Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ [DO NOT MERGE] Return full GCP IAM policy instead of just bindings #824

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

✨ [DO NOT MERGE] Return full GCP IAM policy instead of just bindings #824

wants to merge 3 commits into from

Conversation

imilchev
Copy link
Member

Updated for:

  • organization
  • project
./cnquery run gcp -c "gcp.project{iamPolicy}"discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
gcp.project: {
  iamPolicy: gcp.iamPolicy bindings=[
  0: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/0
  1: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/1
  2: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/2
  3: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/3
  4: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/4
  5: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/5
  6: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/6
  7: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/7
  8: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/8
  9: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/9
  10: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/10
  11: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/11
  12: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/12
  13: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/13
  14: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/14
  15: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/15
  16: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/16
  17: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/17
  18: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/18
  19: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/19
  20: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/20
  21: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/21
  22: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/22
  23: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/23
  24: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/24
  25: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/25
  26: gcp.resourcemanager.binding id = gcp.project/mondoo-dev-262313/gcp.iamPolicy/bindings/26
]
}
  • storage buckets
./cnquery run gcp -c "gcp.project.storage.buckets[0]{iamPolicy}"discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
gcp.project.storage.buckets[0]: {
  iamPolicy: gcp.iamPolicy bindings=[
  0: gcp.resourcemanager.binding id = gcp.project.storageService.bucket/artifacts.mondoo-dev-262313.appspot.com/gcp.iamPolicy/bindings/0
  1: gcp.resourcemanager.binding id = gcp.project.storageService.bucket/artifacts.mondoo-dev-262313.appspot.com/gcp.iamPolicy/bindings/1
]
}
  • KMS crypto keys
./cnquery run gcp -c "gcp.project.kms.keyrings[0]{cryptokeys{iamPolicy}}"discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
gcp.project.kms.keyrings[0]: {
  cryptokeys: [
    0: {
      iamPolicy: gcp.iamPolicy bindings=[]
    }
  ]
}

@imilchev imilchev requested a review from a team as a code owner January 23, 2023 14:18
chris-rock
chris-rock reviewed Jan 23, 2023
View reviewed changes
resources/packs/gcp/gcp.lr Outdated
// Cloud audit logging configuration
auditConfigs []dict
// List of bindings associating lists of members, or principals, to roles
bindings []gcp.resourcemanager.binding
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you should consider renaming gcp.resourcemanager.binding. It feels like it should be under iam

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In their own definitions it's under resourcemanager and that's why I kept it. I could map it to iam for us, since I agree it makes more sense

@imilchev imilchev changed the title ✨ Return full GCP IAM policy instead of just bindings ✨ [DO NOT MERGE] Return full GCP IAM policy instead of just bindings Jan 23, 2023
@mm-weber mm-weber mentioned this pull request Jan 26, 2023
Open
@mm-weber
Copy link
Contributor

After this PR has been released quickly release those two PRs to avoid breaking queries:
-> https://github.com/mondoohq/cnspec-enterprise-policies/pull/33
-> mondoohq/cnspec-policies#111

@imilchev imilchev force-pushed the ivan/gcp-iam-policy branch from 86c1c30 to 54efc47 Compare January 27, 2023 16:28
chris-rock
chris-rock requested changes Feb 4, 2023
View reviewed changes
Copy link
Member

@chris-rock chris-rock left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the prototype and for exploring options. I do not think this is the right way forward. The current implementation has two main disadvantages:

  1. The resource definition is not inline with all the other services and iam policies should be under the iam service
  2. it breaks existing users, it would only be acceptable if it is the right move

Therefore this implementation breaks users and is not the right way moving forward. Instead I propose the following:

// GCP IAM Resources
private gcp.project.iamService {
  // Project ID
  projectId string
  // List of service accounts
  serviceAccounts() []gcp.project.iamService.serviceAccount
  // List of policies
  policy gcp.iam.policy
}

gcp.iam.policy {
  // Policy ID
  id string
  // Project ID
  projectId string
  // Policy name
  name string
  // Creation timestamp
  created time
  // Last update timestamp
  updated time
  // Policy version
  version int
}

Note that this is not the full lr file and just illustrates where things belong. We should also use the proper iam policy api call then:

import (
  	iamv2 "cloud.google.com/go/iam/apiv2"
	iamv2pb "google.golang.org/genproto/googleapis/iam/v2"
)

func (g *mqlGcpProjectIamService) GetPolicy() (interface{}, error) {
        ...
        policiesSvc, err := iamv2.NewPoliciesClient(ctx, option.WithCredentials(creds))
	if err != nil {
		return nil, err
	}
	defer policiesSvc.Close()

	policyObj := policiesSvc.GetPolicy(ctx, &iamv2pb.GetPolicyRequest{})

}

This way has a few advantage:

  • we call the right list policies call and get potentially multiple policies
  • users have full access to the policy object

The old gcp.project.iamPolicy should stay as is and should be deprecated with the new implementation so that it can be fully removed in v9.

@imilchev
Copy link
Member Author

imilchev commented Feb 6, 2023
edited
Loading

The confusing bit for me is the following. If we take as an example the GetIamPolicy for a KMS cryptokey (it is implemented here). The return type is apiv1/iampb.Policy.

The API we want to use for listing policies is iam/v2.Policy. They come from different packages and they seem completely different. One thing I know is that for the CIS GCP policy we require some checks on the AuditConfigs property of the IAM policy. That property is not even present in the second API. I am wondering if those are complementary to each other or they are supposed to replace each other....

Also one returns Bindings for service account to roles and the other one is returning Rules which seems to be a list of deny rules. Might be the case that v2 is incomplete

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chris-rock chris-rock chris-rock requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@imilchev @mm-weber @chris-rock