1907c38e22
* Added IAM denial policies * Moved default to empty, removed trys, added condition vars to expression * remove redundant null checks * reduce line length * boilerplate and principal context expansion * update readmes * add explicit validation against null values * add context tests * Add missing license headers to examples --------- Co-authored-by: Julio Castillo <jccb@google.com>
275 lines
6.3 KiB
HCL
275 lines
6.3 KiB
HCL
context = {
|
|
condition_vars = {
|
|
organization = {
|
|
id = 1234567890
|
|
}
|
|
}
|
|
custom_roles = {
|
|
myrole_one = "organizations/366118655033/roles/myRoleOne"
|
|
myrole_two = "organizations/366118655033/roles/myRoleTwo"
|
|
}
|
|
email_addresses = {
|
|
default = "foo@example.com"
|
|
}
|
|
folder_ids = {
|
|
"test/prod" = "folders/6789012345"
|
|
}
|
|
kms_keys = {
|
|
compute-prod-ew1 = "projects/kms-central-prj/locations/europe-west1/keyRings/my-keyring/cryptoKeys/ew1-compute"
|
|
}
|
|
iam_principals = {
|
|
mygroup = "group:test-group@example.com"
|
|
mysa = "serviceAccount:test@test-project.iam.gserviceaccount.com"
|
|
myuser = "user:test-user@example.com"
|
|
}
|
|
project_ids = {
|
|
vpc-host = "test-vpc-host"
|
|
}
|
|
tag_keys = {
|
|
test = "tagKeys/1234567890"
|
|
}
|
|
tag_values = {
|
|
"test/one" = "tagValues/1234567890"
|
|
}
|
|
tag_vars = {
|
|
projects = {
|
|
"test-00" = {
|
|
test = "foo-test-0/dynamic_test"
|
|
}
|
|
}
|
|
}
|
|
log_buckets = {
|
|
audit = "logging.googleapis.com/projects/my-project/locations/global/buckets/audit-bucket"
|
|
}
|
|
notification_channels = {
|
|
email = "projects/my-project/notificationChannels/12345"
|
|
}
|
|
vpc_sc_perimeters = {
|
|
default = "accessPolicies/888933661165/servicePerimeters/default"
|
|
}
|
|
pubsub_topics = {
|
|
test = "projects/test-prod-audit-logs-0/topics/audit-logs"
|
|
}
|
|
}
|
|
alerts = {
|
|
test-alert = {
|
|
combiner = "OR"
|
|
display_name = "Test Alert"
|
|
conditions = [{
|
|
display_name = "test-condition"
|
|
condition_threshold = {
|
|
comparison = "COMPARISON_GT"
|
|
duration = "60s"
|
|
filter = "resource.type=\"gce_instance\" AND metric.type=\"compute.googleapis.com/instance/cpu/utilization\""
|
|
}
|
|
}]
|
|
notification_channels = ["$notification_channels:email"]
|
|
}
|
|
}
|
|
logging_metrics = {
|
|
test-metric = {
|
|
filter = "resource.type=\"gce_instance\""
|
|
bucket_name = "$log_buckets:audit"
|
|
}
|
|
}
|
|
notification_channels = {
|
|
new-email = {
|
|
type = "email"
|
|
labels = {
|
|
email_address = "$email_addresses:default"
|
|
}
|
|
}
|
|
new-pubsub = {
|
|
type = "pubsub"
|
|
labels = {
|
|
topic = "$pubsub_topics:test"
|
|
}
|
|
}
|
|
}
|
|
asset_feeds = {
|
|
test = {
|
|
billing_project = "test-project"
|
|
feed_output_config = {
|
|
pubsub_destination = {
|
|
topic = "$pubsub_topics:test"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
contacts = {
|
|
"$email_addresses:default" = ["ALL"]
|
|
}
|
|
iam = {
|
|
"$custom_roles:myrole_one" = [
|
|
"$iam_principals:myuser"
|
|
]
|
|
"roles/viewer" = [
|
|
"$iam_principals:mysa",
|
|
]
|
|
}
|
|
iam_by_principals = {
|
|
"$iam_principals:mygroup" = [
|
|
"roles/owner",
|
|
"$custom_roles:myrole_one"
|
|
]
|
|
}
|
|
iam_bindings = {
|
|
myrole_two = {
|
|
role = "$custom_roles:myrole_two"
|
|
members = [
|
|
"$iam_principals:mysa"
|
|
]
|
|
condition = {
|
|
title = "Test"
|
|
expression = "resource.matchTag('$${organization.id}/environment', 'development')"
|
|
}
|
|
}
|
|
}
|
|
iam_bindings_additive = {
|
|
