chore(KMS): cleanup isolated and redundant KMS resources (#1271)

Author: eeaton

0-bootstrap/sa.tf

@@ -62,6 +62,7 @@ locals {
       "roles/accesscontextmanager.policyAdmin",
       "roles/resourcemanager.organizationAdmin",
       "roles/serviceusage.serviceUsageConsumer",
+      "roles/cloudkms.admin",
     ], local.common_roles)),
   }
 

1-org/envs/shared/README.md

@@ -4,7 +4,6 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | billing\_export\_dataset\_location | The location of the dataset for billing data export. | `string` | `null` | no |
-| cai\_monitoring\_kms\_force\_destroy | If set to true, delete KMS keyring and keys when destroying the module; otherwise, destroying the module will fail if KMS keys are present. | `bool` | `false` | no |
 | create\_access\_context\_manager\_access\_policy | Whether to create access context manager access policy. | `bool` | `true` | no |
 | create\_unique\_tag\_key | Creates unique organization-wide tag keys by adding a random suffix to each key. | `bool` | `false` | no |
 | data\_access\_logs\_enabled | Enable Data Access logs of types DATA\_READ, DATA\_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN\_READ logs are enabled by default. | `bool` | `false` | no |
@@ -18,7 +17,7 @@
 | log\_export\_storage\_location | The location of the storage bucket used to export logs. | `string` | `null` | no |
 | log\_export\_storage\_retention\_policy | Configuration of the bucket's data retention policy for how long objects in the bucket should be retained. | <pre>object({<br>    is_locked             = bool<br>    retention_period_days = number<br>  })</pre> | `null` | no |
 | log\_export\_storage\_versioning | (Optional) Toggles bucket versioning, ability to retain a non-current object version when the live object version gets replaced or deleted. | `bool` | `false` | no |
-| project\_budget | Budget configuration for projects.<br>  budget\_amount: The amount to use as the budget.<br>  alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.<br>  alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.<br>  alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). | <pre>object({<br>    dns_hub_budget_amount                       = optional(number, 1000)<br>    dns_hub_alert_spent_percents                = optional(list(number), [1.2])<br>    dns_hub_alert_pubsub_topic                  = optional(string, null)<br>    dns_hub_budget_alert_spend_basis            = optional(string, "FORECASTED_SPEND")<br>    base_net_hub_budget_amount                  = optional(number, 1000)<br>    base_net_hub_alert_spent_percents           = optional(list(number), [1.2])<br>    base_net_hub_alert_pubsub_topic             = optional(string, null)<br>    base_net_hub_budget_alert_spend_basis       = optional(string, "FORECASTED_SPEND")<br>    base_network_budget_amount                  = optional(number, 1000)<br>    base_network_alert_spent_percents           = optional(list(number), [1.2])<br>    base_network_alert_pubsub_topic             = optional(string, null)<br>    base_network_budget_alert_spend_basis       = optional(string, "FORECASTED_SPEND")<br>    restricted_net_hub_budget_amount            = optional(number, 1000)<br>    restricted_net_hub_alert_spent_percents     = optional(list(number), [1.2])<br>    restricted_net_hub_alert_pubsub_topic       = optional(string, null)<br>    restricted_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br>    restricted_network_budget_amount            = optional(number, 1000)<br>    restricted_network_alert_spent_percents     = optional(list(number), [1.2])<br>    restricted_network_alert_pubsub_topic       = optional(string, null)<br>    restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br>    interconnect_budget_amount                  = optional(number, 1000)<br>    interconnect_alert_spent_percents           = optional(list(number), [1.2])<br>    interconnect_alert_pubsub_topic             = optional(string, null)<br>    interconnect_budget_alert_spend_basis       = optional(string, "FORECASTED_SPEND")<br>    org_secrets_budget_amount                   = optional(number, 1000)<br>    org_secrets_alert_spent_percents            = optional(list(number), [1.2])<br>    org_secrets_alert_pubsub_topic              = optional(string, null)<br>    org_secrets_budget_alert_spend_basis        = optional(string, "FORECASTED_SPEND")<br>    org_billing_export_budget_amount            = optional(number, 1000)<br>    org_billing_export_alert_spent_percents     = optional(list(number), [1.2])<br>    org_billing_export_alert_pubsub_topic       = optional(string, null)<br>    org_billing_export_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br>    org_audit_logs_budget_amount                = optional(number, 1000)<br>    org_audit_logs_alert_spent_percents         = optional(list(number), [1.2])<br>    org_audit_logs_alert_pubsub_topic           = optional(string, null)<br>    org_audit_logs_budget_alert_spend_basis     = optional(string, "FORECASTED_SPEND")<br>    org_kms_budget_amount                       = optional(number, 1000)<br>    org_kms_alert_spent_percents                = optional(list(number), [1.2])<br>    org_kms_alert_pubsub_topic                  = optional(string, null)<br>    org_kms_budget_alert_spend_basis            = optional(string, "FORECASTED_SPEND")<br>    scc_notifications_budget_amount             = optional(number, 1000)<br>    scc_notifications_alert_spent_percents      = optional(list(number), [1.2])<br>    scc_notifications_alert_pubsub_topic        = optional(string, null)<br>    scc_notifications_budget_alert_spend_basis  = optional(string, "FORECASTED_SPEND")<br>  })</pre> | `{}` | no |
