Feat: enable kms centralized key usage tracking

1-org/README.md

@@ -82,6 +82,8 @@ to Bigquery and Pub/Sub. This will result in additional charges for those copies
 
 - To use the **hub-and-spoke** architecture described in the **Networking** section of the [Google Cloud security foundations guide](https://cloud.google.com/architecture/security-foundations/networking#hub-and-spoke), set the `enable_hub_and_spoke` variable to `true`.
 
+- As a KMS Administrator, you can [view all the keys in your organization from a centralized location](https://cloud.google.com/kms/docs/view-key-usage) by setting the `enable_kms_key_usage_tracking` variable to true.
+
 - If you are using MacOS, replace `cp -RT` with `cp -R` in the relevant
 commands. The `-T` flag is required for Linux, but causes problems for MacOS.
 

1-org/envs/shared/README.md

@@ -8,12 +8,13 @@
 | create\_unique\_tag\_key | Creates unique organization-wide tag keys by adding a random suffix to each key. | `bool` | `false` | no |
 | domains\_to\_allow | The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the Terraform Service Account used in the deploy. | `list(string)` | n/a | yes |
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
+| enable\_kms\_key\_usage\_tracking | Enable KMS centralized key usage tracking system. | `bool` | `false` | no |
 | enable\_scc\_resources\_in\_terraform | Create Security Command Center resources in Terraform. If your organization has newly enabled any preview features for SCC and get an error related to the v2 API, you must set this variable to false because the v2 API does not yet support Terraform resources. See [issue 1189](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1189) for context. | `bool` | `false` | no |
 | enforce\_allowed\_worker\_pools | Whether to enforce the organization policy restriction on allowed worker pools for Cloud Build. | `bool` | `false` | no |
 | essential\_contacts\_domains\_to\_allow | The list of domains that email addresses added to Essential Contacts can have. | `list(string)` | n/a | yes |
 | essential\_contacts\_language | Essential Contacts preferred language for notifications, as a ISO 639-1 language code. See [Supported languages](https://cloud.google.com/resource-manager/docs/managing-notification-contacts#supported-languages) for a list of supported languages. | `string` | `"en"` | no |
 | folder\_deletion\_protection | Prevent Terraform from destroying or recreating the folder. | `string` | `true` | no |
-| gcp\_groups | Groups to grant specific roles in the Organization.<br>  platform\_viewer: Google Workspace or Cloud Identity group that have the ability to view resource information across the Google Cloud organization.<br>  security\_reviewer: Google Workspace or Cloud Identity group that members are part of the security team responsible for reviewing cloud security<br>  network\_viewer: Google Workspace or Cloud Identity group that members are part of the networking team and review network configurations.<br>  scc\_admin: Google Workspace or Cloud Identity group that can administer Security Command Center.<br>  audit\_viewer: Google Workspace or Cloud Identity group that members are part of an audit team and view audit logs in the logging project.<br>  global\_secrets\_admin: Google Workspace or Cloud Identity group that members are responsible for putting secrets into Secrets Manage | <pre>object({<br>    audit_viewer         = optional(string, null)<br>    security_reviewer    = optional(string, null)<br>    network_viewer       = optional(string, null)<br>    scc_admin            = optional(string, null)<br>    global_secrets_admin = optional(string, null)<br>    kms_admin            = optional(string, null)<br>  })</pre> | `{}` | no |
+| gcp\_groups | Groups to grant specific roles in the Organization.<br>  platform\_viewer: Google Workspace or Cloud Identity group that have the ability to view resource information across the Google Cloud organization.<br>  security\_reviewer: Google Workspace or Cloud Identity group that members are part of the security team responsible for reviewing cloud security<br>  network\_viewer: Google Workspace or Cloud Identity group that members are part of the networking team and review network configurations.<br>  scc\_admin: Google Workspace or Cloud Identity group that can administer Security Command Center.<br>  audit\_viewer: Google Workspace or Cloud Identity group that members are part of an audit team and view audit logs in the logging project.<br>  global\_secrets\_admin: Google Workspace or Cloud Identity group that members are responsible for putting secrets into Secrets Management.<br>  kms\_protected\_resources\_viewer: Google Workspace or Cloud Identity group that can search for kms protected resources. | <pre>object({<br>    audit_viewer                   = optional(string, null)<br>    security_reviewer              = optional(string, null)<br>    network_viewer                 = optional(string, null)<br>    scc_admin                      = optional(string, null)<br>    global_secrets_admin           = optional(string, null)<br>    kms_admin                      = optional(string, null)<br>    kms_protected_resources_viewer = optional(string, null)<br>  })</pre> | `{}` | no |
 | log\_export\_storage\_force\_destroy | (Optional) If set to true, delete all contents when destroying the resource; otherwise, destroying the resource will fail if contents are present. | `bool` | `false` | no |
 | log\_export\_storage\_location | The location of the storage bucket used to export logs. | `string` | `null` | no |
 | log\_export\_storage\_retention\_policy | Configuration of the bucket's data retention policy for how long objects in the bucket should be retained. | <pre>object({<br>    is_locked             = bool<br>    retention_period_days = number<br>  })</pre> | `null` | no |

