feat(google_project): Include data access logs for additional Google Cloud services

jbuck · jbuck · commit df4c61ec3644 · 2024-09-04T10:54:24.000-04:00
diff --git a/google_project/locals.tf b/google_project/locals.tf
@@ -32,4 +32,7 @@ locals {
     "stackdriver.googleapis.com",
   ]
   all_project_services = setunion(local.default_project_services, var.project_services)
+
+  default_data_access_logs = ["iam.googleapis.com", "secretmanager.googleapis.com", "sts.googleapis.com"]
+  data_access_logs_filter  = join("\n", toset([for v in concat(local.default_data_access_logs, var.additional_data_access_logs) : "AND NOT protoPayload.serviceName=\"${v}\""]))
 }
diff --git a/google_project/main.tf b/google_project/main.tf
@@ -45,15 +45,13 @@ resource "google_project_iam_audit_config" "data_access_high" {
 
 resource "google_logging_project_exclusion" "data_access_exclusions" {
   name        = "exclude-data-access-log-sink"
-  description = "Exclude data access logs except BigQuery, secrets manager, and IAM for this project"
+  description = "Exclude data access logs except BigQuery, IAM, Secret Manager, and STS for this project. Additional services can be included with var.additional_data_access_logs"
   project     = local.project_id
 
   filter = <<EOT
 log_id("cloudaudit.googleapis.com/data_access")
 AND NOT protoPayload.metadata."@type"="type.googleapis.com/google.cloud.audit.BigQueryAuditMetadata"
-AND NOT protoPayload.serviceName="secretmanager.googleapis.com"
-AND NOT protoPayload.serviceName="iam.googleapis.com"
-AND NOT protoPayload.serviceName="sts.googleapis.com"
+${local.data_access_logs_filter}
   EOT
 }
 
diff --git a/google_project/variables.tf b/google_project/variables.tf
@@ -26,6 +26,19 @@ variable "display_name" {
   type        = string
 }
 
+variable "additional_data_access_logs" {
+  default     = []
+  description = "Additional services that data access logs should be included for. Google Cloud services with audit logs: https://cloud.google.com/logging/docs/audit/services ."
+  type        = list(string)
+
+  validation {
+    condition = alltrue([
+      for v in var.additional_data_access_logs : endswith(v, ".googleapis.com")
+    ])
+    error_message = "The Google Cloud service must end with .googleapis.com . Google Cloud services with audit logs: https://cloud.google.com/logging/docs/audit/services ."
+  }
+}
+
 variable "parent_id" {
   description = "Parent folder (with GCP)."
   type        = string

Original file line number	Diff line number	Diff line change
`@@ -32,4 +32,7 @@ locals {`
`32`	`32`	`"stackdriver.googleapis.com",`
`33`	`33`	`]`
`34`	`34`	`all_project_services = setunion(local.default_project_services, var.project_services)`
	`35`	`+`
	`36`	`+ default_data_access_logs = ["iam.googleapis.com", "secretmanager.googleapis.com", "sts.googleapis.com"]`
	`37`	`+ data_access_logs_filter = join("\n", toset([for v in concat(local.default_data_access_logs, var.additional_data_access_logs) : "AND NOT protoPayload.serviceName=\"${v}\""]))`
`35`	`38`	`}`