make lasers optional, off by default
Signed-off-by: Kenny Leung <kleung@chainguard.dev>
k4leung4 committed Sep 3, 2024
1 parent b6910e1 commit 82be86f
Showing 15 changed files with 64 additions and 19 deletions.
1 change: 1 addition & 0 deletions modules/cloudevent-recorder/README.md
@@ -136,6 +136,7 @@ No requirements.
| <a name="input_cloud_storage_config_max_bytes"></a> [cloud\_storage\_config\_max\_bytes](#input\_cloud\_storage\_config\_max\_bytes) | The maximum bytes that can be written to a Cloud Storage file before a new file is created. Min 1 KB, max 10 GiB. | `number` | `1000000000` | no |
| <a name="input_cloud_storage_config_max_duration"></a> [cloud\_storage\_config\_max\_duration](#input\_cloud\_storage\_config\_max\_duration) | The maximum duration that can elapse before a new Cloud Storage file is created. Min 1 minute, max 10 minutes, default 5 minutes. | `number` | `300` | no |
| <a name="input_deletion_protection"></a> [deletion\_protection](#input\_deletion\_protection) | Whether to enable deletion protection on data resources. | `bool` | `true` | no |
| <a name="input_enable_lasers"></a> [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no |
| <a name="input_enable_profiler"></a> [enable\_profiler](#input\_enable\_profiler) | Enable cloud profiler. | `bool` | `false` | no |
| <a name="input_flush_interval"></a> [flush\_interval](#input\_flush\_interval) | Flush interval for logrotate, as a duration string. | `string` | `""` | no |
| <a name="input_ignore_unknown_values"></a> [ignore\_unknown\_values](#input\_ignore\_unknown\_values) | Whether to ignore unknown values in the data, when transferring data to BigQuery. | `bool` | `false` | no |
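Review bot: the name `enable_lasers` tells a module consumer nothing about what it gates, and the description `Whether to enable alert policy for abnormal access to resource.` is the same generic sentence used for all five modules in this commit even though each one gates a different alert (here `google_monitoring_alert_policy.bucket-access` on the recorder bucket). Either rename to something descriptive such as `enable_access_alerts` (a suggestion, not an existing name) or at least make each description name its resource, e.g. `Whether to create the alert policy that fires on anomalous access to the recorder bucket.`; since this table is terraform-docs output, the wording fix belongs in `variables.tf`.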
2 changes: 2 additions & 0 deletions modules/cloudevent-recorder/main.tf
@@ -51,6 +51,8 @@ resource "google_storage_bucket" "recorder" {
data "google_client_openid_userinfo" "me" {}

resource "google_monitoring_alert_policy" "bucket-access" {
count = var.enable_lasers ? 1 : 0

# In the absence of data, incident will auto-close after an hour
alert_strategy {
auto_close = "3600s"
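Review bot: adding `count` moves this resource from the address `google_monitoring_alert_policy.bucket-access` to `google_monitoring_alert_policy.bucket-access[0]`, and with the new default of `false` every existing consumer of the module will have the alert policy destroyed on their next apply unless they opt in first, so this is a silent loss of detection coverage rather than a no-op refactor. Add a `moved` block so consumers who set `enable_lasers = true` keep their existing policy instead of a destroy/create: `moved { from = google_monitoring_alert_policy.bucket-access` / `to = google_monitoring_alert_policy.bucket-access[0] }`, and state in the commit message and README that the flag must be set to retain the alert. The same applies to the four other alert policies gated in this commit.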
6 changes: 6 additions & 0 deletions modules/cloudevent-recorder/variables.tf
@@ -143,3 +143,9 @@ variable "flush_interval" {
type = string
default = ""
}

variable "enable_lasers" {
description = "Whether to enable alert policy for abnormal access to resource."
type = bool
default = false
}
1 change: 1 addition & 0 deletions modules/configmap/README.md
@@ -89,6 +89,7 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_data"></a> [data](#input\_data) | The data to place in the secret. | `string` | n/a | yes |
| <a name="input_enable_lasers"></a> [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no |
| <a name="input_name"></a> [name](#input\_name) | The name to give the secret. | `string` | n/a | yes |
| <a name="input_notification-channels"></a> [notification-channels](#input\_notification-channels) | The channels to notify if the configuration data is improperly accessed. | `list(string)` | n/a | yes |
| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | n/a | `string` | n/a | yes |
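Review bot: `notification-channels` is still required (`n/a`, `yes`) although its only visible consumer, the `anomalous-secret-access` alert policy, is now off by default, so every caller must keep supplying channels that go unused unless they opt in. If nothing else in the module reads it, give it `default = []` and add a `lifecycle { precondition { ... } }` on the alert policy requiring a non-empty list whenever `enable_lasers` is true, so opting in without channels fails at plan time instead of creating an alert nobody receives. Minor: this module spells the variable `notification-channels` while regional-service and serverless-gclb use `notification_channels`.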
2 changes: 2 additions & 0 deletions modules/configmap/main.tf
@@ -30,6 +30,8 @@ data "google_client_openid_userinfo" "me" {}

// Create an alert policy to notify if the secret is accessed by an unauthorized entity.
resource "google_monitoring_alert_policy" "anomalous-secret-access" {
count = var.enable_lasers ? 1 : 0

# In the absence of data, incident will auto-close after an hour
alert_strategy {
auto_close = "3600s"
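Review bot: the comment on the line above, `// Create an alert policy to notify if the secret is accessed by an unauthorized entity.`, is now only true when `enable_lasers` is set; update it (e.g. `// When enable_lasers is set, create an alert policy to notify if the secret is accessed by an unauthorized entity.`) so the next reader does not assume the detection is always present. The matching comments in `modules/cron/main.tf` and `modules/regional-service/main.tf` have the same problem.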
6 changes: 6 additions & 0 deletions modules/configmap/variables.tf
@@ -21,3 +21,9 @@ variable "notification-channels" {
description = "The channels to notify if the configuration data is improperly accessed."
type = list(string)
}

variable "enable_lasers" {
description = "Whether to enable alert policy for abnormal access to resource."
type = bool
default = false
}
1 change: 1 addition & 0 deletions modules/cron/README.md
@@ -101,6 +101,7 @@ No modules.
|------|-------------|------|---------|:--------:|
| <a name="input_base_image"></a> [base\_image](#input\_base\_image) | The base image that will be used to build the container image. | `string` | `"cgr.dev/chainguard/static:latest-glibc"` | no |
| <a name="input_cpu"></a> [cpu](#input\_cpu) | The CPU limit for the job. | `string` | `"1000m"` | no |
| <a name="input_enable_lasers"></a> [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no |
| <a name="input_enable_otel_sidecar"></a> [enable\_otel\_sidecar](#input\_enable\_otel\_sidecar) | Enable otel sidecar for metrics | `bool` | `false` | no |
| <a name="input_env"></a> [env](#input\_env) | A map of custom environment variables (e.g. key=value) | `map` | `{}` | no |
| <a name="input_exec"></a> [exec](#input\_exec) | Whether to execute job on modify. | `bool` | `false` | no |
2 changes: 2 additions & 0 deletions modules/cron/main.tf
@@ -252,6 +252,8 @@ data "google_client_openid_userinfo" "me" {}

// Create an alert policy to notify if the job is accessed by an unauthorized entity.
resource "google_monitoring_alert_policy" "anomalous-job-access" {
count = var.enable_lasers ? 1 : 0

# In the absence of data, incident will auto-close after an hour
alert_strategy {
auto_close = "3600s"
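Review bot: `data "google_client_openid_userinfo" "me" {}` just above this hunk remains unconditional even though its only visible use is the CI allowlist inside the alert filter (`protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}"`, as seen in the regional-service hunk of this commit). With the alert off by default that is a plan-time call against the applier's credentials that serves nothing; gate it with the same `var.enable_lasers ? 1 : 0` count and reference it as `data.google_client_openid_userinfo.me[0].email`, provided nothing else in the module depends on it.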
6 changes: 6 additions & 0 deletions modules/cron/variables.tf
@@ -197,3 +197,9 @@ variable "scheduled_env_overrides" {
default = []
description = "List of env object overrides."
}

variable "enable_lasers" {
description = "Whether to enable alert policy for abnormal access to resource."
type = bool
default = false
}
1 change: 1 addition & 0 deletions modules/regional-service/README.md
@@ -86,6 +86,7 @@ No modules.
|------|-------------|------|---------|:--------:|
| <a name="input_containers"></a> [containers](#input\_containers) | The containers to run in the service. Each container will be run in each region. | <pre>map(object({<br> image = string<br> args = optional(list(string), [])<br> ports = optional(list(object({<br> name = optional(string, "http1")<br> container_port = number<br> })), [])<br> resources = optional(<br> object(<br> {<br> limits = optional(object(<br> {<br> cpu = string<br> memory = string<br> }<br> ), null)<br> cpu_idle = optional(bool, true)<br> startup_cpu_boost = optional(bool, true)<br> }<br> ),<br> {<br> cpu_idle = true<br> }<br> )<br> env = optional(list(object({<br> name = string<br> value = optional(string)<br> value_source = optional(object({<br> secret_key_ref = object({<br> secret = string<br> version = string<br> })<br> }), null)<br> })), [])<br> regional-env = optional(list(object({<br> name = string<br> value = map(string)<br> })), [])<br> volume_mounts = optional(list(object({<br> name = string<br> mount_path = string<br> })), [])<br> }))</pre> | n/a | yes |
| <a name="input_egress"></a> [egress](#input\_egress) | Which type of egress traffic to send through the VPC.<br><br>- ALL\_TRAFFIC sends all traffic through regional VPC network<br>- PRIVATE\_RANGES\_ONLY sends only traffic to private IP addresses through regional VPC network | `string` | `"ALL_TRAFFIC"` | no |
| <a name="input_enable_lasers"></a> [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no |
| <a name="input_enable_profiler"></a> [enable\_profiler](#input\_enable\_profiler) | Enable cloud profiler. | `bool` | `false` | no |
| <a name="input_execution_environment"></a> [execution\_environment](#input\_execution\_environment) | The execution environment for the service | `string` | `"EXECUTION_ENVIRONMENT_GEN1"` | no |
| <a name="input_ingress"></a> [ingress](#input\_ingress) | Which type of ingress traffic to accept for the service.<br><br>- INGRESS\_TRAFFIC\_ALL accepts all traffic, enabling the public .run.app URL for the service<br>- INGRESS\_TRAFFIC\_INTERNAL\_LOAD\_BALANCER accepts traffic only from a load balancer<br>- INGRESS\_TRAFFIC\_INTERNAL\_ONLY accepts internal traffic only | `string` | `"INGRESS_TRAFFIC_INTERNAL_ONLY"` | no |
40 changes: 21 additions & 19 deletions modules/regional-service/main.tf
@@ -268,6 +268,8 @@ data "google_client_openid_userinfo" "me" {}

// Create an alert policy to notify if the service is accessed by an unauthorized entity.
resource "google_monitoring_alert_policy" "anomalous-service-access" {
count = var.enable_lasers ? 1 : 0

# In the absence of data, incident will auto-close after an hour
alert_strategy {
auto_close = "3600s"
@@ -288,35 +290,35 @@ resource "google_monitoring_alert_policy" "anomalous-service-access" {
logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Factivity"
protoPayload.serviceName="run.googleapis.com"
protoPayload.resourceName=("${join("\" OR \"", concat([
"namespaces/${var.project_id}/services/${var.name}"
],
[
for region in keys(var.regions) : "projects/${var.project_id}/locations/${region}/services/${var.name}"
]))}")
"namespaces/${var.project_id}/services/${var.name}"
],
[
for region in keys(var.regions) : "projects/${var.project_id}/locations/${region}/services/${var.name}"
]))}")
-- Allow CI to reconcile services and their IAM policies.
-(
protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}"
protoPayload.methodName=("${join("\" OR \"", [
"google.cloud.run.v2.Services.CreateService",
"google.cloud.run.v2.Services.UpdateService",
"google.cloud.run.v2.Services.SetIamPolicy",
])}")
"google.cloud.run.v2.Services.CreateService",
"google.cloud.run.v2.Services.UpdateService",
"google.cloud.run.v2.Services.SetIamPolicy",
])}")
)
EOT

label_extractors = {
"email" = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
"method_name" = "EXTRACT(protoPayload.methodName)"
"user_agent" = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
}
}
}
label_extractors = {
"email" = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
"method_name" = "EXTRACT(protoPayload.methodName)"
"user_agent" = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
}
}
}

notification_channels = var.notification_channels
notification_channels = var.notification_channels

enabled = "true"
project = var.project_id
enabled = "true"
project = var.project_id
}

// When the service is behind a load balancer, then it is publicly exposed and responsible
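Review bot: most of this hunk is whitespace-only reindentation of unchanged lines (the `resourceName` list, the `methodName` list, `label_extractors`, `notification_channels`, `enabled` and `project`), which buries the single behavioural change in this file; land `terraform fmt` output as its own commit. While these lines are being touched: `enabled = "true"` passes a string where the attribute is a bool, write `enabled = true`. Separately, the exemption in the filter is whoever ran `terraform apply` (`protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}"`), so an apply from a personal account bakes that human into the allowlist of the very alert meant to catch out-of-band changes; consider taking the CI principal as an explicit variable instead.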
6 changes: 6 additions & 0 deletions modules/regional-service/variables.tf
@@ -174,3 +174,9 @@ variable "enable_profiler" {
default = false
description = "Enable cloud profiler."
}

variable "enable_lasers" {
description = "Whether to enable alert policy for abnormal access to resource."
type = bool
default = false
}
1 change: 1 addition & 0 deletions modules/serverless-gclb/README.md
@@ -103,6 +103,7 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_dns_zone"></a> [dns\_zone](#input\_dns\_zone) | The managed DNS zone in which to create record sets. | `string` | n/a | yes |
| <a name="input_enable_lasers"></a> [enable\_lasers](#input\_enable\_lasers) | Whether to enable alert policy for abnormal access to resource. | `bool` | `false` | no |
| <a name="input_iap"></a> [iap](#input\_iap) | IAP configuration for the load balancer. | <pre>object({<br> oauth2_client_id = string<br> oauth2_client_secret = string<br> })</pre> | `null` | no |
| <a name="input_name"></a> [name](#input\_name) | n/a | `string` | n/a | yes |
| <a name="input_notification_channels"></a> [notification\_channels](#input\_notification\_channels) | The set of notification channels to which to send alerts. | `list(string)` | `[]` | no |
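Review bot: `notification_channels` defaults to `[]` in this module, so `enable_lasers = true` with the default creates `abnormal-gclb-access` incidents that are routed nowhere. Add a `lifecycle { precondition { condition = !var.enable_lasers || length(var.notification_channels) > 0 } }` (with an `error_message`) on the alert policy, or document that the flag is only useful together with a non-empty `notification_channels`.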
2 changes: 2 additions & 0 deletions modules/serverless-gclb/main.tf
@@ -163,6 +163,8 @@ locals {
}

resource "google_monitoring_alert_policy" "abnormal-gclb-access" {
count = var.enable_lasers ? 1 : 0

# In the absence of data, incident will auto-close after an hour
alert_strategy {
auto_close = "3600s"
6 changes: 6 additions & 0 deletions modules/serverless-gclb/variables.tf
@@ -43,3 +43,9 @@ variable "iap" {
})
default = null
}

variable "enable_lasers" {
description = "Whether to enable alert policy for abnormal access to resource."
type = bool
default = false
}