1-org/envs/shared/iam.tf

@@ -62,6 +62,18 @@ resource "google_organization_iam_member" "billing_viewer" {
   member = "group:${local.required_groups["billing_data_users"]}"
 }
 
+/******************************************
+  Enable KMS Usage Tracking
+*****************************************/
+
+resource "google_organization_iam_member" "kms_usage_tracking" {
+  count = var.enable_kms_key_usage_tracking ? 1 : 0
+
+  org_id = local.org_id
+  role   = "roles/cloudkms.orgServiceAgent"
+  member = "serviceAccount:service-org-${local.org_id}@gcp-sa-cloudkms.iam.gserviceaccount.com"
+}
+
 /******************************************
  Groups permissions
 *****************************************/
@@ -154,3 +166,10 @@ resource "google_project_iam_member" "cai_monitoring_builder" {
   role   = each.key
   member = "serviceAccount:${google_service_account.cai_monitoring_builder[0].email}"
 }
+
+resource "google_organization_iam_member" "kms_protected_resources_viewer" {
+  count  = var.gcp_groups.kms_protected_resources_viewer != null && var.enable_kms_key_usage_tracking ? 1 : 0
+  org_id = local.org_id
+  role   = "roles/cloudkms.protectedResourcesViewer"
+  member = "group:${var.gcp_groups.kms_protected_resources_viewer}"
+}

1-org/envs/shared/terraform.example.tfvars

@@ -30,6 +30,7 @@ billing_export_dataset_location = "US"
 //scc_notification_filter = "state=\\\"ACTIVE\\\""
 
 //enable_hub_and_spoke = true
+//enable_kms_key_usage_tracking = true
 
 //create_access_context_manager_access_policy = false
 

1-org/envs/shared/variables.tf

@@ -26,6 +26,12 @@ variable "enable_scc_resources_in_terraform" {
   default     = false
 }
 
+variable "enable_kms_key_usage_tracking" {
+  description = "Enable KMS centralized key usage tracking system."
+  type        = bool
+  default     = false
+}
+
 variable "domains_to_allow" {
   description = "The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the Terraform Service Account used in the deploy."
   type        = list(string)
@@ -141,15 +147,17 @@ variable "gcp_groups" {
   network_viewer: Google Workspace or Cloud Identity group that members are part of the networking team and review network configurations.
   scc_admin: Google Workspace or Cloud Identity group that can administer Security Command Center.
   audit_viewer: Google Workspace or Cloud Identity group that members are part of an audit team and view audit logs in the logging project.
-  global_secrets_admin: Google Workspace or Cloud Identity group that members are responsible for putting secrets into Secrets Manage
+  global_secrets_admin: Google Workspace or Cloud Identity group that members are responsible for putting secrets into Secrets Management.
+  kms_protected_resources_viewer: Google Workspace or Cloud Identity group that can search for kms protected resources.
   EOT
   type = object({
-    audit_viewer         = optional(string, null)
-    security_reviewer    = optional(string, null)
-    network_viewer       = optional(string, null)
-    scc_admin            = optional(string, null)
-    global_secrets_admin = optional(string, null)
-    kms_admin            = optional(string, null)
+    audit_viewer                   = optional(string, null)
+    security_reviewer              = optional(string, null)
+    network_viewer                 = optional(string, null)
+    scc_admin                      = optional(string, null)
+    global_secrets_admin           = optional(string, null)
+    kms_admin                      = optional(string, null)
+    kms_protected_resources_viewer = optional(string, null)
   })
   default = {}
 }