `map(string)` | `{}` | no | | [filter\_has\_attributes](#input\_filter\_has\_attributes) | A Knative Trigger-style filter over the cloud event attribute prefixes.

This can be used to filter on the presence of an event attribute, for example:

["location"]

In this case, any event with a type attribute of "location" will be delivered. | `list(string)` | `[]` | no | | [filter\_not\_has\_attributes](#input\_filter\_not\_has\_attributes) | A Knative Trigger-style filter over the cloud event attribute prefixes.

This can be used to filter on the absence of an event attribute, for example:

["location"]

In this case, any event with a type attribute of "location" will NOT be delivered. | `list(string)` | `[]` | no | diff --git a/modules/cloudevent-trigger/main.tf b/modules/cloudevent-trigger/main.tf index ba05c1e3..c107c452 100644 --- a/modules/cloudevent-trigger/main.tf +++ b/modules/cloudevent-trigger/main.tf @@ -31,7 +31,7 @@ resource "google_service_account_iam_binding" "allow-pubsub-to-mint-tokens" { } module "audit-trigger-serviceaccount" { - count = var.enable_lasers ? 1 : 0 + count = len(var.notification_channels) > 0 ? 1 : 0 source = "../audit-serviceaccount" diff --git a/modules/cloudevent-trigger/variables.tf b/modules/cloudevent-trigger/variables.tf index 2e745b72..ffdabc96 100644 --- a/modules/cloudevent-trigger/variables.tf +++ b/modules/cloudevent-trigger/variables.tf @@ -109,9 +109,3 @@ variable "ack_deadline_seconds" { type = number default = 300 } - -variable "enable_lasers" { - description = "Whether to enable alert policy for abnormal access to resource." - type = bool - default = false -} diff --git a/modules/configmap/README.md b/modules/configmap/README.md index a12cc3f0..165eff69 100644 --- a/modules/configmap/README.md +++ b/modules/configmap/README.md @@ -89,7 +89,6 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [data](#input\_data) | The data to place in the secret. | `string` | n/a | yes | -| [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no | | [name](#input\_name) | The name to give the secret. | `string` | n/a | yes | | [notification-channels](#input\_notification-channels) | The channels to notify if the configuration data is improperly accessed. | `list(string)` | n/a | yes | | [project\_id](#input\_project\_id) | n/a | `string` | n/a | yes | diff --git a/modules/configmap/main.tf b/modules/configmap/main.tf index 418ce500..2dbfe085 100644 --- a/modules/configmap/main.tf 
+++ b/modules/configmap/main.tf
@@ -30,7 +30,7 @@ data "google_client_openid_userinfo" "me" {}
 // Create an alert policy to notify if the secret is accessed by an unauthorized entity.
 resource "google_monitoring_alert_policy" "anomalous-secret-access" {
- count = var.enable_lasers ? 1 : 0
+ count = len(var.notification_channels) > 0 ? 1 : 0
 # In the absence of data, incident will auto-close after an hour
 alert_strategy {
diff --git a/modules/configmap/variables.tf b/modules/configmap/variables.tf
index 5e8bdc90..f46502be 100644
--- a/modules/configmap/variables.tf
+++ b/modules/configmap/variables.tf
@@ -21,9 +21,3 @@ variable "notification-channels" {
 description = "The channels to notify if the configuration data is improperly accessed."
 type = list(string)
 }
-
-variable "enable_lasers" {
- description = "Whether to enable alert policy for abnormal access to resource."
- type = bool
- default = false
-}
diff --git a/modules/cron/main.tf b/modules/cron/main.tf
index df5b01dd..7bc95d5d 100644
--- a/modules/cron/main.tf
+++ b/modules/cron/main.tf
@@ -218,7 +218,7 @@ resource "google_service_account" "delivery" {
 }
 module "audit-delivery-serviceaccount" {
- count = var.enable_lasers ? 1 : 0
+ count = len(var.notification_channels) > 0 ? 1 : 0
 source = "../audit-serviceaccount"
@@ -284,7 +284,7 @@ data "google_client_openid_userinfo" "me" {}
 // Create an alert policy to notify if the job is accessed by an unauthorized entity.
 resource "google_monitoring_alert_policy" "anomalous-job-access" {
- count = var.enable_lasers ? 1 : 0
+ count = len(var.notification_channels) > 0 ? 1 : 0
 # In the absence of data, incident will auto-close after an hour
 alert_strategy {
diff --git a/modules/github-gsa/README.md b/modules/github-gsa/README.md
index 796e9355..2182640c 100644
--- a/modules/github-gsa/README.md
+++ b/modules/github-gsa/README.md
@@ -59,7 +59,6 @@ No requirements.
 |------|-------------|------|---------|:--------:|
 | [audit\_refspec](#input\_audit\_refspec) | The regular expression to use for auditing the refspec component when using '*' | `string` | `""` | no |
 | [audit\_workflow\_ref](#input\_audit\_workflow\_ref) | The regular expression to use for auditing the workflow ref component when using '*' | `string` | `""` | no |
-| [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no |
 | [name](#input\_name) | The name to give the service account. | `string` | n/a | yes |
 | [notification\_channels](#input\_notification\_channels) | The list of notification channels to alert when the service account is misused. | `list(string)` | n/a | yes |
 | [project\_id](#input\_project\_id) | n/a | `string` | n/a | yes |
diff --git a/modules/github-gsa/main.tf b/modules/github-gsa/main.tf
index 1c3f69de..a8dcd128 100644
--- a/modules/github-gsa/main.tf
+++ b/modules/github-gsa/main.tf
@@ -136,7 +136,7 @@ resource "google_service_account_iam_binding" "allow-impersonation" {
 // Create an auditing policy to ensure that tokens are only issued for identities
 // matching our expectations.
 module "audit-usage" {
- count = var.enable_lasers ? 1 : 0
+ count = len(var.notification_channels) > 0 ? 1 : 0
 source = "../audit-serviceaccount"
diff --git a/modules/github-gsa/variables.tf b/modules/github-gsa/variables.tf
index 393095ff..2c54339b 100644
--- a/modules/github-gsa/variables.tf
+++ b/modules/github-gsa/variables.tf
@@ -50,9 +50,3 @@ variable "notification_channels" {
 description = "The list of notification channels to alert when the service account is misused."
 type = list(string)
 }
-
-variable "enable_lasers" {
- description = "Whether to enable alert policy for abnormal access to resource."
- type = bool
- default = false
-}
diff --git a/modules/regional-go-service/main.tf b/modules/regional-go-service/main.tf index e8cba60d..68f6a8c9 100644 --- a/modules/regional-go-service/main.tf +++ b/modules/regional-go-service/main.tf @@ -5,11 +5,6 @@ terraform { } } -moved { - from = module.audit-serviceaccount - to = module.this.module.audit-serviceaccount -} - moved { from = google_project_iam_member.metrics-writer to = module.this.google_project_iam_member.metrics-writer diff --git a/modules/regional-service/README.md b/modules/regional-service/README.md index 41fbea09..d732ef28 100644 --- a/modules/regional-service/README.md +++ b/modules/regional-service/README.md @@ -89,7 +89,6 @@ No requirements. | [containers](#input\_containers) | The containers to run in the service. Each container will be run in each region. |
map(object({
image = string
args = optional(list(string), [])
ports = optional(list(object({
name = optional(string, "http1")
container_port = number
})), [])
resources = optional(
object(
{
limits = optional(object(
{
cpu = string
memory = string
}
), null)
cpu_idle = optional(bool, true)
startup_cpu_boost = optional(bool, true)
}
),
{
cpu_idle = true
}
)
env = optional(list(object({
name = string
value = optional(string)
value_source = optional(object({
secret_key_ref = object({
secret = string
version = string
})
}), null)
})), [])
regional-env = optional(list(object({
name = string
value = map(string)
})), [])
volume_mounts = optional(list(object({
name = string
mount_path = string
})), [])
}))
| n/a | yes | | [deletion\_protection](#input\_deletion\_protection) | Whether to enable delete protection for the service. | `bool` | `true` | no | | [egress](#input\_egress) | Which type of egress traffic to send through the VPC.

- ALL\_TRAFFIC sends all traffic through regional VPC network
- PRIVATE\_RANGES\_ONLY sends only traffic to private IP addresses through regional VPC network | `string` | `"ALL_TRAFFIC"` | no | -| [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no | | [enable\_profiler](#input\_enable\_profiler) | Enable cloud profiler. | `bool` | `false` | no | | [execution\_environment](#input\_execution\_environment) | The execution environment for the service | `string` | `"EXECUTION_ENVIRONMENT_GEN1"` | no | | [ingress](#input\_ingress) | Which type of ingress traffic to accept for the service.

- INGRESS\_TRAFFIC\_ALL accepts all traffic, enabling the public .run.app URL for the service
- INGRESS\_TRAFFIC\_INTERNAL\_LOAD\_BALANCER accepts traffic only from a load balancer
- INGRESS\_TRAFFIC\_INTERNAL\_ONLY accepts internal traffic only | `string` | `"INGRESS_TRAFFIC_INTERNAL_ONLY"` | no | diff --git a/modules/regional-service/main.tf b/modules/regional-service/main.tf index 2ca51f89..3cf1fc23 100644 --- a/modules/regional-service/main.tf +++ b/modules/regional-service/main.tf @@ -1,5 +1,5 @@ module "audit-serviceaccount" { - count = var.enable_lasers ? 1 : 0 + count = len(var.notification_channels) > 0 ? 1 : 0 source = "../audit-serviceaccount" @@ -284,7 +284,7 @@ data "google_client_openid_userinfo" "me" {} // Create an alert policy to notify if the service is accessed by an unauthorized entity. resource "google_monitoring_alert_policy" "anomalous-service-access" { - count = var.enable_lasers ? 1 : 0 + count = len(var.notification_channels) > 0 ? 1 : 0 # In the absence of data, incident will auto-close after an hour alert_strategy { 
@@ -306,35 +306,35 @@ resource "google_monitoring_alert_policy" "anomalous-service-access" { logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Factivity" protoPayload.serviceName="run.googleapis.com" protoPayload.resourceName=("${join("\" OR \"", concat([ - "namespaces/${var.project_id}/services/${var.name}" - ], - [ - for region in keys(var.regions) : "projects/${var.project_id}/locations/${region}/services/${var.name}" - ]))}") + "namespaces/${var.project_id}/services/${var.name}" + ], + [ + for region in keys(var.regions) : "projects/${var.project_id}/locations/${region}/services/${var.name}" + ]))}") -- Allow CI to reconcile services and their IAM policies. -( protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}" protoPayload.methodName=("${join("\" OR \"", [ - "google.cloud.run.v2.Services.CreateService", - "google.cloud.run.v2.Services.UpdateService", - "google.cloud.run.v2.Services.SetIamPolicy", - ])}") + "google.cloud.run.v2.Services.CreateService", + "google.cloud.run.v2.Services.UpdateService", + "google.cloud.run.v2.Services.SetIamPolicy", +])}") ) EOT - label_extractors = { - "email" = "EXTRACT(protoPayload.authenticationInfo.principalEmail)" - "method_name" = "EXTRACT(protoPayload.methodName)" - "user_agent" = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")" - } - } +label_extractors = { + "email" = "EXTRACT(protoPayload.authenticationInfo.principalEmail)" + "method_name" = "EXTRACT(protoPayload.methodName)" + "user_agent" = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")" +} +} } - notification_channels = var.notification_channels +notification_channels = var.notification_channels - enabled = "true" - project = var.project_id +enabled = "true" +project = var.project_id } // When the service is behind a load balancer, then it is publicly exposed and responsible 
diff --git a/modules/regional-service/variables.tf b/modules/regional-service/variables.tf index e8ad0cf8..a4e57195 100644 --- a/modules/regional-service/variables.tf +++ b/modules/regional-service/variables.tf @@ -180,9 +180,3 @@ variable "enable_profiler" { default = false description = "Enable cloud profiler." } - -variable "enable_lasers" { - description = "Whether to enable alert policy for abnormal access to resource." - type = bool - default = false -} diff --git a/modules/secret/main.tf b/modules/secret/main.tf index 3beb9ff4..67cdf573 100644 --- a/modules/secret/main.tf +++ b/modules/secret/main.tf @@ -41,6 +41,8 @@ data "google_project" "project" { project_id = var.project_id } // Create an alert policy to notify if the secret is accessed by an unauthorized entity. resource "google_monitoring_alert_policy" "anomalous-secret-access" { + count = len(var.notification_channels) > 0 ? 1 : 0 + # In the absence of data, incident will auto-close after an hour alert_strategy { auto_close = "3600s" diff --git a/modules/serverless-gclb/main.tf b/modules/serverless-gclb/main.tf index 8170ddb1..9155d20d 100644 --- a/modules/serverless-gclb/main.tf +++ b/modules/serverless-gclb/main.tf @@ -166,7 +166,7 @@ locals { } resource "google_monitoring_alert_policy" "abnormal-gclb-access" { - count = var.enable_lasers ? 1 : 0 + count = len(var.notification_channels) > 0 ? 1 : 0 # In the absence of data, incident will auto-close after an hour alert_strategy { diff --git a/modules/workqueue/dashboard.tf b/modules/workqueue/dashboard.tf index ba748834..0885861e 100644 --- a/modules/workqueue/dashboard.tf +++ b/modules/workqueue/dashboard.tf 
@@ -48,7 +48,7 @@ module "work-added" {
 "metric.type=\"prometheus.googleapis.com/workqueue_added_keys_total/counter\"",
 "metric.label.\"service_name\"=\"${var.name}-rcv\"",
 ]
- group_by_fields = ["metric.label.\"service_name\""]
+ group_by_fields = ["metric.label.\"service_name\""]
 primary_align = "ALIGN_RATE"
 primary_reduce = "REDUCE_NONE"
 secondary_align = "ALIGN_NONE"
diff --git a/modules/workqueue/dispatcher.tf b/modules/workqueue/dispatcher.tf
index 4e64fb9d..864d9898 100644
--- a/modules/workqueue/dispatcher.tf
+++ b/modules/workqueue/dispatcher.tf
@@ -47,7 +47,7 @@ module "dispatcher-service" {
 importpath = "github.com/chainguard-dev/terraform-infra-common/modules/workqueue/cmd/dispatcher"
 }
 ports = [{
- name = "h2c"
+ name = "h2c"
 container_port = 8080
 }]
 env = [
@@ -99,7 +99,7 @@ module "cron-trigger-calls-dispatcher" {
 source = "../authorize-private-service"
- depends_on = [ module.dispatcher-service ]
+ depends_on = [module.dispatcher-service]
 project_id = var.project_id
 region = each.key
@@ -171,7 +171,7 @@ module "change-trigger-calls-dispatcher" {
 source = "../authorize-private-service"
- depends_on = [ module.dispatcher-service ]
+ depends_on = [module.dispatcher-service]
 project_id = var.project_id
 region = each.key
diff --git a/modules/workqueue/main.tf b/modules/workqueue/main.tf
index 139cd9da..0ddf3fc4 100644
--- a/modules/workqueue/main.tf
+++ b/modules/workqueue/main.tf
@@ -18,7 +18,7 @@ resource "google_storage_bucket_iam_binding" "authorize-access" {
 for_each = var.regions
 bucket = google_storage_bucket.workqueue[each.key].name
- role = "roles/storage.admin"
+ role = "roles/storage.admin"
 members = [
 "serviceAccount:${google_service_account.receiver.email}",
 "serviceAccount:${google_service_account.dispatcher.email}",
@@ -48,7 +48,7 @@ resource "google_pubsub_topic_iam_binding" "gcs-publishes-to-topic" {
 resource "google_storage_notification" "object-change-notifications" {
 for_each = var.regions
- depends_on = [ google_pubsub_topic_iam_binding.gcs-publishes-to-topic ]
+ depends_on = [google_pubsub_topic_iam_binding.gcs-publishes-to-topic]
 bucket = google_storage_bucket.workqueue[each.key].name
 payload_format = "JSON_API_V1"
diff --git a/modules/workqueue/outputs.tf b/modules/workqueue/outputs.tf
index a6036c51..da277eb6 100644
--- a/modules/workqueue/outputs.tf
+++ b/modules/workqueue/outputs.tf
@@ -1,5 +1,5 @@
 output "receiver" {
- depends_on = [ module.receiver-service ]
+ depends_on = [module.receiver-service]
 value = {
 name = "${var.name}-rcv"
 }
From 98d97660849305a79ff7571943a4fdc4d61b5ad5 Mon Sep 17 00:00:00 2001
From: Kenny Leung
Date: Thu, 3 Oct 2024 13:04:43 -0700
Subject: [PATCH 10/10] fix
Signed-off-by: Kenny Leung
---
 modules/audit-serviceaccount/main.tf | 2 +-
 modules/bucket-events/main.tf | 2 +-
 modules/cloudevent-recorder/bigquery.tf | 2 +-
 modules/cloudevent-recorder/main.tf | 2 +-
 modules/cloudevent-trigger/main.tf | 2 +-
 modules/configmap/README.md | 4 ++--
 modules/configmap/main.tf | 4 ++--
 modules/configmap/variables.tf | 2 +-
 modules/cron/main.tf | 4 +--
 modules/github-events/main.tf | 2 +-
 modules/github-gsa/main.tf | 2 +-
 modules/regional-service/main.tf | 4 ++--
 modules/secret/README.md | 4 ++--
 modules/secret/main.tf | 4 ++--
 modules/secret/variables.tf | 2 +-
 modules/serverless-gclb/main.tf | 2 +-
 16 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/modules/audit-serviceaccount/main.tf b/modules/audit-serviceaccount/main.tf
index dd68f136..cbb75ffd 100644
--- a/modules/audit-serviceaccount/main.tf
+++ b/modules/audit-serviceaccount/main.tf
@@ -1,5 +1,5 @@ resource "google_monitoring_alert_policy" "generate-access-token" { - count = len(var.notification_channels) > 0 ? 1 : 0 + count = length(var.notification_channels) > 0 ? 1 : 0 # In the absence of data, incident will auto-close after an hour alert_strategy { diff --git a/modules/bucket-events/main.tf b/modules/bucket-events/main.tf index 71792fea..77ae5e9c 100644 --- a/modules/bucket-events/main.tf +++ b/modules/bucket-events/main.tf @@ -56,7 +56,7 @@ resource "google_service_account_iam_binding" "allow-pubsub-to-mint-tokens" { } module "audit-delivery-serviceaccount" { - count = len(var.notification_channels) > 0 ? 1 : 0 + count = length(var.notification_channels) > 0 ? 1 : 0 source = "../audit-serviceaccount" diff --git a/modules/cloudevent-recorder/bigquery.tf b/modules/cloudevent-recorder/bigquery.tf index b5bde4b1..c2b85b7c 100644 --- a/modules/cloudevent-recorder/bigquery.tf +++ b/modules/cloudevent-recorder/bigquery.tf @@ -75,7 +75,7 @@ resource "google_service_account_iam_binding" "provisioner-acts-as-import-identi } module "audit-import-serviceaccount" { - count = len(var.notification_channels) > 0 ? 1 : 0 + count = length(var.notification_channels) > 0 ? 1 : 0 source = "../audit-serviceaccount" diff --git a/modules/cloudevent-recorder/main.tf b/modules/cloudevent-recorder/main.tf index d6323e38..645d0129 100644 --- a/modules/cloudevent-recorder/main.tf +++ b/modules/cloudevent-recorder/main.tf @@ -51,7 +51,7 @@ resource "google_storage_bucket" "recorder" { data "google_client_openid_userinfo" "me" {} resource "google_monitoring_alert_policy" "bucket-access" { - count = len(var.notification_channels) > 0 ? 1 : 0 + count = length(var.notification_channels) > 0 ? 1 : 0 # In the absence of data, incident will auto-close after an hour alert_strategy { diff --git a/modules/cloudevent-trigger/main.tf b/modules/cloudevent-trigger/main.tf index c107c452..a79115c7 100644 --- a/modules/cloudevent-trigger/main.tf 
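Review bot: The `count` on `google_monitoring_alert_policy.generate-access-token` makes the detection control itself disappear when `var.notification_channels` is empty, and nothing at the resource or the variable says so; a caller who passes `[]` gets no alert policy at all, not an alert with no recipients. The same gate is repeated on `bucket-access`, `anomalous-secret-access` (configmap and secret), `anomalous-job-access`, `anomalous-service-access`, `abnormal-gclb-access` and on every `module "audit-*"` block in this patch, so the same comment belongs above each `count`: `# No notification channels => no alert policy: anomalous access is then undetected, not merely unreported.` The inner gate in audit-serviceaccount is also applied at its callers (`module "audit-delivery-serviceaccount"` and siblings use the identical expression), which is harmless but redundant if they forward the same list — worth confirming so the two do not drift apart.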
+++ b/modules/cloudevent-trigger/main.tf @@ -31,7 +31,7 @@ resource "google_service_account_iam_binding" "allow-pubsub-to-mint-tokens" { } module "audit-trigger-serviceaccount" { - count = len(var.notification_channels) > 0 ? 1 : 0 + count = length(var.notification_channels) > 0 ? 1 : 0 source = "../audit-serviceaccount" diff --git a/modules/configmap/README.md b/modules/configmap/README.md index 165eff69..2c845283 100644 --- a/modules/configmap/README.md +++ b/modules/configmap/README.md @@ -22,7 +22,7 @@ module "my-configmap" { EOT # Optionally: channels to notify if this configuration is manipulated. - notification-channels = [ ... ] + notification_channels = [ ... ] } module "foo-service" { @@ -90,7 +90,7 @@ No modules. |------|-------------|------|---------|:--------:| | [data](#input\_data) | The data to place in the secret. | `string` | n/a | yes | | [name](#input\_name) | The name to give the secret. | `string` | n/a | yes | -| [notification-channels](#input\_notification-channels) | The channels to notify if the configuration data is improperly accessed. | `list(string)` | n/a | yes | +| [notification\_channels](#input\_notification\_channels) | The channels to notify if the configuration data is improperly accessed. | `list(string)` | n/a | yes | | [project\_id](#input\_project\_id) | n/a | `string` | n/a | yes | | [service-account](#input\_service-account) | The email of the service account that will access the secret. | `string` | n/a | yes | diff --git a/modules/configmap/main.tf b/modules/configmap/main.tf index 2dbfe085..79481eee 100644 --- a/modules/configmap/main.tf +++ b/modules/configmap/main.tf 
@@ -30,7 +30,7 @@ data "google_client_openid_userinfo" "me" {} // Create an alert policy to notify if the secret is accessed by an unauthorized entity. resource "google_monitoring_alert_policy" "anomalous-secret-access" { - count = len(var.notification_channels) > 0 ? 1 : 0 + count = length(var.notification_channels) > 0 ? 1 : 0 # In the absence of data, incident will auto-close after an hour alert_strategy { @@ -77,7 +77,7 @@ resource "google_monitoring_alert_policy" "anomalous-secret-access" { } } - notification_channels = var.notification-channels + notification_channels = var.notification_channels enabled = "true" project = var.project_id diff --git a/modules/configmap/variables.tf b/modules/configmap/variables.tf index f46502be..47de0f04 100644 --- a/modules/configmap/variables.tf +++ b/modules/configmap/variables.tf @@ -17,7 +17,7 @@ variable "service-account" { type = string } -variable "notification-channels" { +variable "notification_channels" { description = "The channels to notify if the configuration data is improperly accessed." type = list(string) } diff --git a/modules/cron/main.tf b/modules/cron/main.tf index 7bc95d5d..3e70d16a 100644 --- a/modules/cron/main.tf +++ b/modules/cron/main.tf @@ -218,7 +218,7 @@ resource "google_service_account" "delivery" { } module "audit-delivery-serviceaccount" { - count = len(var.notification_channels) > 0 ? 1 : 0 + count = length(var.notification_channels) > 0 ? 1 : 0 source = "../audit-serviceaccount" @@ -284,7 +284,7 @@ data "google_client_openid_userinfo" "me" {} // Create an alert policy to notify if the job is accessed by an unauthorized entity. resource "google_monitoring_alert_policy" "anomalous-job-access" { - count = len(var.notification_channels) > 0 ? 1 : 0 + count = length(var.notification_channels) > 0 ? 1 : 0 # In the absence of data, incident will auto-close after an hour alert_strategy { diff --git a/modules/github-events/main.tf b/modules/github-events/main.tf index eaad5f58..3a92bfc0 100644 
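Review bot: `var.notification_channels` in configmap/variables.tf has no `default`, so it is required, while the README example in this same patch introduces it with `# Optionally: channels to notify …` and the input table marks it required; the two disagree, and the `count` gate on `anomalous-secret-access` here only takes effect if a caller passes an explicit `[]`. Pick one — drop "Optionally" from the README, or add `default = []` — and in either case state the consequence on the variable, e.g. `description = "The channels to notify if the configuration data is improperly accessed; an empty list disables the anomalous-access alert policy."` The rename also leaves this module's inputs in mixed style: `service-account` keeps its hyphen while `notification_channels` alone moves to an underscore, so callers must remember which is which. The same points apply to modules/secret/variables.tf and its README further down in this patch.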
--- a/modules/github-events/main.tf +++ b/modules/github-events/main.tf @@ -21,7 +21,7 @@ module "webhook-secret" { service-account = google_service_account.service.email authorized-adder = var.secret_version_adder - notification-channels = var.notification_channels + notification_channels = var.notification_channels } module "this" { diff --git a/modules/github-gsa/main.tf b/modules/github-gsa/main.tf index a8dcd128..33547c00 100644 --- a/modules/github-gsa/main.tf +++ b/modules/github-gsa/main.tf @@ -136,7 +136,7 @@ resource "google_service_account_iam_binding" "allow-impersonation" { // Create an auditing policy to ensure that tokens are only issued for identities // matching our expectations. module "audit-usage" { - count = len(var.notification_channels) > 0 ? 1 : 0 + count = length(var.notification_channels) > 0 ? 1 : 0 source = "../audit-serviceaccount" diff --git a/modules/regional-service/main.tf b/modules/regional-service/main.tf index 3cf1fc23..0cb60d94 100644 --- a/modules/regional-service/main.tf +++ b/modules/regional-service/main.tf @@ -1,5 +1,5 @@ module "audit-serviceaccount" { - count = len(var.notification_channels) > 0 ? 1 : 0 + count = length(var.notification_channels) > 0 ? 1 : 0 source = "../audit-serviceaccount" @@ -284,7 +284,7 @@ data "google_client_openid_userinfo" "me" {} // Create an alert policy to notify if the service is accessed by an unauthorized entity. resource "google_monitoring_alert_policy" "anomalous-service-access" { - count = len(var.notification_channels) > 0 ? 1 : 0 + count = length(var.notification_channels) > 0 ? 1 : 0 # In the absence of data, incident will auto-close after an hour alert_strategy { diff --git a/modules/secret/README.md b/modules/secret/README.md index 5856a0f0..309cd794 100644 --- a/modules/secret/README.md +++ b/modules/secret/README.md 
@@ -21,7 +21,7 @@ module "my-secret" { authorized-adder = "group:oncall@my-corp.dev" # Optionally: channels to notify if this secret is manipulated. - notification-channels = [ ... ] + notification_channels = [ ... ] } module "foo-service" { @@ -90,7 +90,7 @@ No modules. | [authorized-adder](#input\_authorized-adder) | A member-style representation of the identity authorized to add new secret values (e.g. group:oncall@my-corp.dev). | `string` | n/a | yes | | [create\_placeholder\_version](#input\_create\_placeholder\_version) | Whether to create a placeholder secret version to avoid bad reference on first deploy. | `bool` | `false` | no | | [name](#input\_name) | The name to give the secret. | `string` | n/a | yes | -| [notification-channels](#input\_notification-channels) | The channels to notify if the configuration data is improperly accessed. | `list(string)` | n/a | yes | +| [notification\_channels](#input\_notification\_channels) | The channels to notify if the configuration data is improperly accessed. | `list(string)` | n/a | yes | | [project\_id](#input\_project\_id) | n/a | `string` | n/a | yes | | [service-account](#input\_service-account) | The email of the service account that will access the secret. | `string` | n/a | yes | diff --git a/modules/secret/main.tf b/modules/secret/main.tf index 67cdf573..c5a5167c 100644 --- a/modules/secret/main.tf +++ b/modules/secret/main.tf @@ -41,7 +41,7 @@ data "google_project" "project" { project_id = var.project_id } // Create an alert policy to notify if the secret is accessed by an unauthorized entity. resource "google_monitoring_alert_policy" "anomalous-secret-access" { - count = len(var.notification_channels) > 0 ? 1 : 0 + count = length(var.notification_channels) > 0 ? 1 : 0 # In the absence of data, incident will auto-close after an hour alert_strategy { 
@@ -82,7 +82,7 @@ resource "google_monitoring_alert_policy" "anomalous-secret-access" { } } - notification_channels = var.notification-channels + notification_channels = var.notification_channels enabled = "true" project = var.project_id diff --git a/modules/secret/variables.tf b/modules/secret/variables.tf index 89c6a005..f0df212f 100644 --- a/modules/secret/variables.tf +++ b/modules/secret/variables.tf @@ -17,7 +17,7 @@ variable "service-account" { type = string } -variable "notification-channels" { +variable "notification_channels" { description = "The channels to notify if the configuration data is improperly accessed." type = list(string) } diff --git a/modules/serverless-gclb/main.tf b/modules/serverless-gclb/main.tf index 9155d20d..d385e35a 100644 --- a/modules/serverless-gclb/main.tf +++ b/modules/serverless-gclb/main.tf @@ -166,7 +166,7 @@ locals { } resource "google_monitoring_alert_policy" "abnormal-gclb-access" { - count = len(var.notification_channels) > 0 ? 1 : 0 + count = length(var.notification_channels) > 0 ? 1 : 0 # In the absence of data, incident will auto-close after an hour alert_strategy {