feat: create projects for KMS resources (#1032)

Co-authored-by: Grant Sorbo <gtsorbo@google.com>
terraform-google-modules · Dec 20, 2023 · f16e805 · f16e805
1 parent ed04795
commit f16e805
Show file tree

Hide file tree

Showing 34 changed files with 258 additions and 113 deletions.
diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md
@@ -21,7 +21,7 @@
 | log\_export\_storage\_location | The location of the storage bucket used to export logs. | `string` | `"US"` | no |
 | log\_export\_storage\_retention\_policy | Configuration of the bucket's data retention policy for how long objects in the bucket should be retained. | <pre>object({<br>    is_locked             = bool<br>    retention_period_days = number<br>  })</pre> | `null` | no |
 | log\_export\_storage\_versioning | (Optional) Toggles bucket versioning, ability to retain a non-current object version when the live object version gets replaced or deleted. | `bool` | `false` | no |
-| project\_budget | Budget configuration for projects.<br>  budget\_amount: The amount to use as the budget.<br>  alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.<br>  alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.<br>  alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). | <pre>object({<br>    dns_hub_budget_amount                       = optional(number, 1000)<br>    dns_hub_alert_spent_percents                = optional(list(number), [1.2])<br>    dns_hub_alert_pubsub_topic                  = optional(string, null)<br>    dns_hub_budget_alert_spend_basis            = optional(string, "FORECASTED_SPEND")<br>    base_net_hub_budget_amount                  = optional(number, 1000)<br>    base_net_hub_alert_spent_percents           = optional(list(number), [1.2])<br>    base_net_hub_alert_pubsub_topic             = optional(string, null)<br>    base_net_hub_budget_alert_spend_basis       = optional(string, "FORECASTED_SPEND")<br>    base_network_budget_amount                  = optional(number, 1000)<br>    base_network_alert_spent_percents           = optional(list(number), [1.2])<br>    base_network_alert_pubsub_topic             = optional(string, null)<br>    base_network_budget_alert_spend_basis       = optional(string, "FORECASTED_SPEND")<br>    restricted_net_hub_budget_amount            = optional(number, 1000)<br>    restricted_net_hub_alert_spent_percents     = optional(list(number), [1.2])<br>    restricted_net_hub_alert_pubsub_topic       = optional(string, null)<br>    restricted_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br>    restricted_network_budget_amount            = optional(number, 1000)<br>    restricted_network_alert_spent_percents     = optional(list(number), [1.2])<br>    restricted_network_alert_pubsub_topic       = optional(string, null)<br>    restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br>    interconnect_budget_amount                  = optional(number, 1000)<br>    interconnect_alert_spent_percents           = optional(list(number), [1.2])<br>    interconnect_alert_pubsub_topic             = optional(string, null)<br>    interconnect_budget_alert_spend_basis       = optional(string, "FORECASTED_SPEND")<br>    org_secrets_budget_amount                   = optional(number, 1000)<br>    org_secrets_alert_spent_percents            = optional(list(number), [1.2])<br>    org_secrets_alert_pubsub_topic              = optional(string, null)<br>    org_secrets_budget_alert_spend_basis        = optional(string, "FORECASTED_SPEND")<br>    org_billing_logs_budget_amount              = optional(number, 1000)<br>    org_billing_logs_alert_spent_percents       = optional(list(number), [1.2])<br>    org_billing_logs_alert_pubsub_topic         = optional(string, null)<br>    org_billing_logs_budget_alert_spend_basis   = optional(string, "FORECASTED_SPEND")<br>    org_audit_logs_budget_amount                = optional(number, 1000)<br>    org_audit_logs_alert_spent_percents         = optional(list(number), [1.2])<br>    org_audit_logs_alert_pubsub_topic           = optional(string, null)<br>    org_audit_logs_budget_alert_spend_basis     = optional(string, "FORECASTED_SPEND")<br>    scc_notifications_budget_amount             = optional(number, 1000)<br>    scc_notifications_alert_spent_percents      = optional(list(number), [1.2])<br>    scc_notifications_alert_pubsub_topic        = optional(string, null)<br>    scc_notifications_budget_alert_spend_basis  = optional(string, "FORECASTED_SPEND")<br>  })</pre> | `{}` | no |
