Refactor: remove data access logs enabled variable (#1332)
mariammartins authored Aug 28, 2024
1 parent 105a0db commit 55a06fa
Showing 4 changed files with 0 additions and 58 deletions.
5 changes: 0 additions & 5 deletions 1-org/README.md
Expand Up @@ -68,11 +68,6 @@ See [troubleshooting](../docs/TROUBLESHOOTING.md) if you run into issues during

## Usage

**Disclaimer:** This step enables [Data Access logs](https://cloud.google.com/logging/docs/audit#data-access) for all services in your organization.
Enabling Data Access logs might result in your project being charged for the additional logs usage.
For details on costs you might incur, go to [Pricing](https://cloud.google.com/stackdriver/pricing).
You can choose not to enable the Data Access logs by setting the variable `data_access_logs_enabled` to false.

Consider the following:

- This module creates a sink to export all logs to a Cloud Logging bucket. It also creates sinks to export a subset of security-related logs
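Review bot: with the disclaimer paragraph gone, the Usage section no longer says anything about what audit logging this step configures, and the rest of the commit (the iam.tf hunk) deletes the organization and folder audit configs entirely, so the README should state the new behaviour rather than just drop the old one. Suggest replacing the removed paragraph with one or two lines that say Data Access logs (DATA_READ, DATA_WRITE) are no longer enabled by this step and where users should configure them if they need them (placeholder: `<link to the replacement docs or module>`), so that readers who previously relied on `data_access_logs_enabled` know the toggle is gone and not merely defaulted off.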
1 change: 0 additions & 1 deletion 1-org/envs/shared/README.md
Expand Up @@ -6,7 +6,6 @@
| billing\_export\_dataset\_location | The location of the dataset for billing data export. | `string` | `null` | no |
| create\_access\_context\_manager\_access\_policy | Whether to create access context manager access policy. | `bool` | `true` | no |
| create\_unique\_tag\_key | Creates unique organization-wide tag keys by adding a random suffix to each key. | `bool` | `false` | no |
| data\_access\_logs\_enabled | Enable Data Access logs of types DATA\_READ, DATA\_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN\_READ logs are enabled by default. | `bool` | `false` | no |
| domains\_to\_allow | The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the Terraform Service Account used in the deploy. | `list(string)` | n/a | yes |
| enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
| enable\_scc\_resources\_in\_terraform | Create Security Command Center resources in Terraform. If your organization has newly enabled any preview features for SCC and get an error related to the v2 API, you must set this variable to false because the v2 API does not yet support Terraform resources. See [issue 1189](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1189) for context. | `bool` | `false` | no |
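Review bot: the removed inputs row is consistent with the variable deletion in variables.tf, but this table uses terraform-docs escaping (`billing\_export\_dataset\_location`), so please confirm it was regenerated by terraform-docs rather than edited by hand, and that no other README or example tfvars in the repository still references `data_access_logs_enabled`.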
46 changes: 0 additions & 46 deletions 1-org/envs/shared/iam.tf
Expand Up @@ -18,52 +18,6 @@
Audit Logs - IAM
*****************************************/

locals {
enabling_data_logs = var.data_access_logs_enabled ? ["DATA_WRITE", "DATA_READ"] : []
}

resource "google_organization_iam_audit_config" "org_config" {
count = local.parent_folder == "" ? 1 : 0
org_id = local.org_id
service = "allServices"

###################################################################################################
### Audit logs can generate costs, to know more about it,
### check the official documentation: https://cloud.google.com/stackdriver/pricing#logging-costs
### To know more about audit logs, you can find more infos
### here https://cloud.google.com/logging/docs/audit/configure-data-access
### To enable DATA_READ and DATA_WRITE audit logs, set `data_access_logs_enabled` to true
### ADMIN_READ logs are enabled by default.
####################################################################################################
dynamic "audit_log_config" {
for_each = setunion(local.enabling_data_logs, ["ADMIN_READ"])
content {
log_type = audit_log_config.key
}
}
}

resource "google_folder_iam_audit_config" "folder_config" {
count = local.parent_folder != "" ? 1 : 0
folder = "folders/${local.parent_folder}"
service = "allServices"

###################################################################################################
### Audit logs can generate costs, to know more about it,
### check the official documentation: https://cloud.google.com/stackdriver/pricing#logging-costs
### To know more about audit logs, you can find more infos
### here https://cloud.google.com/logging/docs/audit/configure-data-access
### To enable DATA_READ and DATA_WRITE audit logs, set `data_access_logs_enabled` to true
### ADMIN_READ logs are enabled by default.
####################################################################################################
dynamic "audit_log_config" {
for_each = setunion(local.enabling_data_logs, ["ADMIN_READ"])
content {
log_type = audit_log_config.key
}
}
}

resource "google_project_iam_member" "audit_log_logging_viewer" {
project = module.org_audit_logs.project_id
role = "roles/logging.viewer"
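Review bot: this hunk removes far more than the variable: both `google_organization_iam_audit_config.org_config` and `google_folder_iam_audit_config.folder_config` are deleted outright, and since their `for_each = setunion(local.enabling_data_logs, ["ADMIN_READ"])` always included ADMIN_READ regardless of the variable, applying this change will make Terraform destroy the `allServices` audit config at the organization or folder level, so ADMIN_READ audit logs are no longer managed here either. That is a change in logging coverage, not a pure refactor, and it is the kind of visibility loss a defender would want called out explicitly. If the intent was only to drop the toggle, keep both resources and replace the `dynamic "audit_log_config"` block with a static `audit_log_config { log_type = "ADMIN_READ" }`; if the intent really is to stop managing audit config in this stage, please say so in the commit message and document where it is managed instead.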
6 changes: 0 additions & 6 deletions 1-org/envs/shared/variables.tf
Expand Up @@ -54,12 +54,6 @@ variable "enforce_allowed_worker_pools" {
default = false
}

variable "data_access_logs_enabled" {
description = "Enable Data Access logs of types DATA_READ, DATA_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN_READ logs are enabled by default."
type = bool
default = false
}

variable "log_export_storage_location" {
description = "The location of the storage bucket used to export logs."
type = string
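Review bot: deleting `variable "data_access_logs_enabled"` is a breaking change for existing deployments whose tfvars still set it; Terraform warns about a value for an undeclared variable when it comes from a .tfvars file and errors when it is passed with `-var`. Suggest mentioning the removal in the upgrade notes or changelog for this release, since `default = false` means users who left it unset will see no difference and will not realise the option is gone until they try to turn it on.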
