This module will deploy a cloud function that can be used by infrastructure developers or a build pipeline to detect security findings during infrastructure development.
The resources/services/activations/deletions that this module will create/trigger are:
- A Cloud function to assess the security findings during infrastructure development
Basic usage of this module is as follows:
module "security_health_checker" {
source = "terraform-google-modules/security-health-checker/google"
version = "~> 0.1"
project_id = "<PROJECT ID>"
org_id = "<Google Cloud Organization ID>"
identity_running_function ="Google group that will have permission to invoke the cloud function"
}Then perform the following commands on the root folder:
terraform initto get the pluginsterraform planto see the infrastructure planterraform applyto apply the infrastructure buildterraform destroyto destroy the built infrastructure
Functional examples are included in the examples directory.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| activate_apis | The list of apis to activate for Cloud Function | list(string) |
[ |
no |
| compliance_framework | Compliance framework to base security health check on | string |
"pci" |
no |
| critical_max | Number of critical findings before alerting | string |
"0" |
no |
| disable_dependent_services | Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. https://www.terraform.io/docs/providers/google/r/google_project_service.html#disable_dependent_services | string |
"false" |
no |
| disable_services_on_destroy | Whether project services will be disabled when the resources are destroyed. https://www.terraform.io/docs/providers/google/r/google_project_service.html#disable_on_destroy | string |
"false" |
no |
| enable_apis | Whether to actually enable the APIs. If false, this module is a no-op. | string |
"true" |
no |
| environment | Unique environment name to link the deployment together | string |
"scc-health" |
no |
| function_entry_point | Name of function in python script | string |
"scc_helper_updated" |
no |
| high_max | Number of high findings before alerting | string |
"10" |
no |
| identity_running_function | Google group that will have permission to invoke the cloud function | string |
n/a | yes |
| medium_max | Number of medium findings before alerting | string |
"20" |
no |
| org_id | Organization ID to monitor Security Health | any |
n/a | yes |
| project_id | Google Cloud Project where Cloud Function will be deployed | any |
n/a | yes |
| region | Region where cloud function is deployed | string |
"us-central1" |
no |
| runtime | Runtime environment for cloud function | string |
"python37" |
no |
No output.
These sections describe requirements for using this module.
The following dependencies must be available:
- Terraform v0.13
- Terraform Provider for GCP plugin v3.0
A service account with the following roles must be used to provision the resources of this module:
- Storage Admin:
roles/storage.admin - Cloud Function Admin:
roles/cloudfunctions.admin - Security Admin:
roles/iam.securityAdmin
The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.
A project with the following APIs enabled must be used to host the resources of this module:
- Cloud Functions JSON API:
cloudfunctions.googleapis.com - Google Cloud Storage JSON API:
storage-api.googleapis.com - Security Command Center JSON API:
securitycenter.googleapis.com
The Project Factory module can be used to provision a project with the necessary APIs enabled.
Refer to the contribution guidelines for information on contributing to this module.
Please see our security disclosure process.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent