Turbot Guardrails Hub 
Hub
  • Mods
  • Policy Packs
  • Docs
  • Home
ModsPolicy PacksDocsHome
Policy Packs
GCP CIS v2.0.0 - Section 1 - Identity and Access Management
  • GCP > Dataproc > Cluster > Approved
  • GCP > Dataproc > Cluster > Approved > Custom
  • GCP > IAM > API Key > Active
  • GCP > IAM > API Key > Active > Age
  • GCP > IAM > API Key > Approved
  • GCP > IAM > API Key > Approved > Custom
  • GCP > IAM > Project User > Approved
  • GCP > IAM > Project User > Approved > Custom
  • GCP > IAM > Service Account > Approved
  • GCP > IAM > Service Account > Approved > Custom
  • GCP > IAM > Service Account Key > Active
  • GCP > IAM > Service Account Key > Active > Age
  • GCP > IAM > Service Account Key > Approved
  • GCP > IAM > Service Account Key > Approved > Custom
  • GCP > KMS > Crypto Key > Approved
  • GCP > KMS > Crypto Key > Approved > Custom
  • GCP > KMS > Crypto Key > Policy > Trusted Access
  • GCP > KMS > Crypto Key > Policy > Trusted Access > All Authenticated
  • GCP > KMS > Crypto Key > Policy > Trusted Access > All Users
Get Involved
Discuss on Slack

Policy Setting: GCP > IAM > Service Account > Approved > Custom

Policies

This policy setting is dependent on the following policy types:

  • GCP > IAM > Service Account > Approved > Custom

Source

resource "turbot_policy_setting" "gcp_iam_service_account_approved_custom" {
  resource       = turbot_policy_pack.main.id
  type           = "tmod:@turbot/gcp-iam#/policy/types/serviceAccountApprovedCustom"
  note           = "GCP CIS v2.0.0 - Control: 1.5"
  template_input = <<-EOT
  - |
    {
      project: project {
        id: get(path: "projectId")
      }
    }
  - |
    {
      iamPolicy: resource(id: "gcp://cloudresourcemanager.googleapis.com/projects/{{ $.project.id }}/iamPolicy", options: {notFound: RETURN_NULL}) {
        bindings: get(path: "bindings")
      }
      serviceAccount: serviceAccount {
        email: get(path: "email")
      }
    }
    EOT
  template       = <<-EOT
    {%- set role = '' -%}
    {%- set userServiceAccount = "serviceAccount:" + $.serviceAccount.email -%}


    {%- if userServiceAccount.endsWith("iam.gserviceaccount.com") -%}


      {%- for binding in $.iamPolicy.bindings -%}


        {%- for member in binding.members -%}


          {%- if member == userServiceAccount -%}


            {%- set role = binding.role -%}


          {%- endif -%}


        {%- endfor -%}


      {%- endfor -%}


      {%- if role == "roles/owner" or role == "roles/admin" or role == "roles/editor" -%}


        {%- set data = {
            "title": "Admin Privileges",
            "result": "Not approved",
            "message": "Service account has admin privileges"
        } -%}


      {%- elif role != "roles/owner" and role != "roles/admin" and role != "roles/editor" -%}


        {%- set data = {
            "title": "Admin Privileges",
            "result": "Approved",
            "message": "Service account does not have admin privileges"
        } -%}


      {%- else -%}


        {%- set data = {
            "title": "Admin Privileges",
            "result": "Skip",
            "message": "No data for admin privileges yet"
        } -%}


      {%- endif -%}


    {%- endif -%}


    {{ data | json }}
    EOT
}
Guardrails
Guardrails Hub
  • Hub
  • Docs
  • Blog
  • Changelog
Products
  • GuardrailsGuardrails
  • PipesPipes
  • SteampipeSteampipe
  • PowerpipePowerpipe
  • FlowpipeFlowpipe
  • TailpipeTailpipe
Turbot
  • Home
  • About us
  • We're hiring!
  • Contact us
Community

Our community of practitioners love to discuss cloud governance & security.

Slack logoJoin us on Slack →

System StatusLegalSecurity
Terms of UseSecurityPrivacy