diff --git a/src/coverage/google.md b/src/coverage/google.md index 8e00b2a9..39952924 100755 --- a/src/coverage/google.md +++ b/src/coverage/google.md @@ -1,6 +1,6 @@ # todo google -Resource percentage coverage 7.79 +Resource percentage coverage 7.77 Datasource percentage coverage 30.42 ./resource.ps1 google_access_context_manager_access_level @@ -21,6 +21,7 @@ Datasource percentage coverage 30.42 ./resource.ps1 google_alloydb_backup ./resource.ps1 google_alloydb_cluster ./resource.ps1 google_alloydb_instance +./resource.ps1 google_alloydb_user ./resource.ps1 google_api_gateway_api ./resource.ps1 google_api_gateway_api_config ./resource.ps1 google_api_gateway_api_config_iam_binding @@ -319,6 +320,7 @@ Datasource percentage coverage 30.42 ./resource.ps1 google_data_loss_prevention_stored_info_type ./resource.ps1 google_data_pipeline_pipeline ./resource.ps1 google_database_migration_service_connection_profile +./resource.ps1 google_database_migration_service_private_connection ./resource.ps1 google_dataflow_flex_template_job ./resource.ps1 google_dataflow_job ./resource.ps1 google_dataform_repository @@ -626,16 +628,12 @@ Datasource percentage coverage 30.42 ./resource.ps1 google_project_iam_audit_config ./resource.ps1 google_project_iam_policy ./resource.ps1 google_project_organization_policy -./resource.ps1 google_project_service_identity ./resource.ps1 google_project_services ./resource.ps1 google_project_usage_export_bucket ./resource.ps1 google_public_ca_external_account_key ./resource.ps1 google_pubsub_subscription_iam_binding ./resource.ps1 google_pubsub_subscription_iam_member ./resource.ps1 google_pubsub_subscription_iam_policy -./resource.ps1 google_pubsub_topic_iam_binding -./resource.ps1 google_pubsub_topic_iam_member -./resource.ps1 google_pubsub_topic_iam_policy ./resource.ps1 google_recaptcha_enterprise_key ./resource.ps1 google_redis_cluster ./resource.ps1 google_redis_instance 
@@ -654,11 +652,6 @@ Datasource percentage coverage 30.42
 ./resource.ps1 google_scc_source_iam_binding
 ./resource.ps1 google_scc_source_iam_member
 ./resource.ps1 google_scc_source_iam_policy
-./resource.ps1 google_secret_manager_secret
-./resource.ps1 google_secret_manager_secret_iam_binding
-./resource.ps1 google_secret_manager_secret_iam_member
-./resource.ps1 google_secret_manager_secret_iam_policy
-./resource.ps1 google_secret_manager_secret_version
 ./resource.ps1 google_security_scanner_scan_config
 ./resource.ps1 google_service_directory_endpoint
 ./resource.ps1 google_service_directory_namespace
diff --git a/src/files_gcp.go b/src/files_gcp.go
index 8f2cbdee..63d0f90f 100644
--- a/src/files_gcp.go
+++ b/src/files_gcp.go
@@ -165,3 +165,15 @@ var googlePubsubSchema []byte
 
 //go:embed mapping/google/resource/pubsub/google_pubsub_subscription.json
 var googlePubsubSubscription []byte
+
+//go:embed mapping/google/resource/pubsub/google_pubsub_topic_iam_binding.json
+var googlePubsubTopicIam []byte
+
+//go:embed mapping/google/resource/secretmanager/google_secret_manager_secret.json
+var googleSecretManagerSecret []byte
+
+//go:embed mapping/google/resource/secretmanager/google_secret_manager_secret_iam_binding.json
+var googleSecretManagerSecretIam []byte
+
+//go:embed mapping/google/resource/secretmanager/google_secret_manager_secret_version.json
+var googleSecretManagerSecretVersion []byte
diff --git a/src/gcp.go b/src/gcp.go
index 40939c78..f780825b 100644
--- a/src/gcp.go
+++ b/src/gcp.go
@@ -54,6 +54,13 @@ func GCPLookup(result string) interface{} {
  "google_bigquery_job": googleBigqueryJob,
  "google_bigquery_table": placeholder,
  "google_bigtable_instance": googleBigtableInstance,
+ "google_bigtable_instance_iam_binding": googleBigTableInstanceIam,
+ "google_bigtable_instance_iam_member": googleBigTableInstanceIam,
+ "google_bigtable_instance_iam_policy": googleBigTableInstanceIam,
+ "google_bigtable_table": googleBigtableTable,
+ "google_bigtable_table_iam_binding": googleBigTableTableIam,
+ "google_bigtable_table_iam_member": googleBigTableTableIam,
+ "google_bigtable_table_iam_policy": googleBigTableTableIam,
  "google_cloudfunctions_function": googleCloudfunctionsFunction,
  "google_cloudfunctions_function_iam_member": googleCloudfunctionsFunctionIamPolicy,
  "google_cloudfunctions_function_iam_policy": googleCloudfunctionsFunctionIamPolicy,
@@ -80,10 +87,22 @@ func GCPLookup(result string) interface{} {
  "google_project_iam_binding": googleProjectIamBinding,
  "google_project_iam_custom_role": googleProjectIamCustomRole,
  "google_project_iam_member": googleProjectIamBinding,
+ "google_project_service": googleProjectService,
+ "google_project_service_identity": placeholder,
  "google_pubsub_lite_reservation": googlePubsubLiteReservation,
  "google_pubsub_lite_subscription": googlePubsubLiteSubscription,
  "google_pubsub_lite_topic": googlePubsubLiteTopic,
+ "google_pubsub_schema": googlePubsubSchema,
+ "google_pubsub_subscription": googlePubsubSubscription,
  "google_pubsub_topic": googlePubsubTopic,
+ "google_pubsub_topic_iam_binding": googlePubsubTopicIam,
+ "google_pubsub_topic_iam_member": googlePubsubTopicIam,
+ "google_pubsub_topic_iam_policy": googlePubsubTopicIam,
+ "google_secret_manager_secret": googleSecretManagerSecret,
+ "google_secret_manager_secret_iam_binding": googleSecretManagerSecretIam,
+ "google_secret_manager_secret_iam_member": googleSecretManagerSecretIam,
+ "google_secret_manager_secret_iam_policy": googleSecretManagerSecretIam,
+ "google_secret_manager_secret_version": googleSecretManagerSecretVersion,
  "google_service_account": googleServiceAccount,
  "google_service_account_iam_binding": googleServiceAccountIamBinding,
  "google_service_account_iam_member": googleServiceAccountIamMember,
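Review bot: `"google_project_service_identity": placeholder` makes the lookup return the empty placeholder mapping for that resource, while the same commit removes `google_project_service_identity` from the todo list in `src/coverage/google.md` and adds a fixture for it; the resource is therefore reported as covered but yields no permissions, which for a least-privilege generator is worse than an honest gap, since a user applying the generated role will only discover the missing permission when `terraform apply` fails. Either keep it on the todo list until a real mapping exists, or ship the mapping now — the provider creates the identity through the Service Usage API, so the permission presumably lives under `serviceusage.services.*` and should be confirmed against the IAM permission reference rather than guessed. If `placeholder` is intentional, mark it so the intent survives, e.g. `"google_project_service_identity": placeholder, // TODO: no IAM mapping yet; resource still counts as uncovered`. The enclosing `GCPLookup` map literal starts and ends outside this hunk.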
@@ -98,16 +117,6 @@ func GCPLookup(result string) interface{} {
  "google_storage_bucket_acl": googleStorageBucketACL,
  "google_storage_bucket_iam_binding": googleStorageBucketIamBinding,
  "google_storage_bucket_object": googleStorageBucketObject,
- "google_bigtable_table": googleBigtableTable,
- "google_bigtable_instance_iam_policy": googleBigTableInstanceIam,
- "google_bigtable_instance_iam_member": googleBigTableInstanceIam,
- "google_bigtable_instance_iam_binding": googleBigTableInstanceIam,
- "google_bigtable_table_iam_binding": googleBigTableTableIam,
- "google_bigtable_table_iam_member": googleBigTableTableIam,
- "google_bigtable_table_iam_policy": googleBigTableTableIam,
- "google_pubsub_schema": googlePubsubSchema,
- "google_pubsub_subscription": googlePubsubSubscription,
- "google_project_service": googleProjectService,
  }
 
  return TFLookup[result]
diff --git a/src/mapping/google/resource/pubsub/google_pubsub_topic_iam_binding.json b/src/mapping/google/resource/pubsub/google_pubsub_topic_iam_binding.json
new file mode 100644
index 00000000..8479e291
--- /dev/null
+++ b/src/mapping/google/resource/pubsub/google_pubsub_topic_iam_binding.json
@@ -0,0 +1,14 @@
+[
+ {
+ "apply": [
+ "pubsub.topics.getIamPolicy",
+ "pubsub.topics.setIamPolicy"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/google/resource/secretmanager/google_secret_manager_secret.json b/src/mapping/google/resource/secretmanager/google_secret_manager_secret.json
new file mode 100644
index 00000000..478b9d78
--- /dev/null
+++ b/src/mapping/google/resource/secretmanager/google_secret_manager_secret.json
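Review bot: The `destroy`, `modify` and `plan` lists in the new `google_pubsub_topic_iam_binding.json` are empty, yet refreshing a binding still has to read the topic policy and removing or changing it still has to write it, so any consumer of those lists would compute no permissions for this resource; the sibling `google_secret_manager_secret.json` in this commit does fill them in, so the two files disagree on the contract. Suggest `"destroy": ["pubsub.topics.getIamPolicy", "pubsub.topics.setIamPolicy"]`, the same two for `"modify"`, and `"plan": ["pubsub.topics.getIamPolicy"]`. The same mapping is reused for `_iam_member` and `_iam_policy` via `gcp.go`, so the gap applies to all three resource types.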
@@ -0,0 +1,22 @@
+[
+ {
+ "apply": [
+ "secretmanager.secrets.create",
+ "secretmanager.secrets.get",
+ "secretmanager.secrets.update",
+ "secretmanager.secrets.delete"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [
+ "secretmanager.secrets.delete"
+ ],
+ "modify": [
+ "secretmanager.secrets.update"
+ ],
+ "plan": [
+ "secretmanager.secrets.get"
+ ]
+ }
+]
diff --git a/src/mapping/google/resource/secretmanager/google_secret_manager_secret_iam_binding.json b/src/mapping/google/resource/secretmanager/google_secret_manager_secret_iam_binding.json
new file mode 100644
index 00000000..aa7d0851
--- /dev/null
+++ b/src/mapping/google/resource/secretmanager/google_secret_manager_secret_iam_binding.json
@@ -0,0 +1,14 @@
+[
+ {
+ "apply": [
+ "secretmanager.secrets.getIamPolicy",
+ "secretmanager.secrets.setIamPolicy"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/google/resource/secretmanager/google_secret_manager_secret_version.json b/src/mapping/google/resource/secretmanager/google_secret_manager_secret_version.json
new file mode 100644
index 00000000..0dd6a67b
--- /dev/null
+++ b/src/mapping/google/resource/secretmanager/google_secret_manager_secret_version.json
@@ -0,0 +1,21 @@
+[
+ {
+ "apply": [
+ "secretmanager.versions.add",
+ "secretmanager.versions.enable",
+ "secretmanager.versions.get",
+ "secretmanager.versions.access",
+ "secretmanager.versions.destroy"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [
+ "secretmanager.versions.destroy"
+ ],
+ "modify": [],
+ "plan": [
+ "secretmanager.versions.get"
+ ]
+ }
+]
diff --git a/terraform/google/backup/google_artifact_registry_repository_iam_binding.tf b/terraform/google/backup/google_artifact_registry_repository_iam_binding.tf
index 3c9c6081..2c26603b 100644
--- a/terraform/google/backup/google_artifact_registry_repository_iam_binding.tf
+++ b/terraform/google/backup/google_artifact_registry_repository_iam_binding.tf
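Review bot: `google_secret_manager_secret_iam_binding.json` leaves `destroy`, `modify` and `plan` empty while `google_secret_manager_secret.json` next to it populates all three, so the per-phase lists are inconsistent within this one commit and a consumer of them gets no permissions for tearing down or refreshing a secret binding. Reading the policy on plan and writing it on modify/destroy is what the resource does, so `"destroy": ["secretmanager.secrets.getIamPolicy", "secretmanager.secrets.setIamPolicy"]`, the same pair for `"modify"`, and `"plan": ["secretmanager.secrets.getIamPolicy"]` would match the sibling file. This mapping also backs `_iam_member` and `_iam_policy` through `gcp.go`.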
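Review bot: `apply` in `google_secret_manager_secret_version.json` includes `secretmanager.versions.access`, the permission that returns the secret payload, but `plan` lists only `secretmanager.versions.get`; if the provider fetches `secret_data` during refresh (it appears to, but confirm against the provider's read path) then plan is under-provisioned, and if it does not, then `access` is the most sensitive grant in the whole commit and does not belong in `apply` either — the two lists should be made to agree once that is settled. Separately, `versions.enable` is present but `versions.disable` is not and `modify` is empty, so flipping the version's `enabled` attribute would be unreported; add `secretmanager.versions.disable` to `apply` and both `enable`/`disable` to `modify`.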
@@ -5,6 +5,6 @@ resource "google_artifact_registry_repository_iam_binding" "pike" {
  role = "roles/artifactregistry.reader"
  members = [
  "user:james.woolfenden@gmail.com",
- "user:crwoolfenden@gmail.com"
+ "user:anonymous@gmail.com"
  ]
 }
diff --git a/terraform/google/backup/google_artifact_registry_repository_iam_member.tf b/terraform/google/backup/google_artifact_registry_repository_iam_member.tf
index 11ad558d..2912e722 100644
--- a/terraform/google/backup/google_artifact_registry_repository_iam_member.tf
+++ b/terraform/google/backup/google_artifact_registry_repository_iam_member.tf
@@ -3,5 +3,5 @@ resource "google_artifact_registry_repository_iam_member" "pike" {
  location = google_artifact_registry_repository.pike.location
  repository = google_artifact_registry_repository.pike.name
  role = "roles/artifactregistry.reader"
- member = "user:crwoolfenden@gmail.com"
+ member = "user:anonymous@gmail.com"
 }
diff --git a/terraform/google/backup/google_artifact_registry_repository_iam_policy.tf b/terraform/google/backup/google_artifact_registry_repository_iam_policy.tf
index d80f39e6..2c3f4040 100644
--- a/terraform/google/backup/google_artifact_registry_repository_iam_policy.tf
+++ b/terraform/google/backup/google_artifact_registry_repository_iam_policy.tf
@@ -3,7 +3,7 @@ data "google_iam_policy" "admin" {
  role = "roles/artifactregistry.reader"
  members = [
  "user:james.woolfenden@gmail.com",
- "user:crwoolfenden@gmail.com",
+ "user:anonymous@gmail.com",
  ]
  }
 }
diff --git a/terraform/google/backup/google_bigtable_table_iam_binding.tf b/terraform/google/backup/google_bigtable_table_iam_binding.tf
index 18396e0a..ed1c74ae 100644
--- a/terraform/google/backup/google_bigtable_table_iam_binding.tf
+++ b/terraform/google/backup/google_bigtable_table_iam_binding.tf
@@ -3,7 +3,7 @@ data "google_iam_policy" "admin" {
  binding {
  role = "roles/bigtable.user"
  members = [
- "user:crwoolfenden@gmail.com",
+ "user:anonymous@gmail.com",
  ]
  }
 }
diff --git a/terraform/google/backup/google_project_service_identity.tf b/terraform/google/backup/google_project_service_identity.tf
new file mode 100644
index 00000000..5a85519a
--- /dev/null
+++ b/terraform/google/backup/google_project_service_identity.tf
@@ -0,0 +1,12 @@
+data "google_project" "project" {}
+
+resource "google_project_service_identity" "hc_sa" {
+ provider = google-beta
+
+ project = data.google_project.project.project_id
+ service = "healthcare.googleapis.com"
+}
+
+output "identity" {
+ value = google_project_service_identity.hc_sa
+}
diff --git a/terraform/google/backup/google_pubsub_topic_iam_binding.tf b/terraform/google/backup/google_pubsub_topic_iam_binding.tf
new file mode 100644
index 00000000..da9a6734
--- /dev/null
+++ b/terraform/google/backup/google_pubsub_topic_iam_binding.tf
@@ -0,0 +1 @@
+resource "google_pubsub_topic_iam_binding" "pike" {}
diff --git a/terraform/google/backup/google_pubsub_topic_iam_member.tf b/terraform/google/backup/google_pubsub_topic_iam_member.tf
new file mode 100644
index 00000000..808c75a8
--- /dev/null
+++ b/terraform/google/backup/google_pubsub_topic_iam_member.tf
@@ -0,0 +1,5 @@
+resource "google_pubsub_topic_iam_member" "pike" {
+ topic = "projects/pike-gcp/topics/pike"
+ member = "user:anonymous@gmail.com"
+ role = "roles/viewer"
+}
diff --git a/terraform/google/backup/google_pubsub_topic_iam_policy.tf b/terraform/google/backup/google_pubsub_topic_iam_policy.tf
new file mode 100644
index 00000000..9378a7b5
--- /dev/null
+++ b/terraform/google/backup/google_pubsub_topic_iam_policy.tf
@@ -0,0 +1 @@
+resource "google_pubsub_topic_iam_policy" "pike" {}
diff --git a/terraform/google/backup/google_secret_manager_secret.tf b/terraform/google/backup/google_secret_manager_secret.tf
new file mode 100644
index 00000000..3b972b38
--- /dev/null
+++ b/terraform/google/backup/google_secret_manager_secret.tf
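Review bot: `role = "roles/viewer"` in `google_pubsub_topic_iam_member.tf` grants a basic role on the topic, whereas every other IAM fixture in this directory uses a predefined, service-scoped role (`roles/artifactregistry.reader`, `roles/bigtable.user`, `roles/secretmanager.secretAccessor`); since these files are the templates users copy, the least-privilege equivalent `role = "roles/pubsub.viewer"` is the better example. The topic is also a hard-coded path, `topic = "projects/pike-gcp/topics/pike"`, while the sibling fixtures reference the resource they bind to (`google_secret_manager_secret.pike.id`); if a `google_pubsub_topic` fixture exists, referencing its `id` keeps the example self-contained and project-agnostic. The two one-line files `google_pubsub_topic_iam_binding.tf` and `google_pubsub_topic_iam_policy.tf` are empty resource blocks that will not pass `terraform validate` (required `topic`/`role` arguments are absent); if they are intentional stubs, a `# TODO` comment inside the block would say so.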
@@ -0,0 +1,11 @@
+resource "google_secret_manager_secret" "pike" {
+ secret_id = "secret-version"
+
+ labels = {
+ label = "my-label"
+ }
+
+ replication {
+ auto {}
+ }
+}
diff --git a/terraform/google/backup/google_secret_manager_secret_iam_binding.tf b/terraform/google/backup/google_secret_manager_secret_iam_binding.tf
new file mode 100644
index 00000000..c2ac0cc6
--- /dev/null
+++ b/terraform/google/backup/google_secret_manager_secret_iam_binding.tf
@@ -0,0 +1 @@
+resource "google_secret_manager_secret_iam_binding" "pike" {}
diff --git a/terraform/google/backup/google_secret_manager_secret_iam_member.tf b/terraform/google/backup/google_secret_manager_secret_iam_member.tf
new file mode 100644
index 00000000..b6989c17
--- /dev/null
+++ b/terraform/google/backup/google_secret_manager_secret_iam_member.tf
@@ -0,0 +1,5 @@
+resource "google_secret_manager_secret_iam_member" "pike" {
+ member = "user:anonymous@gmail.com"
+ secret_id = google_secret_manager_secret.pike.id
+ role = "roles/secretmanager.secretAccessor"
+}
diff --git a/terraform/google/backup/google_secret_manager_secret_iam_policy.tf b/terraform/google/backup/google_secret_manager_secret_iam_policy.tf
new file mode 100644
index 00000000..5b518e20
--- /dev/null
+++ b/terraform/google/backup/google_secret_manager_secret_iam_policy.tf
@@ -0,0 +1 @@
+resource "google_secret_manager_secret_iam_policy" "pike" {}
diff --git a/terraform/google/backup/google_secret_manager_secret_version.tf b/terraform/google/backup/google_secret_manager_secret_version.tf
new file mode 100644
index 00000000..123bc5c1
--- /dev/null
+++ b/terraform/google/backup/google_secret_manager_secret_version.tf
@@ -0,0 +1,4 @@
+resource "google_secret_manager_secret_version" "pike" {
+ secret_data = "mysecret"
+ secret = google_secret_manager_secret.pike.id
+}
diff --git a/terraform/google/backup/google_service_account_iam_binding.tf b/terraform/google/backup/google_service_account_iam_binding.tf
index b9370247..11de1293 100644
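Review bot: `secret_data = "mysecret"` in `google_secret_manager_secret_version.tf` places the payload in source and, through the provider, in the Terraform state file; the value here is a dummy, but this fixture is the template a user will copy, so it should not model the pattern without a warning. Add `# fixture value only — secret_data is persisted in plaintext in state; supply real payloads via a variable marked sensitive = true` above the attribute, or take it from `var.secret_data` declared `sensitive = true` so the example demonstrates the safer shape.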
--- a/terraform/google/backup/google_service_account_iam_binding.tf +++ b/terraform/google/backup/google_service_account_iam_binding.tf @@ -8,6 +8,6 @@ resource "google_service_account_iam_binding" "admin-account-iam" { role = "roles/iam.serviceAccountUser" members = [ - "user:crwoolfenden@gmail.com", + "user:anonymous@gmail.com", ] } diff --git a/terraform/google/backup/google_service_account_iam_member.tf b/terraform/google/backup/google_service_account_iam_member.tf index be8a67d0..57b769f3 100644 --- a/terraform/google/backup/google_service_account_iam_member.tf +++ b/terraform/google/backup/google_service_account_iam_member.tf @@ -6,5 +6,5 @@ resource "google_service_account" "sa" { resource "google_service_account_iam_member" "pike" { service_account_id = google_service_account.sa.name role = "roles/iam.serviceAccountUser" - member = "user:crwoolfenden@gmail.com" + member = "user:anonymous@gmail.com" } diff --git a/terraform/google/role/google_project_iam_custom_role.tf b/terraform/google/role/google_project_iam_custom_role.tf index 5c85398a..ecc57c05 100644 --- a/terraform/google/role/google_project_iam_custom_role.tf +++ b/terraform/google/role/google_project_iam_custom_role.tf 
@@ -4,20 +4,27 @@ resource "google_project_iam_custom_role" "pike" { title = "pike terraform user" description = "A user with least privileges" permissions = [ - - //google_project_service - "serviceusage.services.get", - "serviceusage.services.list", - "serviceusage.services.enable", - "serviceusage.services.disable", - "resourcemanager.projects.get", - # "iam.serviceAccounts.list", - # "iam.serviceAccounts.setIamPolicy", - # "iam.serviceAccounts.getIamPolicy", - # "iam.serviceAccounts.undelete" + //google_pubsub_topic_iam_member + "pubsub.topics.getIamPolicy", + "pubsub.topics.setIamPolicy", + + //google_secret_manager_secret + "secretmanager.secrets.create", + "secretmanager.secrets.get", + "secretmanager.secrets.update", + "secretmanager.secrets.delete", + //google_secret_manager_secret_iam_member + "secretmanager.secrets.getIamPolicy", + "secretmanager.secrets.setIamPolicy", + //google_secret_manager_secret_version + "secretmanager.versions.add", + "secretmanager.versions.enable", + "secretmanager.versions.get", + "secretmanager.versions.access", + "secretmanager.versions.destroy" ] }
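Review bot: `secretmanager.versions.access` is the one permission in this list that returns secret payloads, and because the role is bound at project scope it lets the Terraform identity read every secret version in the project, not just the fixture; it deserves an inline justification next to it, e.g. `"secretmanager.versions.access", // reads payloads; only needed if the provider refreshes secret_data — confirm`, so the next editor knows whether it can be dropped. `secretmanager.versions.enable` is present but `secretmanager.versions.disable` is not, so setting `enabled = false` on a version would presumably be denied under this "least privileges" role; add the `disable` permission alongside `enable`. The removal of `resourcemanager.projects.get` and the `serviceusage.services.*` set is fine for the secret/pubsub fixtures, but `gcp.go` still maps `google_project_service` to a real mapping, so note in the comment which resources this role is currently sized for. The `google_project_iam_custom_role` resource block begins before this hunk.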