From b3c7699b8c1d40a98aab78599cc986ff243a42ea Mon Sep 17 00:00:00 2001 From: Zsolt Molnar Date: Mon, 1 Sep 2025 15:58:28 +0200 Subject: [PATCH] Enable ADMIN_READ audit log for sts.googleapis.com in automation (iac) project (#3290) * Enable ADMIN_READ audit log for sts.googleapis.com in the automation (iac) project for better workload identity debugging and auditing * Fix FAST tests * Test fix #2 * Test fix #3 * Final test fix --------- Co-authored-by: Julio Castillo --- fast/stages/0-bootstrap/automation.tf | 6 +++++- tests/fast/stages/s0_bootstrap/cicd.yaml | 10 ++++++++-- tests/fast/stages/s0_bootstrap/simple.yaml | 10 ++++++++-- 3 files changed, 21 insertions(+), 5 deletions(-) 
diff --git a/fast/stages/0-bootstrap/automation.tf b/fast/stages/0-bootstrap/automation.tf 
index 85abbdc1e..40bd4bfcc 100644 
--- a/fast/stages/0-bootstrap/automation.tf 
+++ b/fast/stages/0-bootstrap/automation.tf 
@@ -171,13 +171,17 @@ module "automation-project" {
 # https://cloud.google.com/iam/docs/audit-logging#audited_operations
 logging_data_access = {
 "iam.googleapis.com" = { 
- # ADMIN_READ captures impersonation and token generation/exchanges 
+ # ADMIN_READ captures impersonation and GenerateAccessToken API calls
 ADMIN_READ = {}
 # enable DATA_WRITE if you want to capture configuration changes
 # to IAM-related resources (roles, deny policies, service
 # accounts, identity pools, etc)
 # DATA_WRITE = {}
 } 
+ "sts.googleapis.com" = { 
+ # ADMIN_READ captures SecurityTokenService.ExchangeToken API calls 
+ ADMIN_READ = {} 
+ }
 }
 } 
diff --git a/tests/fast/stages/s0_bootstrap/cicd.yaml b/tests/fast/stages/s0_bootstrap/cicd.yaml 
index 0fd6b0dbf..44eda390b 100644 
--- a/tests/fast/stages/s0_bootstrap/cicd.yaml 
+++ b/tests/fast/stages/s0_bootstrap/cicd.yaml 
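Review bot: The rewritten comment on the iam.googleapis.com entry, `# ADMIN_READ captures impersonation and GenerateAccessToken API calls`, narrows what ADMIN_READ on that service records: as far as I recall the same setting also surfaces the other credential-minting methods (GenerateIdToken, SignBlob, SignJwt), so the previous "token generation/exchanges" wording was the more accurate summary. I would name the method only as an example, e.g. `# ADMIN_READ captures impersonation / token generation (GenerateAccessToken, GenerateIdToken, SignJwt, ...)`, and leave the "exchange" wording to the new sts.googleapis.com entry where it now belongs. That entry is the right place for federated credential exchanges, but ExchangeToken runs on every workload identity credential refresh, so its Data Access log volume scales with the number of federated workloads; a one-line comment saying so helps whoever sizes log sinks or exclusion filters for this project. The enclosing module "automation-project" block opens outside the hunk.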
@@ -173,6 +173,12 @@ values:
 log_type: ADMIN_READ
 project: fast-prod-iac-core-0
 service: iam.googleapis.com 
+ module.automation-project.google_project_iam_audit_config.default["sts.googleapis.com"]: 
+ audit_log_config: 
+ - exempted_members: [] 
+ log_type: ADMIN_READ 
+ project: fast-prod-iac-core-0 
+ service: sts.googleapis.com
 module.automation-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/storageViewer"]:
 condition: []
 members: 
@@ -2390,7 +2396,7 @@ counts:
 google_organization_iam_custom_role: 16
 google_organization_iam_member: 31
 google_project: 3 
- google_project_iam_audit_config: 1 
+ google_project_iam_audit_config: 2
 google_project_iam_binding: 19
 google_project_iam_member: 23
 google_project_service: 33 
@@ -2406,7 +2412,7 @@ counts:
 google_tags_tag_value: 2
 local_file: 13
 modules: 26 
- resources: 297 
+ resources: 298
 outputs:
 custom_roles: 
diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml 
index fcc02bb89..4ae05c234 100644 
--- a/tests/fast/stages/s0_bootstrap/simple.yaml 
+++ b/tests/fast/stages/s0_bootstrap/simple.yaml 
@@ -111,6 +111,12 @@ values:
 log_type: ADMIN_READ
 project: fast-prod-iac-core-0
 service: iam.googleapis.com 
+ module.automation-project.google_project_iam_audit_config.default["sts.googleapis.com"]: 
+ audit_log_config: 
+ - exempted_members: [] 
+ log_type: ADMIN_READ 
+ project: fast-prod-iac-core-0 
+ service: sts.googleapis.com
 module.automation-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/storageViewer"]:
 condition: []
 members: 
@@ -1587,7 +1593,7 @@ counts:
 google_organization_iam_custom_role: 16
 google_organization_iam_member: 31
 google_project: 3 
- google_project_iam_audit_config: 1 
+ google_project_iam_audit_config: 2
 google_project_iam_binding: 19
 google_project_iam_member: 17
 google_project_service: 33 
@@ -1603,7 +1609,7 @@ counts:
 google_tags_tag_value: 2
 local_file: 8
 modules: 20 
- resources: 260 
+ resources: 261
 outputs:
 cicd_repositories: {}