Skip to content

Coalfire-CF/terraform-google-security-core

BranchesTags

Repository files navigation

Coalfire

Google Cloud Security Core Terraform Module

Description

The purpose of this module is to help bootstrap a GCP organization, creating all the required GCP resources to start deploying the FedRAMP reference architecture. The bootstrap is a dependency for all other deployment components. This module will create:

  • Folders and Projects under the Assured Workloads folder
  • Activate required APIs & Services in projects
  • Create customer-managed encryption keys
  • Create cloud storage buckets for Terraform state, installs and backups
  • Create an organization log sink and destination
  • Configure organization policies
  • Enable audit logging

Coalfire has tested this module with Terraform version 1.5.0 and the Hashicorp Google provider versions 4.70 - 5.0.

Usage

module "bootstrap" {
  source = "github.com/Coalfire-CF/terraform-google-security-core"

  org_id           = var.org_id
  aw_folder_id     = var.aw_folder_id
  billing_account  = var.billing_account
  group_org_admins = var.group_org_admins

  management_services = var.management_services
  networking_services = var.networking_services

  region = var.region
}

Requirements

No requirements.

Providers

Name Version
google n/a
google-beta n/a
random n/a
time n/a
tls n/a

Modules

Name Source Version
application_folder github.com/Coalfire-CF/terraform-google-folder v1.0.3
application_project github.com/Coalfire-CF/terraform-google-project v1.0.4
destination github.com/Coalfire-CF/terraform-google-log-export//modules/storage v1.0.4
gcs github.com/Coalfire-CF/terraform-google-cloud-storage v1.0.4
kms github.com/Coalfire-CF/terraform-google-kms v1.0.4
log_export github.com/Coalfire-CF/terraform-google-log-export v1.0.4
management_folder github.com/Coalfire-CF/terraform-google-folder v1.0.3
management_project github.com/Coalfire-CF/terraform-google-project v1.0.4
networking_folder github.com/Coalfire-CF/terraform-google-folder v1.0.3
networking_project github.com/Coalfire-CF/terraform-google-project v1.0.4
organization_policies_domain_restricted_sharing github.com/Coalfire-CF/terraform-google-org-policy v1.0.3
organization_policies_type_boolean github.com/Coalfire-CF/terraform-google-org-policy v1.0.3
winbastion_administrator github.com/Coalfire-CF/terraform-google-secret-manager v1.0.6

Resources

Name Type
google-beta_google_project_service_identity.cloudsql_sa resource
google-beta_google_project_service_identity.sm_sa resource
google_compute_project_metadata.metadata resource
google_kms_crypto_key_iam_binding.cloudsql_sa_kms_crypto resource
google_kms_crypto_key_iam_binding.cloudsql_sa_viewer resource
google_kms_crypto_key_iam_member.ce_account resource
google_kms_crypto_key_iam_member.gcs_account resource
google_kms_crypto_key_iam_member.ps_account resource
google_kms_crypto_key_iam_member.sm_account resource
google_organization_iam_audit_config.org_config resource
google_organization_iam_member.org_admins resource
google_project_iam_custom_role.start_stop_role resource
google_project_iam_member.start_stop_role_member resource
google_secret_manager_secret.gce_ssh_private_key resource
google_secret_manager_secret_version.gce_ssh_private_key resource
google_service_account_iam_member.ce_account_user resource
random_string.suffix_sink resource
time_sleep.wait resource
tls_private_key.ssh_key resource
google_compute_default_service_account.default data source
google_folder.aw_folder data source
google_storage_project_service_account.gcs_account data source

