# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#########
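# Organization-level log sink that routes matching entries into the audit
# StorageBucket declared in the next document of this file.
apiVersion: logging.cnrm.cloud.google.com/v1beta1
kind: LoggingLogSink
metadata:
  name: audit-bucket-sink
  namespace: common
  labels:
    resource-group: common
spec:
  organizationRef:
    # Replace "${ORG_ID?}" with the numeric ID for your organization
    external: "${ORG_ID?}" # kpt-set: ${org-id}
  # Also export entries from folders and projects below the organization.
  includeChildren: true
  destination:
    storageBucketRef:
      # Must match the StorageBucket metadata.name declared below; both values
      # are rewritten by the same audit-${audit-prj-id} setter, and the bucket
      # name it produces has to be globally unique.
      name: audit-sink-audit-prj-id # kpt-set: audit-${audit-prj-id}
  # NOTE(review): Cloud Audit Logs (Admin Activity, Data Access) are written at
  # NOTICE/INFO severity, so this filter leaves them out of the audit bucket;
  # confirm that only WARNING-and-above entries are intended for this sink.
  filter: "severity >= WARNING"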
---
# Destination bucket for the organization audit sink above. Access control is
# uniform bucket-level IAM only, and public access is blocked at the bucket.
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  annotations:
    # NOTE(review): force-destroy lets Config Connector delete the bucket even
    # while it still holds objects, so removing this resource also destroys
    # the audit logs collected so far — confirm that is acceptable here.
    cnrm.cloud.google.com/force-destroy: "true"
    cnrm.cloud.google.com/project-id: "Audit" # kpt-set: ${audit-prj-id}
  labels:
    resource-group: common
  # StorageBucket names must be globally unique. The same setter rewrites the
  # sink's storageBucketRef.name so the two stay in sync.
  name: audit-sink-audit-prj-id # kpt-set: audit-${audit-prj-id}
  namespace: common
spec:
  lifecycleRule:
    # Delete objects once they are 365 days old.
    - action:
        type: Delete
      condition:
        age: 365
        withState: "ANY"
    # Move objects to COLDLINE at 180 days to reduce storage cost.
    - action:
        type: "SetStorageClass"
        storageClass: "COLDLINE"
      condition:
        age: 180
        withState: "ANY"
  storageClass: "STANDARD"
  location: northamerica-northeast1
  # NOTE(review): retentionPeriod is expressed in seconds, so a locked
  # one-second policy gives no real protection against early deletion or
  # overwrite of audit records, and a locked policy cannot be shortened or
  # removed later — confirm the intended retention window before locking.
  retentionPolicy:
    isLocked: true
    retentionPeriod: 1
  versioning:
    enabled: false
  uniformBucketLevelAccess: true
  publicAccessPrevention: "enforced"
---
# Audit bucket writer: grants the log sink's writer identity permission to
# create objects in the audit bucket declared above.
# NOTE(review): the kpt-merge key still names bq-audit-data-viewer; confirm
# that identifier is the intended merge target for this policy.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata: # kpt-merge: config-control/bq-audit-data-viewer
  name: audit-sink-writer
  namespace: config-control # kpt-set: ${management-namespace}
spec:
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    # NOTE(review): no namespace is given, so this reference (and the
    # logSinkRef below) resolves in the policy's own namespace
    # (config-control), while the bucket and sink above are declared in
    # namespace common — confirm whether an explicit namespace is needed.
    name: audit-sink-audit-prj-id # kpt-set: audit-${audit-prj-id}
  bindings:
    # objectCreator only allows creating new objects, with no read or delete
    # on existing ones, which is all the sink needs.
    - role: roles/storage.objectCreator
      members:
        # Resolves to the writer identity generated for the log sink.
        - memberFrom:
            logSinkRef:
              name: audit-bucket-sink