Policy Setting: GCP > IAM > Service Account > Approved > Custom
Policies
This policy setting depends on the following policy types:
Source
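# Policy setting for GCP > IAM > Service Account > Approved > Custom.
# Implements GCP CIS v2.0.0 control 1.5: a user-managed service account must not
# hold admin privileges on the project.
resource "turbot_policy_setting" "gcp_iam_service_account_approved_custom" {
  resource = turbot_policy_pack.main.id
  type     = "tmod:@turbot/gcp-iam#/policy/types/serviceAccountApprovedCustom"
  note     = "GCP CIS v2.0.0 - Control: 1.5"

  # Two-stage GraphQL input. Stage 1 resolves the project id; stage 2 fetches the
  # project IAM policy bindings (null rather than an error when the policy resource
  # is absent, via notFound: RETURN_NULL) and the service account's email.
  template_input = <<-EOT
    - |
      {
        project: project {
          id: get(path: "projectId")
        }
      }
    - |
      {
        iamPolicy: resource(id: "gcp://cloudresourcemanager.googleapis.com/projects/{{ $.project.id }}/iamPolicy", options: {notFound: RETURN_NULL}) {
          bindings: get(path: "bindings")
        }
        serviceAccount: serviceAccount {
          email: get(path: "email")
        }
      }
  EOT

  # Nunjucks template producing the { title, result, message } object.
  # Result semantics:
  #   "Skip"         - the project IAM policy is not available yet, or the account is
  #                    not a user-managed service account (CIS 1.5 covers only those).
  #   "Not approved" - at least one binding granting an admin role lists the account.
  #   "Approved"     - no admin-role binding lists the account.
  # Every binding is scanned and an admin match is latched, so a later non-admin
  # binding for the same account cannot mask an earlier admin one; a missing policy
  # yields "Skip" instead of silently reporting "Approved".
  # NOTE(review): the admin-role list is unchanged from the original (roles/owner,
  # roles/admin, roles/editor); CIS 1.5 also treats roles named "*Admin" as admin
  # privileges - confirm whether those should be matched here.
  template = <<-EOT
    {%- set userServiceAccount = "serviceAccount:" + $.serviceAccount.email -%}
    {%- set hasAdminRole = false -%}
    {%- if $.iamPolicy and $.iamPolicy.bindings -%}
      {%- for binding in $.iamPolicy.bindings -%}
        {%- if binding.role == "roles/owner" or binding.role == "roles/admin" or binding.role == "roles/editor" -%}
          {%- for member in binding.members -%}
            {%- if member == userServiceAccount -%}
              {%- set hasAdminRole = true -%}
            {%- endif -%}
          {%- endfor -%}
        {%- endif -%}
      {%- endfor -%}
    {%- endif -%}
    {%- if not ($.iamPolicy and $.iamPolicy.bindings) -%}
      {%- set data = { "title": "Admin Privileges", "result": "Skip", "message": "No data for admin privileges yet" } -%}
    {%- elif not userServiceAccount.endsWith("iam.gserviceaccount.com") -%}
      {%- set data = { "title": "Admin Privileges", "result": "Skip", "message": "Not a user-managed service account" } -%}
    {%- elif hasAdminRole -%}
      {%- set data = { "title": "Admin Privileges", "result": "Not approved", "message": "Service account has admin privileges" } -%}
    {%- else -%}
      {%- set data = { "title": "Admin Privileges", "result": "Approved", "message": "Service account does not have admin privileges" } -%}
    {%- endif -%}
    {{ data | json }}
  EOT
}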