terraform-google-modules · Jul 27, 2021 · Jul 29, 2021 · Aug 3, 2021 · Aug 3, 2021 · Aug 5, 2021
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,97 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "terraform"
+    directory: "0-bootstrap"
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+      time: "09:00"
+    commit-message:
+      prefix: "chore(deps): "
+    rebase-strategy: "disabled"
+  - package-ecosystem: "terraform"
+    directory: "0-bootstrap/modules/jenkins-agent"
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+      time: "09:00"
+    commit-message:
+      prefix: "chore(deps): "
+    rebase-strategy: "disabled"
+  - package-ecosystem: "terraform"
+    directory: "2-environments/modules/env_baseline"
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+      time: "09:00"
+    commit-message:
+      prefix: "chore(deps): "
+    rebase-strategy: "disabled"
+  - package-ecosystem: "terraform"
+    directory: "3-networks/modules/base_shared_vpc"
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+      time: "09:00"
+    commit-message:
+      prefix: "chore(deps): "
+    rebase-strategy: "disabled"
+  - package-ecosystem: "terraform"
+    directory: "3-networks/modules/dedicated_interconnect"
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+      time: "09:00"
+    commit-message:
+      prefix: "chore(deps): "
+    rebase-strategy: "disabled"
+  - package-ecosystem: "terraform"
+    directory: "3-networks/modules/restricted_shared_vpc"
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+      time: "09:00"
+    commit-message:
+      prefix: "chore(deps): "
+    rebase-strategy: "disabled"
+  - package-ecosystem: "terraform"
+    directory: "3-networks/modules/transitivity"
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+      time: "09:00"
+    commit-message:
+      prefix: "chore(deps): "
+    rebase-strategy: "disabled"
+  - package-ecosystem: "terraform"
+    directory: "3-networks/modules/vpn-ha"
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+      time: "09:00"
+    commit-message:
+      prefix: "chore(deps): "
+    rebase-strategy: "disabled"
+  - package-ecosystem: "terraform"
+    directory: "4-projects/modules/single_project"
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+      time: "09:00"
+    commit-message:
+      prefix: "chore(deps): "
+    rebase-strategy: "disabled"
+  - package-ecosystem: "terraform"
+    directory: "5-app-infra/modules/env_base"
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+      time: "09:00"
+    commit-message:
+      prefix: "chore(deps): "
+    rebase-strategy: "disabled"
diff --git a/0-bootstrap/README-Jenkins.md b/0-bootstrap/README-Jenkins.md
@@ -30,6 +30,11 @@ It is a best practice to have two separate projects here (`prj-b-seed` and `prj-
 
 Please see the **[requirements](./modules/jenkins-agent/README.md#Requirements)** of Software, Infrastructure and Permissions before following the instructions below.
 
+## Usage
+
+**Note:** If you are using MacOS, replace `cp -RT` with `cp -R` in the relevant
+commands. The `-T` flag is needed for Linux, but causes problems for MacOS.
+
 ## Instructions
 
 You arrived to these instructions because you are using the `jenkins_bootstrap` to run the 0-bootstrap step instead of `cloudbuild_bootstrap`. Please follow the indications below:

diff --git a/0-bootstrap/README.md b/0-bootstrap/README.md
@@ -15,35 +15,30 @@ step also configures a CI/CD pipeline for foundations code in subsequent
 stages.</td>
 </tr>
 <tr>
-<td><a
-href="../1-org">1-org</a></td>
+<td><a href="../1-org">1-org</a></td>
 <td>Sets up top level shared folders, monitoring and networking projects, and
 organization-level logging, and sets baseline security settings through
 organizational policy.</td>
 </tr>
 <tr>
-<td><a
-href="../2-environments"><span style="white-space: nowrap;">2-environments</span></a></td>
+<td><a href="../2-environments"><span style="white-space: nowrap;">2-environments</span></a></td>
 <td>Sets up development, non-production, and production environments within the
 Google Cloud organization that you've created.</td>
 </tr>
 <tr>
-<td><a
-href="../3-networks">3-networks</a></td>
+<td><a href="../3-networks">3-networks</a></td>
 <td>Sets up base and restricted shared VPCs with default DNS, NAT (optional),
 Private Service networking, VPC service controls, on-premises Dedicated
 Interconnect, and baseline firewall rules for each environment. Also sets
 up the global DNS hub.</td>
 </tr>
 <tr>
-<td><a
-href="../4-projects">4-projects</a></td>
+<td><a href="../4-projects">4-projects</a></td>
 <td>Set up a folder structure, projects, and application infrastructure pipeline for applications,
  which are connected as service projects to the shared VPC created in the previous stage.</td>
 </tr>
 <tr>
-<td><a
-href="../5-app-infra">5-app-infra</a></td>
+<td><a href="../5-app-infra">5-app-infra</a></td>
 <td>Deploy a simple <a href="https://cloud.google.com/compute/">Compute Engine</a> instance in one of the business unit projects using the infra pipeline set up in 4-projects.</td>
 </tr>
 </tbody>
@@ -113,7 +108,7 @@ your current Jenkins manager (master) environment.
     ```
 1. Run `terraform init`.
 1. Run `terraform plan` and review the output.
-1. To run terraform-validator steps please follow the [instructions](https://github.com/forseti-security/policy-library/blob/master/docs/user_guide.md#install-terraform-validator) in the **Install Terraform Validator** section and install version `2021-03-22`. You will also need to rename the binary from `terraform-validator-<your-platform>` to `terraform-validator`and the terraform-validator binary must be in your PATH.
+1. To run terraform-validator steps please follow the [instructions](https://github.com/GoogleCloudPlatform/terraform-validator/blob/main/docs/install.md) in the **Install Terraform Validator** section and install version `v0.4.0`. You will also need to rename the binary from `terraform-validator-<your-platform>` to `terraform-validator` and the terraform-validator binary must be in your PATH.
     1. Run `terraform plan -input=false -out bootstrap.tfplan`
     1. Run `terraform show -json bootstrap.tfplan > bootstrap.json`
     1. Run `terraform-validator validate bootstrap.json --policy-path="../policy-library" --project <A-VALID-PROJECT-ID>` and check for violations (`<A-VALID-PROJECT-ID>` must be an existing project you have access to, this is necessary because Terraform-validator needs to link resources to a valid Google Cloud Platform project).

diff --git a/0-bootstrap/main.tf b/0-bootstrap/main.tf
@@ -31,7 +31,7 @@ resource "google_folder" "bootstrap" {
 
 module "seed_bootstrap" {
   source                         = "terraform-google-modules/bootstrap/google"
-  version                        = "~> 2.1"
+  version                        = "~> 3.0"
   org_id                         = var.org_id
   folder_id                      = google_folder.bootstrap.id
   project_id                     = "${var.project_prefix}-b-seed"
@@ -102,7 +102,7 @@ resource "google_billing_account_iam_member" "tf_billing_admin" {
 // Comment-out the cloudbuild_bootstrap module and its outputs if you want to use Jenkins instead of Cloud Build
 module "cloudbuild_bootstrap" {
   source                      = "terraform-google-modules/bootstrap/google//modules/cloudbuild"
-  version                     = "~> 2.1"
+  version                     = "~> 3.0"
   org_id                      = var.org_id
   folder_id                   = google_folder.bootstrap.id
   project_id                  = "${var.project_prefix}-b-cicd"
@@ -117,7 +117,7 @@ module "cloudbuild_bootstrap" {
   cloudbuild_apply_filename   = "cloudbuild-tf-apply.yaml"
   project_prefix              = var.project_prefix
   cloud_source_repos          = var.cloud_source_repos
-  terraform_validator_release = "2021-03-22"
+  terraform_validator_release = "v0.4.0"
   terraform_version           = "0.13.7"
   terraform_version_sha256sum = "4a52886e019b4fdad2439da5ff43388bbcc6cce9784fde32c53dcd0e28ca9957"
 

diff --git a/0-bootstrap/modules/jenkins-agent/files/jenkins_gce_startup_script.sh b/0-bootstrap/modules/jenkins-agent/files/jenkins_gce_startup_script.sh
@@ -42,7 +42,7 @@ wget "https://releases.hashicorp.com/terraform/${tpl_TERRAFORM_VERSION}/terrafor
     rm -rf /var/lib/apt/lists/*
 
 echo "**** Startup Step 6/9: Download and install the Terraform validator ****"
-gsutil cp gs://terraform-validator/releases/2021-03-22/terraform-validator-linux-amd64 .
+gsutil cp gs://terraform-validator/releases/v0.4.0/terraform-validator-linux-amd64 .
 chmod 755 "${tpl_TERRAFORM_DIR}terraform-validator-linux-amd64"
 mv "${tpl_TERRAFORM_DIR}terraform-validator-linux-amd64" "${tpl_TERRAFORM_DIR}terraform-validator"
 

diff --git a/0-bootstrap/modules/jenkins-agent/versions.tf b/0-bootstrap/modules/jenkins-agent/versions.tf
@@ -18,7 +18,13 @@ terraform {
   required_version = ">= 0.13"
 
   required_providers {
-    google      = "~> 3.5"
-    google-beta = "~> 3.5"
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 3.50"
+    }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = ">= 3.50"
+    }
   }
 }
diff --git a/0-bootstrap/versions.tf b/0-bootstrap/versions.tf
@@ -21,19 +21,10 @@ terraform {
       source  = "hashicorp/google"
       version = ">= 3.50"
     }
-    null = {
-      source  = "hashicorp/null"
-      version = "~> 2.1"
-    }
-
-    random = {
-      source  = "hashicorp/random"
-      version = "~> 2.3"
-    }
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:bootstrap/v2.2.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:bootstrap/v2.3.0"
   }
 
