This module deploys a Cloud Function that infrastructure developers or a build pipeline can call to detect Security Command Center findings during infrastructure development, so that misconfigurations surface before they reach production.
The resources/services/activations/deletions that this module will create/trigger are:
- A Cloud Function that assesses the security findings during infrastructure development
Basic usage of this module is as follows:

```hcl
module "security_health_checker" {
  source  = "terraform-google-modules/security-health-checker/google"
  version = "~> 0.1"

  project_id                = "<PROJECT ID>"
  org_id                    = "<Google Cloud Organization ID>"
  identity_running_function = "<Google group that will have permission to invoke the cloud function>"
}
```

Then perform the following commands on the root folder:

- `terraform init` to get the plugins
- `terraform plan` to see the infrastructure plan
- `terraform apply` to apply the infrastructure build
- `terraform destroy` to destroy the built infrastructure
Functional examples are included in the examples directory.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| activate_apis | The list of APIs to activate for the Cloud Function | list(string) | [ | no |
| compliance_framework | Compliance framework to base the security health check on | string | "pci" | no |
| critical_max | Number of critical findings before alerting | string | "0" | no |
| disable_dependent_services | Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. https://www.terraform.io/docs/providers/google/r/google_project_service.html#disable_dependent_services | string | "false" | no |
| disable_services_on_destroy | Whether project services will be disabled when the resources are destroyed. https://www.terraform.io/docs/providers/google/r/google_project_service.html#disable_on_destroy | string | "false" | no |
| enable_apis | Whether to actually enable the APIs. If false, this module is a no-op. | string | "true" | no |
| environment | Unique environment name to link the deployment together | string | "scc-health" | no |
| function_entry_point | Name of the function in the Python script | string | "scc_helper_updated" | no |
| high_max | Number of high findings before alerting | string | "10" | no |
| identity_running_function | Google group that will have permission to invoke the Cloud Function | string | n/a | yes |
| medium_max | Number of medium findings before alerting | string | "20" | no |
| org_id | Organization ID to monitor Security Health | any | n/a | yes |
| project_id | Google Cloud project where the Cloud Function will be deployed | any | n/a | yes |
| region | Region where the Cloud Function is deployed | string | "us-central1" | no |
| runtime | Runtime environment for the Cloud Function | string | "python37" | no |
No output.
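The `critical_max`, `high_max` and `medium_max` inputs above are per-severity limits on the number of findings tolerated before the function alerts. The following is an added example of that threshold logic, not the module's own Cloud Function code: it assumes findings arrive as dictionaries carrying a `severity` and `state` field (the shape of Security Command Center finding resources), that the limits are passed as strings exactly as the module's inputs table declares them, and that "before alerting" means the alert fires once the count exceeds the limit. The sample findings are constructed for the example.

```python
"""Per-severity threshold check for Security Command Center findings.

Added example (not the module's Cloud Function). Assumes findings are
dicts with "severity" and "state" keys and that a threshold is breached
when the active-finding count exceeds the configured maximum.
"""
from collections import Counter
from typing import Dict, Iterable, List

# Defaults copied from the module's inputs table; the module passes
# them as strings, so they are parsed as integers at check time.
DEFAULT_THRESHOLDS: Dict[str, str] = {
    "CRITICAL": "0",   # critical_max
    "HIGH": "10",      # high_max
    "MEDIUM": "20",    # medium_max
}


def count_by_severity(findings: Iterable[Dict]) -> Counter:
    """Count ACTIVE findings per severity; inactive findings are ignored."""
    counts: Counter = Counter()
    for finding in findings:
        if finding.get("state", "ACTIVE") != "ACTIVE":
            continue
        severity = str(finding.get("severity", "SEVERITY_UNSPECIFIED")).upper()
        counts[severity] += 1
    return counts


def breaches(counts: Counter, thresholds: Dict[str, str] = DEFAULT_THRESHOLDS) -> List[str]:
    """Return the severities whose active count exceeds their maximum.

    A non-integer threshold is a configuration error, not a silent pass,
    so it raises rather than being treated as "no limit".
    """
    over: List[str] = []
    for severity, raw_max in thresholds.items():
        try:
            limit = int(raw_max)
        except ValueError:
            raise ValueError(f"threshold for {severity} is not an integer: {raw_max!r}")
        if counts.get(severity, 0) > limit:
            over.append(severity)
    return over


def assess(findings: Iterable[Dict], thresholds: Dict[str, str] = DEFAULT_THRESHOLDS) -> Dict:
    """Summarise counts, breached severities and whether to alert."""
    counts = count_by_severity(findings)
    over = breaches(counts, thresholds)
    return {"counts": dict(counts), "breached": over, "alert": bool(over)}


# Constructed sample findings, not real SCC output.
SAMPLE_FINDINGS = [
    {"name": "finding-1", "severity": "CRITICAL", "state": "ACTIVE"},
    {"name": "finding-2", "severity": "HIGH", "state": "ACTIVE"},
    {"name": "finding-3", "severity": "HIGH", "state": "INACTIVE"},
    {"name": "finding-4", "severity": "MEDIUM", "state": "ACTIVE"},
]

if __name__ == "__main__":
    # With the module defaults, one active CRITICAL finding exceeds
    # critical_max="0" and triggers the alert.
    print(assess(SAMPLE_FINDINGS))
```

With the module defaults, a single active critical finding is enough to alert, while high and medium findings are tolerated up to their limits; a pipeline step would fail the build when `assess(...)["alert"]` is true.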
These sections describe requirements for using this module.
The following dependencies must be available:
- Terraform v0.13
- Terraform Provider for GCP plugin v3.0
A service account with the following roles must be used to provision the resources of this module:
- Storage Admin: roles/storage.admin
- Cloud Function Admin: roles/cloudfunctions.admin
- Security Admin: roles/iam.securityAdmin
The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.
A project with the following APIs enabled must be used to host the resources of this module:
- Cloud Functions JSON API: cloudfunctions.googleapis.com
- Google Cloud Storage JSON API: storage-api.googleapis.com
- Security Command Center JSON API: securitycenter.googleapis.com
The Project Factory module can be used to provision a project with the necessary APIs enabled.
Refer to the contribution guidelines for information on contributing to this module.
Please see our security disclosure process.