+| project\_budget | Budget configuration for projects.<br>  budget\_amount: The amount to use as the budget.<br>  alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.<br>  alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.<br>  alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). | <pre>object({<br>    dns_hub_budget_amount                       = optional(number, 1000)<br>    dns_hub_alert_spent_percents                = optional(list(number), [1.2])<br>    dns_hub_alert_pubsub_topic                  = optional(string, null)<br>    dns_hub_budget_alert_spend_basis            = optional(string, "FORECASTED_SPEND")<br>    base_net_hub_budget_amount                  = optional(number, 1000)<br>    base_net_hub_alert_spent_percents           = optional(list(number), [1.2])<br>    base_net_hub_alert_pubsub_topic             = optional(string, null)<br>    base_net_hub_budget_alert_spend_basis       = optional(string, "FORECASTED_SPEND")<br>    base_network_budget_amount                  = optional(number, 1000)<br>    base_network_alert_spent_percents           = optional(list(number), [1.2])<br>    base_network_alert_pubsub_topic             = optional(string, null)<br>    base_network_budget_alert_spend_basis       = optional(string, "FORECASTED_SPEND")<br>    restricted_net_hub_budget_amount            = optional(number, 1000)<br>    restricted_net_hub_alert_spent_percents     = optional(list(number), [1.2])<br>    restricted_net_hub_alert_pubsub_topic       = optional(string, null)<br>    restricted_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br>    restricted_network_budget_amount            = optional(number, 1000)<br>    restricted_network_alert_spent_percents     = optional(list(number), [1.2])<br>    restricted_network_alert_pubsub_topic       = optional(string, null)<br>    restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br>    interconnect_budget_amount                  = optional(number, 1000)<br>    interconnect_alert_spent_percents           = optional(list(number), [1.2])<br>    interconnect_alert_pubsub_topic             = optional(string, null)<br>    interconnect_budget_alert_spend_basis       = optional(string, "FORECASTED_SPEND")<br>    org_secrets_budget_amount                   = optional(number, 1000)<br>    org_secrets_alert_spent_percents            = optional(list(number), [1.2])<br>    org_secrets_alert_pubsub_topic              = optional(string, null)<br>    org_secrets_budget_alert_spend_basis        = optional(string, "FORECASTED_SPEND")<br>    org_billing_logs_budget_amount              = optional(number, 1000)<br>    org_billing_logs_alert_spent_percents       = optional(list(number), [1.2])<br>    org_billing_logs_alert_pubsub_topic         = optional(string, null)<br>    org_billing_logs_budget_alert_spend_basis   = optional(string, "FORECASTED_SPEND")<br>    org_audit_logs_budget_amount                = optional(number, 1000)<br>    org_audit_logs_alert_spent_percents         = optional(list(number), [1.2])<br>    org_audit_logs_alert_pubsub_topic           = optional(string, null)<br>    org_audit_logs_budget_alert_spend_basis     = optional(string, "FORECASTED_SPEND")<br>    org_kms_budget_amount                       = optional(number, 1000)<br>    org_kms_alert_spent_percents                = optional(list(number), [1.2])<br>    org_kms_alert_pubsub_topic                  = optional(string, null)<br>    org_kms_budget_alert_spend_basis            = optional(string, "FORECASTED_SPEND")<br>    scc_notifications_budget_amount             = optional(number, 1000)<br>    scc_notifications_alert_spent_percents      = optional(list(number), [1.2])<br>    scc_notifications_alert_pubsub_topic        = optional(string, null)<br>    scc_notifications_budget_alert_spend_basis  = optional(string, "FORECASTED_SPEND")<br>  })</pre> | `{}` | no |
 | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
 | scc\_notification\_filter | Filter used to create the Security Command Center Notification, you can see more details on how to create filters in https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter | `string` | `"state = \"ACTIVE\""` | no |
 | scc\_notification\_name | Name of the Security Command Center Notification. It must be unique in the organization. Run `gcloud scc notifications describe <scc_notification_name> --organization=org_id` to check if it already exists. | `string` | n/a | yes |
@@ -49,6 +49,7 @@
 | org\_audit\_logs\_project\_id | The org audit logs project ID. |
 | org\_billing\_logs\_project\_id | The org billing logs project ID |
 | org\_id | The organization id |
+| org\_kms\_project\_id | The org Cloud Key Management Service (KMS) project ID |
 | org\_secrets\_project\_id | The org secrets project ID |
 | parent\_resource\_id | The parent resource id |
 | parent\_resource\_type | The parent resource type |

diff --git a/1-org/envs/shared/outputs.tf b/1-org/envs/shared/outputs.tf
@@ -59,6 +59,11 @@ output "org_secrets_project_id" {
   description = "The org secrets project ID"
 }
 
+output "org_kms_project_id" {
+  value       = module.org_kms.project_id
+  description = "The org Cloud Key Management Service (KMS) project ID"
+}
+
 output "interconnect_project_id" {
   value       = module.interconnect.project_id
   description = "The Dedicated Interconnect project ID"

diff --git a/1-org/envs/shared/projects.tf b/1-org/envs/shared/projects.tf
@@ -88,6 +88,39 @@ module "org_billing_logs" {
   budget_alert_spend_basis    = var.project_budget.org_billing_logs_budget_alert_spend_basis
 }
 
+/******************************************
+  Project for Org-wide KMS
+*****************************************/
+
+module "org_kms" {
+  source  = "terraform-google-modules/project-factory/google"
+  version = "~> 14.0"
+
+  random_project_id        = true
+  random_project_id_length = 4
+  default_service_account  = "deprivilege"
+  name                     = "${local.project_prefix}-c-kms"
+  org_id                   = local.org_id
+  billing_account          = local.billing_account
+  folder_id                = google_folder.common.id
+  activate_apis            = ["logging.googleapis.com", "cloudkms.googleapis.com", "billingbudgets.googleapis.com"]
+
+  labels = {
+    environment       = "production"
+    application_name  = "org-kms"
+    billing_code      = "1234"
+    primary_contact   = "example1"
+    secondary_contact = "example2"
+    business_code     = "abcd"
+    env_code          = "p"
+  }
+
+  budget_alert_pubsub_topic   = var.project_budget.org_kms_alert_pubsub_topic
+  budget_alert_spent_percents = var.project_budget.org_kms_alert_spent_percents
+  budget_amount               = var.project_budget.org_kms_budget_amount
+  budget_alert_spend_basis    = var.project_budget.org_kms_budget_alert_spend_basis
+}
+
 /******************************************
   Project for Org-wide Secrets
 *****************************************/

diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf
@@ -142,6 +142,10 @@ variable "project_budget" {
     org_audit_logs_alert_spent_percents         = optional(list(number), [1.2])
     org_audit_logs_alert_pubsub_topic           = optional(string, null)
     org_audit_logs_budget_alert_spend_basis     = optional(string, "FORECASTED_SPEND")
+    org_kms_budget_amount                       = optional(number, 1000)
+    org_kms_alert_spent_percents                = optional(list(number), [1.2])
+    org_kms_alert_pubsub_topic                  = optional(string, null)
+    org_kms_budget_alert_spend_basis            = optional(string, "FORECASTED_SPEND")
     scc_notifications_budget_amount             = optional(number, 1000)
     scc_notifications_alert_spent_percents      = optional(list(number), [1.2])
     scc_notifications_alert_pubsub_topic        = optional(string, null)

diff --git a/2-environments/envs/development/README.md b/2-environments/envs/development/README.md
@@ -12,6 +12,7 @@
 | Name | Description |
 |------|-------------|
 | env\_folder | Environment folder created under parent. |
+| env\_kms\_project\_id | Project for environment Cloud Key Management Service (KMS). |
 | env\_secrets\_project\_id | Project for environment related secrets. |
 | monitoring\_project\_id | Project for monitoring infra. |
 

diff --git a/2-environments/envs/development/outputs.tf b/2-environments/envs/development/outputs.tf
@@ -28,3 +28,8 @@ output "env_secrets_project_id" {
   description = "Project for environment related secrets."
   value       = module.env.env_secrets_project_id
 }
+
+output "env_kms_project_id" {
+  description = "Project for environment Cloud Key Management Service (KMS)."
+  value       = module.env.env_kms_project_id
+}
diff --git a/2-environments/envs/non-production/README.md b/2-environments/envs/non-production/README.md
@@ -12,6 +12,7 @@
 | Name | Description |
 |------|-------------|
 | env\_folder | Environment folder created under parent. |
+| env\_kms\_project\_id | Project for environment Cloud Key Management Service (KMS). |
 | env\_secrets\_project\_id | Project for environment related secrets. |
 | monitoring\_project\_id | Project for monitoring infra. |
 

diff --git a/2-environments/envs/non-production/outputs.tf b/2-environments/envs/non-production/outputs.tf
@@ -28,3 +28,8 @@ output "env_secrets_project_id" {
   description = "Project for environment related secrets."
   value       = module.env.env_secrets_project_id
 }
+
+output "env_kms_project_id" {
+  description = "Project for environment Cloud Key Management Service (KMS)."
+  value       = module.env.env_kms_project_id
+}
diff --git a/2-environments/envs/production/README.md b/2-environments/envs/production/README.md
@@ -14,6 +14,7 @@
 | assured\_workload\_id | Assured Workload ID. |
 | assured\_workload\_resources | Resources associated with the Assured Workload. |
 | env\_folder | Environment folder created under parent. |
+| env\_kms\_project\_id | Project for environment Cloud Key Management Service (KMS). |
 | env\_secrets\_project\_id | Project for environment related secrets. |
 | monitoring\_project\_id | Project for monitoring infra. |
 

diff --git a/2-environments/envs/production/outputs.tf b/2-environments/envs/production/outputs.tf
@@ -29,6 +29,11 @@ output "env_secrets_project_id" {
   value       = module.env.env_secrets_project_id
 }
 
