Policy Setting: GCP > IAM > API Key > Approved > Custom
Policies
This policy setting is dependent on the following policy types:
Source
resource "turbot_policy_setting" "gcp_iam_api_key_approved_custom" { resource = turbot_policy_pack.main.id type = "tmod:@turbot/gcp-iam#/policy/types/apiKeyApprovedCustom" note = "GCP CIS v2.0.0 - Control: 1.12, 1.13 and 1.14" template_input = <<-EOT { item: apiKey { name: get(path: "name") apiTargets: get(path: "restrictions.apiTargets") createTime: get(path: "createTime") browserKeyRestrictions: get(path: "restrictions.browserKeyRestrictions") serverKeyRestrictions: get(path: "restrictions.serverKeyRestrictions") androidKeyRestrictions: get(path: "restrictions.androidKeyRestrictions") iosKeyRestrictions: get(path: "restrictions.iosKeyRestrictions") } } EOT template = <<-EOT {%- set results = [] -%}
{%- set apiTargets = $.item.apiTargets | default([]) -%}
{%- set name = $.item.name -%}
{%- set containsCloudApi = false -%}
{%- for item in apiTargets -%}
{%- if not containsCloudApi and item.service == "cloudapis.googleapis.com" -%}
{%- set containsCloudApi = true -%}
{%- endif -%}
{%- endfor -%}
{%- if containsCloudApi -%}
{%- set data = { "title": "Access to Specific APIs", "result": "Not approved", "message": "API Key is restricted to only APIs that application needs access" } -%}
{%- elif not containsCloudApi -%}
{%- set data = { "title": "Access to Specific APIs", "result": "Approved", "message": "API Key is not restricted to only APIs that application needs access" } -%}
{%- else -%}
{%- set data = { "title": "Access to Specific APIs", "result": "Skip", "message": "No data for API Key restriction yet" } -%}
{%- endif -%}
{%- set results = results.concat(data) -%}
{%- if name | length > 0 -%}
{%- set data = { "title": "API Key Exists", "result": "Not approved", "message": "API Key should not exist for any active services" } -%}
{%- else -%}
{%- set data = { "title": "API Key Exists", "result": "Skip", "message": "No data for API Key yet" } -%}
{%- endif -%}
{%- set results = results.concat(data) -%}
{%- set browserKeyRestrictions = $.item.browserKeyRestrictions -%}
{%- set serverKeyRestrictions = $.item.serverKeyRestrictions -%}
{%- set androidKeyRestrictions = $.item.androidKeyRestrictions -%}
{%- set iosKeyRestrictions = $.item.iosKeyRestrictions -%}
{%- set applicationRestrictions = true -%}
{%- if browserKeyRestrictions == null and serverKeyRestrictions == null and androidKeyRestrictions == null and iosKeyRestrictions == null -%}
{%- set applicationRestrictions = false -%}
{%- elif browserKeyRestrictions != null -%}
{%- for referrer in browserKeyRestrictions.allowedReferrers -%}
{%- if "*" in referrer -%}
{%- set applicationRestrictions = false -%}
{%- endif -%}
{%- endfor -%}
{%- elif serverKeyRestrictions != null -%}
{%- set invalidIps = ['0.0.0.0', '0.0.0.0/0', '::0'] -%}
{%- for ip in serverKeyRestrictions.allowedIps -%}
{%- if ip in invalidIps -%}
{%- set applicationRestrictions = false -%}
{%- endif -%}
{%- endfor -%}
{%- endif -%}
{%- if applicationRestrictions -%}
{%- set data = { "title": "Access to Specific Hosts & Apps", "result": "Approved", "message": "API keys are restricted to use by only specified hosts and apps" } -%}
{%- elif not applicationRestrictions -%}
{%- set data = { "title": "Access to Specific Hosts & Apps", "result": "Not approved", "message": "API keys are not restricted to use by only specified hosts and apps" } -%}
{%- else -%}
{%- set data = { "title": "Access to Specific Hosts & Apps", "result": "Skip", "message": "No data for key restrictions yet" } -%}
{%- endif -%}
{%- set results = results.concat(data) -%}
{{ results | json }} EOT}