 }
diff --git a/1-org/README.md b/1-org/README.md
@@ -8,8 +8,7 @@ the example.com reference architecture described in
 <table>
 <tbody>
 <tr>
-<td><a
-href="../0-bootstrap">0-bootstrap</a></td>
+<td><a href="../0-bootstrap">0-bootstrap</a></td>
 <td>Bootstraps a Google Cloud organization, creating all the required resources
 and permissions to start using the Cloud Foundation Toolkit (CFT). This
 step also configures a CI/CD pipeline for foundations code in subsequent
@@ -22,28 +21,24 @@ organization-level logging, and sets baseline security settings through
 organizational policy.</td>
 </tr>
 <tr>
-<td><a
-href="../2-environments"><span style="white-space: nowrap;">2-environments</span></a></td>
+<td><a href="../2-environments"><span style="white-space: nowrap;">2-environments</span></a></td>
 <td>Sets up development, non-production, and production environments within the
 Google Cloud organization that you've created.</td>
 </tr>
 <tr>
-<td><a
-href="../3-networks">3-networks</a></td>
+<td><a href="../3-networks">3-networks</a></td>
 <td>Sets up base and restricted shared VPCs with default DNS, NAT (optional),
 Private Service networking, VPC service controls, on-premises Dedicated
 Interconnect, and baseline firewall rules for each environment. It also sets
 up the global DNS hub.</td>
 </tr>
 <tr>
-<td><a
-href="../4-projects">4-projects</a></td>
+<td><a href="../4-projects">4-projects</a></td>
 <td>Sets up a folder structure, projects, and application infrastructure pipeline for applications,
  which are connected as service projects to the shared VPC created in the previous stage.</td>
 </tr>
 <tr>
-<td><a
-href="../5-app-infra">5-app-infra</a></td>
+<td><a href="../5-app-infra">5-app-infra</a></td>
 <td>Deploy a simple <a href="https://cloud.google.com/compute/">Compute Engine</a> instance in one of the business unit projects using the infra pipeline set up in 4-projects.</td>
 </tr>
 </tbody>
@@ -89,6 +84,9 @@ If those limitations do not apply to your workload/environment, you can choose t
 
 **Note:** You need to set variable `enable_hub_and_spoke` to `true` to be able to used the **Hub-and-Spoke** architecture detailed in the **Networking** section of the [google cloud security foundations guide](https://services.google.com/fh/files/misc/google-cloud-security-foundations-guide.pdf).
 
+**Note:** If you are using MacOS, replace `cp -RT` with `cp -R` in the relevant
+commands. The `-T` flag is needed for Linux, but causes problems for MacOS.
+
 **Note:** This module creates a Security Command Center Notification.
 The notification name must be unique in the organization.
 The suggested name in the `terraform.tfvars` file is **scc-notify**.
@@ -106,7 +104,9 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to see
    ```
    gcloud source repos clone gcp-policies --project=YOUR_CLOUD_BUILD_PROJECT_ID
    ```
-1. Navigate into the repo.
+1. Navigate into the repo. All subsequent steps assume you are running them
+   from the gcp-policies directory. If you run them from another directory,
+   adjust your copy paths accordingly.
    ```
    cd gcp-policies
    ```
@@ -132,7 +132,9 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to see
    ```
    gcloud source repos clone gcp-org --project=YOUR_CLOUD_BUILD_PROJECT_ID
    ```
-1. Navigate into the repo and change to a non-production branch.
+1. Navigate into the repo and change to a non-production branch. All subsequent
+   steps assume you are running them from the gcp-environments directory. If
+   you run them from another directory, adjust your copy paths accordingly.
    ```
    cd gcp-org
    git checkout -b plan
@@ -190,7 +192,9 @@ to run the command as the Terraform service account.
    ```
    git clone <YOUR_NEW_REPO-1-org>
    ```
-1. Navigate into the repo and change to a non-production branch.
+1. Navigate into the repo and change to a non-production branch. All subsequent
+   steps assume you are running them from the gcp-environments directory. If
+   you run them from another directory, adjust your copy paths accordingly.
    ```
    cd YOUR_NEW_REPO_CLONE-1-org
    git checkout -b plan
@@ -264,7 +268,7 @@ to run the command as the Terraform service account.
 We will now deploy our environment (production) using this script.
 When using Cloud Build or Jenkins as your CI/CD tool each environment corresponds to a branch is the repository for 1-org step and only the corresponding environment is applied.
 
