Policy Setting: GCP > IAM > Project User > Approved > Custom
Policies
This policy setting depends on the following policy types:
Source
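resource "turbot_policy_setting" "gcp_iam_project_user_approved_custom" {
  resource = turbot_policy_pack.main.id
  type     = "tmod:@turbot/gcp-iam#/policy/types/projectUserApprovedCustom"
  note     = "GCP CIS v2.0.0 - Control: 1.6, 1.8 and 1.11"

  # Input query: the roles bound to this project user, plus the user id.
  template_input = <<-EOT
    {
      projectUser: projectUser {
        roles: get(path: "roles")
        userId: get(path: "userId")
      }
    }
  EOT

  # The template renders a JSON array with one {title, result, message} entry
  # per check; each result is "Approved", "Not approved" or "Skip".
  #
  # Fixes relative to the earlier revision of this template:
  #   - A missing/null role list made the `in` operator throw, and the
  #     "No data for user yet" Skip branch was unreachable (its `elif` was
  #     the complement of the `if`). Missing data now yields a Skip for
  #     every check; an empty role list is treated as real data (no roles).
  #   - The two separation-of-duties checks reported "Skip / No data
  #     available" when exactly one of the paired roles was held. Holding
  #     only one of the pair is compliant, so that case is now "Approved"
  #     with a message that says so.
  #   - The for-loop scan for KMS roles is replaced by `in` tests, matching
  #     the other checks and avoiding `set`-inside-loop scoping surprises.
  template = <<-EOT
    {%- set results = [] -%}
    {%- set userRoles = $.projectUser.roles -%}

    {%- if not userRoles -%}
      {#- Role data not available yet: skip every check rather than erroring. -#}
      {%- set results = results.concat({ "title": "SA User or Token Creator Role", "result": "Skip", "message": "No data for user yet" }) -%}
      {%- set results = results.concat({ "title": "KMS Admin and Crypto Key Roles", "result": "Skip", "message": "No data available for KMS admin and crypto key roles yet" }) -%}
      {%- set results = results.concat({ "title": "SA Admin and User Roles", "result": "Skip", "message": "No data available for service account admin and user roles yet" }) -%}
    {%- else -%}

      {#- CIS 1.6: Service Account User / Token Creator must not be granted at project level. -#}
      {%- set hasSAUserRole = "roles/iam.serviceAccountUser" in userRoles -%}
      {%- set hasSATokenCreator = "roles/iam.serviceAccountTokenCreator" in userRoles -%}
      {%- if hasSAUserRole or hasSATokenCreator -%}
        {%- set data = { "title": "SA User or Token Creator Role", "result": "Not approved", "message": "User is assigned with service account user or token creator role" } -%}
      {%- else -%}
        {%- set data = { "title": "SA User or Token Creator Role", "result": "Approved", "message": "User is not assigned with service account user or token creator role" } -%}
      {%- endif -%}
      {%- set results = results.concat(data) -%}

      {#- CIS 1.11: separation of duties - KMS admin must not also hold a crypto key role. -#}
      {%- set hasKmsAdminRole = "roles/cloudkms.admin" in userRoles -%}
      {%- set hasCryptoKeyRole = "roles/cloudkms.cryptoKeyDecrypter" in userRoles or "roles/cloudkms.cryptoKeyEncrypter" in userRoles or "roles/cloudkms.cryptoKeyEncrypterDecrypter" in userRoles -%}
      {%- if hasKmsAdminRole and hasCryptoKeyRole -%}
        {%- set data = { "title": "KMS Admin and Crypto Key Roles", "result": "Not approved", "message": "User has KMS admin and crypto key roles" } -%}
      {%- else -%}
        {%- set data = { "title": "KMS Admin and Crypto Key Roles", "result": "Approved", "message": "User does not have both KMS admin and crypto key roles" } -%}
      {%- endif -%}
      {%- set results = results.concat(data) -%}

      {#- CIS 1.8: separation of duties - SA admin must not also hold SA user. hasSAUserRole is reused from the first check. -#}
      {%- set hasServiceAccountAdminRole = "roles/iam.serviceAccountAdmin" in userRoles -%}
      {%- if hasServiceAccountAdminRole and hasSAUserRole -%}
        {%- set data = { "title": "SA Admin and User Roles", "result": "Not approved", "message": "User has service account admin and user roles" } -%}
      {%- else -%}
        {%- set data = { "title": "SA Admin and User Roles", "result": "Approved", "message": "User does not have both service account admin and user roles" } -%}
      {%- endif -%}
      {%- set results = results.concat(data) -%}

    {%- endif -%}
    {{ results | json }}
  EOT
}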