Merge pull request #57 from trufflesecurity/remove-trufflesec-config

Remove trufflesec config
trufflesecurity · Aug 10, 2023 · 08c9e33 · 08c9e33
2 parents 99f178e + 06fcfb0
commit 08c9e33
Show file tree

Hide file tree

Showing 8 changed files with 41 additions and 83 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
diff --git a/README.md b/README.md
@@ -38,8 +38,25 @@ WEBHOOK_URL=https://your.server/post
 Logwarden requires your audit logs to be published to GCP pub/sub via a logging sink.
 We've provided terraform code to deploy Logwarden via Cloud Run, create organization logging sink, a pub/sub topic+subscription, and configure IAM for them to work together.
 
-### Terraform (TODO)
+### Terraform 
 
+Most of the infrastructure configuration is encapsulated within a Terraform module. Dynamic configuration values, such as webhooks or API keys can be passed in via a seprarate Google Secret resource defined in the root module.
+
+An example configuration is available in the `terraform` sub-directory of this repository. The module expects that the OPA policies will be provided in a sub-directory of the repository with the `.rego` extension. The specific directory is passed in as the input variable `policy_source_dir`. Default policies for Google Cloud are available in the `policy/gcp` sub-directory.
+
+Specific deployments can be configured via `terraform.tfvars` files. Input variables are defined as follows:
+
+- `environment`: Environment for a specific deployment, such as "prod" or "dev".
+- `project_id`: ID of a Google Cloud project.
+- `ingress`: Ingress configuration for the Google Cloud Run service.
+- `region`: Google Cloud region for a specific deployment.
+- `organization_id`: Google Cloud organization ID.
+- `logging_sink_filter`: Defines what log types are collected by the log sink. A default value has been provided.
+- `docker_image`: The docker image that contains the logwarden binary.
+- `container_args`: Runtime arguments for logwarden(passed in a container arguments). 
+- `policy_source_dir`: Subdirectory containing OPA policies as rego files.
+
+The configuration can be copied from the `terraform` directory, with the relevant values populated in `terraform.tfvars`. Users will need to configure a separate Google Secret resource.
 
 ## MITRE ATT&CK Tactics
 

diff --git a/gcp-auditor b/gcp-auditor
diff --git a/terraform/logwarden.tf b/terraform/logwarden.tf
@@ -1,7 +1,7 @@
 resource "google_secret_manager_secret" "config" {
-  secret_id = "logwarden"
+  secret_id = var.env_secret_id
   labels = {
-    secretmanager = "logwarden"
+    secretmanager = var.env_secret_id
   }
   replication {
     automatic = true
@@ -10,13 +10,13 @@ resource "google_secret_manager_secret" "config" {
 
 resource "google_secret_manager_secret_version" "config" {
   secret = google_secret_manager_secret.config.id
-  # this is populated from Spacelift
+  # this can be populated from platform tools like Spacelift, or CI.
   secret_data = var.config_values
 }
 
 module "logwarden" {
-  source  = "spacelift.io/trufflesec/logwarden/gcp"
-  version = "0.1.8"
+  source  = "<module_source>"
+  version = ""
 
   # These are defined in per-env tfvars files(see prod.tfvars)
   # expansion to multiple regions/envs will have some variables injected from CI or Spacelift

diff --git a/terraform/prod.tfvars b/terraform/prod.tfvars
diff --git a/terraform/provider.tf b/terraform/provider.tf
@@ -1,5 +1,5 @@
 locals {
-  project = "truffle-audit"
+  project = "<google_project_id>"
 }
 
 terraform {

diff --git a/terraform/terraform.tfvars b/terraform/terraform.tfvars
@@ -0,0 +1,12 @@
+environment         = ""
+project_id          = ""
+ingress             = ""
+region              = ""
+organization_id     = ""
+logging_sink_filter = <<EOF
+LOG_ID("cloudaudit.googleapis.com/activity") OR LOG_ID("externalaudit.googleapis.com/activity") OR LOG_ID("cloudaudit.googleapis.com/system_event") OR LOG_ID("externalaudit.googleapis.com/system_event") OR LOG_ID("cloudaudit.googleapis.com/access_transparency") OR LOG_ID("externalaudit.googleapis.com/access_transparency")
+-protoPayload.serviceName="k8s.io"
+EOF
+docker_image        = ""
+container_args      = [""]
+policy_source_dir   = ""
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -1,5 +1,5 @@
 variable "environment" {
-  description = "The environment in which the infrastructure will be deployed"
+  description = "The environment in which the infrastructure will be deployed(dev, prod etc.)"
   type        = string
   default     = ""
 }
@@ -11,7 +11,7 @@ variable "project_id" {
 }
 
 variable "ingress" {
-  description = "The ingress settings for the network"
+  description = "The ingress settings for the google cloud run function"
   type        = string
   default     = ""
 }
@@ -47,19 +47,19 @@ variable "env_secret_id" {
 }
 
 variable "container_args" {
-  description = "Arguments to pass to the container at startup"
+  description = "Arguments to pass to the logwarden container at startup"
   type        = list(string)
   default     = []
 }
 
 variable "policy_source_dir" {
-  description = "Directory containing IAM policy files"
+  description = "Repo directory containing rego policy files"
   type        = string
   default     = ""
 }
 
 variable "config_values" {
-  description = "Application configuration variables."
+  description = "Application configuration variables, stored in GSM."
   type        = string
   default     = ""
 }