From 2b2ea42177108cdaf998ca5edb93b8926827862d Mon Sep 17 00:00:00 2001
From: Mike Vanbuskirk
Date: Mon, 7 Aug 2023 21:07:42 -0400
Subject: [PATCH] remove deployment-specific configuration
---
.github/workflows/deploy.yml | 58 ------------------------------------
README.md | 19 +++++++++++-
terraform/logwarden.tf | 6 ++--
terraform/prod.tfvars | 9 ------
terraform/provider.tf | 2 +-
terraform/terraform.tfvars | 12 ++++++++
terraform/variables.tf | 5 +++-
7 files changed, 38 insertions(+), 73 deletions(-)
delete mode 100644 .github/workflows/deploy.yml
delete mode 100644 terraform/prod.tfvars
create mode 100644 terraform/terraform.tfvars
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
deleted file mode 100644
index ebc2ce5..0000000
--- a/.github/workflows/deploy.yml
+++ /dev/null
@@ -1,58 +0,0 @@
-name: Deploy
-
-on:
- workflow_run:
- # TODO: disable/renable spacelift push policy
- # This will never run until it's changed to a valid workflow name
- workflows: [foo]
- types: [completed]
-
-permissions:
- contents: write
- packages: write
- id-token: write
- issues: write
- pull-requests: write
-
-jobs:
- on-success:
- runs-on: ubuntu-latest
- env:
- DOCKER_CLI_EXPERIMENTAL: "enabled"
- if: ${{ github.event.workflow_run.conclusion == 'success' }}
- steps:
- - name: Install spacectl
- uses: spacelift-io/setup-spacectl@main
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Checkout
- uses: actions/checkout@v3
- with:
- fetch-depth: 0
- name: Notify Spacelift of release or secret scan completion (success)
- env:
- SPACELIFT_API_KEY_ENDPOINT: https://trufflesec.app.spacelift.io
- SPACELIFT_API_KEY_ID: ${{ secrets.SPACELIFT_API_KEY_ID }}
- SPACELIFT_API_KEY_SECRET: ${{ secrets.SPACELIFT_API_KEY_SECRET }}
- run: spacectl run-external-dependency mark-completed --id "${GITHUB_SHA}-release-or-scan" --status finished
-
- on-failure:
- runs-on: ubuntu-latest
- env:
- DOCKER_CLI_EXPERIMENTAL: "enabled"
- if: ${{ github.event.workflow_run.conclusion == 'failure' }}
- steps:
- - name: Install spacectl
- uses: spacelift-io/setup-spacectl@main
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Checkout
- uses: actions/checkout@v3
- with:
- fetch-depth: 0
- name: Notify Spacelift of release or secret scan completion (failed)
- env:
- SPACELIFT_API_KEY_ENDPOINT: https://trufflesec.app.spacelift.io
- SPACELIFT_API_KEY_ID: ${{ secrets.SPACELIFT_API_KEY_ID }}
- SPACELIFT_API_KEY_SECRET: ${{ secrets.SPACELIFT_API_KEY_SECRET }}
- run: spacectl run-external-dependency mark-completed --id "${GITHUB_SHA}-release-or-scan" --status failed
diff --git a/README.md b/README.md
index 864f019..032c074 100644
--- a/README.md
+++ b/README.md
@@ -38,8 +38,25 @@ WEBHOOK_URL=https://your.server/post
Logwarden requires your audit logs to be published to GCP pub/sub via a logging sink. We've provided terraform code to deploy Logwarden via Cloud Run, create organization logging sink, a pub/sub topic+subscription, and configure IAM for them to work together.
-### Terraform (TODO)
+### Terraform
+Most of the infrastructure configuration is encapsulated within a Terraform module. Dynamic configuration values, such as webhooks or API keys can be passed in via a seprarate Google Secret resource defined in the root module.
+
+An example configuration is available in the `terraform` sub-directory of this repository. The module expects that the OPA policies will be provided in a sub-directory of the repository with the `.rego` extension. The specific directory is passed in as the input variable `policy_source_dir`. Default policies for Google Cloud are available in the `policy/gcp` sub-directory.
+
+Specific deployments can be configured via `terraform.tfvars` files. Input variables are defined as follows:
+
+- `environment`: Environment for a specific deployment, such as "prod" or "dev".
+- `project_id`: ID of a Google Cloud project.
+- `ingress`: Ingress configuration for the Google Cloud Run service.
+- `region`: Google Cloud region for a specific deployment.
+- `organization_id`: Google Cloud organization ID.
+- `logging_sink_filter`: Defines what log types are collected by the log sink. A default value has been provided.
+- `docker_image`: The docker image that contains the logwarden binary.
+- `container_args`: Runtime arguments for logwarden(passed in a container arguments).
+- `policy_source_dir`: Subdirectory containing OPA policies as rego files.
+
+The configuration can be copied from the `terraform` directory, with the relevant values populated in `terraform.tfvars`. Users will need to configure a separate Google Secret resource.
## MITRE ATT&CK Tactics
diff --git a/terraform/logwarden.tf b/terraform/logwarden.tf
index f419407..376bd51 100644
--- a/terraform/logwarden.tf
+++ b/terraform/logwarden.tf
@@ -10,13 +10,13 @@ resource "google_secret_manager_secret" "config" {
resource "google_secret_manager_secret_version" "config" {
secret = google_secret_manager_secret.config.id
- # this is populated from Spacelift
+ # this can be populated from platform tools like Spacelift, or CI.
secret_data = var.config_values
}
module "logwarden" {
- source = "spacelift.io/trufflesec/logwarden/gcp"
- version = "0.1.8"
+ source = ""
+ version = ""
# These are defined in per-env tfvars files(see prod.tfvars)
# expansion to multiple regions/envs will have some variables injected from CI or Spacelift
diff --git a/terraform/prod.tfvars b/terraform/prod.tfvars
deleted file mode 100644
index 059f7ca..0000000
--- a/terraform/prod.tfvars
+++ /dev/null
@@ -1,9 +0,0 @@
-environment = ""
-project_id = ""
-ingress = ""
-region = ""
-organization_id = ""
-logging_sink_filter = ""
-docker_image = ""
-container_args = [""]
-policy_source_dir = ""
diff --git a/terraform/provider.tf b/terraform/provider.tf
index b58dbd2..5d75cf8 100644
--- a/terraform/provider.tf
+++ b/terraform/provider.tf
@@ -1,5 +1,5 @@
locals {
- project = ""
+ project = ""
}
terraform {
diff --git a/terraform/terraform.tfvars b/terraform/terraform.tfvars
new file mode 100644
index 0000000..101b0bd
--- /dev/null
+++ b/terraform/terraform.tfvars
@@ -0,0 +1,12 @@
+environment = ""
+project_id = ""
+ingress = ""
+region = ""
+organization_id = ""
+logging_sink_filter = <
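Review bot: The context comment `# These are defined in per-env tfvars files(see prod.tfvars)` under `module "logwarden"` now points at a file this same patch deletes; it should read `# These are defined in terraform.tfvars (see the "Terraform" section of the README)`. Separately, `secret_data = var.config_values` routes the secret value through a Terraform input variable: unless `config_values` is declared with `sensitive = true` (the variables.tf hunk is not in view, so I cannot confirm it is), the value is echoed in plan and apply output, and `google_secret_manager_secret_version` keeps it in plaintext in state regardless, so the rewritten comment should say so, e.g. `# populated from Spacelift/CI; the value is stored in Terraform state, so protect the state backend`. The placeholders `source = ""` and `version = ""` will fail `terraform init` as committed, and Terraform only accepts `version` for registry-style sources, so a comment such as `# set to the module's registry source and version (omit version for local-path or git sources)` would spare users a confusing error.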