From df5817e908e490077d6a3231ab593a373c09e830 Mon Sep 17 00:00:00 2001 From: eeaton Date: Wed, 26 Jun 2024 16:05:29 +0100 Subject: [PATCH] chore(KMS): cleanup isolated and redundant KMS resources (#1271) --- 0-bootstrap/sa.tf | 1 + 1-org/envs/shared/README.md | 5 ++-- 1-org/envs/shared/cai_monitoring.tf | 13 ----------- 1-org/envs/shared/iam.tf | 2 +- 1-org/envs/shared/outputs.tf | 4 ++-- 1-org/envs/shared/projects.tf | 12 +++++----- 1-org/envs/shared/variables.tf | 13 ++++------- 1-org/modules/cai-monitoring/iam.tf | 10 -------- .../business_unit_1/development/README.md | 1 - .../business_unit_1/development/outputs.tf | 5 ---- .../business_unit_1/nonproduction/README.md | 1 - .../business_unit_1/nonproduction/outputs.tf | 5 ---- .../business_unit_1/production/README.md | 1 - .../business_unit_1/production/outputs.tf | 5 ---- 4-projects/modules/base_env/README.md | 1 - .../modules/base_env/example_storage_cmek.tf | 23 +------------------ 4-projects/modules/base_env/outputs.tf | 5 ---- 4-projects/modules/base_env/remote.tf | 1 + README.md | 20 ++++++---------- .../foundation-deployer/global.tfvars.example | 1 - helpers/foundation-deployer/stages/apply.go | 1 - helpers/foundation-deployer/stages/data.go | 2 -- .../foundation-deployer/stages/validate.go | 3 --- test/integration/org/org_test.go | 6 +---- test/integration/projects/projects_test.go | 1 - 25 files changed, 26 insertions(+), 116 deletions(-) diff --git a/0-bootstrap/sa.tf b/0-bootstrap/sa.tf index b18d5c375..da23168b0 100644 --- a/0-bootstrap/sa.tf +++ b/0-bootstrap/sa.tf @@ -62,6 +62,7 @@ locals { "roles/accesscontextmanager.policyAdmin", "roles/resourcemanager.organizationAdmin", "roles/serviceusage.serviceUsageConsumer", + "roles/cloudkms.admin", ], local.common_roles)), } diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md index bdd76d5dc..3ef32b23e 100644 --- a/1-org/envs/shared/README.md +++ b/1-org/envs/shared/README.md 
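Review bot: `roles/cloudkms.admin` is appended to a role list that is merged with `local.common_roles` and, judging by its neighbours (`organizationAdmin`, `accesscontextmanager.policyAdmin`), bound at organization scope, so the stage service account gains create/destroy rights and the setIamPolicy permissions on every key ring and key in the organization, not only in the `common_kms` project the rest of this commit renames. If the role is only needed to manage key rings in that project, a project-level binding would satisfy least privilege; if organization scope is genuinely required, a one-line comment stating why, e.g. `# cloudkms.admin at org scope: <reason placeholder>`, would save the next reviewer the question. The `locals` block this list belongs to starts outside the hunk.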
@@ -4,7 +4,6 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | billing\_export\_dataset\_location | The location of the dataset for billing data export. | `string` | `null` | no | -| cai\_monitoring\_kms\_force\_destroy | If set to true, delete KMS keyring and keys when destroying the module; otherwise, destroying the module will fail if KMS keys are present. | `bool` | `false` | no | | create\_access\_context\_manager\_access\_policy | Whether to create access context manager access policy. | `bool` | `true` | no | | create\_unique\_tag\_key | Creates unique organization-wide tag keys by adding a random suffix to each key. | `bool` | `false` | no | | data\_access\_logs\_enabled | Enable Data Access logs of types DATA\_READ, DATA\_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN\_READ logs are enabled by default. | `bool` | `false` | no | @@ -18,7 +17,7 @@ | log\_export\_storage\_location | The location of the storage bucket used to export logs. | `string` | `null` | no | | log\_export\_storage\_retention\_policy | Configuration of the bucket's data retention policy for how long objects in the bucket should be retained. |
object({
is_locked = bool
retention_period_days = number
})
| `null` | no | | log\_export\_storage\_versioning | (Optional) Toggles bucket versioning, ability to retain a non-current object version when the live object version gets replaced or deleted. | `bool` | `false` | no | -| project\_budget | Budget configuration for projects.
budget\_amount: The amount to use as the budget.
alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.
alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.
alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). |
object({
dns_hub_budget_amount = optional(number, 1000)
dns_hub_alert_spent_percents = optional(list(number), [1.2])
dns_hub_alert_pubsub_topic = optional(string, null)
dns_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
base_net_hub_budget_amount = optional(number, 1000)
base_net_hub_alert_spent_percents = optional(list(number), [1.2])
base_net_hub_alert_pubsub_topic = optional(string, null)
base_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
base_network_budget_amount = optional(number, 1000)
base_network_alert_spent_percents = optional(list(number), [1.2])
base_network_alert_pubsub_topic = optional(string, null)
base_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
restricted_net_hub_budget_amount = optional(number, 1000)
restricted_net_hub_alert_spent_percents = optional(list(number), [1.2])
restricted_net_hub_alert_pubsub_topic = optional(string, null)
restricted_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
restricted_network_budget_amount = optional(number, 1000)
restricted_network_alert_spent_percents = optional(list(number), [1.2])
restricted_network_alert_pubsub_topic = optional(string, null)
restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
interconnect_budget_amount = optional(number, 1000)
interconnect_alert_spent_percents = optional(list(number), [1.2])
interconnect_alert_pubsub_topic = optional(string, null)
interconnect_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_secrets_budget_amount = optional(number, 1000)
org_secrets_alert_spent_percents = optional(list(number), [1.2])
org_secrets_alert_pubsub_topic = optional(string, null)
org_secrets_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_billing_export_budget_amount = optional(number, 1000)
org_billing_export_alert_spent_percents = optional(list(number), [1.2])
org_billing_export_alert_pubsub_topic = optional(string, null)
org_billing_export_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_audit_logs_budget_amount = optional(number, 1000)
org_audit_logs_alert_spent_percents = optional(list(number), [1.2])
org_audit_logs_alert_pubsub_topic = optional(string, null)
org_audit_logs_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_kms_budget_amount = optional(number, 1000)
org_kms_alert_spent_percents = optional(list(number), [1.2])
org_kms_alert_pubsub_topic = optional(string, null)
org_kms_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
scc_notifications_budget_amount = optional(number, 1000)
scc_notifications_alert_spent_percents = optional(list(number), [1.2])
scc_notifications_alert_pubsub_topic = optional(string, null)
scc_notifications_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
})
| `{}` | no | +| project\_budget | Budget configuration for projects.
budget\_amount: The amount to use as the budget.
alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.
alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.
alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). |
object({
dns_hub_budget_amount = optional(number, 1000)
dns_hub_alert_spent_percents = optional(list(number), [1.2])
dns_hub_alert_pubsub_topic = optional(string, null)
dns_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
base_net_hub_budget_amount = optional(number, 1000)
base_net_hub_alert_spent_percents = optional(list(number), [1.2])
base_net_hub_alert_pubsub_topic = optional(string, null)
base_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
base_network_budget_amount = optional(number, 1000)
base_network_alert_spent_percents = optional(list(number), [1.2])
base_network_alert_pubsub_topic = optional(string, null)
base_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
restricted_net_hub_budget_amount = optional(number, 1000)
restricted_net_hub_alert_spent_percents = optional(list(number), [1.2])
restricted_net_hub_alert_pubsub_topic = optional(string, null)
restricted_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
restricted_network_budget_amount = optional(number, 1000)
restricted_network_alert_spent_percents = optional(list(number), [1.2])
restricted_network_alert_pubsub_topic = optional(string, null)
restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
interconnect_budget_amount = optional(number, 1000)
interconnect_alert_spent_percents = optional(list(number), [1.2])
interconnect_alert_pubsub_topic = optional(string, null)
interconnect_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_secrets_budget_amount = optional(number, 1000)
org_secrets_alert_spent_percents = optional(list(number), [1.2])
org_secrets_alert_pubsub_topic = optional(string, null)
org_secrets_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_billing_export_budget_amount = optional(number, 1000)
org_billing_export_alert_spent_percents = optional(list(number), [1.2])
org_billing_export_alert_pubsub_topic = optional(string, null)
org_billing_export_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_audit_logs_budget_amount = optional(number, 1000)
org_audit_logs_alert_spent_percents = optional(list(number), [1.2])
org_audit_logs_alert_pubsub_topic = optional(string, null)
org_audit_logs_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
common_kms_budget_amount = optional(number, 1000)
common_kms_alert_spent_percents = optional(list(number), [1.2])
common_kms_alert_pubsub_topic = optional(string, null)
common_kms_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
scc_notifications_budget_amount = optional(number, 1000)
scc_notifications_alert_spent_percents = optional(list(number), [1.2])
scc_notifications_alert_pubsub_topic = optional(string, null)
scc_notifications_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
})
| `{}` | no | | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | | scc\_notification\_filter | Filter used to create the Security Command Center Notification, you can see more details on how to create filters in https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter | `string` | `"state = \"ACTIVE\""` | no | | scc\_notification\_name | Name of the Security Command Center Notification. It must be unique in the organization. Run `gcloud scc notifications describe --organization=org_id` to check if it already exists. | `string` | n/a | yes | @@ -35,6 +34,7 @@ | cai\_monitoring\_bucket | CAI Monitoring Cloud Function Source Bucket name. | | cai\_monitoring\_topic | CAI Monitoring Cloud Function Pub/Sub Topic name. | | common\_folder\_name | The common folder name | +| common\_kms\_project\_id | The org Cloud Key Management Service (KMS) project ID | | dns\_hub\_project\_id | The DNS hub project ID | | domains\_to\_allow | The list of domains to allow users from in IAM. | | interconnect\_project\_id | The Dedicated Interconnect project ID | @@ -47,7 +47,6 @@ | org\_audit\_logs\_project\_id | The org audit logs project ID. | | org\_billing\_export\_project\_id | The org billing export project ID | | org\_id | The organization id | -| org\_kms\_project\_id | The org Cloud Key Management Service (KMS) project ID | | org\_secrets\_project\_id | The org secrets project ID | | parent\_resource\_id | The parent resource id | | parent\_resource\_type | The parent resource type | diff --git a/1-org/envs/shared/cai_monitoring.tf b/1-org/envs/shared/cai_monitoring.tf index ad8e7e545..6b613a3ab 100644 --- a/1-org/envs/shared/cai_monitoring.tf +++ b/1-org/envs/shared/cai_monitoring.tf 
@@ -14,17 +14,6 @@ * limitations under the License. */ -module "kms" { - source = "terraform-google-modules/kms/google" - version = "~> 2.1" - - project_id = module.scc_notifications.project_id - keyring = "krg-cai-monitoring" - location = local.default_region - keys = ["key-cai-monitoring"] - prevent_destroy = !var.cai_monitoring_kms_force_destroy -} - module "cai_monitoring" { source = "../../modules/cai-monitoring" @@ -32,6 +21,4 @@ module "cai_monitoring" { billing_account = local.billing_account project_id = module.scc_notifications.project_id location = local.default_region - enable_cmek = true - encryption_key = module.kms.keys["key-cai-monitoring"] } diff --git a/1-org/envs/shared/iam.tf b/1-org/envs/shared/iam.tf index 4db64643d..ca01ec678 100644 --- a/1-org/envs/shared/iam.tf +++ b/1-org/envs/shared/iam.tf @@ -184,7 +184,7 @@ resource "google_project_iam_member" "global_secrets_admin" { resource "google_project_iam_member" "kms_admin" { count = var.gcp_groups.kms_admin != null ? 1 : 0 - project = module.org_kms.project_id + project = module.common_kms.project_id role = "roles/cloudkms.viewer" member = "group:${var.gcp_groups.kms_admin}" } diff --git a/1-org/envs/shared/outputs.tf b/1-org/envs/shared/outputs.tf index 410c5fff1..5c705f50f 100644 --- a/1-org/envs/shared/outputs.tf +++ b/1-org/envs/shared/outputs.tf @@ -59,8 +59,8 @@ output "org_secrets_project_id" { description = "The org secrets project ID" } -output "org_kms_project_id" { - value = module.org_kms.project_id +output "common_kms_project_id" { + value = module.common_kms.project_id description = "The org Cloud Key Management Service (KMS) project ID" } diff --git a/1-org/envs/shared/projects.tf b/1-org/envs/shared/projects.tf index ce3be31cb..60e9e9e87 100644 --- a/1-org/envs/shared/projects.tf +++ b/1-org/envs/shared/projects.tf 
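Review bot: Dropping `enable_cmek = true` and `encryption_key` from `module "cai_monitoring"` (second hunk) together with the `module "kms"` block (first hunk) moves the CAI monitoring function's source bucket and Artifact Registry repository from customer-managed to Google-managed encryption, and the org_test.go hunk deletes the assertions that verified the key rather than replacing them. The commit title frames this as removing redundant resources, yet the same commit keeps a `common_kms` project, so the less surprising change would be to point `encryption_key` at a key in that project instead of removing CMEK altogether. If Google-managed encryption is the intended end state, make it explicit with a comment on the module call such as `# CMEK intentionally not configured: CAI bucket and repository use Google-managed encryption`, and note in the stage README that deployments enforcing a CMEK organization policy (for example `constraints/gcp.restrictNonCmekServices`) will need to restore a key. The `cai_monitoring` module call starts outside the second hunk.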
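Review bot: The renamed output `common_kms_project_id` (outputs.tf hunk) keeps the description `"The org Cloud Key Management Service (KMS) project ID"`, which now contradicts the projects.tf hunk that re-labels the same project as `Project for Common-folder KMS`; `description = "The common-folder Cloud Key Management Service (KMS) project ID"` would keep the two in step, and the generated 1-org README row would follow. Renaming a remote-state output is also a breaking change for anything that still reads `outputs.org_kms_project_id`; nothing in this diff consumes the old name, but existing deployments and out-of-tree consumers would benefit from a migration note or a temporarily retained alias output marked deprecated.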
@@ -95,10 +95,10 @@ module "org_billing_export" { } /****************************************** - Project for Org-wide KMS + Project for Common-folder KMS *****************************************/ -module "org_kms" { +module "common_kms" { source = "terraform-google-modules/project-factory/google" version = "~> 15.0" @@ -122,10 +122,10 @@ module "org_kms" { vpc = "none" } - budget_alert_pubsub_topic = var.project_budget.org_kms_alert_pubsub_topic - budget_alert_spent_percents = var.project_budget.org_kms_alert_spent_percents - budget_amount = var.project_budget.org_kms_budget_amount - budget_alert_spend_basis = var.project_budget.org_kms_budget_alert_spend_basis + budget_alert_pubsub_topic = var.project_budget.common_kms_alert_pubsub_topic + budget_alert_spent_percents = var.project_budget.common_kms_alert_spent_percents + budget_amount = var.project_budget.common_kms_budget_amount + budget_alert_spend_basis = var.project_budget.common_kms_budget_alert_spend_basis } /****************************************** diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf index 66c0a9a77..43d5fdaa0 100644 --- a/1-org/envs/shared/variables.tf +++ b/1-org/envs/shared/variables.tf 
@@ -133,10 +133,10 @@ variable "project_budget" { org_audit_logs_alert_spent_percents = optional(list(number), [1.2]) org_audit_logs_alert_pubsub_topic = optional(string, null) org_audit_logs_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND") - org_kms_budget_amount = optional(number, 1000) - org_kms_alert_spent_percents = optional(list(number), [1.2]) - org_kms_alert_pubsub_topic = optional(string, null) - org_kms_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND") + common_kms_budget_amount = optional(number, 1000) + common_kms_alert_spent_percents = optional(list(number), [1.2]) + common_kms_alert_pubsub_topic = optional(string, null) + common_kms_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND") scc_notifications_budget_amount = optional(number, 1000) scc_notifications_alert_spent_percents = optional(list(number), [1.2]) scc_notifications_alert_pubsub_topic = optional(string, null) @@ -187,11 +187,6 @@ variable "create_unique_tag_key" { type = bool default = false } -variable "cai_monitoring_kms_force_destroy" { - description = "If set to true, delete KMS keyring and keys when destroying the module; otherwise, destroying the module will fail if KMS keys are present." - type = bool - default = false -} variable "tfc_org_name" { description = "Name of the TFC organization" diff --git a/1-org/modules/cai-monitoring/iam.tf b/1-org/modules/cai-monitoring/iam.tf index af723709c..48226d04b 100644 --- a/1-org/modules/cai-monitoring/iam.tf +++ b/1-org/modules/cai-monitoring/iam.tf 
@@ -46,15 +46,6 @@ data "google_storage_project_service_account" "gcs_sa" { project = var.project_id } -// Encrypter/Decrypter role -resource "google_kms_crypto_key_iam_member" "encrypter_decrypter" { - for_each = var.enable_cmek ? local.identities : {} - - crypto_key_id = var.encryption_key - role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - member = each.value -} - // Cloud Function SA resource "google_service_account" "cloudfunction" { account_id = "cai-monitoring" @@ -80,7 +71,6 @@ resource "google_project_iam_member" "cloudfunction_iam" { resource "time_sleep" "wait_kms_iam" { create_duration = "60s" depends_on = [ - google_kms_crypto_key_iam_member.encrypter_decrypter, google_organization_iam_member.cloudfunction_findings_editor, google_project_iam_member.cloudfunction_iam ] diff --git a/4-projects/business_unit_1/development/README.md b/4-projects/business_unit_1/development/README.md index 05729e0b1..e1fa6e324 100644 --- a/4-projects/business_unit_1/development/README.md +++ b/4-projects/business_unit_1/development/README.md @@ -21,7 +21,6 @@ | base\_subnets\_self\_links | The self-links of subnets from base environment. | | bucket | The created storage bucket. | | default\_region | The default region for the project. | -| env\_kms\_project | Project sample for KMS usage project ID. | | floating\_project | Project sample floating project. | | iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. | | keyring | The name of the keyring. | diff --git a/4-projects/business_unit_1/development/outputs.tf b/4-projects/business_unit_1/development/outputs.tf index feef5c507..92a332bc6 100644 --- a/4-projects/business_unit_1/development/outputs.tf +++ b/4-projects/business_unit_1/development/outputs.tf 
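Review bot: With `google_kms_crypto_key_iam_member.encrypter_decrypter` removed (first hunk), `time_sleep.wait_kms_iam` in the second hunk no longer waits on any KMS binding, so its name now misleads; `resource "time_sleep" "wait_iam"` with a comment such as `# let the org-level findings-editor and project IAM bindings propagate before the function is deployed` would describe what it still does (a `moved` block keeps the rename from recreating it). The module's `enable_cmek` and `encryption_key` variables and `local.identities` are not touched by this diff; if this was their last reference they should be removed too, otherwise the module keeps advertising a CMEK option that has no effect. The `time_sleep` resource ends outside the hunk.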
@@ -79,11 +79,6 @@ output "peering_complete" { value = module.env.peering_complete } -output "env_kms_project" { - description = "Project sample for KMS usage project ID." - value = module.env.env_kms_project -} - output "keyring" { description = "The name of the keyring." value = module.env.keyring diff --git a/4-projects/business_unit_1/nonproduction/README.md b/4-projects/business_unit_1/nonproduction/README.md index 05729e0b1..e1fa6e324 100644 --- a/4-projects/business_unit_1/nonproduction/README.md +++ b/4-projects/business_unit_1/nonproduction/README.md @@ -21,7 +21,6 @@ | base\_subnets\_self\_links | The self-links of subnets from base environment. | | bucket | The created storage bucket. | | default\_region | The default region for the project. | -| env\_kms\_project | Project sample for KMS usage project ID. | | floating\_project | Project sample floating project. | | iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. | | keyring | The name of the keyring. | diff --git a/4-projects/business_unit_1/nonproduction/outputs.tf b/4-projects/business_unit_1/nonproduction/outputs.tf index feef5c507..92a332bc6 100644 --- a/4-projects/business_unit_1/nonproduction/outputs.tf +++ b/4-projects/business_unit_1/nonproduction/outputs.tf @@ -79,11 +79,6 @@ output "peering_complete" { value = module.env.peering_complete } -output "env_kms_project" { - description = "Project sample for KMS usage project ID." - value = module.env.env_kms_project -} - output "keyring" { description = "The name of the keyring." value = module.env.keyring diff --git a/4-projects/business_unit_1/production/README.md b/4-projects/business_unit_1/production/README.md index 05729e0b1..e1fa6e324 100644 --- a/4-projects/business_unit_1/production/README.md +++ b/4-projects/business_unit_1/production/README.md 
@@ -21,7 +21,6 @@ | base\_subnets\_self\_links | The self-links of subnets from base environment. | | bucket | The created storage bucket. | | default\_region | The default region for the project. | -| env\_kms\_project | Project sample for KMS usage project ID. | | floating\_project | Project sample floating project. | | iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. | | keyring | The name of the keyring. | diff --git a/4-projects/business_unit_1/production/outputs.tf b/4-projects/business_unit_1/production/outputs.tf index e8a821c7b..55b839cb4 100644 --- a/4-projects/business_unit_1/production/outputs.tf +++ b/4-projects/business_unit_1/production/outputs.tf @@ -79,11 +79,6 @@ output "peering_complete" { value = module.env.peering_complete } -output "env_kms_project" { - description = "Project sample for KMS usage project ID." - value = module.env.env_kms_project -} - output "keyring" { description = "The name of the keyring." value = module.env.keyring diff --git a/4-projects/modules/base_env/README.md b/4-projects/modules/base_env/README.md index 8e3acc392..9c4897ef3 100644 --- a/4-projects/modules/base_env/README.md +++ b/4-projects/modules/base_env/README.md @@ -36,7 +36,6 @@ | base\_shared\_vpc\_project\_sa | Project sample base project SA. | | base\_subnets\_self\_links | The self-links of subnets from base environment. | | bucket | The created storage bucket. | -| env\_kms\_project | Project sample for KMS usage project ID. | | floating\_project | Project sample floating project. | | iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. | | keyring | The name of the keyring. | 
diff --git a/4-projects/modules/base_env/example_storage_cmek.tf b/4-projects/modules/base_env/example_storage_cmek.tf index f72e15d42..8b40250a7 100644 --- a/4-projects/modules/base_env/example_storage_cmek.tf +++ b/4-projects/modules/base_env/example_storage_cmek.tf @@ -14,27 +14,6 @@ * limitations under the License. */ -module "env_kms_project" { - source = "../single_project" - - org_id = local.org_id - billing_account = local.billing_account - folder_id = google_folder.env_business_unit.name - environment = var.env - project_budget = var.project_budget - project_suffix = var.kms_prj_suffix - project_prefix = local.project_prefix - - activate_apis = ["logging.googleapis.com", "secretmanager.googleapis.com", "cloudkms.googleapis.com"] - - # Metadata - application_name = "${var.business_code}-sample-application" - billing_code = "1234" - primary_contact = "example@example.com" - secondary_contact = "example2@example.com" - business_code = var.business_code -} - data "google_storage_project_service_account" "gcs_account" { project = module.base_shared_vpc_project.project_id } @@ -43,7 +22,7 @@ module "kms" { source = "terraform-google-modules/kms/google" version = "~> 2.1" - project_id = module.env_kms_project.project_id + project_id = local.kms_project_id keyring = var.keyring_name location = var.location_kms keys = [var.key_name] diff --git a/4-projects/modules/base_env/outputs.tf b/4-projects/modules/base_env/outputs.tf index 469ddd7f8..565910d96 100644 --- a/4-projects/modules/base_env/outputs.tf +++ b/4-projects/modules/base_env/outputs.tf @@ -79,11 +79,6 @@ output "peering_complete" { value = module.peering.complete } -output "env_kms_project" { - description = "Project sample for KMS usage project ID." - value = module.env_kms_project.project_id -} - output "keyring" { description = "The name of the keyring." value = module.kms.keyring 
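Review bot: `module "kms"` (second hunk) now creates its key ring in `local.kms_project_id`, a project shared by every business unit in the environment (the remote.tf hunk reads it from the 2-environments remote state), whereas each business unit previously had its own `env_kms_project`; key ring names are immutable and must be unique per project and location, so two business units deploying this module with the same `var.keyring_name` and `var.location_kms` will collide on the second apply. Either derive the name per unit, e.g. `keyring = "${var.business_code}-${var.keyring_name}"`, or document on the `keyring_name` variable that it must be unique per business unit within the environment. The key also now lives in a different project from the identities that use it (`data.google_storage_project_service_account.gcs_account` is read from the base shared VPC project), so whatever grants them encrypter/decrypter on the key, presumably the module's `set_encrypters_for`/`set_decrypters_for` inputs outside this hunk, is now the only thing making the cross-project access work and is worth re-checking. The `module "kms"` block continues past the hunk.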
diff --git a/4-projects/modules/base_env/remote.tf b/4-projects/modules/base_env/remote.tf
index c49c9f0b8..36a78f2d7 100644
--- a/4-projects/modules/base_env/remote.tf
+++ b/4-projects/modules/base_env/remote.tf
@@ -29,6 +29,7 @@ locals {
 env_folder_name = data.terraform_remote_state.environments_env.outputs.env_folder
 app_infra_pipeline_service_accounts = data.terraform_remote_state.business_unit_shared.outputs.terraform_service_accounts
 enable_cloudbuild_deploy = data.terraform_remote_state.business_unit_shared.outputs.enable_cloudbuild_deploy
+ kms_project_id = data.terraform_remote_state.environments_env.outputs.env_kms_project_id
 }
 
 data "terraform_remote_state" "bootstrap" {
diff --git a/README.md b/README.md
index a9aad504d..71f5f004f 100644
--- a/README.md
+++ b/README.md
@@ -148,7 +148,7 @@ This will create the following folder and project structure:
 ```
 example-organization
 └── fldr-development
- ├── prj-p-kms
+ ├── prj-d-kms
 └── prj-d-secrets
 └── fldr-nonproduction
 ├── prj-n-kms 
@@ -202,39 +202,33 @@ Running this code as-is should generate a structure as shown below: example-organization/ └── fldr-development └── fldr-development-bu1 - ├── prj-d-bu1-kms ├── prj-d-bu1-sample-floating ├── prj-d-bu1-sample-base ├── prj-d-bu1-sample-restrict ├── prj-d-bu1-sample-peering └── fldr-development-bu2 - ├── prj-d-bu2-kms ├── prj-d-bu2-sample-floating ├── prj-d-bu2-sample-base ├── prj-d-bu2-sample-restrict └── prj-d-bu2-sample-peering └── fldr-nonproduction └── fldr-nonproduction-bu1 - ├── prj-n-bu1-kms ├── prj-n-bu1-sample-floating ├── prj-n-bu1-sample-base ├── prj-n-bu1-sample-restrict ├── prj-n-bu1-sample-peering └── fldr-nonproduction-bu2 - ├── prj-n-bu2-kms ├── prj-n-bu2-sample-floating ├── prj-n-bu2-sample-base ├── prj-n-bu2-sample-restrict └── prj-n-bu2-sample-peering └── fldr-production └── fldr-production-bu1 - ├── prj-p-bu1-kms ├── prj-p-bu1-sample-floating ├── prj-p-bu1-sample-base ├── prj-p-bu1-sample-restrict ├── prj-p-bu1-sample-peering └── fldr-production-bu2 - ├── prj-p-bu2-kms ├── prj-p-bu2-sample-floating ├── prj-p-bu2-sample-base ├── prj-p-bu2-sample-restrict @@ -285,13 +279,13 @@ example-organization ├── prj-d-kms └── prj-d-secrets └── fldr-development-bu1 - ├── prj-d-bu1-kms + ├── prj-d-bu1-sample-floating ├── prj-d-bu1-sample-base ├── prj-d-bu1-sample-restrict ├── prj-d-bu1-sample-peering └── fldr-development-bu2 - ├── prj-d-bu2-kms + ├── prj-d-bu2-sample-floating ├── prj-d-bu2-sample-base ├── prj-d-bu2-sample-restrict @@ -300,13 +294,13 @@ example-organization ├── prj-n-kms └── prj-n-secrets └── fldr-nonproduction-bu1 - ├── prj-n-bu1-kms + ├── prj-n-bu1-sample-floating ├── prj-n-bu1-sample-base ├── prj-n-bu1-sample-restrict ├── prj-n-bu1-sample-peering └── fldr-nonproduction-bu2 - ├── prj-n-bu2-kms + ├── prj-n-bu2-sample-floating ├── prj-n-bu2-sample-base ├── prj-n-bu2-sample-restrict 
@@ -315,13 +309,13 @@ example-organization ├── prj-p-kms └── prj-p-secrets └── fldr-production-bu1 - ├── prj-p-bu1-kms + ├── prj-p-bu1-sample-floating ├── prj-p-bu1-sample-base ├── prj-p-bu1-sample-restrict ├── prj-p-bu1-sample-peering └── fldr-production-bu2 - ├── prj-p-bu2-kms + ├── prj-p-bu2-sample-floating ├── prj-p-bu2-sample-base ├── prj-p-bu2-sample-restrict diff --git a/helpers/foundation-deployer/global.tfvars.example b/helpers/foundation-deployer/global.tfvars.example index 4ab6193e3..0347e625e 100644 --- a/helpers/foundation-deployer/global.tfvars.example +++ b/helpers/foundation-deployer/global.tfvars.example @@ -86,7 +86,6 @@ domains_to_allow = ["example.com"] # Must include the domain essential_contacts_domains_to_allow = ["@example.com"] scc_notification_name = "scc-notify" -cai_monitoring_kms_force_destroy = false audit_logs_table_delete_contents_on_destroy = false log_export_storage_force_destroy = false log_export_storage_location = "US" diff --git a/helpers/foundation-deployer/stages/apply.go b/helpers/foundation-deployer/stages/apply.go index cb3625b41..90b6a9537 100644 --- a/helpers/foundation-deployer/stages/apply.go +++ b/helpers/foundation-deployer/stages/apply.go @@ -201,7 +201,6 @@ func DeployOrgStage(t testing.TB, s steps.Steps, tfvars GlobalTFVars, outputs Bo EnableHubAndSpoke: tfvars.EnableHubAndSpoke, CreateACMAPolicy: createACMAPolicy, CreateUniqueTagKey: tfvars.CreateUniqueTagKey, - CaiMonitoringKmsForceDestroy: tfvars.CaiMonitoringKmsForceDestroy, AuditLogsTableDeleteContentsOnDestroy: tfvars.AuditLogsTableDeleteContentsOnDestroy, LogExportStorageForceDestroy: tfvars.LogExportStorageForceDestroy, LogExportStorageLocation: tfvars.LogExportStorageLocation, diff --git a/helpers/foundation-deployer/stages/data.go b/helpers/foundation-deployer/stages/data.go index 3a8adb1eb..6a40fed9f 100644 --- a/helpers/foundation-deployer/stages/data.go +++ b/helpers/foundation-deployer/stages/data.go 
@@ -143,7 +143,6 @@ type GlobalTFVars struct { SccNotificationName string `hcl:"scc_notification_name"` ProjectPrefix *string `hcl:"project_prefix"` FolderPrefix *string `hcl:"folder_prefix"` - CaiMonitoringKmsForceDestroy *bool `hcl:"cai_monitoring_kms_force_destroy"` BucketForceDestroy *bool `hcl:"bucket_force_destroy"` BucketTfstateKmsForceDestroy *bool `hcl:"bucket_tfstate_kms_force_destroy"` AuditLogsTableDeleteContentsOnDestroy *bool `hcl:"audit_logs_table_delete_contents_on_destroy"` @@ -216,7 +215,6 @@ type OrgTfvars struct { EnableHubAndSpoke bool `hcl:"enable_hub_and_spoke"` CreateACMAPolicy bool `hcl:"create_access_context_manager_access_policy"` CreateUniqueTagKey bool `hcl:"create_unique_tag_key"` - CaiMonitoringKmsForceDestroy *bool `hcl:"cai_monitoring_kms_force_destroy"` AuditLogsTableDeleteContentsOnDestroy *bool `hcl:"audit_logs_table_delete_contents_on_destroy"` LogExportStorageForceDestroy *bool `hcl:"log_export_storage_force_destroy"` LogExportStorageLocation string `hcl:"log_export_storage_location"` diff --git a/helpers/foundation-deployer/stages/validate.go b/helpers/foundation-deployer/stages/validate.go index 2a3aac52a..2f8a6d15b 100644 --- a/helpers/foundation-deployer/stages/validate.go +++ b/helpers/foundation-deployer/stages/validate.go @@ -108,9 +108,6 @@ func ValidateDestroyFlags(t testing.TB, g GlobalTFVars) { if g.BucketTfstateKmsForceDestroy == nil || !*g.BucketTfstateKmsForceDestroy { flags = append(flags, "bucket_tfstate_kms_force_destroy") } - if g.CaiMonitoringKmsForceDestroy == nil || !*g.CaiMonitoringKmsForceDestroy { - flags = append(flags, "cai_monitoring_kms_force_destroy") - } if len(flags) > 0 { fmt.Println("# To use the feature to destroy the deployment created by this helper,") diff --git a/test/integration/org/org_test.go b/test/integration/org/org_test.go index fe31369d4..e5606e42b 100644 --- a/test/integration/org/org_test.go +++ b/test/integration/org/org_test.go 
@@ -41,7 +41,6 @@ func TestOrg(t *testing.T) { vars := map[string]interface{}{ "remote_state_bucket": backend_bucket, "log_export_storage_force_destroy": "true", - "cai_monitoring_kms_force_destroy": "true", } backendConfig := map[string]interface{}{ @@ -301,7 +300,6 @@ func TestOrg(t *testing.T) { caiTopic := org.GetStringOutput("cai_monitoring_topic") caiSaEmail := fmt.Sprintf("cai-monitoring@%s.iam.gserviceaccount.com", sccProjectID) - caiKmsKey := fmt.Sprintf("projects/%s/locations/%s/keyRings/krg-cai-monitoring/cryptoKeys/key-cai-monitoring", sccProjectID, defaultRegion) caiTopicFullName := fmt.Sprintf("projects/%s/topics/%s", sccProjectID, caiTopic) // Cloud Function @@ -313,12 +311,10 @@ func TestOrg(t *testing.T) { // Cloud Function Storage Bucket bktArgs := gcloud.WithCommonArgs([]string{"--project", sccProjectID, "--json"}) opSrcBucket := gcloud.Run(t, fmt.Sprintf("alpha storage ls --buckets gs://%s", caiBucket), bktArgs).Array() - assert.Equal(caiKmsKey, opSrcBucket[0].Get("metadata.encryption.defaultKmsKeyName").String(), fmt.Sprintf("Should have same KMS key: %s", caiKmsKey)) assert.Equal("true", opSrcBucket[0].Get("metadata.iamConfiguration.bucketPolicyOnly.enabled").String(), "Should have Bucket Policy Only enabled.") // Cloud Function Artifact Registry opAR := gcloud.Runf(t, "artifacts repositories describe %s --project %s --location %s", caiAr, sccProjectID, defaultRegion) - assert.Equal(caiKmsKey, opAR.Get("kmsKeyName").String(), fmt.Sprintf("Should have KMS Key: %s", caiKmsKey)) assert.Equal("DOCKER", opAR.Get("format").String(), "Should have type: DOCKER") // Cloud Function Pub/Sub @@ -417,7 +413,7 @@ func TestOrg(t *testing.T) { }, }, { - output: "org_kms_project_id", + output: "common_kms_project_id", apis: []string{ "logging.googleapis.com", "cloudkms.googleapis.com", diff --git a/test/integration/projects/projects_test.go b/test/integration/projects/projects_test.go index 2812a50a7..1b50e507e 100644 
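Review bot: Deleting the two `caiKmsKey` assertions (third hunk) leaves the CAI source bucket and Artifact Registry repository with no encryption assertion at all, so a later change that re-attaches a stale or wrong key, or a CMEK organization policy that silently changes the outcome, would not be caught here. If Google-managed encryption is the intended end state, pin it in place of the removed lines: `assert.Empty(opSrcBucket[0].Get("metadata.encryption.defaultKmsKeyName").String(), "CAI bucket should use Google-managed encryption")` and `assert.Empty(opAR.Get("kmsKeyName").String(), "CAI repository should use Google-managed encryption")`. `TestOrg` starts and ends outside these hunks.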
--- a/test/integration/projects/projects_test.go
+++ b/test/integration/projects/projects_test.go
@@ -146,7 +146,6 @@ func TestProjects(t *testing.T) {
 "base_shared_vpc_project",
 "floating_project",
 "peering_project",
- "env_kms_project",
 "restricted_shared_vpc_project",
 } {
 projectID := projects.GetStringOutput(projectOutput)