From a554e2a01a57d0a1d75e4da6158bf4d3410be999 Mon Sep 17 00:00:00 2001
From: Grzegorz Rygielski
Date: Fri, 22 Nov 2024 09:25:46 +0100
Subject: [PATCH] gcp-log-export: prevent auditlogs caused by pantheon GSA
---
 terraform/modules/aws-policies/main.tf | 16 ++++++++--------
 terraform/modules/gcp-log-export/main.tf | 1 +
 terraform/modules/gcp-log-export/variable.tf | 5 +++++
 3 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/terraform/modules/aws-policies/main.tf b/terraform/modules/aws-policies/main.tf
index 2c6ed24..6affdae 100644
--- a/terraform/modules/aws-policies/main.tf
+++ b/terraform/modules/aws-policies/main.tf
@@ -4,21 +4,21 @@ locals {
 }
 data "aws_iam_policy_document" "federation" {
 statement {
- effect = "Allow"
+ effect = "Allow"
 actions = [
 "sts:AssumeRoleWithWebIdentity",
 ]
 condition {
 test = "StringEquals"
 variable = "accounts.google.com:sub"
- values = [
+ values = [
 tostring(var.pantheon_service_account_id)
 ]
 }
 condition {
 test = "StringEquals"
 variable = "accounts.google.com:oaud"
- values = [
+ values = [
 local.cf-document["Resources"]["Role"]["Properties"]["AssumeRolePolicyDocument"]["Statement"][0]["Condition"]["StringEquals"]["accounts.google.com:oaud"]
 ]
 }
@@ -63,19 +63,19 @@ data "aws_iam_policy_document" "override" {
 locals {
 // 1
 pantheon_full_policy_document = local.cf-document["Resources"]["PantheonFullPolicy0"]["Properties"]["PolicyDocument"]
- pantheon_full_policy = {
+ pantheon_full_policy = {
 Statement : local.pantheon_full_policy_document["Statement"]
 Version : local.pantheon_full_policy_document["Version"]
 }
 // 2
 pantheon_full_policy2_document = local.cf-document["Resources"]["PantheonFullPolicy1"]["Properties"]["PolicyDocument"]
- pantheon_full_policy2 = {
+ pantheon_full_policy2 = {
 Statement : local.pantheon_full_policy2_document["Statement"]
 Version : local.pantheon_full_policy2_document["Version"]
 }
 // 3
 pantheon_full_policy3_document = local.cf-document["Resources"]["PantheonFullPolicy2"]["Properties"]["PolicyDocument"]
- pantheon_full_policy3 = {
+ pantheon_full_policy3 = {
 Statement : local.pantheon_full_policy3_document["Statement"]
 Version : local.pantheon_full_policy3_document["Version"]
 }
@@ -126,13 +126,13 @@ resource "aws_iam_policy_attachment" "attach_PantheonFullPolicy3_to_gcp_federati
 }
 // deny actions
 resource "aws_iam_policy" "pantheon_deny_policy1" {
- count = length(var.pantheon_full_access_policy_deny_actions) > 0 ? 1 : 0
+ count = length(var.pantheon_full_access_policy_deny_actions) > 0 ? 1 : 0
 name = "${var.pantheon_full_access_policy_name}DenyActions1"
 path = "/"
 policy = jsonencode(local.pantheon_deny_actions1)
 }
 resource "aws_iam_policy_attachment" "attach_PantheonDenyActionsPolicy1_to_gcp_federation" {
- count = length(var.pantheon_full_access_policy_deny_actions) > 0 ? 1 : 0
+ count = length(var.pantheon_full_access_policy_deny_actions) > 0 ? 1 : 0
 policy_arn = aws_iam_policy.pantheon_deny_policy1[0].arn
 name = "pantheon-has-not-full-access-on-1"
 roles = [aws_iam_role.gcp_federation.name]
diff --git a/terraform/modules/gcp-log-export/main.tf b/terraform/modules/gcp-log-export/main.tf
index 81696a1..93ba827 100644
--- a/terraform/modules/gcp-log-export/main.tf
+++ b/terraform/modules/gcp-log-export/main.tf
@@ -66,6 +66,7 @@ locals {
 AND NOT protoPayload.serviceName="speech.googleapis.com"
 AND NOT protoPayload.serviceName="websecurityscanner.googleapis.com"
 AND NOT protoPayload.serviceName="admin.googleapis.com"
+ AND NOT protoPayload.authenticationInfo.principalEmail="${var.pantheon_service_account}"
 EOT
 }
diff --git a/terraform/modules/gcp-log-export/variable.tf b/terraform/modules/gcp-log-export/variable.tf
index 049a7a6..90279b5 100644
--- a/terraform/modules/gcp-log-export/variable.tf
+++ b/terraform/modules/gcp-log-export/variable.tf
@@ -12,3 +12,8 @@ variable "destination_uri" {
 type = string
 description = "The full qualified destination URI of the PubSub topic the logging sink should write to in the form 'pubsub.googleapis.com/projects//topics/'. Will be provided by the team."
 }
+
+variable "pantheon_service_account" {
+ type = string
+ description = "The service account used to scan resources. Will be provided by the team."
+}
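Review bot: The added `AND NOT protoPayload.authenticationInfo.principalEmail="${var.pantheon_service_account}"` clause drops every audit entry authored by the Pantheon service account, not only its scanning traffic, so a write or IAM change performed with that identity would also vanish from the export and from whatever consumes the sink. If the scanner only reads resources, the exclusion can be scoped to the log type it produces, e.g. `AND NOT (protoPayload.authenticationInfo.principalEmail="${var.pantheon_service_account}" AND logName:"data_access")`, which keeps Admin Activity entries for that principal flowing. The variable is interpolated verbatim into the filter heredoc, so a value containing a double quote would invalidate the whole filter rather than just this clause; a `validation` block on the variable in variable.tf would catch that at plan time. The enclosing `locals` block starts outside the hunk.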
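Review bot: `pantheon_service_account` has no `validation` block even though main.tf interpolates it verbatim into the logging-sink filter, so an empty string or a value containing a double quote is accepted at plan time and either matches nothing or yields a filter the sink rejects at apply. A validation that requires a `@….gserviceaccount.com` address without quotes or whitespace fails fast with a clear message, and the description should say an email address is expected rather than just "the service account".
```hcl
variable "pantheon_service_account" {
  type        = string
  description = "Email of the service account used to scan resources. Will be provided by the team."

  validation {
    condition     = can(regex("^[^\"\\s]+@[^\"\\s]+\\.gserviceaccount\\.com$", var.pantheon_service_account))
    error_message = "pantheon_service_account must be a service account email address (…@….gserviceaccount.com) without quotes or whitespace."
  }
}
```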