chore(monitoring): remove unused monitoring project (#1200)

eeaton · web-flow · commit 7211d87b8aad · 2024-06-05T09:26:43.000-07:00
diff --git a/0-bootstrap/README.md b/0-bootstrap/README.md
@@ -15,7 +15,7 @@ stages.</td>
 </tr>
 <tr>
 <td><a href="../1-org">1-org</a></td>
-<td>Sets up top-level shared folders, monitoring and networking projects, and
+<td>Sets up top-level shared folders, networking projects, and
 organization-level logging, and sets baseline security settings through
 organizational policy.</td>
 </tr>
@@ -311,7 +311,7 @@ Each step has instructions for this change.
 | default\_region\_gcs | Case-Sensitive default region to create gcs resources where applicable. | `string` | `"US"` | no |
 | default\_region\_kms | Secondary default region to create kms resources where applicable. | `string` | `"us"` | no |
 | folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no |
-| groups | Contain the details of the Groups to be created. | <pre>object({<br>    create_required_groups = optional(bool, false)<br>    create_optional_groups = optional(bool, false)<br>    billing_project        = optional(string, null)<br>    required_groups = object({<br>      group_org_admins           = string<br>      group_billing_admins       = string<br>      billing_data_users         = string<br>      audit_data_users           = string<br>      monitoring_workspace_users = string<br>    })<br>    optional_groups = optional(object({<br>      gcp_security_reviewer    = optional(string, "")<br>      gcp_network_viewer       = optional(string, "")<br>      gcp_scc_admin            = optional(string, "")<br>      gcp_global_secrets_admin = optional(string, "")<br>      gcp_kms_admin            = optional(string, "")<br>    }), {})<br>  })</pre> | n/a | yes |
+| groups | Contain the details of the Groups to be created. | <pre>object({<br>    create_required_groups = optional(bool, false)<br>    create_optional_groups = optional(bool, false)<br>    billing_project        = optional(string, null)<br>    required_groups = object({<br>      group_org_admins     = string<br>      group_billing_admins = string<br>      billing_data_users   = string<br>      audit_data_users     = string<br>    })<br>    optional_groups = optional(object({<br>      gcp_security_reviewer    = optional(string, "")<br>      gcp_network_viewer       = optional(string, "")<br>      gcp_scc_admin            = optional(string, "")<br>      gcp_global_secrets_admin = optional(string, "")<br>      gcp_kms_admin            = optional(string, "")<br>    }), {})<br>  })</pre> | n/a | yes |
 | initial\_group\_config | Define the group configuration when it is initialized. Valid values are: WITH\_INITIAL\_OWNER, EMPTY and INITIAL\_GROUP\_CONFIG\_UNSPECIFIED. | `string` | `"WITH_INITIAL_OWNER"` | no |
 | org\_id | GCP Organization ID | `string` | n/a | yes |
 | org\_policy\_admin\_role | Additional Org Policy Admin role for admin group. You can use this for testing purposes. | `bool` | `false` | no |
diff --git a/0-bootstrap/terraform.example.tfvars b/0-bootstrap/terraform.example.tfvars
@@ -25,11 +25,10 @@ groups = {
   # create_optional_groups = false # Change to true to create the optional_groups
   # billing_project        = "REPLACE_ME"  # Fill to create required or optional groups
   required_groups = {
-    group_org_admins           = "REPLACE_ME" # example "gcp-organization-admins@example.com"
-    group_billing_admins       = "REPLACE_ME" # example "gcp-billing-admins@example.com"
-    billing_data_users         = "REPLACE_ME" # example "gcp-billing-data@example.com"
-    audit_data_users           = "REPLACE_ME" # example "gcp-audit-data@example.com"
-    monitoring_workspace_users = "REPLACE_ME" # example "gcp-monitoring-workspace@example.com"
+    group_org_admins     = "REPLACE_ME" # example "gcp-organization-admins@example.com"
+    group_billing_admins = "REPLACE_ME" # example "gcp-billing-admins@example.com"
+    billing_data_users   = "REPLACE_ME" # example "gcp-billing-data@example.com"
+    audit_data_users     = "REPLACE_ME" # example "gcp-audit-data@example.com"
   }
   # optional_groups = {
   #   gcp_security_reviewer      = "" #"gcp_security_reviewer_local_test@example.com"
diff --git a/0-bootstrap/variables.tf b/0-bootstrap/variables.tf
@@ -100,11 +100,10 @@ variable "groups" {
     create_optional_groups = optional(bool, false)
     billing_project        = optional(string, null)
     required_groups = object({
-      group_org_admins           = string
-      group_billing_admins       = string
-      billing_data_users         = string
-      audit_data_users           = string
-      monitoring_workspace_users = string
+      group_org_admins     = string
+      group_billing_admins = string
+      billing_data_users   = string
+      audit_data_users     = string
     })
     optional_groups = optional(object({
       gcp_security_reviewer    = optional(string, "")
@@ -139,11 +138,6 @@ variable "groups" {
     condition     = var.groups.required_groups.audit_data_users != ""
     error_message = "The group audit_data_users is invalid, it must be a valid email"
   }
-
-  validation {
-    condition     = var.groups.required_groups.monitoring_workspace_users != ""
-    error_message = "The group monitoring_workspace_users is invalid, it must be a valid email"
-  }
 }
 
