Merge branch 'master' into fix/add-local-deployment-instructions

amandakarina · web-flow · commit 8bf7c448849e · 2024-08-29T15:25:13.000-03:00
diff --git a/1-org/README.md b/1-org/README.md
@@ -68,11 +68,6 @@ See [troubleshooting](../docs/TROUBLESHOOTING.md) if you run into issues during
 
 ## Usage
 
-**Disclaimer:** This step enables [Data Access logs](https://cloud.google.com/logging/docs/audit#data-access) for all services in your organization.
-Enabling Data Access logs might result in your project being charged for the additional logs usage.
-For details on costs you might incur, go to [Pricing](https://cloud.google.com/stackdriver/pricing).
-You can choose not to enable the Data Access logs by setting the variable `data_access_logs_enabled` to false.
-
 Consider the following:
 
 - This module creates a sink to export all logs to a Cloud Logging bucket. It also creates sinks to export a subset of security-related logs
diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md
@@ -6,7 +6,6 @@
 | billing\_export\_dataset\_location | The location of the dataset for billing data export. | `string` | `null` | no |
 | create\_access\_context\_manager\_access\_policy | Whether to create access context manager access policy. | `bool` | `true` | no |
 | create\_unique\_tag\_key | Creates unique organization-wide tag keys by adding a random suffix to each key. | `bool` | `false` | no |
-| data\_access\_logs\_enabled | Enable Data Access logs of types DATA\_READ, DATA\_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN\_READ logs are enabled by default. | `bool` | `false` | no |
 | domains\_to\_allow | The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the Terraform Service Account used in the deploy. | `list(string)` | n/a | yes |
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
 | enable\_scc\_resources\_in\_terraform | Create Security Command Center resources in Terraform. If your organization has newly enabled any preview features for SCC and get an error related to the v2 API, you must set this variable to false because the v2 API does not yet support Terraform resources. See [issue 1189](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1189) for context. | `bool` | `false` | no |
diff --git a/1-org/envs/shared/iam.tf b/1-org/envs/shared/iam.tf
@@ -18,52 +18,6 @@
   Audit Logs - IAM
 *****************************************/
 
-locals {
-  enabling_data_logs = var.data_access_logs_enabled ? ["DATA_WRITE", "DATA_READ"] : []
-}
-
-resource "google_organization_iam_audit_config" "org_config" {
-  count   = local.parent_folder == "" ? 1 : 0
-  org_id  = local.org_id
-  service = "allServices"
-
-  ###################################################################################################
-  ### Audit logs can generate costs, to know more about it,
-  ### check the official documentation: https://cloud.google.com/stackdriver/pricing#logging-costs
-  ### To know more about audit logs, you can find more infos
-  ### here https://cloud.google.com/logging/docs/audit/configure-data-access
-  ### To enable DATA_READ and DATA_WRITE audit logs, set `data_access_logs_enabled` to true
-  ### ADMIN_READ logs are enabled by default.
-  ####################################################################################################
-  dynamic "audit_log_config" {
-    for_each = setunion(local.enabling_data_logs, ["ADMIN_READ"])
-    content {
-      log_type = audit_log_config.key
-    }
-  }
-}
-
-resource "google_folder_iam_audit_config" "folder_config" {
-  count   = local.parent_folder != "" ? 1 : 0
-  folder  = "folders/${local.parent_folder}"
-  service = "allServices"
-
-  ###################################################################################################
-  ### Audit logs can generate costs, to know more about it,
-  ### check the official documentation: https://cloud.google.com/stackdriver/pricing#logging-costs
-  ### To know more about audit logs, you can find more infos
-  ### here https://cloud.google.com/logging/docs/audit/configure-data-access
-  ### To enable DATA_READ and DATA_WRITE audit logs, set `data_access_logs_enabled` to true
-  ### ADMIN_READ logs are enabled by default.
-  ####################################################################################################
-  dynamic "audit_log_config" {
-    for_each = setunion(local.enabling_data_logs, ["ADMIN_READ"])
-    content {
-      log_type = audit_log_config.key
-    }
-  }
-}
-
 resource "google_project_iam_member" "audit_log_logging_viewer" {
   project = module.org_audit_logs.project_id
   role    = "roles/logging.viewer"
diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf
@@ -54,12 +54,6 @@ variable "enforce_allowed_worker_pools" {
   default     = false
 }
 
-variable "data_access_logs_enabled" {
-  description = "Enable Data Access logs of types DATA_READ, DATA_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN_READ logs are enabled by default."
-  type        = bool
-  default     = false
-}
-
 variable "log_export_storage_location" {
   description = "The location of the storage bucket used to export logs."
   type        = string
diff --git a/helpers/foundation-deployer/go.mod b/helpers/foundation-deployer/go.mod
@@ -2,15 +2,15 @@ module github.com/terraform-google-modules/terraform-example-foundation/helpers/
 
 go 1.22
 
-toolchain go1.22.5
+toolchain go1.22.6
 
 require (
 	github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.1
 	github.com/gruntwork-io/terratest v0.47.0
 	github.com/hashicorp/hcl/v2 v2.21.0
 	github.com/mitchellh/go-testing-interface v1.14.2-0.20210821155943-2d9075ca8770
 	github.com/stretchr/testify v1.9.0
-	github.com/terraform-google-modules/terraform-example-foundation/test/integration v0.0.0-20240530101341-20e72789e0ac
+	github.com/terraform-google-modules/terraform-example-foundation/test/integration v0.0.0-20240808135927-5f1fd0f4104a
 	github.com/tidwall/gjson v1.17.3
 )
 
