From e1a17d5af24185b8bc1952c8c46af130fce90794 Mon Sep 17 00:00:00 2001
From: Taylor <28880387+tsmithv11@users.noreply.github.com>
Date: Wed, 18 Sep 2024 22:14:13 -0700
Subject: [PATCH] fix(terraform): Remove dataproc.admin from multiple checks (#6725)

* Remove dataproc.admin
* Add additional roles
* Update test_GoogleProjectImpersonationRoles.py

---
 .../gcp/AbsGoogleImpersonationRoles.py | 72 +++++++++++++++++--
 .../test_GoogleProjectImpersonationRoles.py | 4 +-
 2 files changed, 68 insertions(+), 8 deletions(-)

diff --git a/checkov/terraform/checks/resource/gcp/AbsGoogleImpersonationRoles.py b/checkov/terraform/checks/resource/gcp/AbsGoogleImpersonationRoles.py
index 66d95092645..b6e3f083271 100644
--- a/checkov/terraform/checks/resource/gcp/AbsGoogleImpersonationRoles.py
+++ b/checkov/terraform/checks/resource/gcp/AbsGoogleImpersonationRoles.py
@@ -1,6 +1,9 @@
 from checkov.common.models.enums import CheckResult
 from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
+# Reference: https://cloud.google.com/iam/docs/best-practices-service-accounts
+# Lookup: https://cloud.google.com/iam/docs/permissions-reference
+
 IMPERSONATION_ROLES = [
 "roles/owner",
 "roles/editor",
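Review bot: The two new comment lines link to the docs but never state what qualifies a role for `IMPERSONATION_ROLES`, which is exactly the question this commit's own removals (`roles/dataproc.admin`, the `roles/resourcemanager.*` IAM-admin roles) and every future addition will raise again. Put the criterion next to the links, e.g. `# Roles listed here grant the permissions needed to act as, or mint credentials for, a service account (see the permissions reference); roles whose risk is IAM administration rather than direct impersonation are presumably out of scope.` Whether the qualifying set is exactly actAs plus the token/sign permissions is not visible in this hunk, so confirm it against the linked reference before fixing the wording. The list literal opened here continues into the next hunk.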
@@ -10,15 +13,72 @@
 "roles/iam.serviceAccountUser",
 "roles/iam.serviceAccountTokenCreator",
 "roles/iam.workloadIdentityUser",
- "roles/dataproc.editor",
- "roles/dataproc.admin",
 "roles/dataflow.developer",
- "roles/resourcemanager.folderAdmin",
- "roles/resourcemanager.folderIamAdmin",
- "roles/resourcemanager.projectIamAdmin",
- "roles/resourcemanager.organizationAdmin",
 "roles/serverless.serviceAgent",
 "roles/dataproc.serviceAgent",
+ "roles/deploymentmanager.editor",
+ "roles/cloudbuild.builds.editor",
+ "roles/aiplatform.customCodeServiceAgent",
+ "roles/aiplatform.extensionServiceAgent",
+ "roles/aiplatform.serviceAgent",
+ "roles/apigateway.serviceAgent",
+ "roles/apigee.serviceAgent",
+ "roles/appengine.serviceAgent",
+ "roles/appengineflex.serviceAgent",
+ "roles/bigquerycontinuousquery.serviceAgent",
+ "roles/bigquerydatatransfer.serviceAgent",
+ "roles/bigqueryspark.serviceAgent",
+ "roles/cloudbuild.serviceAgent",
+ "roles/cloudconfig.serviceAgent",
+ "roles/clouddeploy.serviceAgent",
+ "roles/cloudfunctions.serviceAgent",
+ "roles/cloudscheduler.serviceAgent",
+ "roles/cloudtasks.serviceAgent",
+ "roles/composer.serviceAgent",
+ "roles/compute.serviceAgent",
+ "roles/connectors.serviceAgent",
+ "roles/dataflow.serviceAgent",
+ "roles/eventarc.serviceAgent",
+ "roles/integrations.serviceAgent",
+ "roles/ml.serviceAgent",
+ "roles/notebooks.serviceAgent",
+ "roles/pubsub.serviceAgent",
+ "roles/run.serviceAgent",
+ "roles/sourcerepo.serviceAgent",
+ "roles/workflows.serviceAgent",
+ "roles/iam.serviceAccountOpenIdTokenCreator",
+ "roles/aiplatform.colabServiceAgent",
+ "roles/backupdr.computeEngineOperator",
+ "roles/backupdr.serviceAgent",
+ "roles/batch.serviceAgent",
+ "roles/clouddeploymentmanager.serviceAgent",
+ "roles/cloudtpu.serviceAgent",
+ "roles/compute.instanceGroupManagerServiceAgent",
+ "roles/configdelivery.serviceAgent",
+ "roles/container.serviceAgent",
+ "roles/datapipelines.serviceAgent",
+ "roles/dataplex.serviceAgent",
+ "roles/dataprep.serviceAgent",
+ "roles/dataproc.hubAgent",
+ "roles/firebaseapphosting.serviceAgent",
+ "roles/firebasemods.serviceAgent",
+ "roles/gameservices.serviceAgent",
+ "roles/genomics.serviceAgent",
+ "roles/krmapihosting.anthosApiEndpointServiceAgent",
+ "roles/krmapihosting.serviceAgent",
+ "roles/lifesciences.serviceAgent",
+ "roles/osconfig.serviceAgent",
+ "roles/runapps.serviceAgent",
+ "roles/securitycenter.securityResponseServiceAgent",
+ "roles/workstations.serviceAgent",
+ "roles/securesourcemanager.serviceAgent",
+ "roles/assuredoss.admin",
+ "roles/securitycenter.admin",
+ "roles/vpcaccess.serviceAgent",
+ "roles/cloudbuild.builds.builder",
+ "roles/composer.worker",
+ "roles/dataflow.admin",
+ "roles/run.sourceDeveloper",
 ]
diff --git a/tests/terraform/checks/resource/gcp/test_GoogleProjectImpersonationRoles.py b/tests/terraform/checks/resource/gcp/test_GoogleProjectImpersonationRoles.py
index 7b4a49c17c1..bfab0a2e56b 100644
--- a/tests/terraform/checks/resource/gcp/test_GoogleProjectImpersonationRoles.py
+++ b/tests/terraform/checks/resource/gcp/test_GoogleProjectImpersonationRoles.py
@@ -12,7 +12,7 @@ def test_failure_binding(self):
 hcl_res = hcl2.loads("""
 resource "google_project_iam_binding" "project" {
 project = "your-project-id"
- role = "roles/resourcemanager.organizationAdmin"
+ role = "roles/serverless.serviceAgent"
 members = [
 "user",
@@ -28,7 +28,7 @@ def test_failure_member(self):
 hcl_res = hcl2.loads("""
 resource "google_project_iam_member" "project" {
 project = "your-project-id"
- role = "roles/resourcemanager.organizationAdmin"
+ role = "roles/iam.workloadIdentityUser"
 member = "serviceAccount:test-compute@developer.gserviceaccount.com"
 }
 """)