-To use the `validate` option of the `tf-wrapper.sh` script, please follow the [instructions](https://github.com/forseti-security/policy-library/blob/master/docs/user_guide.md#install-terraform-validator) in the **Install Terraform Validator** section and install version `2021-03-22` in your system. You will also need to rename the binary from `terraform-validator-<your-platform>` to `terraform-validator` and the `terraform-validator` binary must be in your `PATH`.
+To use the `validate` option of the `tf-wrapper.sh` script, please follow the [instructions](https://github.com/GoogleCloudPlatform/terraform-validator/blob/main/docs/install.md) in the **Install Terraform Validator** section and install version `v0.4.0` in your system. You will also need to rename the binary from `terraform-validator-<your-platform>` to `terraform-validator` and the `terraform-validator` binary must be in your `PATH`.
 
 1. Run `./tf-wrapper.sh init production`.
 1. Run `./tf-wrapper.sh plan production` and review output.

diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md
@@ -52,7 +52,7 @@
 | restricted\_net\_hub\_project\_alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the restricted net hub project. | `string` | `null` | no |
 | restricted\_net\_hub\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the restricted net hub project. | `list(number)` | <pre>[<br>  0.5,<br>  0.75,<br>  0.9,<br>  0.95<br>]</pre> | no |
 | restricted\_net\_hub\_project\_budget\_amount | The amount to use as the budget for the restricted net hub project. | `number` | `1000` | no |
-| scc\_notification\_filter | Filter used to create the Security Command Center Notification, you can see more details on how to create filters in https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter | `string` | `"state=\\\"ACTIVE\\\""` | no |
+| scc\_notification\_filter | Filter used to create the Security Command Center Notification, you can see more details on how to create filters in https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter | `string` | `"state = \"ACTIVE\""` | no |
 | scc\_notification\_name | Name of the Security Command Center Notification. It must be unique in the organization. Run `gcloud scc notifications describe <scc_notification_name> --organization=org_id` to check if it already exists. | `string` | n/a | yes |
 | scc\_notifications\_project\_alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the SCC notifications project. | `string` | `null` | no |
 | scc\_notifications\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the SCC notifications project. | `list(number)` | <pre>[<br>  0.5,<br>  0.75,<br>  0.9,<br>  0.95<br>]</pre> | no |

diff --git a/1-org/envs/shared/scc_notification.tf b/1-org/envs/shared/scc_notification.tf
@@ -29,28 +29,13 @@ resource "google_pubsub_subscription" "scc_notification_subscription" {
   project = module.scc_notifications.project_id
 }
 
-module "scc_notification" {
-  source  = "terraform-google-modules/gcloud/google"
-  version = "~> 1.1.0"
+resource "google_scc_notification_config" "scc_notification_config" {
+  config_id    = var.scc_notification_name
+  organization = var.org_id
+  description  = "SCC Notification for all active findings"
+  pubsub_topic = google_pubsub_topic.scc_notification_topic.id
 
-  additional_components = var.skip_gcloud_download ? [] : ["alpha"]
-
-  create_cmd_entrypoint = "gcloud"
-  create_cmd_body       = <<-EOF
-    scc notifications create ${var.scc_notification_name} --organization ${var.org_id} \
-    --description "SCC Notification for all active findings" \
-    --pubsub-topic projects/${module.scc_notifications.project_id}/topics/${google_pubsub_topic.scc_notification_topic.name} \
-    --filter "${var.scc_notification_filter}" \
-    --project "${module.scc_notifications.project_id}" \
-    --impersonate-service-account=${var.terraform_service_account}
-EOF
-
-  destroy_cmd_entrypoint = "gcloud"
-  destroy_cmd_body       = <<-EOF
-  scc notifications delete organizations/${var.org_id}/notificationConfigs/${var.scc_notification_name} \
-  --impersonate-service-account ${var.terraform_service_account} \
-  --project "${module.scc_notifications.project_id}" \
-  --quiet
-  EOF
-  skip_download          = var.skip_gcloud_download
+  streaming_config {
+    filter = var.scc_notification_filter
+  }
 }
diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf
@@ -81,7 +81,7 @@ variable "skip_gcloud_download" {
 variable "scc_notification_filter" {
   description = "Filter used to create the Security Command Center Notification, you can see more details on how to create filters in https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter"
   type        = string
-  default     = "state=\\\"ACTIVE\\\""
+  default     = "state = \"ACTIVE\""
 }
 
 variable "parent_folder" {