diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index fa0a0e116..bb5daa091 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -100,6 +100,22 @@ repos: pass_filenames: false files: ^fast entry: tools/check_names.py --prefix-length=10 --failed-only fast/stages + - id: check-yaml-schema + name: Check schema for YAML files + language: python + additional_dependencies: + - click + - deepdiff + - ghapi + - iso8601 + - marko + - requests + - yamale + - jsonschema + - BeautifulSoup4 + pass_filenames: false + files: ^(fast|modules) + entry: tools/check_yaml_schema.py modules fast - id: check-links name: Check links in markdown files language: python @@ -128,7 +144,11 @@ repos: hooks: - id: yamllint args: ["-c=.yamllint", "--no-warnings"] - exclude: (/templates/|modules/cloud-config-container/) + exclude: | + (?x)^( + /templates/.*| + modules/cloud-config-container/.*| + )$ - repo: https://github.com/jumanjihouse/pre-commit-hooks rev: "3.0.0" @@ -146,7 +166,11 @@ repos: - id: check-yaml args: - --allow-multiple-documents - exclude: (/templates/|modules/cloud-config-container/) + exclude: | + (?x)^( + /templates/.*| + modules/cloud-config-container/.*| + )$ - repo: https://github.com/google/yapf/ rev: v0.40.2 diff --git a/fast/stages/0-org-setup/datasets/classic/observability/iac-0/impersonation.yaml b/fast/stages/0-org-setup/datasets/classic/observability/iac-0/impersonation.yaml index a02f7ffad..e2524191e 100644 --- a/fast/stages/0-org-setup/datasets/classic/observability/iac-0/impersonation.yaml +++ b/fast/stages/0-org-setup/datasets/classic/observability/iac-0/impersonation.yaml 
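Review bot: The `additional_dependencies` list of the new `check-yaml-schema` hook is unpinned (`- click`, `- deepdiff`, `- yamale`, …), so every fresh pre-commit environment resolves the latest release of each package; the hook is not reproducible, and a broken or compromised upstream release would be pulled in silently by anyone running the hook. Pin each entry to the version tools/check_yaml_schema.py was written against, e.g. `- yamale==<PINNED_VERSION>` (placeholder), and do the same for `jsonschema` and `requests`. `BeautifulSoup4` resolves because pip normalises names, but the canonical PyPI name `beautifulsoup4` reads consistently with the rest of the lowercase list. The sibling `check-links` hook begins in this hunk's trailing context but its dependency list lies outside the hunk, so I could not check whether it follows the same convention.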
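Review bot: The rewritten `exclude` of the `yamllint` hook anchors the pattern with `^(` … `)$`, but pre-commit searches `exclude` (rather than full-matching it) against paths relative to the repository root, which never start with `/`, so `/templates/.*` can no longer match anything, whereas the old unanchored `(/templates/|modules/cloud-config-container/)` excluded any file under a `templates/` directory at any depth; templated YAML that is not valid YAML will now be linted. The `check-yaml` hook's `exclude` in the next hunk has the same regression. Changing the first alternative to `.*/templates/.*|` in both hooks restores the previous behaviour; the trailing empty alternative before `)$` is harmless under `(?x)` but can be dropped at the same time.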
@@ -14,50 +14,58 @@ # yaml-language-server: $schema=../../../../schemas/observability.schema.json -notification_channels: - email-security: - type: email - display_name: Security Team Email - labels: - email_address: $email_addresses:gcp-organization-admins - enabled: true +# On first apply, alerts may return an error: +# AlertPolicy: googleapi: Error 404: Cannot find metric(s) that match +# type = "logging.googleapis.com/user/sa-impersonation". If a metric was +# created recently, it could take up to 10 minutes to become available. Please +# try again soon. +# +# hence, this is commented out by default. -logging_metrics: - sa-impersonation: - filter: | - protoPayload.serviceName="iamcredentials.googleapis.com" - (protoPayload.methodName="GenerateAccessToken" OR protoPayload.methodName="GenerateIdToken") - label_extractors: - email_id: EXTRACT(resource.labels.email_id) - metric_descriptor: - metric_kind: DELTA - value_type: INT64 - unit: "1" - display_name: Service Account Impersonation - labels: - - key: email_id - value_type: STRING - -alerts: - sa-impersonation-alert: - display_name: Service Account Impersonation Alert - combiner: OR - conditions: - - display_name: Impersonation Detected - condition_threshold: - filter: | - metric.type="logging.googleapis.com/user/sa-impersonation" AND - resource.type="global" - comparison: COMPARISON_GT - threshold_value: 0 - duration: 60s - trigger: - count: 1 - aggregations: - - alignment_period: 60s - per_series_aligner: ALIGN_COUNT - cross_series_reducer: REDUCE_SUM - group_by_fields: ["metric.label.email_id"] - notification_channels: - - email-security - enabled: true +notification_channels: {} +# email-security: +# type: email +# display_name: Security Team Email +# labels: +# email_address: $email_addresses:gcp-organization-admins +# enabled: true +# +logging_metrics: {} +# sa-impersonation: +# filter: | +# protoPayload.serviceName="iamcredentials.googleapis.com" +# (protoPayload.methodName="GenerateAccessToken" OR 
protoPayload.methodName="GenerateIdToken") +# label_extractors: +# email_id: EXTRACT(resource.labels.email_id) +# metric_descriptor: +# metric_kind: DELTA +# value_type: INT64 +# unit: "1" +# display_name: Service Account Impersonation +# labels: +# - key: email_id +# value_type: STRING +# +alerts: {} +# sa-impersonation-alert: +# display_name: Service Account Impersonation Alert +# combiner: OR +# conditions: +# - display_name: Impersonation Detected +# condition_threshold: +# filter: | +# metric.type="logging.googleapis.com/user/sa-impersonation" AND +# resource.type="global" +# comparison: COMPARISON_GT +# threshold_value: 0 +# duration: 60s +# trigger: +# count: 1 +# aggregations: +# - alignment_period: 60s +# per_series_aligner: ALIGN_COUNT +# cross_series_reducer: REDUCE_SUM +# group_by_fields: ["metric.label.email_id"] +# notification_channels: +# - email-security +# enabled: true diff --git a/tests/fast/stages/s0_org_setup/hardened.yaml b/tests/fast/stages/s0_org_setup/hardened.yaml index 5d32078f3..d0c17c32f 100644 --- a/tests/fast/stages/s0_org_setup/hardened.yaml +++ b/tests/fast/stages/s0_org_setup/hardened.yaml @@ -271,7 +271,7 @@ values: name: versions/0-org-setup-version.txt retention: [] source: fast_version.txt - source_md5hash: a564c0ab78f4b481f7886f9871376d2c + source_md5hash: bd0ef4e3857492f0215774bdcb2f3dc7 temporary_hold: null timeouts: null google_storage_bucket_object.workflows["org-setup"]: diff --git a/tests/fast/stages/s0_org_setup/simple.yaml b/tests/fast/stages/s0_org_setup/simple.yaml index 16395beb7..90ab4b2ea 100644 --- a/tests/fast/stages/s0_org_setup/simple.yaml +++ b/tests/fast/stages/s0_org_setup/simple.yaml @@ -13,6 +13,7 @@ # limitations under the License. # yamllint disable rule:line-length + values: google_storage_bucket_object.providers["0-org-setup"]: bucket: ft0-prod-iac-core-0-iac-outputs 
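Review bot: Commenting out the entire file switches off the service-account impersonation detection (metric, alert and notification channel) by default, although the error quoted in the new header concerns only the `AlertPolicy` creation, which cannot find a metric that was just created. Keep `notification_channels` and `logging_metrics` active so the metric exists and accumulates data from the first apply, and comment out only `alerts`, with a note such as `# alert disabled until the sa-impersonation metric is visible; enable on a second apply`. If the module can express an ordering between the alert policy and the logging metric, that would be preferable to shipping the control disabled; the module is not visible from this hunk. As a consequence of this change the fixture tests/fast/stages/s0_org_setup/simple.yaml drops the three expected resources, so no test exercises the commented-out configuration any more.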
@@ -44,6 +45,7 @@ values: name: providers/0-org-setup-providers.tf retention: [] source: null + source_md5hash: 2a0bbb00e4b7f1454a50ac7f26c23c05 temporary_hold: null timeouts: null google_storage_bucket_object.providers["0-org-setup-ro"]: @@ -76,6 +78,7 @@ values: name: providers/0-org-setup-ro-providers.tf retention: [] source: null + source_md5hash: 2a0bbb00e4b7f1454a50ac7f26c23c05 temporary_hold: null timeouts: null google_storage_bucket_object.providers["1-vpcsc"]: @@ -109,6 +112,7 @@ values: name: providers/1-vpcsc-providers.tf retention: [] source: null + source_md5hash: d2df90abc46524d941227a1dec12dd86 temporary_hold: null timeouts: null google_storage_bucket_object.providers["2-networking"]: @@ -142,6 +146,7 @@ values: name: providers/2-networking-providers.tf retention: [] source: null + source_md5hash: a724885c3dcc9850116aca1ef4d4fc5a temporary_hold: null timeouts: null google_storage_bucket_object.providers["2-project-factory"]: @@ -175,6 +180,7 @@ values: name: providers/2-project-factory-providers.tf retention: [] source: null + source_md5hash: 165844578c46bc04c4581139c8b8b8d4 temporary_hold: null timeouts: null google_storage_bucket_object.providers["2-security"]: @@ -208,6 +214,7 @@ values: name: providers/2-security-providers.tf retention: [] source: null + source_md5hash: 5969d3e40a61a42d849a81417a6a84eb temporary_hold: null timeouts: null google_storage_bucket_object.tfvars["globals"]: @@ -227,6 +234,7 @@ values: name: tfvars/0-globals.auto.tfvars.json retention: [] source: null + source_md5hash: cdbf79d3eff8bced040e5deccf39d765 temporary_hold: null timeouts: null google_storage_bucket_object.tfvars["org-setup"]: @@ -263,6 +271,7 @@ values: name: versions/0-org-setup-version.txt retention: [] source: fast_version.txt + source_md5hash: bd0ef4e3857492f0215774bdcb2f3dc7 temporary_hold: null timeouts: null google_storage_bucket_object.workflows["org-setup"]: 
@@ -376,6 +385,7 @@ values: name: workflows/org-setup.yaml retention: [] source: null + source_md5hash: e5dc153b195e936b1c81bc33db1935c7 temporary_hold: null timeouts: null local_file.providers["0-org-setup"]: 
@@ -1259,82 +1269,6 @@ values: module.factory.module.projects["iac-0"].data.google_storage_project_service_account.gcs_sa[0]: project: ft0-prod-iac-core-0 user_project: null - module.factory.module.projects["iac-0"].google_logging_metric.metrics["sa-impersonation"]: - bucket_name: null - bucket_options: [] - description: null - disabled: null - filter: 'protoPayload.serviceName="iamcredentials.googleapis.com" - - (protoPayload.methodName="GenerateAccessToken" OR protoPayload.methodName="GenerateIdToken") - - ' - label_extractors: - email_id: EXTRACT(resource.labels.email_id) - metric_descriptor: - - display_name: Service Account Impersonation - labels: - - description: '' - key: email_id - value_type: STRING - metric_kind: DELTA - unit: '1' - value_type: INT64 - name: sa-impersonation - project: ft0-prod-iac-core-0 - timeouts: null - value_extractor: null - module.factory.module.projects["iac-0"].google_monitoring_alert_policy.alerts["sa-impersonation-alert"]: - alert_strategy: [] - combiner: OR - conditions: - - condition_absent: [] - condition_matched_log: [] - condition_monitoring_query_language: [] - condition_prometheus_query_language: [] - condition_sql: [] - condition_threshold: - - aggregations: - - alignment_period: 60s - cross_series_reducer: REDUCE_SUM - group_by_fields: - - metric.label.email_id - per_series_aligner: ALIGN_COUNT - comparison: COMPARISON_GT - denominator_aggregations: [] - denominator_filter: null - duration: 60s - evaluation_missing_data: null - filter: 'metric.type="logging.googleapis.com/user/sa-impersonation" AND - - resource.type="global" - - ' - forecast_options: [] - threshold_value: 0 - trigger: - - count: 1 - percent: null - display_name: Impersonation Detected - display_name: Service Account Impersonation Alert - documentation: [] - enabled: true - project: ft0-prod-iac-core-0 - severity: null - timeouts: null - user_labels: null - 
module.factory.module.projects["iac-0"].google_monitoring_notification_channel.channels["email-security"]: - description: null - display_name: Security Team Email - enabled: true - force_delete: false - labels: - email_address: $email_addresses:gcp-organization-admins - project: ft0-prod-iac-core-0 - sensitive_labels: [] - timeouts: null - type: email - user_labels: null module.factory.module.projects["iac-0"].google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]: dry_run_spec: [] name: projects/ft0-prod-iac-core-0/policies/iam.workloadIdentityPoolProviders @@ -3007,6 +2941,7 @@ values: input: null output: null triggers_replace: null + counts: google_bigquery_dataset: 1 google_bigquery_default_service_account: 2 @@ -3014,13 +2949,10 @@ counts: google_essential_contacts_contact: 1 google_folder: 10 google_folder_iam_binding: 44 - google_logging_metric: 1 google_logging_organization_settings: 1 google_logging_organization_sink: 3 google_logging_project_bucket_config: 3 google_logging_project_settings: 2 - google_monitoring_alert_policy: 1 - google_monitoring_notification_channel: 1 google_org_policy_custom_constraint: 1 google_org_policy_policy: 37 google_organization_iam_audit_config: 1 @@ -3047,5 +2979,18 @@ counts: google_tags_tag_value_iam_binding: 4 local_file: 9 modules: 50 - resources: 328 + resources: 325 terraform_data: 4 + +outputs: + iam_principals: + domain: domain:example.org + gcp-billing-admins: group:gcp-billing-admins@example.org + gcp-devops: group:gcp-devops@example.org + gcp-network-admins: group:gcp-network-admins@example.org + gcp-organization-admins: group:fabric-fast-owners@google.com + gcp-secops-admins: group:gcp-secops-admins@example.org + gcp-security-admins: group:gcp-security-admins@example.org + gcp-support: group:gcp-support@example.org + projects: __missing__ + tfvars: __missing__