Add policy pack - Validate GCP > Service Account for any unapproved role association. Closes #886

Author: vkumbha

policy_packs/gcp/iam/enforce_user_service_accounts_have_permitted_roles_assigned/main.tf

@@ -0,0 +1,5 @@
+resource "turbot_policy_pack" "main" {
+  title       = "Enforce GCP IAM Service Accounts have Permitted Roles assigned"
+  description = "Ensures that service accounts do not have disallowed roles assigned. This reduces the risk of over-privileged access and enhances security by enforcing least privilege principles for service accounts."
+  akas        = ["gcp_iam_enforce_service_accounts_have_permitted_roles_assigned"]
+}

policy_packs/gcp/iam/enforce_user_service_accounts_have_permitted_roles_assigned/policies.tf

@@ -0,0 +1,70 @@
+# GCP > IAM > Service Account > Approved
+resource "turbot_policy_setting" "gcp_iam_service_account_approved" {
+  resource = turbot_policy_pack.main.id
+  type     = "tmod:@turbot/gcp-iam#/policy/types/serviceAccountApproved"
+  value    = "Check: Approved"
+  # value = "Enforce: Delete unapproved if new"
+  # value = "Enforce: Disable unapproved"
+}
+
+# GCP > IAM > Service Account > Approved > Custom
+resource "turbot_policy_setting" "gcp_iam_service_account_approved_custom" {
+  resource       = turbot_policy_pack.main.id
+  type           = "tmod:@turbot/gcp-iam#/policy/types/serviceAccountApprovedCustom"
+  template_input = <<-EOT
+    {
+      resources(
+        filter: "resourceTypeId:tmod:@turbot/gcp-iam#/resource/types/projectIamPolicy resourceId:{{ $.resource.parent.turbot.id }}"
+      ) {
+        items {
+          projectBindings: get(path: "bindings")
+        }
+      }
+      resource {
+        email: get(path:"email")
+        disabled: get(path:"disabled")
+      }
+    }
+    EOT
+  template       = <<-EOT
+    {%- set disallowedRoles = [
+        "roles/editor", 
+        "roles/owner", 
+        "roles/viewer", 
+        "roles/resourcemanager.tagUser", 
+        "roles/resourcemanager.tagAdmin",  
+        "roles/iam.serviceAccountTokenCreator", 
+        "roles/iam.serviceAccountUser"
+    ] -%}
+
+    {%- set email = $.resource.email -%}
+    {%- set isDisabled = $.resource.disabled == true -%}
+    {%- set assignedDisallowedRoles = [] -%}
+
+    {%- if not isDisabled -%} {# If the service account is not disabled, check for disallowed roles #}
+      {%- for binding in $.resources.items[0].projectBindings -%}
+        {%- if binding.role in disallowedRoles -%}
+          {%- for member in binding.members -%}
+            {%- if member == "serviceAccount:" + email -%}
+              {%- set assignedDisallowedRoles = assignedDisallowedRoles.concat([binding.role]) -%}
+            {%- endif -%}
+          {%- endfor -%}
+        {%- endif -%}
+      {%- endfor -%}
+    {%- endif -%}
+
+    {%- if isDisabled -%}
+    - "title": "Role Bindings"
+      "result": "Approved"
+      "message": "The service account is disabled."
+    {%- elif assignedDisallowedRoles | length > 0 -%}
+    - "title": "Role Bindings"
+      "result": "Not approved"
+      "message": "The service account has disallowed role(s): {{ assignedDisallowedRoles | join(", ") }} assigned."
+    {%- else -%}
+    - "title": "Role Bindings"
+      "result": "Approved"
+      "message": "The service account does not have any disallowed roles assigned."
+    {%- endif -%}
+    EOT
+}

policy_packs/gcp/iam/enforce_user_service_accounts_have_permitted_roles_assigned/providers.tf

@@ -0,0 +1,11 @@
+terraform {
+  required_providers {
+    turbot = {
+      source  = "turbot/turbot"
+      version = ">= 1.11.0"
+    }
+  }
+}
+
+provider "turbot" {
+}