myrole_two = {
|
|
role = "$custom_roles:myrole_two"
|
|
member = "$iam_principals:myuser"
|
|
}
|
|
sa_test = {
|
|
role = "roles/browser"
|
|
member = "$service_agents:compute"
|
|
}
|
|
}
|
|
logging_data_access = {
|
|
allServices = {
|
|
ADMIN_READ = {
|
|
exempted_members = ["$iam_principals:mygroup"]
|
|
}
|
|
DATA_READ = {}
|
|
}
|
|
}
|
|
logging_sinks = {
|
|
test-pubsub = {
|
|
destination = "$pubsub_topics:test"
|
|
filter = "log_id('cloudaudit.googleapis.com/activity')"
|
|
type = "pubsub"
|
|
}
|
|
}
|
|
pam_entitlements = {
|
|
net-admins = {
|
|
max_request_duration = "3600s"
|
|
manual_approvals = {
|
|
require_approver_justification = true
|
|
steps = [{
|
|
approvers = ["$iam_principals:mygroup"]
|
|
}]
|
|
}
|
|
eligible_users = ["$iam_principals:mygroup"]
|
|
privileged_access = [
|
|
{ role = "roles/compute.networkAdmin" },
|
|
{ role = "roles/compute.admin" },
|
|
{ role = "$custom_roles:myrole_two" }
|
|
]
|
|
}
|
|
}
|
|
parent = "$folder_ids:test/prod"
|
|
services = [
|
|
"compute.googleapis.com"
|
|
]
|
|
service_encryption_key_ids = {
|
|
"compute.googleapis.com" = [
|
|
"$kms_keys:compute-prod-ew1"
|
|
]
|
|
}
|
|
shared_vpc_service_config = {
|
|
host_project = "$project_ids:vpc-host"
|
|
iam_bindings_additive = {
|
|
myrole_two = {
|
|
role = "$custom_roles:myrole_two"
|
|
member = "$iam_principals:myuser"
|
|
}
|
|
}
|
|
network_users = ["$iam_principals:mysa"]
|
|
service_agent_iam = {
|
|
"roles/compute.networkUser" = [
|
|
"$service_agents:cloudservices", "$service_agents:compute"
|
|
]
|
|
}
|
|
service_iam_grants = ["$service_agents:compute"]
|
|
}
|
|
iam_by_principals_conditional = {
|
|
"$iam_principals:myuser" = {
|
|
roles = [
|
|
"roles/storage.admin",
|
|
"$custom_roles:myrole_one",
|
|
"$custom_roles:myrole_two",
|
|
]
|
|
condition = {
|
|
title = "expires_after_2020_12_31"
|
|
description = "Expiring at midnight of 2020-12-31"
|
|
expression = "request.time < timestamp(\"2021-01-01T00:00:00Z\")"
|
|
}
|
|
}
|
|
}
|
|
tag_bindings = {
|
|
bar = "tagValues/1234567891"
|
|
baz = "$tag_values:test/one"
|
|
foo = "$${projects[\"test-00\"].test}/cc-123"
|
|
}
|
|
tags = {
|
|
test = {
|
|
id = "$tag_keys:test"
|
|
iam = {
|
|
"roles/tagAdmin" = ["$iam_principals:mygroup"]
|
|
}
|
|
iam_bindings = {
|
|
tag_user = {
|
|
role = "roles/tagUser"
|
|
members = ["$iam_principals:myuser"]
|
|
}
|
|
}
|
|
iam_bindings_additive = {
|
|
tag_viewer = {
|
|
role = "roles/tagViewer"
|
|
member = "$iam_principals:mysa"
|
|
}
|
|
}
|
|
values = {
|
|
one = {
|
|
id = "$tag_values:test/one"
|
|
iam = {
|
|
"roles/tagAdmin" = ["$iam_principals:mygroup"]
|
|
}
|
|
iam_bindings = {
|
|
tag_user = {
|
|
role = "roles/tagUser"
|
|
members = ["$iam_principals:myuser"]
|
|
}
|
|
}
|
|
iam_bindings_additive = {
|
|
tag_viewer = {
|
|
role = "roles/tagViewer"
|
|
member = "$iam_principals:mysa"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
vpc_sc = {
|
|
perimeter_name = "$vpc_sc_perimeters:default"
|
|
}
|
|
|
|
iam_deny_policies = {
|
|
test-policy = {
|
|
display_name = "Test Deny Policy"
|
|
rules = [
|
|
{
|
|
description = "Test Rule"
|
|
denied_principals = ["$iam_principals:myuser"]
|
|
denied_permissions = ["compute.googleapis.com/instances.create"]
|
|
exception_principals = ["$iam_principals:mygroup"]
|
|
denial_condition = {
|
|
title = "Test Condition"
|
|
expression = "resource.matchTag('$${organization.id}/environment', 'development')"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|