remove deployment-specific configuration

README.md

@@ -38,8 +38,25 @@ WEBHOOK_URL=https://your.server/post
 Logwarden requires your audit logs to be published to GCP pub/sub via a logging sink.
 We've provided terraform code to deploy Logwarden via Cloud Run, create organization logging sink, a pub/sub topic+subscription, and configure IAM for them to work together.
 
-### Terraform (TODO)
+### Terraform 
 
+Most of the infrastructure configuration is encapsulated within a Terraform module. Dynamic configuration values, such as webhooks or API keys can be passed in via a seprarate Google Secret resource defined in the root module.
+
+An example configuration is available in the `terraform` sub-directory of this repository. The module expects that the OPA policies will be provided in a sub-directory of the repository with the `.rego` extension. The specific directory is passed in as the input variable `policy_source_dir`. Default policies for Google Cloud are available in the `policy/gcp` sub-directory.
+
+Specific deployments can be configured via `terraform.tfvars` files. Input variables are defined as follows:
+
+- `environment`: Environment for a specific deployment, such as "prod" or "dev".
+- `project_id`: ID of a Google Cloud project.
+- `ingress`: Ingress configuration for the Google Cloud Run service.
+- `region`: Google Cloud region for a specific deployment.
+- `organization_id`: Google Cloud organization ID.
+- `logging_sink_filter`: Defines what log types are collected by the log sink. A default value has been provided.
+- `docker_image`: The docker image that contains the logwarden binary.
+- `container_args`: Runtime arguments for logwarden(passed in a container arguments). 
+- `policy_source_dir`: Subdirectory containing OPA policies as rego files.
+
+The configuration can be copied from the `terraform` directory, with the relevant values populated in `terraform.tfvars`. Users will need to configure a separate Google Secret resource.
 
 ## MITRE ATT&CK Tactics
 

terraform/logwarden.tf

@@ -10,13 +10,13 @@ resource "google_secret_manager_secret" "config" {
 
 resource "google_secret_manager_secret_version" "config" {
   secret = google_secret_manager_secret.config.id
-  # this is populated from Spacelift
+  # this can be populated from platform tools like Spacelift, or CI.
   secret_data = var.config_values
 }
 
 module "logwarden" {
-  source  = "spacelift.io/trufflesec/logwarden/gcp"
-  version = "0.1.8"
+  source  = "<module_source>"
+  version = ""
 
   # These are defined in per-env tfvars files(see prod.tfvars)
   # expansion to multiple regions/envs will have some variables injected from CI or Spacelift

terraform/provider.tf

@@ -1,5 +1,5 @@
 locals {
-  project = "<google_project>"
+  project = "<google_project_id>"
 }
 
 terraform {

terraform/terraform.tfvars

@@ -0,0 +1,12 @@
+environment         = ""
+project_id          = ""
+ingress             = ""
+region              = ""
+organization_id     = ""
+logging_sink_filter = <<EOF
+LOG_ID("cloudaudit.googleapis.com/activity") OR LOG_ID("externalaudit.googleapis.com/activity") OR LOG_ID("cloudaudit.googleapis.com/system_event") OR LOG_ID("externalaudit.googleapis.com/system_event") OR LOG_ID("cloudaudit.googleapis.com/access_transparency") OR LOG_ID("externalaudit.googleapis.com/access_transparency")
+-protoPayload.serviceName="k8s.io"
+EOF
+docker_image        = ""
+container_args      = [""]
+policy_source_dir   = ""

terraform/variables.tf

@@ -31,7 +31,10 @@ variable "organization_id" {
 variable "logging_sink_filter" {
   description = "The filter to apply for the logging sink"
   type        = string
-  default     = ""
+  default     = <<EOF
+LOG_ID("cloudaudit.googleapis.com/activity") OR LOG_ID("externalaudit.googleapis.com/activity") OR LOG_ID("cloudaudit.googleapis.com/system_event") OR LOG_ID("externalaudit.googleapis.com/system_event") OR LOG_ID("cloudaudit.googleapis.com/access_transparency") OR LOG_ID("externalaudit.googleapis.com/access_transparency")
+-protoPayload.serviceName="k8s.io"
+EOF
 }
 
 variable "docker_image" {