fix: BigQuery Log Alerting (#90)

* Fix README hyperlinks, split region variable in two variables, one for BQ and one for the CF, update required provider versions

* add link to BigQuery and Cloud Function locations

* adjust terraform version

* simplify readme

* change Requirements section

* Chnage required version in example to 0.13.66

* revert required version change

Author: daniel-cit

examples/bq-log-alerting/README.md

@@ -2,29 +2,17 @@
 
 This example deploys the BigQuery Log Alerting submodule in an existing project.
 
-## Prerequisites
+## Requirements
 
-To run this example, you'll need:
+Make sure you have the requirements listed in the submodule [README](../../modules/bq-log-alerting/README.md) Before running this example.
 
-- An existing "logging" project
-- A [Log export](https://github.com/terraform-google-modules/terraform-google-log-export) with a [BigQuery destination](https://github.com/terraform-google-modules/terraform-google-log-export/tree/master/modules/bigquery) in the logging project. The export filter should include at least:
-  - "logName: /logs/cloudaudit.googleapis.com%2Factivity"
-  - "logName: /logs/cloudaudit.googleapis.com%2Fdata_access"
-  - "logName: /logs/compute.googleapis.com%2Fvpc_flows"
-- A Terraform Service Account with the [IAM Roles](../../../modules/bq-log-alerting/README.md) listed in the submodule documentation.
-- To enable in the logging project the [APIs](../../../modules/bq-log-alerting/README.md) listed in the submodule documentation.
-- To enable in the logging project [Google App Engine](https://cloud.google.com/appengine).
-To enable it manually use:
-
-```shell
-gcloud app create \
---region=<REGION> \
---project=<LOGGING_PROJECT>
-```
+## Instructions
 
-**Note 1:** The selected Google App Engine region cannot be changed after creation and only project Owners (`role/owner`) can enable Google App Engine.
+### Check if the Source "BQ Log Alerts" exist
 
-**Note 2:** On deployment a Security Command Center Source called "BQ Log Alerts" will be created. If this source already exist due to the submodule been deployed at least once before, you need to obtain the existing Source name to be informed in the terraform variable **source_name**.
+On deployment a Security Command Center Source called "BQ Log Alerts" will be created.
+If this source already exist due to the submodule been deployed at least once before,
+you need to obtain the existing Source name to be informed in the terraform variable **source_name**.
 Run:
 
 ```shell
@@ -36,22 +24,59 @@ gcloud scc sources describe <ORG_ID> \
 
 The source name format is `organizations/<ORG_ID>/sources/<SOURCE_ID>`.
 
-The [terraform-example-foundation](https://github.com/terraform-google-modules/terraform-example-foundation) can be used as a reference for the creation of the logging project, the service account and the log export.
+### Activate impersonation of the service account
 
-## Instructions
+To activate impersonation on the service account you can:
+
+Set the `gcloud` config auth impersonation:
+
+```shell
+gcloud config set auth/impersonate_service_account <TERRAFORM_SERVICE_ACCOUNT_EMAIL>
+```
+
+Or
+
+Change the [versions.tf](./versions.tf) file to set [impersonation on the provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#impersonate_service_account):
+
+From
+
+```terraform
+provider "google" {
+  version = "~> 3.53.0"
+}
+
+```
+
+To
+
+```terraform
+provider "google" {
+  version = "~> 3.53.0"
+
+  impersonate_service_account = "<TERRAFORM_SERVICE_ACCOUNT_EMAIL>"
+}
+
+```
+
+### Run Terraform
 
 1. Run `terraform init`
 1. Run `terraform plan` provide the requested variables values and review the output.
 1. Run `terraform apply`
 
+### Deploy Use Cases
+
+Deploy the [Use Cases](../../modules/bq-log-alerting/use-cases) that will provide the data for the Security Command Center findings.
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| bigquery\_location | Location for BigQuery resources. See https://cloud.google.com/bigquery/docs/locations for valid values. | `string` | `"US"` | no |
+| function\_region | Region for the Cloud function resources. See https://cloud.google.com/functions/docs/locations for valid values. | `string` | n/a | yes |
 | logging\_project | The project to deploy the submodule | `string` | n/a | yes |
 | org\_id | The organization ID for the associated services | `string` | n/a | yes |
-| region | Region for BigQuery resources. | `string` | n/a | yes |
 | source\_name | The Security Command Center Source name for the "BQ Log Alerts" Source if the source had been created before. The format is `organizations/<ORG_ID>/sources/<SOURCE_ID>` | `string` | `""` | no |
 
 ## Outputs

examples/bq-log-alerting/main.tf

@@ -14,18 +14,12 @@
  * limitations under the License.
  */
 
-/*****************************
-  Provider configuration
- ****************************/
-provider "google" {
-  version = "~> 3.30"
-}
-
 module "bq-log-alerting" {
-  source          = "../..//modules/bq-log-alerting"
-  logging_project = var.logging_project
-  region          = var.region
-  org_id          = var.org_id
-  source_name     = var.source_name
-  dry_run         = false
+  source            = "../..//modules/bq-log-alerting"
+  logging_project   = var.logging_project
+  bigquery_location = var.bigquery_location
+  function_region   = var.function_region
+  org_id            = var.org_id
+  source_name       = var.source_name
+  dry_run           = false
 }

examples/bq-log-alerting/variables.tf

@@ -19,11 +19,17 @@ variable "org_id" {
   type        = string
 }
 
-variable "region" {
-  description = "Region for BigQuery resources."
+variable "function_region" {
+  description = "Region for the Cloud function resources. See https://cloud.google.com/functions/docs/locations for valid values."
   type        = string
 }
 
+variable "bigquery_location" {
+  description = "Location for BigQuery resources. See https://cloud.google.com/bigquery/docs/locations for valid values."
+  type        = string
+  default     = "US"
+}
+
 variable "source_name" {
   description = "The Security Command Center Source name for the \"BQ Log Alerts\" Source if the source had been created before. The format is `organizations/<ORG_ID>/sources/<SOURCE_ID>`"
   type        = string

examples/bq-log-alerting/versions.tf

@@ -15,5 +15,9 @@
  */
 
 terraform {
-  required_version = ">=0.12.6, <0.14"
+  required_version = ">=0.12.6"
+}
+
+provider "google" {
+  version = "~> 3.53.0"
 }