Inputs

Name Description Type Default Required
application_folder Boolean value to determine if folder should be created. bool true no
application_services APIs & Services to enable for application project. list(string) 
[
  "cloudkms.googleapis.com",
  "compute.googleapis.com",
  "logging.googleapis.com",
  "monitoring.googleapis.com",
  "pubsub.googleapis.com",
  "secretmanager.googleapis.com",
  "sourcerepo.googleapis.com",
  "privateca.googleapis.com",
  "iap.googleapis.com",
  "websecurityscanner.googleapis.com",
  "osconfig.googleapis.com",
  "certificatemanager.googleapis.com"
]
 no
aw_folder_id Assured Workloads folder ID. string n/a yes
billing_account The ID of the billing account to associate projects with. string n/a yes
boolean_type_organization_policies List of boolean type org policies to apply. list(string) 
[
  "compute.disableNonFIPSMachineTypes",
  "compute.skipDefaultNetworkCreation",
  "sql.restrictPublicIp",
  "storage.publicAccessPrevention"
]
 no
bucket_prefix Prefix for buckets. string "bkt" no
create_log_export Whether or not to create log export bool true no
folder_prefix Prefix for folders. string "fldr" no
group_org_admins Google Group for GCP Organization Administrators. string n/a yes
keyring_prefix Prefix for key rings. string "kr" no
log_filter Log export filter. string " logName: /logs/cloudaudit.googleapis.com%2Factivity OR\n logName: /logs/cloudaudit.googleapis.com%2Fsystem_event OR\n logName: /logs/cloudaudit.googleapis.com%2Fdata_access OR\n logName: /logs/compute.googleapis.com%2Fvpc_flows OR\n logName: /logs/compute.googleapis.com%2Ffirewall OR\n logName: /logs/cloudaudit.googleapis.com%2Faccess_transparency\n" no
management_services APIs & Services to enable for management project. list(string) 
[
  "cloudkms.googleapis.com",
  "compute.googleapis.com",
  "logging.googleapis.com",
  "monitoring.googleapis.com",
  "pubsub.googleapis.com",
  "secretmanager.googleapis.com",
  "sourcerepo.googleapis.com",
  "privateca.googleapis.com",
  "iap.googleapis.com",
  "websecurityscanner.googleapis.com",
  "osconfig.googleapis.com",
  "certificatemanager.googleapis.com"
]
 no
networking_folder Boolean value to determine if folder should be created. bool true no
networking_services APIs & Services to enable for networking project. list(string) 
[
  "compute.googleapis.com",
  "dns.googleapis.com",
  "logging.googleapis.com",
  "servicenetworking.googleapis.com",
  "secretmanager.googleapis.com",
  "pubsub.googleapis.com",
  "cloudkms.googleapis.com",
  "certificatemanager.googleapis.com"
]
 no
org_admin_roles List of roles to assign to org admins. list(string) 
[
  "roles/assuredworkloads.admin",
  "roles/billing.user",
  "roles/cloudkms.admin",
  "roles/cloudsql.admin",
  "roles/compute.admin",
  "roles/compute.instanceAdmin",
  "roles/compute.networkAdmin",
  "roles/compute.securityAdmin",
  "roles/compute.xpnAdmin",
  "roles/dns.admin",
  "roles/iam.securityAdmin",
  "roles/iam.serviceAccountAdmin",
  "roles/iam.serviceAccountUser",
  "roles/logging.admin",
  "roles/orgpolicy.policyAdmin",
  "roles/pubsub.admin",
  "roles/resourcemanager.folderAdmin",
  "roles/resourcemanager.organizationAdmin",
  "roles/secretmanager.admin",
  "roles/source.admin",
  "roles/storage.admin"
]
 no
org_id GCP Organization ID string n/a yes
project_prefix Prefix for projects. string "prj" no
region The GCP region to create resources in. string n/a yes
sink_prefix Prefix for sinks. string "sk" no
ssh_user Default user for SSH access string "gce-user" no
topic_prefix Prefix for topics. string "ps" no
winbastion_administrator_secret Boolean value to determine if WinBastion Administrator secret should be created. bool false no
workspace_id Workspace / Cloud Identity ID - get via gcloud organizations list from DIRECTORY_CUSTOMER_ID string n/a yes

Outputs

Name Description
application_folder n/a
application_project n/a
cs_buckets n/a
gce_ssh_private_key n/a
group_org_admins n/a
kms_key_ring_id n/a
kms_key_ring_name n/a
kms_keys n/a
log_export_bucket n/a
management_folder n/a
management_project n/a
networking_folder n/a
networking_project n/a

About

Coalfire GCP Security Core Terraform Module

coalfire.com/opensource

Topics

gcp compliance fedramp terraform-module

Resources

Readme

License

MIT license

Code of conduct

Code of conduct
Activity
Custom properties

Stars

1 star

Watchers

4 watching

Forks

0 forks
Report repository

Releases 18

Release v1.0.17 Latest
Apr 16, 2025
+ 17 releases

Contributors 6

Languages