chore: disabling SCC notifications for now #1304
Conversation
lpezet
requested review from
rjerrems,
gtsorbo,
eeaton,
sleighton2022 and
a team
as code owners
|
@lpezet the results of the Lint test show specific errors in your code changes: Once you get the Lint tests passing I'll review the specific changes |
1-org/envs/shared/iam.tf
Outdated
| role = "roles/securitycenter.adminEditor" | ||
| member = "group:${var.gcp_groups.scc_admin}" | ||
| } | ||
|
|
||
| resource "google_project_iam_member" "global_secrets_admin" { | ||
| count = var.gcp_groups.global_secrets_admin != null ? 1 : 0 | ||
| count = var.gcp_groups.global_secrets_admin && var.enable_scc_notifications != null ? 1 : 0 |
There was a problem hiding this comment.
This resource is unrelated SCC notificaitons, please revert this change.
1-org/envs/shared/iam.tf
Outdated
| @@ -162,21 +162,21 @@ resource "google_project_iam_member" "audit_bq_data_viewer" { | |||
| } | |||
|
|
|||
| resource "google_organization_iam_member" "org_scc_admin" { | |||
| count = var.gcp_groups.scc_admin != null && local.parent_folder == "" ? 1 : 0 | |||
| count = var.gcp_groups.scc_admin != null && local.parent_folder == "" && var.enable_scc_notifications ? 1 : 0 | |||
There was a problem hiding this comment.
This role is still required even if we remove the SCC notification config (somebody still has to use and configure SCC, not all of which can be automated through Terraform). Please revert this change.
1-org/envs/shared/variables.tf
Outdated
| @@ -20,6 +20,12 @@ variable "enable_hub_and_spoke" { | |||
| default = false | |||
| } | |||
|
|
|||
| variable "enable_scc_notifications" { | |||
| description = "Enable Security Command Center Notifications." | |||
There was a problem hiding this comment.
This is one variable that handles two distinct sets of functionality and use cases. (SCC notification is to export findings, the cai_monitoring module is to generate custom findings from an asset feed that are then fed into SCC and subsequently through the notification config). Both use cases are affected by the same bug, but logically I would want to control enablement of them separately, and the description/name are misleading.
To make it clear that this is a tech workaround and not about enabling features, how about rewriting it like the following:
variable "enable_scc_resources_in_terraform" { description = "Create Security Command Center resources in Terraform. If your organization has newly enabled any preview features for SCC and get an error related to the v2 API, you must set this variable to false because the v2 API does not yet support Terraform resources. See [issue 1189](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1189) for context."
1-org/envs/shared/iam.tf
Outdated
| "roles/storage.objectViewer", | ||
| "roles/artifactregistry.writer", | ||
| ]) | ||
| project = module.scc_notifications[0].project_id |
There was a problem hiding this comment.
Is there a reason to set the boolean logic inside the for_each block, instead of using a count argument like other resources?
There was a problem hiding this comment.
You might have overlooked this comment, bump :)
1-org/envs/shared/projects.tf
Outdated
|
|
||
| source = "terraform-google-modules/project-factory/google" | ||
| version = "~> 15.0" | ||
| count = var.enable_scc_notifications ? 1 : 0 |
There was a problem hiding this comment.
For consistent conventions, I suggest to leave this module (which just creates a placeholder project) untouched. Here's my reasoning:
- Even if the blueprint user does not configure notification configs as part of the automated blueprint, there are still various use cases in the written guide that assume this placeholder project exists. Removing it completely goes against the written recommendations.
- This is also cleaner because it reduces a number of places you've modified "module.scc_notifications[0].project_id" to accommodate the changed array structure when using count arguments.
- The convention used in the centralized logging module is to use the project created in this file even though several modules there are turned on or off based on variables.
|
/gcbrun |
|
@eeaton I believe I addressed everything you reported. On my own setup, I'm still getting that |
|
/gcbrun |
1-org/envs/shared/iam.tf
Outdated
| "roles/storage.objectViewer", | ||
| "roles/artifactregistry.writer", | ||
| ]) | ||
| project = module.scc_notifications[0].project_id |
There was a problem hiding this comment.
You might have overlooked this comment, bump :)
1-org/envs/shared/iam.tf
Outdated
| org_id = local.org_id | ||
| role = "roles/securitycenter.adminEditor" | ||
| member = "group:${var.gcp_groups.scc_admin}" | ||
| } | ||
|
|
||
| resource "google_project_iam_member" "project_scc_admin" { | ||
| count = var.gcp_groups.scc_admin != null && var.enable_scc_notifications ? 1 : 0 | ||
| count = var.gcp_groups.scc_admin != null && var.enable_scc_resources_in_terraform ? 1 : 0 | ||
| project = module.scc_notifications[0].project_id |
There was a problem hiding this comment.
There are still 3 references to module.scc_notifications[0].project_id that will throw an error now that we removed the count argument from the module scc_notifications in projects.tf. Revert these 3 references back to module.scc_notifications.project_id.
Somehow this passed Lint tests (can't explain why, though? This definitely throws an invalid index error when running Terraform plan in my local environment). I've kicked off the full CI build, takes some hours but I expect it will fail with the same invalid index error.
|
/gcbrun |
|
Code changes look good, but the unit tests in CI are failing with the error below. We have an internal environment to automatically build and test all the resources before. The logs and errors from this are internal-only as a control against leaked secrets, so unfortunately there's a bit of back-and-forth required to convey the error and fix it. To recreate these tests in your local environment, see contributing. The relevant test for the scope of changes in this PR is just In this case, I think the simplest fix is to comment out the lines that assert the resources related to SCC and CAI-monitoring have been created. Since we're now treating them as optional, it makes sense to disable the tests that require these resources. Add a commit that comments out these lines from org_test.go:
I haven't yet run this myself, I'm just comparing the test file against the resources I know we've changed, give that a try. If you're having a hard time with the tests locally I'll try to recreate it in my environment to confirm what's missing in the tests. |
|
@eeaton I'm trying to go through the tests myself, but the My SA has the roles mentioned in the CONTRIBUTING file. I tried adding more roles (Service Usage Admin and Service Management Admin) but no luck. |
|
The issue you're encountering is about the CSR deprecation. It looks like the docker tests also have a dependency on CSR that needs to be unpicked. Docker tests don't meaningfully use CSR, but there are places where the CSR API is enabled, which will now fail. CSR is still available to orgs that used it prior to deprecation, but not to new orgs who hadn't used it. So unfortunately that means your environment and mine have different behavior so it hasn't been caught by our automated tests. I expect you can get around this by removing / commenting out any references to "sourcerepo.googleapis.com". The following files are likely culprits (there are a few more in later stages, but those aren't blockers for tests in the Bootstrap and Org stages.
I recreated the tests with changes from your branch in my local environment, confirmed that the suggested lines to comment out in org_test.go do indeed allow the CI tests to pass. So if you're getting stuck recreating the CI in your local environment, just add a commit with those changes to org_test.go and the remote automated CI should be able to run and validate the changes. |
|
/gcbrun |
No description provided.