From 1770cda21ebeb4812234a5fa9dd8f8765652ea3d Mon Sep 17 00:00:00 2001
From: Haresh Suresh
Date: Thu, 24 Oct 2024 11:38:42 -0700
Subject: [PATCH 1/2] SSPROD-48612: add ciem roles to cspm svc acct org case
---
 modules/config-posture/organizational.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/config-posture/organizational.tf b/modules/config-posture/organizational.tf
index 77d85b0..f3f9a87 100644
--- a/modules/config-posture/organizational.tf
+++ b/modules/config-posture/organizational.tf
@@ -15,7 +15,8 @@ data "google_organization" "org" {
 # role permissions for CSPM (GCP Predefined Roles for Sysdig Cloud Secure Posture Management)
 #---------------------------------------------------------------------------------------------
 resource "google_organization_iam_member" "cspm" {
- for_each = var.is_organizational ? toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer"]) : []
+ # adding ciem role with permissions to the service account alongside cspm roles
+ for_each = var.is_organizational ? toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer", "roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.roleViewer", "roles/container.clusterViewer", "roles/compute.viewer"]) : []
 org_id = data.google_organization.org[0].org_id
 role = each.key
From e42d390ae84d6007a2066963be60a9910961a967 Mon Sep 17 00:00:00 2001
From: Haresh Suresh
Date: Thu, 24 Oct 2024 13:09:17 -0700
Subject: [PATCH 2/2] rm ciem roles from pub sub integrations
---
 modules/integrations/pub-sub/organizational.tf | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/modules/integrations/pub-sub/organizational.tf b/modules/integrations/pub-sub/organizational.tf
index b721906..bf26105 100644
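Review bot: The role set granted by the new `for_each` line does not match the one the second patch removes from `modules/integrations/pub-sub/organizational.tf`: the deleted `identity_mgmt` resource granted `roles/iam.organizationRoleViewer`, while this line grants `roles/iam.roleViewer`, so the change is not a pure relocation of the CIEM grant from the push-auth service account to the CSPM one. If CIEM needs to enumerate custom roles and read IAM policy at the organization level, `roles/iam.roleViewer` may not be sufficient, since its permissions appear to be project-scoped reads; either restore `roles/iam.organizationRoleViewer` or state in the commit message why the narrower role is intended. The block header on the first context line still reads `# role permissions for CSPM (...)` and the resource is still named `cspm`, so the CIEM roles are explained only by the inline comment; I would extend the header, e.g. `# role permissions for CSPM and CIEM (GCP predefined read-only roles granted to the Sysdig service account at organization scope)`. Listing one role per line inside `toset([...])` would also make future additions reviewable as single-line diffs. The resource continues outside the hunk (presumably its `member` argument and closing brace).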
--- a/modules/integrations/pub-sub/organizational.tf
+++ b/modules/integrations/pub-sub/organizational.tf
@@ -83,13 +83,4 @@ resource "google_organization_iam_member" "custom" {
 org_id = data.google_organization.org[0].org_id
 role = google_organization_iam_custom_role.custom_ingestion_auth_role[0].id
 member = "serviceAccount:${google_service_account.push_auth.email}"
-}
-
-# adding ciem role with permissions to the service account for org
-resource "google_organization_iam_member" "identity_mgmt" {
- for_each = var.is_organizational ? toset(["roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.organizationRoleViewer", "roles/container.clusterViewer", "roles/compute.viewer"]) : []
-
- org_id = data.google_organization.org[0].org_id
- role = each.key
- member = "serviceAccount:${google_service_account.push_auth.email}"
 }
\ No newline at end of file