 variable "initial_group_config" {
diff --git a/1-org/README.md b/1-org/README.md
@@ -15,7 +15,7 @@ stages.</td>
 </tr>
 <tr>
 <td>1-org (this file)</td>
-<td>Sets up top-level shared folders, monitoring and networking projects, and
+<td>Sets up top-level shared folders, networking projects, and
 organization-level logging, and sets baseline security settings through
 organizational policy.</td>
 </tr>
@@ -55,7 +55,7 @@ For an overview of the architecture and the parts, see the
 
 ## Purpose
 
-The purpose of this step is to set up top-level shared folders, monitoring and networking projects, organization-level logging, and baseline security settings through organizational policies.
+The purpose of this step is to set up top-level shared folders, networking projects, organization-level logging, and baseline security settings through organizational policies.
 
 ## Prerequisites
 
diff --git a/2-environments/README.md b/2-environments/README.md
@@ -15,7 +15,7 @@ stages.</td>
 </tr>
 <tr>
 <td><a href="../1-org">1-org</a></td>
-<td>Sets up top level shared folders, monitoring and networking projects, and
+<td>Sets up top level shared folders, networking projects, and
 organization-level logging, and sets baseline security settings through
 organizational policy.</td>
 </tr>
@@ -61,8 +61,6 @@ The purpose of this step is to setup development, nonproduction, and production
 
 1. 0-bootstrap executed successfully.
 1. 1-org executed successfully.
-1. Cloud Identity / Google Workspace group for monitoring admins.
-1. Membership in the monitoring admins group for user running Terraform.
 
 ### Troubleshooting
 
diff --git a/2-environments/envs/development/README.md b/2-environments/envs/development/README.md
@@ -13,6 +13,5 @@
 | env\_folder | Environment folder created under parent. |
 | env\_kms\_project\_id | Project for environment Cloud Key Management Service (KMS). |
 | env\_secrets\_project\_id | Project for environment related secrets. |
-| monitoring\_project\_id | Project for monitoring infra. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/2-environments/envs/development/outputs.tf b/2-environments/envs/development/outputs.tf
@@ -19,11 +19,6 @@ output "env_folder" {
   value       = module.env.env_folder
 }
 
-output "monitoring_project_id" {
-  description = "Project for monitoring infra."
-  value       = module.env.monitoring_project_id
-}
-
 output "env_secrets_project_id" {
   description = "Project for environment related secrets."
   value       = module.env.env_secrets_project_id
diff --git a/2-environments/envs/nonproduction/README.md b/2-environments/envs/nonproduction/README.md
@@ -13,6 +13,5 @@
 | env\_folder | Environment folder created under parent. |
 | env\_kms\_project\_id | Project for environment Cloud Key Management Service (KMS). |
 | env\_secrets\_project\_id | Project for environment related secrets. |
-| monitoring\_project\_id | Project for monitoring infra. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/2-environments/envs/nonproduction/outputs.tf b/2-environments/envs/nonproduction/outputs.tf
@@ -19,11 +19,6 @@ output "env_folder" {
   value       = module.env.env_folder
 }
 
-output "monitoring_project_id" {
-  description = "Project for monitoring infra."
-  value       = module.env.monitoring_project_id
-}
-
 output "env_secrets_project_id" {
   description = "Project for environment related secrets."
   value       = module.env.env_secrets_project_id
diff --git a/2-environments/envs/production/README.md b/2-environments/envs/production/README.md
@@ -15,7 +15,6 @@
 | env\_folder | Environment folder created under parent. |
 | env\_kms\_project\_id | Project for environment Cloud Key Management Service (KMS). |
 | env\_secrets\_project\_id | Project for environment related secrets. |
-| monitoring\_project\_id | Project for monitoring infra. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
diff --git a/2-environments/envs/production/outputs.tf b/2-environments/envs/production/outputs.tf
@@ -19,11 +19,6 @@ output "env_folder" {
   value       = module.env.env_folder
 }
 
