From 55a06face29add943cb2778724ad746049706289 Mon Sep 17 00:00:00 2001
From: Duda Martins <109083465+mariammartins@users.noreply.github.com>
Date: Wed, 28 Aug 2024 20:48:28 -0300
Subject: [PATCH] Refactor: remove data access logs enabled variable (#1332)

---
1-org/README.md | 5 ----
1-org/envs/shared/README.md | 1 -
1-org/envs/shared/iam.tf | 46 ----------------------------------
1-org/envs/shared/variables.tf | 6 -----
4 files changed, 58 deletions(-)

diff --git a/1-org/README.md b/1-org/README.md
index 1be58e521..2c0b16e00 100644
--- a/1-org/README.md
+++ b/1-org/README.md
@@ -68,11 +68,6 @@ See [troubleshooting](../docs/TROUBLESHOOTING.md) if you run into issues during
 
 ## Usage
 
-**Disclaimer:** This step enables [Data Access logs](https://cloud.google.com/logging/docs/audit#data-access) for all services in your organization.
-Enabling Data Access logs might result in your project being charged for the additional logs usage.
-For details on costs you might incur, go to [Pricing](https://cloud.google.com/stackdriver/pricing).
-You can choose not to enable the Data Access logs by setting the variable `data_access_logs_enabled` to false.
-
 Consider the following:
 
 - This module creates a sink to export all logs to a Cloud Logging bucket. It also creates sinks to export a subset of security-related logs
diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md
index 671157da3..e260c67ca 100644
--- a/1-org/envs/shared/README.md
+++ b/1-org/envs/shared/README.md
@@ -6,7 +6,6 @@
 | billing\_export\_dataset\_location | The location of the dataset for billing data export. | `string` | `null` | no |
 | create\_access\_context\_manager\_access\_policy | Whether to create access context manager access policy. | `bool` | `true` | no |
 | create\_unique\_tag\_key | Creates unique organization-wide tag keys by adding a random suffix to each key. | `bool` | `false` | no |
-| data\_access\_logs\_enabled | Enable Data Access logs of types DATA\_READ, DATA\_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN\_READ logs are enabled by default. | `bool` | `false` | no |
 | domains\_to\_allow | The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the Terraform Service Account used in the deploy. | `list(string)` | n/a | yes |
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
 | enable\_scc\_resources\_in\_terraform | Create Security Command Center resources in Terraform. If your organization has newly enabled any preview features for SCC and get an error related to the v2 API, you must set this variable to false because the v2 API does not yet support Terraform resources. See [issue 1189](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1189) for context. | `bool` | `false` | no |
diff --git a/1-org/envs/shared/iam.tf b/1-org/envs/shared/iam.tf
index 3a0cca12b..b5c627705 100644
--- a/1-org/envs/shared/iam.tf
+++ b/1-org/envs/shared/iam.tf
@@ -18,52 +18,6 @@
 Audit Logs - IAM
 *****************************************/
 
-locals {
- enabling_data_logs = var.data_access_logs_enabled ? ["DATA_WRITE", "DATA_READ"] : []
-}
-
-resource "google_organization_iam_audit_config" "org_config" {
- count = local.parent_folder == "" ? 1 : 0
- org_id = local.org_id
- service = "allServices"
-
- ###################################################################################################
- ### Audit logs can generate costs, to know more about it,
- ### check the official documentation: https://cloud.google.com/stackdriver/pricing#logging-costs
- ### To know more about audit logs, you can find more infos
- ### here https://cloud.google.com/logging/docs/audit/configure-data-access
- ### To enable DATA_READ and DATA_WRITE audit logs, set `data_access_logs_enabled` to true
- ### ADMIN_READ logs are enabled by default.
- ####################################################################################################
- dynamic "audit_log_config" {
- for_each = setunion(local.enabling_data_logs, ["ADMIN_READ"])
- content {
- log_type = audit_log_config.key
- }
- }
-}
-
-resource "google_folder_iam_audit_config" "folder_config" {
- count = local.parent_folder != "" ? 1 : 0
- folder = "folders/${local.parent_folder}"
- service = "allServices"
-
- ###################################################################################################
- ### Audit logs can generate costs, to know more about it,
- ### check the official documentation: https://cloud.google.com/stackdriver/pricing#logging-costs
- ### To know more about audit logs, you can find more infos
- ### here https://cloud.google.com/logging/docs/audit/configure-data-access
- ### To enable DATA_READ and DATA_WRITE audit logs, set `data_access_logs_enabled` to true
- ### ADMIN_READ logs are enabled by default.
- ####################################################################################################
- dynamic "audit_log_config" {
- for_each = setunion(local.enabling_data_logs, ["ADMIN_READ"])
- content {
- log_type = audit_log_config.key
- }
- }
-}
-
 resource "google_project_iam_member" "audit_log_logging_viewer" {
 project = module.org_audit_logs.project_id
 role = "roles/logging.viewer"
diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf
index 24d454e6e..01ba2a832 100644
--- a/1-org/envs/shared/variables.tf
+++ b/1-org/envs/shared/variables.tf
@@ -54,12 +54,6 @@ variable "enforce_allowed_worker_pools" {
 default = false
 }
 
-variable "data_access_logs_enabled" {
- description = "Enable Data Access logs of types DATA_READ, DATA_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN_READ logs are enabled by default."
- type = bool
- default = false
-}
-
 variable "log_export_storage_location" {
 description = "The location of the storage bucket used to export logs."
 type = string