Changing IAM audit config to be authoritative (#2438)
* Changing IAM audit config to be authoritative

* Remove unused code + test
slevenick authored and rileykarson committed Nov 11, 2019
1 parent 8161d33 commit b47312f
Showing 3 changed files with 4 additions and 199 deletions.
36 changes: 4 additions & 32 deletions third_party/terraform/resources/resource_iam_audit_config.go
Expand Up @@ -44,9 +44,9 @@ func ResourceIamAuditConfig(parentSpecificSchema map[string]*schema.Schema, newU

func ResourceIamAuditConfigWithBatching(parentSpecificSchema map[string]*schema.Schema, newUpdaterFunc newResourceIamUpdaterFunc, resourceIdParser resourceIdParserFunc, enableBatching bool) *schema.Resource {
return &schema.Resource{
Create: resourceIamAuditConfigCreate(newUpdaterFunc, enableBatching),
Create: resourceIamAuditConfigCreateUpdate(newUpdaterFunc, enableBatching),
Read: resourceIamAuditConfigRead(newUpdaterFunc),
Update: resourceIamAuditConfigUpdate(newUpdaterFunc, enableBatching),
Update: resourceIamAuditConfigCreateUpdate(newUpdaterFunc, enableBatching),
Delete: resourceIamAuditConfigDelete(newUpdaterFunc, enableBatching),
Schema: mergeSchemas(iamAuditConfigSchema, parentSpecificSchema),
Importer: &schema.ResourceImporter{
Expand All @@ -55,34 +55,6 @@ func ResourceIamAuditConfigWithBatching(parentSpecificSchema map[string]*schema.
}
}

func resourceIamAuditConfigCreate(newUpdaterFunc newResourceIamUpdaterFunc, enableBatching bool) schema.CreateFunc {
return func(d *schema.ResourceData, meta interface{}) error {
config := meta.(*Config)
updater, err := newUpdaterFunc(d, config)
if err != nil {
return err
}

ac := getResourceIamAuditConfig(d)
modifyF := func(ep *cloudresourcemanager.Policy) error {
ep.AuditConfigs = mergeAuditConfigs(append(ep.AuditConfigs, ac))
return nil
}

if enableBatching {
err = BatchRequestModifyIamPolicy(updater, modifyF, config, fmt.Sprintf(
"Add audit config for service %s on resource %q", ac.Service, updater.DescribeResource()))
} else {
err = iamPolicyReadModifyWrite(updater, modifyF)
}
if err != nil {
return err
}
d.SetId(updater.GetResourceId() + "/audit_config/" + ac.Service)
return resourceIamAuditConfigRead(newUpdaterFunc)(d, meta)
}
}

func resourceIamAuditConfigRead(newUpdaterFunc newResourceIamUpdaterFunc) schema.ReadFunc {
return func(d *schema.ResourceData, meta interface{}) error {
config := meta.(*Config)
Expand Down Expand Up @@ -150,7 +122,7 @@ func iamAuditConfigImport(resourceIdParser resourceIdParserFunc) schema.StateFun
}
}

func resourceIamAuditConfigUpdate(newUpdaterFunc newResourceIamUpdaterFunc, enableBatching bool) schema.UpdateFunc {
func resourceIamAuditConfigCreateUpdate(newUpdaterFunc newResourceIamUpdaterFunc, enableBatching bool) func(*schema.ResourceData, interface{}) error {
return func(d *schema.ResourceData, meta interface{}) error {
config := meta.(*Config)
updater, err := newUpdaterFunc(d, config)
Expand All @@ -173,7 +145,7 @@ func resourceIamAuditConfigUpdate(newUpdaterFunc newResourceIamUpdaterFunc, enab
if err != nil {
return err
}

d.SetId(updater.GetResourceId() + "/audit_config/" + ac.Service)
return resourceIamAuditConfigRead(newUpdaterFunc)(d, meta)
}
}
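Review bot: `resourceIamAuditConfigCreateUpdate` now backs both the `Create` and `Update` entries of the resource but carries no doc comment, so nothing in the code records that a create is authoritative and replaces an audit config that already exists for the same service, where the removed `resourceIamAuditConfigCreate` merged into it. Because an overwrite can silently narrow what is audit-logged for a service that was configured outside Terraform (dropping log types or changing exempted members), I would add above the signature: `// resourceIamAuditConfigCreateUpdate returns the handler shared by Create and Update. It is authoritative for one service's audit config: an existing config for that service is replaced, not merged, so unmanaged configs should be imported rather than created.` The unnamed return type is presumably what lets one value be assigned to both the `CreateFunc` and `UpdateFunc` fields; a short why-comment there would save the next reader from "fixing" it back to `schema.UpdateFunc`. Most of the handler body, including the modify function and the batching description string, lies outside this hunk and should be checked to confirm it no longer describes an add/merge.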
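--- a/third_party/terraform/utils/iam.go.erb
+++ b/third_party/terraform/utils/iam.go.erb
@@ -279,12 +279,6 @@ func listFromIamBindingMap(bm map[iamBindingKey]map[string]struct{}) []*cloudres
 return rb
 }
 
-// Flatten AuditConfigs so each service has a single exemption list of log type to members
-func mergeAuditConfigs(auditConfigs []*cloudresourcemanager.AuditConfig) []*cloudresourcemanager.AuditConfig {
-am := createIamAuditConfigsMap(auditConfigs)
-return listFromIamAuditConfigMap(am)
-}
-
 // Flattens AuditConfigs so each role has a single Binding with combined members\
 func removeAllAuditConfigsWithService(ac []*cloudresourcemanager.AuditConfig, service string) []*cloudresourcemanager.AuditConfig {
 acMap := createIamAuditConfigsMap(ac)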
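--- a/third_party/terraform/utils/iam_test.go.erb
+++ b/third_party/terraform/utils/iam_test.go.erb
@@ -787,167 +787,6 @@ func TestIamListFromIamBindingMap(t *testing.T) {
 }
 }
 
-func TestIamMergeAuditConfigs(t *testing.T) {
-testCases := []struct {
-input []*cloudresourcemanager.AuditConfig
-expect []*cloudresourcemanager.AuditConfig
-}{
-{
-input: []*cloudresourcemanager.AuditConfig{},
-expect: []*cloudresourcemanager.AuditConfig{},
-},
-{
-input: []*cloudresourcemanager.AuditConfig{
-{
-Service: "foo.googleapis.com",
-AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
-{
-LogType: "ADMIN_READ",
-},
-},
-},
-{
-Service: "bar.googleapis.com",
-AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
-{
-LogType: "ADMIN_READ",
-ExemptedMembers: []string{"user-1"},
-},
-},
-},
-},
-expect: []*cloudresourcemanager.AuditConfig{
-{
-Service: "foo.googleapis.com",
-AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
-{
-LogType: "ADMIN_READ",
-},
-},
-},
-{
-Service: "bar.googleapis.com",
-AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
-{
-LogType: "ADMIN_READ",
-ExemptedMembers: []string{"user-1"},
-},
-},
-},
-},
-},
-{
-input: []*cloudresourcemanager.AuditConfig{
-{
-Service: "kms.googleapis.com",
-AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
-{
-LogType: "ADMIN_READ",
-},
-{
-LogType: "DATA_WRITE",
-ExemptedMembers: []string{"user-1"},
-},
-},
-},
-{
-Service: "iam.googleapis.com",
-AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
-{
-LogType: "ADMIN_READ",
-ExemptedMembers: []string{"user-1"},
-},
-},
-},
-{
-Service: "kms.googleapis.com",
-AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
-{
-LogType: "DATA_WRITE",
-ExemptedMembers: []string{"user-2"},
-},
-},
-},
-{
-Service: "iam.googleapis.com",
-AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
-{
-LogType: "ADMIN_READ",
-ExemptedMembers: []string{"user-2"},
-},
-},
-},
-{
-Service: "foo.googleapis.com",
-AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
-{
-LogType: "DATA_WRITE",
-ExemptedMembers: []string{"user-1"},
-},
-},
-},
-{
-Service: "kms.googleapis.com",
-AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
-{
-LogType: "DATA_WRITE",
-ExemptedMembers: []string{"user-3", "user-4"},
-},
-{
-LogType: "DATA_READ",
-ExemptedMembers: []string{"user-1", "user-2"},
-},
-},
-},
-},
-expect: []*cloudresourcemanager.AuditConfig{
-{
-Service: "kms.googleapis.com",
-AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
-{
-LogType: "ADMIN_READ",
-},
-{
-LogType: "DATA_WRITE",
-ExemptedMembers: []string{"user-1", "user-2", "user-3", "user-4"},
-},
-{
-LogType: "DATA_READ",
-ExemptedMembers: []string{"user-1", "user-2"},
-},
-},
-},
-{
-Service: "iam.googleapis.com",
-AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
-{
-LogType: "ADMIN_READ",
-ExemptedMembers: []string{"user-1", "user-2"},
-},
-},
-},
-{
-Service: "foo.googleapis.com",
-AuditLogConfigs: []*cloudresourcemanager.AuditLogConfig{
-{
-LogType: "DATA_WRITE",
-ExemptedMembers: []string{"user-1"},
-},
-},
-},
-},
-},
-}
-
-for _, tc := range testCases {
-got := mergeAuditConfigs(tc.input)
-if !compareAuditConfigs(got, tc.expect) {
-t.Errorf("Unexpected value for mergeAuditConfigs(%s).\nActual: %s\nExpected: %s\n",
-debugPrintAuditConfigs(tc.input), debugPrintAuditConfigs(got), debugPrintAuditConfigs(tc.expect))
-}
-}
-}
-
 func TestIamRemoveAllAuditConfigsWithService(t *testing.T) {
 testCases := []struct {
 input []*cloudresourcemanager.AuditConfig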
