Refactor: remove data access logs enabled variable (#1332)

terraform-google-modules · Aug 28, 2024 · 55a06fa · 55a06fa
1 parent 105a0db
commit 55a06fa
Show file tree

Hide file tree

Showing 4 changed files with 0 additions and 58 deletions.
diff --git a/1-org/README.md b/1-org/README.md
@@ -68,11 +68,6 @@ See [troubleshooting](../docs/TROUBLESHOOTING.md) if you run into issues during
 
 ## Usage
 
-**Disclaimer:** This step enables [Data Access logs](https://cloud.google.com/logging/docs/audit#data-access) for all services in your organization.
-Enabling Data Access logs might result in your project being charged for the additional logs usage.
-For details on costs you might incur, go to [Pricing](https://cloud.google.com/stackdriver/pricing).
-You can choose not to enable the Data Access logs by setting the variable `data_access_logs_enabled` to false.
-
 Consider the following:
 
 - This module creates a sink to export all logs to a Cloud Logging bucket. It also creates sinks to export a subset of security-related logs

diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md
@@ -6,7 +6,6 @@
 | billing\_export\_dataset\_location | The location of the dataset for billing data export. | `string` | `null` | no |
 | create\_access\_context\_manager\_access\_policy | Whether to create access context manager access policy. | `bool` | `true` | no |
 | create\_unique\_tag\_key | Creates unique organization-wide tag keys by adding a random suffix to each key. | `bool` | `false` | no |
-| data\_access\_logs\_enabled | Enable Data Access logs of types DATA\_READ, DATA\_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN\_READ logs are enabled by default. | `bool` | `false` | no |
 | domains\_to\_allow | The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the Terraform Service Account used in the deploy. | `list(string)` | n/a | yes |
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
 | enable\_scc\_resources\_in\_terraform | Create Security Command Center resources in Terraform. If your organization has newly enabled any preview features for SCC and get an error related to the v2 API, you must set this variable to false because the v2 API does not yet support Terraform resources. See [issue 1189](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1189) for context. | `bool` | `false` | no |

diff --git a/1-org/envs/shared/iam.tf b/1-org/envs/shared/iam.tf
@@ -18,52 +18,6 @@
   Audit Logs - IAM
 *****************************************/
 
-locals {
-  enabling_data_logs = var.data_access_logs_enabled ? ["DATA_WRITE", "DATA_READ"] : []
-}
-
-resource "google_organization_iam_audit_config" "org_config" {
-  count   = local.parent_folder == "" ? 1 : 0
-  org_id  = local.org_id
-  service = "allServices"
-
-  ###################################################################################################
-  ### Audit logs can generate costs, to know more about it,
-  ### check the official documentation: https://cloud.google.com/stackdriver/pricing#logging-costs
-  ### To know more about audit logs, you can find more infos
-  ### here https://cloud.google.com/logging/docs/audit/configure-data-access
-  ### To enable DATA_READ and DATA_WRITE audit logs, set `data_access_logs_enabled` to true
-  ### ADMIN_READ logs are enabled by default.
-  ####################################################################################################
-  dynamic "audit_log_config" {
-    for_each = setunion(local.enabling_data_logs, ["ADMIN_READ"])
-    content {
-      log_type = audit_log_config.key
-    }
-  }
-}
-
-resource "google_folder_iam_audit_config" "folder_config" {
-  count   = local.parent_folder != "" ? 1 : 0
-  folder  = "folders/${local.parent_folder}"
-  service = "allServices"
-
-  ###################################################################################################
-  ### Audit logs can generate costs, to know more about it,
-  ### check the official documentation: https://cloud.google.com/stackdriver/pricing#logging-costs
-  ### To know more about audit logs, you can find more infos
-  ### here https://cloud.google.com/logging/docs/audit/configure-data-access
-  ### To enable DATA_READ and DATA_WRITE audit logs, set `data_access_logs_enabled` to true
-  ### ADMIN_READ logs are enabled by default.
-  ####################################################################################################
-  dynamic "audit_log_config" {
-    for_each = setunion(local.enabling_data_logs, ["ADMIN_READ"])
-    content {
-      log_type = audit_log_config.key
-    }
-  }
-}
-
 resource "google_project_iam_member" "audit_log_logging_viewer" {
   project = module.org_audit_logs.project_id
   role    = "roles/logging.viewer"

diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf
@@ -54,12 +54,6 @@ variable "enforce_allowed_worker_pools" {
   default     = false
 }
 
-variable "data_access_logs_enabled" {
-  description = "Enable Data Access logs of types DATA_READ, DATA_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN_READ logs are enabled by default."
-  type        = bool
-  default     = false
-}
-
 variable "log_export_storage_location" {
   description = "The location of the storage bucket used to export logs."
   type        = string