Add Alerts, Logging, Channels Factories #2758
base: master
6a8ae06
2586c54
4e9f75e
5b768a3
9ba92c3
4e8a745
8f16176
44b0bcc
82831ab
f72d382
af1efa1
201912e
8e89eb3
8c81fcb
8a176a8
ce0cd8a
a3eecb5
ba88e56
38ace70
38153c9
414c698
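--- /dev/null
+++ b/[path not shown on page: alerts factory yaml]
@@ -0,0 +1,165 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+route-changes:
+display_name: "Network Route Changes"
+combiner: OR
+alert_strategy:
+auto_close: 604800s
+conditions:
+condition_threshold:
+comparison: COMPARISON_GT
+duration: "0s"
+resource_type: global
+trigger:
+count: 1
+aggregations:
+per_series_aligner: ALIGN_MEAN
+cross_series_reducer: REDUCE_COUNT
+alignment_period: "600s"
+notification_channels:
+compliance-default
+
+network-firewall-config-changes:
+display_name: "VPC Network Firewall Changes"
+combiner: OR
+alert_strategy:
+auto_close: 604800s
+conditions:
+condition_threshold:
+comparison: COMPARISON_GT
+duration: "0s"
+resource_type: global
+trigger:
+count: 1
+aggregations:
+per_series_aligner: ALIGN_MEAN
+cross_series_reducer: REDUCE_COUNT
+alignment_period: "600s"
+notification_channels:
+compliance-default
+
+vpc-network-config-changes:
+display_name: "VPC Network Changes"
+combiner: OR
+alert_strategy:
+auto_close: 604800s
+conditions:
+condition_threshold:
+comparison: COMPARISON_GT
+duration: "0s"
+resource_type: global
+trigger:
+count: 1
+aggregations:
+per_series_aligner: ALIGN_MEAN
+cross_series_reducer: REDUCE_COUNT
+alignment_period: "600s"
+notification_channels:
+compliance-default
+
+cloudsql-changes:
+display_name: "CloudSQL Changes"
+combiner: OR
+alert_strategy:
+auto_close: 604800s
+conditions:
+condition_threshold:
+comparison: COMPARISON_GT
+duration: "0s"
+resource_type: global
+trigger:
+count: 1
+aggregations:
+per_series_aligner: ALIGN_MEAN
+cross_series_reducer: REDUCE_COUNT
+alignment_period: "600s"
+notification_channels:
+compliance-default
+
+cloudstorage-changes:
+display_name: "Cloud Storage Changes"
+combiner: OR
+alert_strategy:
+auto_close: 604800s
+conditions:
+condition_threshold:
+comparison: COMPARISON_GT
+duration: "0s"
+resource_type: "gcs_bucket"
+trigger:
+count: 1
+aggregations:
+per_series_aligner: ALIGN_MEAN
+cross_series_reducer: REDUCE_COUNT
+alignment_period: "600s"
+notification_channels:
+compliance-default
+
+customrole-changes:
+display_name: "IAM Custom Role Changes"
+combiner: OR
+alert_strategy:
+auto_close: 604800s
+conditions:
+condition_threshold:
+comparison: COMPARISON_GT
+duration: "0s"
+resource_type: global
+trigger:
+count: 1
+aggregations:
+per_series_aligner: ALIGN_MEAN
+cross_series_reducer: REDUCE_COUNT
+alignment_period: "600s"
+notification_channels:
+compliance-default
+
+audit-changes:
+display_name: "Audit Configuration Changes"
+combiner: OR
+alert_strategy:
+auto_close: 604800s
+conditions:
+condition_threshold:
+comparison: COMPARISON_GT
+duration: "0s"
+resource_type: global
+trigger:
+count: 1
+aggregations:
+per_series_aligner: ALIGN_MEAN
+cross_series_reducer: REDUCE_COUNT
+alignment_period: "600s"
+notification_channels:
+compliance-default
+
+iam-owner-changes:
+display_name: "Owner IAM Configuration Changes"
+combiner: OR
+alert_strategy:
+auto_close: 604800s
+conditions:
+condition_threshold:
+comparison: COMPARISON_GT
+duration: "0s"
+resource_type: global
+trigger:
+count: 1
+aggregations:
+per_series_aligner: ALIGN_DELTA
+cross_series_reducer: REDUCE_SUM
+alignment_period: "600s"
+notification_channels:
+compliance-default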
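Review bot: `iam-owner-changes` is the only alert that aggregates with `ALIGN_DELTA`/`REDUCE_SUM`; the other seven use `ALIGN_MEAN`/`REDUCE_COUNT`, and as I read the Monitoring API `REDUCE_COUNT` counts the data points contributed across time series rather than summing the change events the DELTA/INT64 metrics in the sibling logging-metrics file record, so the two groups will not react the same way to the same `trigger: count: 1`. Unless the difference is deliberate, use `per_series_aligner: ALIGN_DELTA` and `cross_series_reducer: REDUCE_SUM` for all eight and say in a header comment why that pair is the right one for a log-based counter. The file also needs a header comment stating that each top-level key here presumably has to match a key in the logging-metrics factory file (`route-changes`, `network-firewall-config-changes`, …), since no condition carries an explicit metric filter; `resource_type: "gcs_bucket"` in `cloudstorage-changes` is the only quoted resource_type, so drop the quotes for consistency.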
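--- /dev/null
+++ b/[path not shown on page: channels factory yaml]
@@ -0,0 +1,20 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+compliance-default:
+type: email
+display_name: "Default Email Notifications"
+email_address: [email protected]
+labels:
+email_address: "[email protected]"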
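Review bot: The address for `compliance-default` is written twice, once as a top-level `email_address` and once under `labels.email_address`; in the Monitoring API an email channel carries its address only in `labels`, so if the factory reads `labels` the top-level key is dead configuration that can silently drift from the one actually used, and the reverse holds if the factory reads the top-level key. Keep a single copy and add a comment naming which key the factory consumes, e.g. `# email channels: the factory reads labels.email_address`. Worth also noting in that comment that the value is a literal sample address and not derived from the stage's default alerts email variable, so the two can disagree.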
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
# Copyright 2024 Google LLC | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
route-changes: | ||
description: "Monitor VPC network route configuration changes inside GCP projects" | ||
filter: | | ||
resource.type="gce_route" AND (protoPayload.methodName:"compute.routes.delete" OR protoPayload.methodName:"compute.routes.insert") | ||
metric_descriptor: | ||
metric_kind: DELTA | ||
value_type: "INT64" | ||
|
||
network-firewall-config-changes: | ||
description: "Monitor VPC network firewall configuration changes inside GCP projects" | ||
filter: "resource.type=\"gce_firewall_rule\" AND (protoPayload.methodName:\"compute.firewalls.delete\" OR protoPayload.methodName:\"compute.firewalls.insert\")" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. please use "|" syntax for all filters in this file There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I've done this in the PR I sent |
||
metric_descriptor: | ||
metric_kind: DELTA | ||
value_type: "INT64" | ||
|
||
vpc-network-config-changes: | ||
description: "Monitor VPC network configuration changes inside GCP projects" | ||
filter: "resource.type=\"gce_network\" AND (protoPayload.methodName:\"compute.networks.insert\" OR protoPayload.methodName:\"compute.networks.patch\" OR protoPayload.methodName:\"compute.networks.delete\" OR protoPayload.methodName:\"compute.networks.removePeering\" OR protoPayload.methodName:\"compute.networks.addPeering\")" | ||
metric_descriptor: | ||
metric_kind: DELTA | ||
value_type: "INT64" | ||
|
||
cloudsql-changes: | ||
description: "Monitor CloudSQL configuration changes inside GCP projects" | ||
filter: "protoPayload.methodName=\"cloudsql.instances.update\" OR protoPayload.methodName=\"cloudsql.instances.create\" OR protoPayload.methodName=\"cloudsql.instances.delete\"" | ||
metric_descriptor: | ||
metric_kind: DELTA | ||
value_type: "INT64" | ||
|
||
cloudstorage-changes: | ||
description: "Monitor Cloud Storage configuration changes inside GCP projects" | ||
filter: "resource.type=gcs_bucket AND protoPayload.methodName=\"storage.setIamPermissions\"" | ||
metric_descriptor: | ||
metric_kind: DELTA | ||
value_type: "INT64" | ||
|
||
customrole-changes: | ||
description: "Monitor IAM Custom Role configuration changes inside GCP projects" | ||
filter: "resource.type=\"iam_role\" AND (protoPayload.methodName=\"google.iam.admin.v1.CreateRole\" OR protoPayload.methodName=\"google.iam.admin.v1.DeleteRole\" OR protoPayload.methodName=\"google.iam.admin.v1.UpdateRole\")" | ||
metric_descriptor: | ||
metric_kind: DELTA | ||
value_type: "INT64" | ||
|
||
audit-changes: | ||
description: "Monitor Audit configuration changes inside GCP projects" | ||
filter: "protoPayload.methodName=\"SetIamPolicy\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*" | ||
metric_descriptor: | ||
metric_kind: DELTA | ||
value_type: "INT64" | ||
|
||
iam-owner-changes: | ||
description: "Monitor IAM Owner configuration changes inside GCP projects" | ||
filter: "(protoPayload.serviceName=\"cloudresourcemanager.googleapis.com\") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\"REMOVE\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/owner\") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\"ADD\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/owner\")" | ||
metric_descriptor: | ||
metric_kind: DELTA | ||
value_type: "INT64" |
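Review bot: The `network-firewall-config-changes` filter matches only `compute.firewalls.delete` and `compute.firewalls.insert`, so an in-place modification of an existing rule produces no metric increment and therefore no alert from the alerts factory; the corresponding CIS GCP Benchmark metric also includes `compute.firewalls.patch`. Add `OR protoPayload.methodName:"compute.firewalls.patch"` inside the parenthesised group on that filter line (`compute.firewalls.update` is the other mutating method worth considering). The `cloudstorage-changes` description says "configuration changes" but its filter covers only `storage.setIamPermissions`, so either narrow the description to IAM permission changes or state the scope in a comment. The `iam-owner-changes` filter mixes `AND` and `OR` at the top level with only partial parenthesisation; wrapping the first `AND` clause in its own parentheses would make the intended precedence explicit to the next reader.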
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -23,7 +23,7 @@ locals { | |
# If users give a list of custom audiences we set by default the first element. | ||
# If no audiences are given, we set https://iam.googleapis.com/{PROVIDER_NAME} | ||
audiences = try( | ||
local.cicd_providers[v["identity_provider"]].audiences, "" | ||
local.cicd_providers[v["identity_provider"]].audiences, "e" | ||
|
||
) | ||
identity_provider = try( | ||
local.cicd_providers[v["identity_provider"]].name, "" | ||
|
@@ -109,6 +109,7 @@ locals { | |
vpcsc = module.automation-tf-vpcsc-sa.email | ||
vpcsc-r = module.automation-tf-vpcsc-r-sa.email | ||
} | ||
default_alerts_email = var.default_alerts_email | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. this should go in globals, but TBH I would not even pass this down as it's specific to stage 0 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. should we export notification channels to the following stages? |
||
} | ||
billing = { | ||
dataset = try(module.billing-export-dataset[0].id, null) | ||
|
@@ -222,8 +223,8 @@ output "tfvars" { | |
|
||
output "tfvars_globals" { | ||
description = "Terraform Globals variable files for the following stages." | ||
sensitive = true | ||
value = local.tfvars_globals | ||
sensitive = false | ||
value = jsonencode(local.tfvars_globals) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. What's this about? /cc @ludoo There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We mark large outputs as sensitive so as not to pollute the screen at every apply, as they still can be fetched explicitly even when sensitive. So I would keep it. As for |
||
} | ||
|
||
output "workforce_identity_pool" { | ||
|
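Review bot: The fallback in the `audiences` `try()` changes from `""` to `"e"`, which reads as a stray keystroke rather than an intended default: the comment two lines above says a missing audience list is replaced by `https://iam.googleapis.com/{PROVIDER_NAME}`, and that replacement presumably keys on an empty string, so `"e"` would be passed through as a literal audience on the workload identity configuration. Restore `local.cicd_providers[v["identity_provider"]].audiences, ""` or, if the value is deliberate, add a comment explaining it. The `locals` block containing this line starts and ends outside the hunk.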
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -23,3 +23,5 @@ outputs_location = "~/fast-config" | |
|
||
# use something unique and no longer than 9 characters | ||
prefix = "abcd" | ||
|
||
default_alerts_email = "[email protected]" |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -102,6 +102,12 @@ variable "custom_roles" { | |
default = {} | ||
} | ||
|
||
variable "default_alerts_email" { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. should we use the existing There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I had a similar thought either using an existing group, or building something with I actually prefer using |
||
description = "Default email address for alerting." | ||
type = string | ||
default = null | ||
} | ||
|
||
variable "environments" { | ||
description = "Environment names. When not defined, short name is set to the key and tag name to lower(name)." | ||
type = map(object({ | ||
|
@@ -145,14 +151,16 @@ variable "essential_contacts" { | |
variable "factories_config" { | ||
description = "Configuration for the resource factories or external data." | ||
type = object({ | ||
alerts = optional(string, "data/alerts") | ||
channels = optional(string, "data/channels") | ||
custom_roles = optional(string, "data/custom-roles") | ||
logging_metrics = optional(string, "data/logging-metrics") | ||
org_policies = optional(string, "data/org-policies") | ||
org_policies_iac = optional(string, "data/org-policies-iac") | ||
}) | ||
nullable = false | ||
default = {} | ||
} | ||
|
||
variable "groups" { | ||
# https://cloud.google.com/docs/enterprise/setup-checklist | ||
description = "Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated." | ||
|
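Review bot: `default_alerts_email` defaults to `null` with no `validation` block, and its description does not say what a null value means for the `alerts` and `channels` factories added to `factories_config` in the second hunk; a reader cannot tell whether alerts are then skipped, fail at plan time, or fall back to the literal address in the channels data file. Extend the description with one sentence stating whichever of those applies, and consider a `validation` that rejects non-null values without an `@` so a typo is caught at plan time rather than by alerts that are silently never delivered. The `alerts` and `channels` paths in `factories_config` would also benefit from a one-line comment saying that alert keys must match logging-metric keys, since that coupling is not visible from the variable alone (presumed from the data files in this PR; confirm against the factory code).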
now that we are creating LBMs and alerts, do we need to enable the logging and monitoring APIs?
Same, applies to all projects