-output "monitoring_project_id" {
-  description = "Project for monitoring infra."
-  value       = module.env.monitoring_project_id
-}
-
 output "env_secrets_project_id" {
   description = "Project for environment related secrets."
   value       = module.env.env_secrets_project_id
diff --git a/2-environments/modules/env_baseline/README.md b/2-environments/modules/env_baseline/README.md
@@ -19,6 +19,5 @@
 | env\_folder | Environment folder created under parent. |
 | env\_kms\_project\_id | Project for environment Cloud Key Management Service (KMS). |
 | env\_secrets\_project\_id | Project for environment secrets. |
-| monitoring\_project\_id | Project for monitoring infra. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/2-environments/modules/env_baseline/iam.tf b/2-environments/modules/env_baseline/iam.tf
diff --git a/2-environments/modules/env_baseline/monitoring.tf b/2-environments/modules/env_baseline/monitoring.tf
diff --git a/2-environments/modules/env_baseline/outputs.tf b/2-environments/modules/env_baseline/outputs.tf
@@ -19,11 +19,6 @@ output "env_folder" {
   value       = google_folder.env.name
 }
 
-output "monitoring_project_id" {
-  description = "Project for monitoring infra."
-  value       = module.monitoring_project.project_id
-}
-
 output "env_secrets_project_id" {
   description = "Project for environment secrets."
   value       = module.env_secrets.project_id
diff --git a/2-environments/terraform.example.tfvars b/2-environments/terraform.example.tfvars
@@ -14,6 +14,4 @@
  * limitations under the License.
  */
 
-monitoring_workspace_users = "gcp-monitoring-admins@example.com"
-
 remote_state_bucket = "REMOTE_STATE_BUCKET"
diff --git a/3-networks-dual-svpc/README.md b/3-networks-dual-svpc/README.md
@@ -15,7 +15,7 @@ stages.</td>
 </tr>
 <tr>
 <td><a href="../1-org">1-org</a></td>
-<td>Sets up top level shared folders, monitoring and networking projects, and
+<td>Sets up top level shared folders, networking projects, and
 organization-level logging, and sets baseline security settings through
 organizational policy.</td>
 </tr>
diff --git a/3-networks-hub-and-spoke/README.md b/3-networks-hub-and-spoke/README.md
@@ -15,7 +15,7 @@ stages.</td>
 </tr>
 <tr>
 <td><a href="../1-org">1-org</a></td>
-<td>Sets up top level shared folders, monitoring and networking projects, and
+<td>Sets up top level shared folders, networking projects, and
 organization-level logging, and sets baseline security settings through
 organizational policy.</td>
 </tr>
diff --git a/4-projects/README.md b/4-projects/README.md
@@ -15,7 +15,7 @@ stages.</td>
 </tr>
 <tr>
 <td><a href="../1-org">1-org</a></td>
-<td>Sets up top level shared folders, monitoring and networking projects, and
+<td>Sets up top level shared folders, networking projects, and
 organization-level logging, and sets baseline security settings through
 organizational policy.</td>
 </tr>
diff --git a/5-app-infra/README.md b/5-app-infra/README.md
@@ -15,7 +15,7 @@ stages.</td>
 </tr>
 <tr>
 <td><a href="../1-org">1-org</a></td>
-<td>Sets up top-level shared folders, monitoring and networking projects,
+<td>Sets up top-level shared folders, networking projects,
 organization-level logging, and baseline security settings through
 organizational policies.</td>
 </tr>
diff --git a/README.md b/README.md
@@ -126,31 +126,22 @@ This stage only creates the projects and enables the correct APIs, the following
 
 ### [2. environments](./2-environments/)
 
-The purpose of this stage is to set up the environments folders used for projects that contain monitoring and secrets projects.
+The purpose of this stage is to set up the environments folders that contain shared projects for each environemnt.
 This will create the following folder and project structure:
 
 ```
 example-organization
 └── fldr-development
-    ├── prj-d-monitoring
     ├── prj-p-kms
     └── prj-d-secrets
 └── fldr-nonproduction
-    ├── prj-n-monitoring
     ├── prj-n-kms
     └── prj-n-secrets
 └── fldr-production
-    ├── prj-p-monitoring
     ├── prj-p-kms
     └── prj-p-secrets
 ```
 