+| project\_budget | Budget configuration for projects.<br>  budget\_amount: The amount to use as the budget.<br>  alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.<br>  alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.<br>  alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). | <pre>object({<br>    dns_hub_budget_amount                       = optional(number, 1000)<br>    dns_hub_alert_spent_percents                = optional(list(number), [1.2])<br>    dns_hub_alert_pubsub_topic                  = optional(string, null)<br>    dns_hub_budget_alert_spend_basis            = optional(string, "FORECASTED_SPEND")<br>    base_net_hub_budget_amount                  = optional(number, 1000)<br>    base_net_hub_alert_spent_percents           = optional(list(number), [1.2])<br>    base_net_hub_alert_pubsub_topic             = optional(string, null)<br>    base_net_hub_budget_alert_spend_basis       = optional(string, "FORECASTED_SPEND")<br>    base_network_budget_amount                  = optional(number, 1000)<br>    base_network_alert_spent_percents           = optional(list(number), [1.2])<br>    base_network_alert_pubsub_topic             = optional(string, null)<br>    base_network_budget_alert_spend_basis       = optional(string, "FORECASTED_SPEND")<br>    restricted_net_hub_budget_amount            = optional(number, 1000)<br>    restricted_net_hub_alert_spent_percents     = optional(list(number), [1.2])<br>    restricted_net_hub_alert_pubsub_topic       = optional(string, null)<br>    restricted_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br>    restricted_network_budget_amount            = optional(number, 1000)<br>    restricted_network_alert_spent_percents     = optional(list(number), [1.2])<br>    restricted_network_alert_pubsub_topic       = optional(string, null)<br>    restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br>    interconnect_budget_amount                  = optional(number, 1000)<br>    interconnect_alert_spent_percents           = optional(list(number), [1.2])<br>    interconnect_alert_pubsub_topic             = optional(string, null)<br>    interconnect_budget_alert_spend_basis       = optional(string, "FORECASTED_SPEND")<br>    org_secrets_budget_amount                   = optional(number, 1000)<br>    org_secrets_alert_spent_percents            = optional(list(number), [1.2])<br>    org_secrets_alert_pubsub_topic              = optional(string, null)<br>    org_secrets_budget_alert_spend_basis        = optional(string, "FORECASTED_SPEND")<br>    org_billing_export_budget_amount            = optional(number, 1000)<br>    org_billing_export_alert_spent_percents     = optional(list(number), [1.2])<br>    org_billing_export_alert_pubsub_topic       = optional(string, null)<br>    org_billing_export_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br>    org_audit_logs_budget_amount                = optional(number, 1000)<br>    org_audit_logs_alert_spent_percents         = optional(list(number), [1.2])<br>    org_audit_logs_alert_pubsub_topic           = optional(string, null)<br>    org_audit_logs_budget_alert_spend_basis     = optional(string, "FORECASTED_SPEND")<br>    common_kms_budget_amount                    = optional(number, 1000)<br>    common_kms_alert_spent_percents             = optional(list(number), [1.2])<br>    common_kms_alert_pubsub_topic               = optional(string, null)<br>    common_kms_budget_alert_spend_basis         = optional(string, "FORECASTED_SPEND")<br>    scc_notifications_budget_amount             = optional(number, 1000)<br>    scc_notifications_alert_spent_percents      = optional(list(number), [1.2])<br>    scc_notifications_alert_pubsub_topic        = optional(string, null)<br>    scc_notifications_budget_alert_spend_basis  = optional(string, "FORECASTED_SPEND")<br>  })</pre> | `{}` | no |
 | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
 | scc\_notification\_filter | Filter used to create the Security Command Center Notification, you can see more details on how to create filters in https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter | `string` | `"state = \"ACTIVE\""` | no |
 | scc\_notification\_name | Name of the Security Command Center Notification. It must be unique in the organization. Run `gcloud scc notifications describe <scc_notification_name> --organization=org_id` to check if it already exists. | `string` | n/a | yes |
@@ -35,6 +34,7 @@
 | cai\_monitoring\_bucket | CAI Monitoring Cloud Function Source Bucket name. |
 | cai\_monitoring\_topic | CAI Monitoring Cloud Function Pub/Sub Topic name. |
 | common\_folder\_name | The common folder name |
+| common\_kms\_project\_id | The org Cloud Key Management Service (KMS) project ID |
 | dns\_hub\_project\_id | The DNS hub project ID |
 | domains\_to\_allow | The list of domains to allow users from in IAM. |
 | interconnect\_project\_id | The Dedicated Interconnect project ID |
@@ -47,7 +47,6 @@
 | org\_audit\_logs\_project\_id | The org audit logs project ID. |
 | org\_billing\_export\_project\_id | The org billing export project ID |
 | org\_id | The organization id |
-| org\_kms\_project\_id | The org Cloud Key Management Service (KMS) project ID |
 | org\_secrets\_project\_id | The org secrets project ID |
 | parent\_resource\_id | The parent resource id |
 | parent\_resource\_type | The parent resource type |