+output "env_kms_project_id" {
+  description = "Project for environment Cloud Key Management Service (KMS)."
+  value       = module.env.env_kms_project_id
+}
+
 output "assured_workload_id" {
   description = "Assured Workload ID."
   value       = module.env.assured_workload_id

diff --git a/2-environments/modules/env_baseline/README.md b/2-environments/modules/env_baseline/README.md
@@ -7,7 +7,7 @@
 | env | The environment to prepare (ex. development) | `string` | n/a | yes |
 | environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization (ex. d). | `string` | n/a | yes |
 | monitoring\_workspace\_users | Google Workspace or Cloud Identity group that have access to Monitoring Workspaces. | `string` | n/a | yes |
-| project\_budget | Budget configuration for projects.<br>  budget\_amount: The amount to use as the budget.<br>  alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.<br>  alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.<br>  alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). | <pre>object({<br>    base_network_budget_amount                  = optional(number, 1000)<br>    base_network_alert_spent_percents           = optional(list(number), [1.2])<br>    base_network_alert_pubsub_topic             = optional(string, null)<br>    base_network_budget_alert_spend_basis       = optional(string, "FORECASTED_SPEND")<br>    restricted_network_budget_amount            = optional(number, 1000)<br>    restricted_network_alert_spent_percents     = optional(list(number), [1.2])<br>    restricted_network_alert_pubsub_topic       = optional(string, null)<br>    restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br>    monitoring_budget_amount                    = optional(number, 1000)<br>    monitoring_alert_spent_percents             = optional(list(number), [1.2])<br>    monitoring_alert_pubsub_topic               = optional(string, null)<br>    monitoring_budget_alert_spend_basis         = optional(string, "FORECASTED_SPEND")<br>    secret_budget_amount                        = optional(number, 1000)<br>    secret_alert_spent_percents                 = optional(list(number), [1.2])<br>    secret_alert_pubsub_topic                   = optional(string, null)<br>    secret_budget_alert_spend_basis             = optional(string, "FORECASTED_SPEND")<br>  })</pre> | `{}` | no |
+| project\_budget | Budget configuration for projects.<br>  budget\_amount: The amount to use as the budget.<br>  alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.<br>  alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.<br>  alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). | <pre>object({<br>    base_network_budget_amount                  = optional(number, 1000)<br>    base_network_alert_spent_percents           = optional(list(number), [1.2])<br>    base_network_alert_pubsub_topic             = optional(string, null)<br>    base_network_budget_alert_spend_basis       = optional(string, "FORECASTED_SPEND")<br>    restricted_network_budget_amount            = optional(number, 1000)<br>    restricted_network_alert_spent_percents     = optional(list(number), [1.2])<br>    restricted_network_alert_pubsub_topic       = optional(string, null)<br>    restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br>    monitoring_budget_amount                    = optional(number, 1000)<br>    monitoring_alert_spent_percents             = optional(list(number), [1.2])<br>    monitoring_alert_pubsub_topic               = optional(string, null)<br>    monitoring_budget_alert_spend_basis         = optional(string, "FORECASTED_SPEND")<br>    secret_budget_amount                        = optional(number, 1000)<br>    secret_alert_spent_percents                 = optional(list(number), [1.2])<br>    secret_alert_pubsub_topic                   = optional(string, null)<br>    secret_budget_alert_spend_basis             = optional(string, "FORECASTED_SPEND")<br>    kms_budget_amount                           = optional(number, 1000)<br>    kms_alert_spent_percents                    = optional(list(number), [1.2])<br>    kms_alert_pubsub_topic                      = optional(string, null)<br>    kms_budget_alert_spend_basis                = optional(string, "FORECASTED_SPEND")<br>  })</pre> | `{}` | no |
 | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
 | tfc\_org\_name | Name of the TFC organization | `string` | n/a | yes |
 
@@ -18,6 +18,7 @@
 | assured\_workload\_id | Assured Workload ID. |
 | assured\_workload\_resources | Resources associated with the Assured Workload. |
 | env\_folder | Environment folder created under parent. |
+| env\_kms\_project\_id | Project for environment Cloud Key Management Service (KMS). |
 | env\_secrets\_project\_id | Project for environment secrets. |
 | monitoring\_project\_id | Project for monitoring infra. |