Coalfire-CF/terraform-google-security-core

Google Cloud Security Core Terraform Module

Description

The purpose of this module is to bootstrap a GCP organization by creating the GCP resources that must exist before the FedRAMP reference architecture can be deployed. The bootstrap is a dependency for every other deployment component. This module will:

  • Create folders and projects under the Assured Workloads folder
  • Activate the required APIs and services in those projects
  • Create customer-managed encryption keys (CMEK)
  • Create Cloud Storage buckets for Terraform state, installs and backups
  • Create an organization log sink and its destination bucket
  • Configure organization policies
  • Enable organization-level audit logging

Coalfire has tested this module with Terraform 1.5.0 and HashiCorp Google provider versions 4.70 through 5.0.

Usage

```hcl
module "bootstrap" {
  # Pin the source to a release tag or commit with ?ref= so the code you apply cannot change under you.
  source = "github.com/Coalfire-CF/terraform-google-security-core"

  org_id           = var.org_id
  aw_folder_id     = var.aw_folder_id
  billing_account  = var.billing_account
  group_org_admins = var.group_org_admins
  workspace_id     = var.workspace_id # required; see Inputs

  management_services = var.management_services
  networking_services = var.networking_services

  region = var.region
}
```

Every input marked required under Inputs must be supplied; the module has no default for any of them.
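A complete root module that wraps the call above is useful because a bootstrap module has two traps the snippet does not show: the state bucket it creates cannot be used as the backend for its own first apply, and an unpinned git `source` tracks the default branch. The following is an added example, not code from the Coalfire-CF repository. Its assumptions: the `?ref=v1.0.0` tag is a placeholder for a real release tag of this module, the two API lists are illustrative, the provider constraints mirror the tested range stated in this README, and the backend bucket name has to be copied from the `cs_buckets` output after the first apply.

```hcl
# Added example root module; not code from the Coalfire-CF repository.
# Assumptions (not stated in the README): "?ref=v1.0.0" is a placeholder release tag,
# the API lists are illustrative, and the backend bucket name comes from the cs_buckets
# output once the module has been applied.

terraform {
  required_version = "~> 1.5.0" # README: tested with Terraform 1.5.0

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.70.0, <= 5.0.0" # README: tested with provider 4.70 - 5.0
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = ">= 4.70.0, <= 5.0.0"
    }
  }

  # Bootstrap chicken-and-egg: the state bucket does not exist until this module has been
  # applied once. Run the first apply with local state, then uncomment this block and run
  # `terraform init -migrate-state` to move the state into the bucket the module created.
  # backend "gcs" {
  #   bucket = "<terraform state bucket name from module.bootstrap.cs_buckets>"
  #   prefix = "bootstrap"
  # }
}

provider "google" {
  region = var.region
}

provider "google-beta" {
  region = var.region
}

variable "org_id"           { type = string }
variable "aw_folder_id"     { type = string }
variable "billing_account"  { type = string }
variable "group_org_admins" { type = string }
variable "workspace_id"     { type = string }
variable "region"           { type = string }

module "bootstrap" {
  # Pin to an immutable ref: an unpinned git source follows the default branch, so anyone
  # who can push to it changes what the next terraform apply does.
  source = "github.com/Coalfire-CF/terraform-google-security-core?ref=v1.0.0" # placeholder tag

  org_id           = var.org_id
  aw_folder_id     = var.aw_folder_id
  billing_account  = var.billing_account
  group_org_admins = var.group_org_admins
  workspace_id     = var.workspace_id

  # Illustrative API lists (assumption). The service identities the module creates (Cloud SQL,
  # Secret Manager) and the CMEK bindings it makes (Compute, GCS, Pub/Sub) need their APIs
  # enabled in the project they are created in.
  management_services = [
    "cloudkms.googleapis.com",
    "compute.googleapis.com",
    "logging.googleapis.com",
    "pubsub.googleapis.com",
    "secretmanager.googleapis.com",
    "sqladmin.googleapis.com",
    "storage.googleapis.com",
  ]
  networking_services = [
    "compute.googleapis.com",
    "dns.googleapis.com",
    "logging.googleapis.com",
  ]

  region = var.region
}

output "log_export_bucket" {
  value = module.bootstrap.log_export_bucket
}
```

Two things to keep in mind when running this. First, the identity running the first apply needs organization-level rights (folder, project, org policy, logging and KMS administration) that are only delegated to `group_org_admins` after the module runs, so bootstrap with a break-glass organization administrator and switch to the group afterwards. Second, the SSH key the module generates with `tls_private_key.ssh_key` is written to Terraform state in clear text (a property of the `tls` provider) as well as to Secret Manager, so the state file, local or in the bucket, must be treated as a secret from the first apply onwards.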

Requirements

No requirements.

Providers

| Name | Version |
|------|---------|
| google | n/a |
| google-beta | n/a |
| random | n/a |
| time | n/a |
| tls | n/a |

Modules

| Name | Source | Version |
|------|--------|---------|
| application_folder | github.com/Coalfire-CF/terraform-google-folder | v1.0.3 |
| destination | github.com/Coalfire-CF/terraform-google-log-export//modules/storage | v1.0.4 |
| gcs | github.com/Coalfire-CF/terraform-google-cloud-storage | v1.0.4 |
| kms | github.com/Coalfire-CF/terraform-google-kms | v1.0.4 |
| log_export | github.com/Coalfire-CF/terraform-google-log-export | v1.0.4 |
| management_folder | github.com/Coalfire-CF/terraform-google-folder | v1.0.3 |
| management_project | github.com/Coalfire-CF/terraform-google-project | v1.0.4 |
| networking_folder | github.com/Coalfire-CF/terraform-google-folder | v1.0.3 |
| networking_project | github.com/Coalfire-CF/terraform-google-project | v1.0.4 |
| organization_policies_domain_restricted_sharing | github.com/Coalfire-CF/terraform-google-org-policy | v1.0.3 |
| organization_policies_type_boolean | github.com/Coalfire-CF/terraform-google-org-policy | v1.0.3 |
| winbastion_administrator | github.com/Coalfire-CF/terraform-google-secret-manager | v1.0.6 |

Resources

| Name | Type |
|------|------|
| google-beta_google_project_service_identity.cloudsql_sa | resource |
| google-beta_google_project_service_identity.sm_sa | resource |
| google_compute_project_metadata.metadata | resource |
| google_kms_crypto_key_iam_binding.cloudsql_sa_kms_crypto | resource |
| google_kms_crypto_key_iam_binding.cloudsql_sa_viewer | resource |
| google_kms_crypto_key_iam_member.ce_account | resource |
| google_kms_crypto_key_iam_member.gcs_account | resource |
| google_kms_crypto_key_iam_member.ps_account | resource |
| google_kms_crypto_key_iam_member.sm_account | resource |
| google_organization_iam_audit_config.org_config | resource |
| google_organization_iam_member.org_admins | resource |
| google_project_iam_custom_role.start_stop_role | resource |
| google_project_iam_member.start_stop_role_member | resource |
| google_secret_manager_secret.gce_ssh_private_key | resource |
| google_secret_manager_secret_version.gce_ssh_private_key | resource |
| google_service_account_iam_member.ce_account_user | resource |
| random_string.suffix_sink | resource |
| time_sleep.wait | resource |
| tls_private_key.ssh_key | resource |
| google_compute_default_service_account.default | data source |
| google_folder.aw_folder | data source |
| google_storage_project_service_account.gcs_account | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| aw_folder_id | Assured Workloads folder ID. | `string` | n/a | yes |
| billing_account | The ID of the billing account to associate projects with. | `string` | n/a | yes |
| boolean_type_organization_policies | List of boolean-type organization policy constraints to enforce. | `list(string)` | `["compute.disableNonFIPSMachineTypes", "compute.skipDefaultNetworkCreation", "sql.restrictPublicIp", "storage.publicAccessPrevention"]` | no |
| bucket_prefix | Prefix for buckets. | `string` | `"bkt"` | no |
| create_log_export | Whether or not to create the organization log export. | `bool` | `true` | no |
| folder_prefix | Prefix for folders. | `string` | `"fldr"` | no |
| group_org_admins | Google Group for GCP Organization Administrators. | `string` | n/a | yes |
| keyring_prefix | Prefix for key rings. | `string` | `"kr"` | no |
| log_filter | Log export filter (logging query language) applied to the organization sink. | `string` | `" logName: /logs/cloudaudit.googleapis.com%2Factivity OR\n logName: /logs/cloudaudit.googleapis.com%2Fsystem_event OR\n logName: /logs/cloudaudit.googleapis.com%2Fdata_access OR\n logName: /logs/compute.googleapis.com%2Fvpc_flows OR\n logName: /logs/compute.googleapis.com%2Ffirewall OR\n logName: /logs/cloudaudit.googleapis.com%2Faccess_transparency\n"` | no |
| management_services | APIs & Services to enable in the management project. | `list(string)` | n/a | yes |
| networking_services | APIs & Services to enable in the networking project. | `list(string)` | n/a | yes |
| org_admin_roles | List of roles granted to `group_org_admins` at the organization level. | `list(string)` | `["roles/assuredworkloads.admin", "roles/billing.user", "roles/cloudkms.admin", "roles/cloudsql.admin", "roles/compute.admin", "roles/compute.instanceAdmin", "roles/compute.networkAdmin", "roles/compute.securityAdmin", "roles/compute.xpnAdmin", "roles/dns.admin", "roles/iam.securityAdmin", "roles/iam.serviceAccountAdmin", "roles/iam.serviceAccountUser", "roles/logging.admin", "roles/orgpolicy.policyAdmin", "roles/pubsub.admin", "roles/resourcemanager.folderAdmin", "roles/resourcemanager.organizationAdmin", "roles/secretmanager.admin", "roles/source.admin", "roles/storage.admin"]` | no |
| org_id | GCP Organization ID. | `string` | n/a | yes |
| project_prefix | Prefix for projects. | `string` | `"prj"` | no |
| region | The GCP region to create resources in. | `string` | n/a | yes |
| sink_prefix | Prefix for sinks. | `string` | `"sk"` | no |
| ssh_user | Default user for SSH access. | `string` | `"gce-user"` | no |
| topic_prefix | Prefix for topics. | `string` | `"ps"` | no |
| workspace_id | Google Workspace / Cloud Identity customer ID, used to scope the domain restricted sharing organization policy. Obtain it from the `DIRECTORY_CUSTOMER_ID` column of `gcloud organizations list`. | `string` | n/a | yes |

The default `org_admin_roles` list grants broad organization-wide administration to a single group; treat membership of `group_org_admins` as break-glass access and keep it small.

Outputs

| Name | Description |
|------|-------------|
| cs_buckets | n/a |
| gce_ssh_private_key | n/a |
| group_org_admins | n/a |
| kms_key_ring_id | n/a |
| kms_key_ring_name | n/a |
| kms_keys | n/a |
| log_export_bucket | n/a |
| management_folder | n/a |
| management_project | n/a |
| networking_folder | n/a |
| networking_project | n/a |