-#### Monitoring
-
-Under the environment folder, a project is created per environment (`development`, `nonproduction`, and `production`), which is intended to be used as a [Cloud Monitoring workspace](https://cloud.google.com/monitoring/workspaces) for all projects in that environment.
-Please note that creating the [workspace and linking projects](https://cloud.google.com/monitoring/workspaces/create) can currently only be completed through the Cloud Console.
-If you have strong IAM requirements for these monitoring workspaces, it is worth considering creating these at a more granular level, such as per business unit or per application.
-
 #### KMS
 
 Under the environment folder, a project is created per environment (`development`, `nonproduction`, and `production`), which is intended to be used by [Cloud Key Management](https://cloud.google.com/security-key-management) for KMS resources shared by the environment.
@@ -275,7 +266,6 @@ example-organization
     ├── prj-p-shared-base
     └── prj-p-shared-restricted
 └── fldr-development
-    ├── prj-d-monitoring
     ├── prj-d-kms
     └── prj-d-secrets
     └── fldr-development-bu1
@@ -291,7 +281,6 @@ example-organization
         ├── prj-d-bu2-sample-restrict
         └── prj-d-bu2-sample-peering
 └── fldr-nonproduction
-    ├── prj-n-monitoring
     ├── prj-n-kms
     └── prj-n-secrets
     └── fldr-nonproduction-bu1
@@ -307,7 +296,6 @@ example-organization
         ├── prj-n-bu2-sample-restrict
         └── prj-n-bu2-sample-peering
 └── fldr-production
-    ├── prj-p-monitoring
     ├── prj-p-kms
     └── prj-p-secrets
     └── fldr-production-bu1
diff --git a/helpers/foundation-deployer/global.tfvars.example b/helpers/foundation-deployer/global.tfvars.example
@@ -69,7 +69,6 @@ groups = {
     group_billing_admins       = "REPLACE_ME" # "gcp-billing-admins@example.com"
     billing_data_users         = "REPLACE_ME" #"billing_data_users_local_test@example.com"
     audit_data_users           = "REPLACE_ME" #"audit_data_users_local_test@example.com"
-    monitoring_workspace_users = "REPLACE_ME" #"monitoring_workspace_users_local_test@example.com"
   }
   optional_groups = {
     gcp_security_reviewer      = "" #"gcp_security_reviewer_local_test@example.com"
diff --git a/helpers/foundation-deployer/stages/data.go b/helpers/foundation-deployer/stages/data.go
@@ -96,11 +96,10 @@ type ServerAddress struct {
 }
 
 type RequiredGroups struct {
-	GroupOrgAdmins           string `cty:"group_org_admins"`
-	GroupBillingAdmins       string `cty:"group_billing_admins"`
-	BillingDataUsers         string `cty:"billing_data_users"`
-	AuditDataUsers           string `cty:"audit_data_users"`
-	MonitoringWorkspaceUsers string `cty:"monitoring_workspace_users"`
+	GroupOrgAdmins     string `cty:"group_org_admins"`
+	GroupBillingAdmins string `cty:"group_billing_admins"`
+	BillingDataUsers   string `cty:"billing_data_users"`
+	AuditDataUsers     string `cty:"audit_data_users"`
 }
 
 type OptionalGroups struct {
diff --git a/test/integration/envs/envs_test.go b/test/integration/envs/envs_test.go
diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf

-Original file line number
+Diff line change
   # create_optional_groups = false # Change to true to create the optional_groups
   # billing_project        = "REPLACE_ME"  # Fill to create required or optional groups
   required_groups = {
 -    group_org_admins           = "REPLACE_ME" # example "[email protected]"
 -    group_billing_admins       = "REPLACE_ME" # example "[email protected]"
 -    billing_data_users         = "REPLACE_ME" # example "[email protected]"
 -    audit_data_users           = "REPLACE_ME" # example "[email protected]"
 -    monitoring_workspace_users = "REPLACE_ME" # example "[email protected]"
 +    group_org_admins     = "REPLACE_ME" # example "[email protected]"
 +    group_billing_admins = "REPLACE_ME" # example "[email protected]"
 +    billing_data_users   = "REPLACE_ME" # example "[email protected]"
 +    audit_data_users     = "REPLACE_ME" # example "[email protected]"
+  }
   # optional_groups = {
   #   gcp_security_reviewer      = "" #"[email protected]"