From 173c998a8f55c80e139d0aca85cba6715846bb69 Mon Sep 17 00:00:00 2001 From: Michael Scribellito Date: Thu, 22 Feb 2024 15:37:22 -0500 Subject: [PATCH 1/5] Submodule for snapshots --- .gitignore | 36 +++++++++++-------- README.md | 7 ++-- modules/snapshot/README.md | 10 ++++++ modules/snapshot/main.tf | 31 ++++++++++++++++ modules/snapshot/outputs.tf | 14 ++++++++ modules/snapshot/variables.tf | 68 +++++++++++++++++++++++++++++++++++ 6 files changed, 147 insertions(+), 19 deletions(-) create mode 100644 modules/snapshot/README.md create mode 100644 modules/snapshot/main.tf create mode 100644 modules/snapshot/outputs.tf create mode 100644 modules/snapshot/variables.tf diff --git a/.gitignore b/.gitignore index 2dc4453..a1af5ba 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,8 @@ +# Ignore IDE directories +.idea +.vscode +.DS_Store + # Local .terraform directories **/.terraform/* @@ -7,6 +12,14 @@ # Crash log files crash.log +crash.*.log + +# Exclude all .tfvars files, which are likely to contain sensitive data, such as +# password, private keys, and other secrets. These should not be part of version +# control as they are data points which are potentially sensitive and subject +# to change depending on the environment. +*.tfvars +*.tfvars.json # Ignore override files as they are usually used to override resources locally and so # are not checked in 
@@ -15,22 +28,15 @@ override.tf.json *_override.tf *_override.tf.json +# Include override files you do wish to add to version control using negated pattern +# !example_override.tf + # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan # example: *tfplan* -.idea -.idea/* -.vscode -.vscode/ -*.iml -*.zip -.DS_Store - -# NessusBurp Install files are too large to commit -**/nessusburp/*.exe -**/nessusburp/*.msi -**/nessusburp/*.txt +# Ignore CLI configuration files +.terraformrc +terraform.rc -# Ansible -*.pub -*.ppk +# Ignore Terraform lock files +.terraform.lock.hcl \ No newline at end of file diff --git a/README.md b/README.md index 3c770de..eace957 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,10 @@ ![Coalfire](coalfire_logo.png) - -# GCP VM Terraform Module +# Google Cloud VM Terraform Module ## Description -This GCP Virtual Machine module allows you to easily configure and deploy any needed instances. This module will create the virtual machine as well as setup a snapshot schedule. Coalfire has tested this module with Terraform version 1.5.0 and the Hashicorp Google provider versions 4.70 - 5.0. +This Google Cloud Virtual Machine module allows you to easily configure and deploy any needed instances. This module will create the virtual machine as well as setup a snapshot schedule. Coalfire has tested this module with Terraform version 1.5.0 and the Hashicorp Google provider versions 4.70 - 5.0. FedRAMP Compliance: High @@ -18,7 +17,7 @@ data "google_compute_image" "rhel_9" { } module "linux-bastion" { - source = "github.com/Coalfire-CF/terraform-gcp-vm" + source = "github.com/Coalfire-CF/terraform-google-vm" project_id = data.terraform_remote_state.bootstrap.outputs.management_project_id diff --git a/modules/snapshot/README.md b/modules/snapshot/README.md new file mode 100644 index 0000000..26b3141 --- /dev/null +++ b/modules/snapshot/README.md 
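Review bot: The new tail of the file ignores `.terraform.lock.hcl`, the provider dependency lock file that records the selected provider versions and their checksums; HashiCorp's guidance is to commit that file so `terraform init` on every workstation and in CI verifies the same provider builds, and ignoring it removes that supply-chain pin from a module advertised as FedRAMP High. The same hunk drops the `*.pub` and `*.ppk` patterns, so a PuTTY private key left in the tree is no longer ignored on the new side. I would remove the `.terraform.lock.hcl` entry and keep a private-key section such as `# Private keys` / `*.ppk` / `*.pem`; `*.pub` can stay unignored since public keys are not secret.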
@@ -0,0 +1,10 @@
+# Google Cloud VM Snapshot
+
+## Description
+
+This module is used to create a resource policy for scheduling persistent disk snapshots.
+
+## Usage
+
+```hcl
+```
\ No newline at end of file
diff --git a/modules/snapshot/main.tf b/modules/snapshot/main.tf
new file mode 100644
index 0000000..da1505b
--- /dev/null
+++ b/modules/snapshot/main.tf
@@ -0,0 +1,31 @@
+resource "google_compute_resource_policy" "policy" {
+
+ name = var.name
+ project = var.project_id
+ region = var.region
+
+ snapshot_schedule_policy {
+ retention_policy {
+ max_retention_days = var.max_retention_days
+ on_source_disk_delete = var.on_source_disk_delete
+ }
+
+ schedule {
+
+ dynamic "daily_schedule" {
+ for_each = var.schedule == "daily" ? [1] : []
+ content {
+ days_in_cycle = var.days_in_cycle
+ start_time = var.start_time
+ }
+ }
+
+ }
+
+ snapshot_properties {
+ labels = var.labels
+ storage_locations = var.storage_locations != null ? var.storage_locations : [var.region]
+ guest_flush = var.guest_flush
+ }
+ }
+}
diff --git a/modules/snapshot/outputs.tf b/modules/snapshot/outputs.tf
new file mode 100644
index 0000000..65d5db9
--- /dev/null
+++ b/modules/snapshot/outputs.tf
@@ -0,0 +1,14 @@
+output "policy" {
+ description = "Resource snapshot policy details."
+ value = google_compute_resource_policy.policy
+}
+
+output "id" {
+ description = "Resource snapshot ID."
+ value = google_compute_resource_policy.policy.id
+}
+
+output "self_link" {
+ description = "Resource snapshot self-link."
+ value = google_compute_resource_policy.policy.self_link
+}
diff --git a/modules/snapshot/variables.tf b/modules/snapshot/variables.tf
new file mode 100644
index 0000000..347a173
--- /dev/null
+++ b/modules/snapshot/variables.tf
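Review bot: The `schedule` block inside `snapshot_schedule_policy` is left empty whenever `var.schedule` is anything other than `"daily"`, because `dynamic "daily_schedule"` is the only branch and there is no `hourly_schedule` or `weekly_schedule` counterpart; the provider expects exactly one of those sub-blocks, so a value such as `Daily` or `weekly` is rejected at apply time rather than at plan. Either constrain the input with `validation { condition = var.schedule == "daily" ... }` or add the other two `dynamic` branches keyed on the same string. The `storage_locations` fallback to `[var.region]` is the right default for data residency, but it deserves a why-comment on that line, e.g. `# Keep snapshots in the policy's region unless the caller overrides the location`, since the compliance boundary usually depends on it.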
@@ -0,0 +1,68 @@
+variable "project_id" {
+ type = string
+ description = "The project ID where the resources will be created."
+}
+
+variable "region" {
+ type = string
+ description = "Region where resource policy resides."
+}
+
+variable "name" {
+ type = string
+ description = "Name of the resource policy to create."
+}
+
+# Retention Policy
+
+variable "max_retention_days" {
+ type = number
+ description = "Maximum age of the snapshot that is allowed to be kept."
+ default = 14
+}
+
+variable "on_source_disk_delete" {
+ type = string
+ description = "Specifies the behavior to apply to scheduled snapshots when the source disk is deleted."
+ default = "KEEP_AUTO_SNAPSHOTS"
+}
+
+# Schedule
+
+variable "schedule" {
+ type = string
+ description = "Specifies the schedule frequency."
+ default = "daily"
+}
+
+variable "days_in_cycle" {
+ type = number
+ description = "Defines a schedule with units measured in days. The value determines how many days pass between the start of each cycle. Days in cycle for snapshot schedule policy must be 1."
+ default = 1
+}
+
+variable "start_time" {
+ type = string
+ description = "This must be in UTC format that resolves to one of 00:00, 04:00, 08:00, 12:00, 16:00, or 20:00. For example, both 13:00-5 and 08:00 are valid."
+ default = "00:00"
+}
+
+# Snapthot Properties
+
+variable "labels" {
+ type = map(string)
+ description = "Labels, provided as a map"
+ default = null
+}
+
+variable "storage_locations" {
+ type = list(string)
+ description = "Cloud Storage bucket location to store the auto snapshot (regional or multi-regional)."
+ default = null
+}
+
+variable "guest_flush" {
+ type = bool
+ description = "Whether to perform a 'guest aware' snapshot."
+ default = true
+}
From 142eebbd2a8c69abfdc5f2549bf971209956b08f Mon Sep 17 00:00:00 2001
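Review bot: None of the new inputs carries a `validation` block, so an `on_source_disk_delete` value outside the two strings the provider accepts, or a `schedule` value other than `"daily"` (the only value `main.tf` handles), is only reported by the API at apply rather than rejected at plan. The two validations below keep such input out of a plan a reviewer has already approved; a `max_retention_days >= 1` check would be reasonable as well. The heading `# Snapthot Properties` should read `# Snapshot Properties`.
```hcl
variable "on_source_disk_delete" {
  type        = string
  description = "Specifies the behavior to apply to scheduled snapshots when the source disk is deleted."
  default     = "KEEP_AUTO_SNAPSHOTS"

  validation {
    condition     = contains(["KEEP_AUTO_SNAPSHOTS", "APPLY_RETENTION_POLICY"], var.on_source_disk_delete)
    error_message = "on_source_disk_delete must be KEEP_AUTO_SNAPSHOTS or APPLY_RETENTION_POLICY."
  }
}

# … unchanged: "# Schedule" heading …

variable "schedule" {
  type        = string
  description = "Specifies the schedule frequency. Only \"daily\" is implemented by this module."
  default     = "daily"

  validation {
    condition     = var.schedule == "daily"
    error_message = "schedule must be \"daily\"; hourly and weekly schedules are not implemented."
  }
}
```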
From: Michael Scribellito Date: Thu, 22 Feb 2024 15:39:31 -0500 Subject: [PATCH 2/5] recursive terraform-docs --- .github/workflows/org-terraform-docs.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/org-terraform-docs.yml b/.github/workflows/org-terraform-docs.yml index 273ff8a..d6317b5 100644 --- a/.github/workflows/org-terraform-docs.yml +++ b/.github/workflows/org-terraform-docs.yml @@ -5,4 +5,6 @@ on: jobs: terraform-docs: - uses: Coalfire-CF/Actions/.github/workflows/org-terraform-docs.yml@main \ No newline at end of file + uses: Coalfire-CF/Actions/.github/workflows/org-terraform-docs.yml@main + with: + recursive: true \ No newline at end of file From 9538fecd6d776629407f9991a4773abf09011405 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 22 Feb 2024 20:39:48 +0000 Subject: [PATCH 3/5] terraform-docs: automated action --- modules/snapshot/README.md | 47 +++++++++++++++++++++++++++++++++++++- 1 file changed, 46 insertions(+), 1 deletion(-) diff --git a/modules/snapshot/README.md b/modules/snapshot/README.md index 26b3141..485ad6b 100644 --- a/modules/snapshot/README.md +++ b/modules/snapshot/README.md 
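Review bot: The re-added `uses:` line still references the reusable workflow by the mutable `@main` ref, so whatever is pushed to `main` in `Coalfire-CF/Actions` runs here with this repository's token, and the `github-actions[bot]` commit in PATCH 3/5 suggests that workflow commits back to this repository. Pin it to a full-length commit SHA with the version in a trailing comment, `uses: Coalfire-CF/Actions/.github/workflows/org-terraform-docs.yml@<sha> # vX.Y`, and let Dependabot or Renovate bump it. `recursive: true` widens the set of directories whose README the action rewrites, which makes that pin more important after this change. The file also still ends without a trailing newline.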
@@ -7,4 +7,49 @@ This module is used to create a resource policy for scheduling persistent disk s ## Usage ```hcl -``` \ No newline at end of file +``` + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [google](#provider\_google) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [google_compute_resource_policy.policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_resource_policy) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [days\_in\_cycle](#input\_days\_in\_cycle) | Defines a schedule with units measured in days. The value determines how many days pass between the start of each cycle. Days in cycle for snapshot schedule policy must be 1. | `number` | `1` | no | +| [guest\_flush](#input\_guest\_flush) | Whether to perform a 'guest aware' snapshot. | `bool` | `true` | no | +| [labels](#input\_labels) | Labels, provided as a map | `map(string)` | `null` | no | +| [max\_retention\_days](#input\_max\_retention\_days) | Maximum age of the snapshot that is allowed to be kept. | `number` | `14` | no | +| [name](#input\_name) | Name of the resource policy to create. | `string` | n/a | yes | +| [on\_source\_disk\_delete](#input\_on\_source\_disk\_delete) | Specifies the behavior to apply to scheduled snapshots when the source disk is deleted. | `string` | `"KEEP_AUTO_SNAPSHOTS"` | no | +| [project\_id](#input\_project\_id) | The project ID where the resources will be created. | `string` | n/a | yes | +| [region](#input\_region) | Region where resource policy resides. | `string` | n/a | yes | +| [schedule](#input\_schedule) | Specifies the schedule frequency. | `string` | `"daily"` | no | +| [start\_time](#input\_start\_time) | This must be in UTC format that resolves to one of 00:00, 04:00, 08:00, 12:00, 16:00, or 20:00. 
For example, both 13:00-5 and 08:00 are valid. | `string` | `"00:00"` | no | +| [storage\_locations](#input\_storage\_locations) | Cloud Storage bucket location to store the auto snapshot (regional or multi-regional). | `list(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [id](#output\_id) | Resource snapshot ID. | +| [policy](#output\_policy) | Resource snapshot policy details. | +| [self\_link](#output\_self\_link) | Resource snapshot self-link. | + \ No newline at end of file From 4f7a82300c9a70e0ca5919a4436586079c7a7e39 Mon Sep 17 00:00:00 2001 From: Michael Scribellito Date: Thu, 22 Feb 2024 15:49:05 -0500 Subject: [PATCH 4/5] Add example usage --- modules/snapshot/README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/modules/snapshot/README.md b/modules/snapshot/README.md index 485ad6b..8213ab7 100644 --- a/modules/snapshot/README.md +++ b/modules/snapshot/README.md @@ -6,7 +6,17 @@ This module is used to create a resource policy for scheduling persistent disk s ## Usage +The below example creates a daily snapshot schedule with a default max retention time of 14 days. + ```hcl +module "snapshot_schedule" { + source = "github.com/Coalfire-CF/terraform-google-vm//modules/snapshot" + + project_id = "your-project-id" + region = "your-region" + name = "daily-snapshot" +} + ``` ## Requirements From fd77c184a280a944467f184ea04737282324875c Mon Sep 17 00:00:00 2001 From: Michael Scribellito Date: Mon, 26 Feb 2024 10:32:30 -0500 Subject: [PATCH 5/5] Add example usage --- README.md | 2 +- modules/snapshot/README.md | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index eace957..4902336 100644 --- a/README.md +++ b/README.md 
@@ -16,7 +16,7 @@ data "google_compute_image" "rhel_9" { filter = "name=rhel-9-v20231010" } -module "linux-bastion" { +module "linux_bastion" { source = "github.com/Coalfire-CF/terraform-google-vm" project_id = data.terraform_remote_state.bootstrap.outputs.management_project_id diff --git a/modules/snapshot/README.md b/modules/snapshot/README.md index 8213ab7..bd33a78 100644 --- a/modules/snapshot/README.md +++ b/modules/snapshot/README.md @@ -17,7 +17,15 @@ module "snapshot_schedule" { name = "daily-snapshot" } +module "linux_bastion" { + ... + + snapshot_schedule = module.snapshot_schedule.self_link +} ``` + +To assign the snapshot schedule to a VM, use the `self_link` output from this module and pass that into the `snapshot_schedule` variable of the VM module. + ## Requirements