1-org/envs/shared/cai_monitoring.tf

@@ -14,24 +14,11 @@
  * limitations under the License.
  */
 
-module "kms" {
-  source  = "terraform-google-modules/kms/google"
-  version = "~> 2.1"
-
-  project_id      = module.scc_notifications.project_id
-  keyring         = "krg-cai-monitoring"
-  location        = local.default_region
-  keys            = ["key-cai-monitoring"]
-  prevent_destroy = !var.cai_monitoring_kms_force_destroy
-}
-
 module "cai_monitoring" {
   source = "../../modules/cai-monitoring"
 
   org_id          = local.org_id
   billing_account = local.billing_account
   project_id      = module.scc_notifications.project_id
   location        = local.default_region
-  enable_cmek     = true
-  encryption_key  = module.kms.keys["key-cai-monitoring"]
 }

1-org/envs/shared/iam.tf

@@ -184,7 +184,7 @@ resource "google_project_iam_member" "global_secrets_admin" {
 
 resource "google_project_iam_member" "kms_admin" {
   count   = var.gcp_groups.kms_admin != null ? 1 : 0
-  project = module.org_kms.project_id
+  project = module.common_kms.project_id
   role    = "roles/cloudkms.viewer"
   member  = "group:${var.gcp_groups.kms_admin}"
 }

1-org/envs/shared/outputs.tf

@@ -59,8 +59,8 @@ output "org_secrets_project_id" {
   description = "The org secrets project ID"
 }
 
-output "org_kms_project_id" {
-  value       = module.org_kms.project_id
+output "common_kms_project_id" {
+  value       = module.common_kms.project_id
   description = "The org Cloud Key Management Service (KMS) project ID"
 }
 

1-org/envs/shared/projects.tf

@@ -95,10 +95,10 @@ module "org_billing_export" {
 }
 
 /******************************************
-  Project for Org-wide KMS
+  Project for Common-folder KMS
 *****************************************/
 
-module "org_kms" {
+module "common_kms" {
   source  = "terraform-google-modules/project-factory/google"
   version = "~> 15.0"
 
