fix(terraform): Remove dataproc.admin from multiple checks (#6725)

* Remove dataproc.admin * Add additional roles * Update test_GoogleProjectImpersonationRoles.py
bridgecrewio · Sep 19, 2024 · e1a17d5 · e1a17d5
1 parent 0262d6d
commit e1a17d5
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 8 deletions.
diff --git a/checkov/terraform/checks/resource/gcp/AbsGoogleImpersonationRoles.py b/checkov/terraform/checks/resource/gcp/AbsGoogleImpersonationRoles.py
@@ -1,6 +1,9 @@
 from checkov.common.models.enums import CheckResult
 from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
 
+# Reference: https://cloud.google.com/iam/docs/best-practices-service-accounts
+# Lookup: https://cloud.google.com/iam/docs/permissions-reference
+
 IMPERSONATION_ROLES = [
     "roles/owner",
     "roles/editor",
@@ -10,15 +13,72 @@
     "roles/iam.serviceAccountUser",
     "roles/iam.serviceAccountTokenCreator",
     "roles/iam.workloadIdentityUser",
-    "roles/dataproc.editor",
-    "roles/dataproc.admin",
     "roles/dataflow.developer",
-    "roles/resourcemanager.folderAdmin",
-    "roles/resourcemanager.folderIamAdmin",
-    "roles/resourcemanager.projectIamAdmin",
-    "roles/resourcemanager.organizationAdmin",
     "roles/serverless.serviceAgent",
     "roles/dataproc.serviceAgent",
+    "roles/deploymentmanager.editor",
+    "roles/cloudbuild.builds.editor",
+    "roles/aiplatform.customCodeServiceAgent",
+    "roles/aiplatform.extensionServiceAgent",
+    "roles/aiplatform.serviceAgent",
+    "roles/apigateway.serviceAgent",
+    "roles/apigee.serviceAgent",
+    "roles/appengine.serviceAgent",
+    "roles/appengineflex.serviceAgent",
+    "roles/bigquerycontinuousquery.serviceAgent",
+    "roles/bigquerydatatransfer.serviceAgent",
+    "roles/bigqueryspark.serviceAgent",
+    "roles/cloudbuild.serviceAgent",
+    "roles/cloudconfig.serviceAgent",
+    "roles/clouddeploy.serviceAgent",
+    "roles/cloudfunctions.serviceAgent",
+    "roles/cloudscheduler.serviceAgent",
+    "roles/cloudtasks.serviceAgent",
+    "roles/composer.serviceAgent",
+    "roles/compute.serviceAgent",
+    "roles/connectors.serviceAgent",
+    "roles/dataflow.serviceAgent",
+    "roles/eventarc.serviceAgent",
+    "roles/integrations.serviceAgent",
+    "roles/ml.serviceAgent",
+    "roles/notebooks.serviceAgent",
+    "roles/pubsub.serviceAgent",
+    "roles/run.serviceAgent",
+    "roles/sourcerepo.serviceAgent",
+    "roles/workflows.serviceAgent",
+    "roles/iam.serviceAccountOpenIdTokenCreator",
+    "roles/aiplatform.colabServiceAgent",
+    "roles/backupdr.computeEngineOperator",
+    "roles/backupdr.serviceAgent",
+    "roles/batch.serviceAgent",
+    "roles/clouddeploymentmanager.serviceAgent",
+    "roles/cloudtpu.serviceAgent",
+    "roles/compute.instanceGroupManagerServiceAgent",
+    "roles/configdelivery.serviceAgent",
+    "roles/container.serviceAgent",
+    "roles/datapipelines.serviceAgent",
+    "roles/dataplex.serviceAgent",
+    "roles/dataprep.serviceAgent",
+    "roles/dataproc.hubAgent",
+    "roles/firebaseapphosting.serviceAgent",
+    "roles/firebasemods.serviceAgent",
+    "roles/gameservices.serviceAgent",
+    "roles/genomics.serviceAgent",
+    "roles/krmapihosting.anthosApiEndpointServiceAgent",
+    "roles/krmapihosting.serviceAgent",
+    "roles/lifesciences.serviceAgent",
+    "roles/osconfig.serviceAgent",
+    "roles/runapps.serviceAgent",
+    "roles/securitycenter.securityResponseServiceAgent",
+    "roles/workstations.serviceAgent",
+    "roles/securesourcemanager.serviceAgent",
+    "roles/assuredoss.admin",
+    "roles/securitycenter.admin",
+    "roles/vpcaccess.serviceAgent",
+    "roles/cloudbuild.builds.builder",
+    "roles/composer.worker",
+    "roles/dataflow.admin",
+    "roles/run.sourceDeveloper",
 ]
 
 

diff --git a/tests/terraform/checks/resource/gcp/test_GoogleProjectImpersonationRoles.py b/tests/terraform/checks/resource/gcp/test_GoogleProjectImpersonationRoles.py
@@ -12,7 +12,7 @@ def test_failure_binding(self):
         hcl_res = hcl2.loads("""
             resource "google_project_iam_binding" "project" {
               project = "your-project-id"
-              role    = "roles/resourcemanager.organizationAdmin"
+              role    = "roles/serverless.serviceAgent"
             
               members = [
                 "user",
@@ -28,7 +28,7 @@ def test_failure_member(self):
         hcl_res = hcl2.loads("""
             resource "google_project_iam_member" "project" {
               project = "your-project-id"
-              role    = "roles/resourcemanager.organizationAdmin"
+              role    = "roles/iam.workloadIdentityUser"
               member  = "serviceAccount:[email protected]"
             }
                 """)