@@ -55,7 +55,7 @@ require (
 	golang.org/x/crypto v0.21.0 // indirect
 	golang.org/x/mod v0.19.0 // indirect
 	golang.org/x/net v0.23.0 // indirect
-	golang.org/x/oauth2 v0.20.0 // indirect
+	golang.org/x/oauth2 v0.22.0 // indirect
 	golang.org/x/sync v0.4.0 // indirect
 	golang.org/x/sys v0.18.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
diff --git a/helpers/foundation-deployer/go.sum b/helpers/foundation-deployer/go.sum
@@ -410,8 +410,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/terraform-google-modules/terraform-example-foundation/test/integration v0.0.0-20240530101341-20e72789e0ac h1:hKmWS3gfdchjfK1xC6z0Tll65D+Poxr0aBCgRgGoaNs=
-github.com/terraform-google-modules/terraform-example-foundation/test/integration v0.0.0-20240530101341-20e72789e0ac/go.mod h1:tQ3UD4Hq6eDIfxNp5qKK6UVePeTc+fQBUqjx8jN/NyM=
+github.com/terraform-google-modules/terraform-example-foundation/test/integration v0.0.0-20240808135927-5f1fd0f4104a h1:4Ih0BauwdUTF+YuA55/qY8Q+d5brYKPpae0YWkB9D2A=
+github.com/terraform-google-modules/terraform-example-foundation/test/integration v0.0.0-20240808135927-5f1fd0f4104a/go.mod h1:p8CvVuYRey5Nb8dipH5KM+eY+TnqfLgDnQ5M1a7oHiw=
 github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/gjson v1.17.3 h1:bwWLZU7icoKRG+C+0PNwIKC6FCJO/Q3p2pZvuP0jN94=
 github.com/tidwall/gjson v1.17.3/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
@@ -567,8 +567,8 @@ golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri
 golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
 golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
 golang.org/x/oauth2 v0.1.0/go.mod h1:G9FE4dLTsbXUu90h/Pf85g4w1D+SSAgR+q46nJZ8M4A=
-golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo=
-golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA=
+golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
diff --git a/helpers/foundation-deployer/steps/steps_test.go b/helpers/foundation-deployer/steps/steps_test.go
@@ -77,7 +77,7 @@ func TestProcessSteps(t *testing.T) {
 	badStepMsg := "bad step"
 	assert.False(t, s.IsStepComplete("bad"), "check if 'bad' is 'COMPLETED' should be false")
 	err = s.RunStep("bad", func() error {
-		return fmt.Errorf(badStepMsg)
+		return fmt.Errorf("%s", badStepMsg)
 	})
 	assert.Error(t, err)
 	assert.False(t, s.IsStepComplete("bad"), "check if 'bad' is 'COMPLETED' should be false")
@@ -86,7 +86,7 @@ func TestProcessSteps(t *testing.T) {
 	// complete states are not executed again
 	assert.True(t, s.IsStepComplete("good"), "check if 'good' is 'COMPLETED' should be true")
 	err = s.RunStep("good", func() error {
-		return fmt.Errorf("will fail if executed")
+		return fmt.Errorf("%s", "will fail if executed")
 	})
 	assert.NoError(t, err)
 	assert.True(t, s.IsStepComplete("good"), "check if 'good' is 'COMPLETED' should be true")
@@ -103,7 +103,7 @@ func TestProcessSteps(t *testing.T) {
 	assert.NoError(t, err)
 	assert.False(t, s.IsStepDestroyed("destroy"), "check if 'destroy' is 'DESTROYED' should be false")
 	err = s.RunDestroyStep("destroy", func() error {
-		return fmt.Errorf(badStepMsg)
+		return fmt.Errorf("%s", badStepMsg)
 	})
 	assert.Error(t, err)
 	assert.False(t, s.IsStepDestroyed("destroy"), "check if 'destroy' is 'DESTROYED' should be false")
@@ -113,7 +113,7 @@ func TestProcessSteps(t *testing.T) {
 	assert.NoError(t, err)
 	assert.True(t, s.IsStepDestroyed("gone"), "check if 'gone' is 'DESTROYED' should be true")
 	err = s.RunDestroyStep("gone", func() error {
-		return fmt.Errorf("will fail if executed")
+		return fmt.Errorf("%s", "will fail if executed")
 	})
 	assert.NoError(t, err)
 	assert.True(t, s.IsStepDestroyed("gone"), "check if 'gone' is 'DESTROYED' should be true")
diff --git a/test/integration/go.mod b/test/integration/go.mod
@@ -2,7 +2,7 @@ module github.com/terraform-google-modules/terraform-example-foundation/test/int
 
 go 1.22
 
-toolchain go1.22.5
+toolchain go1.22.6
 
 require (
 	github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.1
