From 33f75823165ea74cd3e93628c5239442dad29469 Mon Sep 17 00:00:00 2001
From: thadchais <126650298+thadchais@users.noreply.github.com>
Date: Fri, 8 Nov 2024 15:05:51 +0700
Subject: [PATCH] feat: remove logging bucket [DA-3846] (#32)

* feat: remove logging bucket
* feat: add checkov skip
* fix: Fix terraform dependencies to prevent terratest failures
---------
Co-authored-by: sunilhonest
---
 modules/gcp_gcs_bucket/README.md |  3 ---
 modules/gcp_gcs_bucket/main.tf   | 34 +++-----------------------------
 2 files changed, 3 insertions(+), 34 deletions(-)

diff --git a/modules/gcp_gcs_bucket/README.md b/modules/gcp_gcs_bucket/README.md
index 70b0947..b49c269 100644
--- a/modules/gcp_gcs_bucket/README.md
+++ b/modules/gcp_gcs_bucket/README.md
@@ -17,7 +17,6 @@ This module will create bucket in GCP with enable server-side encryption and log
 |------|---------|
 | [google](#provider\_google) | ~> 5.22 |
 | [random](#provider\_random) | >= 3.0, < 4.0 |
-| [time](#provider\_time) | >= 0.11, < 1.0 |
 
 ## Modules
 
@@ -31,9 +30,7 @@ No modules.
 | [google_kms_crypto_key_iam_binding.google_kms_crypto_key_iam_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/kms_crypto_key_iam_binding) | resource |
 | [google_kms_key_ring.google_kms_key_ring](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/kms_key_ring) | resource |
 | [google_storage_bucket.google_storage_bucket](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket) | resource |
-| [google_storage_bucket.google_storage_bucket_logging](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket) | resource |
 | [random_id.random_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
-| [time_sleep.time_sleep](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [google_storage_project_service_account.google_storage_project_service_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/storage_project_service_account) | data source |
 
 ## Inputs
diff --git a/modules/gcp_gcs_bucket/main.tf b/modules/gcp_gcs_bucket/main.tf
index e7195c0..e5217b1 100644
--- a/modules/gcp_gcs_bucket/main.tf
+++ b/modules/gcp_gcs_bucket/main.tf
@@ -34,46 +34,22 @@ resource "google_kms_crypto_key" "google_kms_crypto_key" { rotation_period = "7776000s" # 90 days } -resource "time_sleep" "time_sleep" { - depends_on = [google_kms_crypto_key.google_kms_crypto_key] - - create_duration = "30s" -} - data "google_storage_project_service_account" "google_storage_project_service_account" { project = var.project_id } resource "google_kms_crypto_key_iam_binding" "google_kms_crypto_key_iam_binding" { - depends_on = [time_sleep.time_sleep] - crypto_key_id = google_kms_crypto_key.google_kms_crypto_key.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" members = ["serviceAccount:${data.google_storage_project_service_account.google_storage_project_service_account.email_address}"] } -resource "google_storage_bucket" "google_storage_bucket_logging" { - #checkov:skip=CKV_GCP_62: logging bucket doesn't need a log - #checkov:skip=CKV_GCP_78:: logging bucket doesn't need a version - +resource "google_storage_bucket" "google_storage_bucket" { + # Ensures the storage service account has permission to use the KMS key for encryption/decryption before creating the storage bucket. depends_on = [google_kms_crypto_key_iam_binding.google_kms_crypto_key_iam_binding] - name = "${var.name}_logging_${random_id.random_id.hex}" - project = var.project_id - - location = var.location - force_destroy = var.force_destroy - storage_class = "ARCHIVE" - uniform_bucket_level_access = true - - public_access_prevention = "enforced" - encryption { - default_kms_key_name = google_kms_crypto_key.google_kms_crypto_key.id - } -} - -resource "google_storage_bucket" "google_storage_bucket" { + #checkov:skip=CKV_GCP_62: "Bucket should log access, however we never use the access log" #checkov:skip=CKV_GCP_78: Bucket versioning should be enabled by default however skipping the Checkov rule as it is not a requirement for all buckets with retention policy enabled. name = "${var.name}_${random_id.random_id.hex}" location = var.location 
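Review bot: The `#checkov:skip=CKV_GCP_62` added to `google_storage_bucket` switches off access logging for every bucket this module creates, and its justification ("we never use the access log") describes the current caller rather than anything a shared module can guarantee — the deleted logging bucket was the module's only detective control. Rather than removing it outright, keep it opt-in with a `log_bucket` input (string, default `null`, declared in the module's variables) and the `dynamic "logging"` block below so consumers with audit requirements can point at an existing log sink; if dropping the access log is deliberate, the skip comment should name the compensating control (e.g. project-level Data Access audit logs) instead of asserting the log is unused. Dropping `time_sleep` also removes what was presumably a grace period for the KMS IAM binding to propagate; `depends_on` orders the resources but does not wait for the binding to become effective, so creating the bucket with `default_kms_key_name` immediately after the binding may still fail intermittently with a permission error — worth watching in terratest. The README's module description (visible in the README hunk header) still advertises logging and should be updated alongside. The `google_storage_bucket` resource continues past the end of this hunk.
```hcl
resource "google_storage_bucket" "google_storage_bucket" {
  # … unchanged: depends_on, checkov skips, name, location …

  # Access logging is opt-in: pass the name of an existing log bucket via var.log_bucket.
  dynamic "logging" {
    for_each = var.log_bucket == null ? [] : [var.log_bucket]
    content {
      log_bucket = logging.value
    }
  }
```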
@@ -91,10 +67,6 @@ resource "google_storage_bucket" "google_storage_bucket" {
     enabled = var.object_versioning_enabled
   }
 
-  logging {
-    log_bucket = google_storage_bucket.google_storage_bucket_logging.name
-  }
-
   encryption {
     default_kms_key_name = google_kms_crypto_key.google_kms_crypto_key.id
   }