@@ -122,10 +122,10 @@ module "org_kms" {
     vpc               = "none"
   }
 
-  budget_alert_pubsub_topic   = var.project_budget.org_kms_alert_pubsub_topic
-  budget_alert_spent_percents = var.project_budget.org_kms_alert_spent_percents
-  budget_amount               = var.project_budget.org_kms_budget_amount
-  budget_alert_spend_basis    = var.project_budget.org_kms_budget_alert_spend_basis
+  budget_alert_pubsub_topic   = var.project_budget.common_kms_alert_pubsub_topic
+  budget_alert_spent_percents = var.project_budget.common_kms_alert_spent_percents
+  budget_amount               = var.project_budget.common_kms_budget_amount
+  budget_alert_spend_basis    = var.project_budget.common_kms_budget_alert_spend_basis
 }
 
 /******************************************

1-org/envs/shared/variables.tf

@@ -133,10 +133,10 @@ variable "project_budget" {
     org_audit_logs_alert_spent_percents         = optional(list(number), [1.2])
     org_audit_logs_alert_pubsub_topic           = optional(string, null)
     org_audit_logs_budget_alert_spend_basis     = optional(string, "FORECASTED_SPEND")
-    org_kms_budget_amount                       = optional(number, 1000)
-    org_kms_alert_spent_percents                = optional(list(number), [1.2])
-    org_kms_alert_pubsub_topic                  = optional(string, null)
-    org_kms_budget_alert_spend_basis            = optional(string, "FORECASTED_SPEND")
+    common_kms_budget_amount                    = optional(number, 1000)
+    common_kms_alert_spent_percents             = optional(list(number), [1.2])
+    common_kms_alert_pubsub_topic               = optional(string, null)
+    common_kms_budget_alert_spend_basis         = optional(string, "FORECASTED_SPEND")
     scc_notifications_budget_amount             = optional(number, 1000)
     scc_notifications_alert_spent_percents      = optional(list(number), [1.2])
     scc_notifications_alert_pubsub_topic        = optional(string, null)
@@ -187,11 +187,6 @@ variable "create_unique_tag_key" {
   type        = bool
   default     = false
 }
-variable "cai_monitoring_kms_force_destroy" {
-  description = "If set to true, delete KMS keyring and keys when destroying the module; otherwise, destroying the module will fail if KMS keys are present."
-  type        = bool
-  default     = false
-}
 
 variable "tfc_org_name" {
   description = "Name of the TFC organization"

1-org/modules/cai-monitoring/iam.tf

@@ -46,15 +46,6 @@ data "google_storage_project_service_account" "gcs_sa" {
   project = var.project_id
 }
 
-// Encrypter/Decrypter role
-resource "google_kms_crypto_key_iam_member" "encrypter_decrypter" {
-  for_each = var.enable_cmek ? local.identities : {}
-
-  crypto_key_id = var.encryption_key
-  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member        = each.value
-}
-
 // Cloud Function SA
 resource "google_service_account" "cloudfunction" {
   account_id                   = "cai-monitoring"
@@ -80,7 +71,6 @@ resource "google_project_iam_member" "cloudfunction_iam" {
 resource "time_sleep" "wait_kms_iam" {
   create_duration = "60s"
   depends_on = [
-    google_kms_crypto_key_iam_member.encrypter_decrypter,
     google_organization_iam_member.cloudfunction_findings_editor,
     google_project_iam_member.cloudfunction_iam
   ]

4-projects/business_unit_1/development/README.md

@@ -21,7 +21,6 @@
 | base\_subnets\_self\_links | The self-links of subnets from base environment. |
 | bucket | The created storage bucket. |
 | default\_region | The default region for the project. |
-| env\_kms\_project | Project sample for KMS usage project ID. |
 | floating\_project | Project sample floating project. |
 | iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. |
 | keyring | The name of the keyring. |

4-projects/business_unit_1/development/outputs.tf

@@ -79,11 +79,6 @@ output "peering_complete" {
   value       = module.env.peering_complete
 }
 
-output "env_kms_project" {
-  description = "Project sample for KMS usage project ID."
-  value       = module.env.env_kms_project
-}
-
 output "keyring" {
   description = "The name of the keyring."
   value       = module.env.keyring