From 0e2e6a9b4fda9fbe2bfe65ec6dbdc5e58fe098a5 Mon Sep 17 00:00:00 2001
From: Aaron Crickenberger
Date: Wed, 19 May 2021 01:04:28 -0400
Subject: [PATCH 1/4] infra/gcp/roles: refresh roles

---
 infra/gcp/roles/audit.viewer.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/infra/gcp/roles/audit.viewer.yaml b/infra/gcp/roles/audit.viewer.yaml
index 19cfc8a30db..f35cab90fbc 100644
--- a/infra/gcp/roles/audit.viewer.yaml
+++ b/infra/gcp/roles/audit.viewer.yaml
@@ -70,6 +70,7 @@ includedPermissions:
 - aiplatform.modelEvaluationSlices.list
 - aiplatform.modelEvaluations.list
 - aiplatform.models.list
+ - aiplatform.nasJobs.list
 - aiplatform.operations.list
 - aiplatform.specialistPools.list
 - aiplatform.studies.list
@@ -192,6 +193,7 @@ includedPermissions:
 - clientauthconfig.brands.list
 - clientauthconfig.clients.list
 - cloudasset.assets.analyzeIamPolicy
+ - cloudasset.assets.analyzeMove
 - cloudasset.assets.exportAccessLevel
 - cloudasset.assets.exportAccessPolicy
 - cloudasset.assets.exportAllAccessPolicy
@@ -283,6 +285,7 @@ includedPermissions:
 - cloudasset.assets.exportSpannerInstances
 - cloudasset.assets.exportSqladminInstances
 - cloudasset.assets.exportStorageBuckets
+ - cloudasset.assets.listCloudkmsCryptoKeys
 - cloudasset.assets.searchAllIamPolicies
 - cloudasset.assets.searchAllResources
 - cloudasset.feeds.list
@@ -682,18 +685,23 @@ includedPermissions:
 - dialogflow.participants.list
 - dialogflow.phoneNumberOrders.list
 - dialogflow.phoneNumbers.list
+ - dialogflow.securitySettings.list
 - dialogflow.sessionEntityTypes.list
 - dialogflow.smartMessagingEntries.list
 - dialogflow.transitionRouteGroups.list
 - dialogflow.versions.list
 - dialogflow.webhooks.list
 - dlp.analyzeRiskTemplates.list
+ - dlp.columnDataProfiles.list
 - dlp.deidentifyTemplates.list
+ - dlp.estimates.list
 - dlp.inspectFindings.list
 - dlp.inspectTemplates.list
 - dlp.jobTriggers.list
 - dlp.jobs.list
+ - dlp.projectDataProfiles.list
 - dlp.storedInfoTypes.list
+ - dlp.tableDataProfiles.list
 - dns.changes.get
 - dns.changes.list
 - dns.dnsKeys.get
@@ -706,6 +714,7 @@ includedPermissions:
 - dns.policies.getIamPolicy
 - dns.policies.list
 - dns.projects.get
+ - dns.resourceRecordSets.get
 - dns.resourceRecordSets.list
 - documentai.evaluations.list
 - documentai.labelerPools.list
@@ -978,6 +987,7 @@ includedPermissions:
 - resourcemanager.tagKeys.list
 - resourcemanager.tagValues.getIamPolicy
 - resourcemanager.tagValues.list
+ - resourcesettings.settings.list
 - retail.catalogs.list
 - retail.operations.list
 - retail.products.list

From 268c44d98bd431f9c4a51fcd05c91d042b187432 Mon Sep 17 00:00:00 2001
From: Aaron Crickenberger
Date: Wed, 19 May 2021 01:07:16 -0400
Subject: [PATCH 2/4] infra/gcp/roles: add to audit.viewer

Specifically secretmanager.viewer, which apparently k8s-infra-gcp-auditors@kubernetes.io is directly bound to on the organization
---
 infra/gcp/roles/audit.viewer.yaml | 5 +++++
 infra/gcp/roles/specs/audit.viewer.yaml | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/infra/gcp/roles/audit.viewer.yaml b/infra/gcp/roles/audit.viewer.yaml
index f35cab90fbc..0606d8cbd71 100644
--- a/infra/gcp/roles/audit.viewer.yaml
+++ b/infra/gcp/roles/audit.viewer.yaml
@@ -15,6 +15,8 @@
 # - roles/dns.reader
 # # read access to cloud assets metadata
 # - roles/cloudasset.viewer
+# # read access to secrets metadata (not their contents)
+# - roles/secretmanager.viewer
 #
 # # meta roles (regardless of roles/viewer)
 # # read access for the project hierarchy (org, folders, projects)
@@ -1004,9 +1006,12 @@ includedPermissions:
 - runtimeconfig.variables.list
 - runtimeconfig.waiters.getIamPolicy
 - runtimeconfig.waiters.list
+ - secretmanager.locations.get
 - secretmanager.locations.list
+ - secretmanager.secrets.get
 - secretmanager.secrets.getIamPolicy
 - secretmanager.secrets.list
+ - secretmanager.versions.get
 - secretmanager.versions.list
 - securitycenter.assets.list
 - securitycenter.findings.list
diff --git a/infra/gcp/roles/specs/audit.viewer.yaml b/infra/gcp/roles/specs/audit.viewer.yaml
index ee769763719..92f691d53fd 100644
--- a/infra/gcp/roles/specs/audit.viewer.yaml
+++ b/infra/gcp/roles/specs/audit.viewer.yaml
@@ -13,6 +13,8 @@ include:
 - roles/dns.reader
 # read access to cloud assets metadata
 - roles/cloudasset.viewer
+ # read access to secrets metadata (not their contents)
+ - roles/secretmanager.viewer
 
 # meta roles (regardless of roles/viewer)
 # read access for the project hierarchy (org, folders, projects)

From 16506e0fe88298f68d076b1d920b271f92cd6567 Mon Sep 17 00:00:00 2001
From: Aaron Crickenberger
Date: Wed, 19 May 2021 01:09:46 -0400
Subject: [PATCH 3/4] infra/gcp/org: remove secretmanager.viewer binding

auditors should be getting all of their permissions through the custom org role audit.viewer
---
 infra/gcp/ensure-organization.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/infra/gcp/ensure-organization.sh b/infra/gcp/ensure-organization.sh
index 1621f2021f0..bd0f2a3730c 100755
--- a/infra/gcp/ensure-organization.sh
+++ b/infra/gcp/ensure-organization.sh
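Review bot: The comment `# read access to secrets metadata (not their contents)` on the new `roles/secretmanager.viewer` entry in infra/gcp/roles/specs/audit.viewer.yaml holds only because that predefined role does not carry `secretmanager.versions.access`, the one permission that returns a secret payload; the generated list at @@ -1004 gains `secretmanager.secrets.get` and `secretmanager.versions.get` but not that one. Because audit.viewer.yaml is regenerated from this spec, any future change to the predefined role's contents would flow into the org-wide audit role on the next refresh while the comment still promises metadata-only. Stating the invariant in the comment makes such a refresh diff recognizable: `# read access to secrets metadata (not their contents: secretmanager.versions.access must stay absent)`. The same wording is mirrored in the generated header at @@ -15 of infra/gcp/roles/audit.viewer.yaml.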
@@ -71,7 +71,9 @@ org_role_bindings=(
 "serviceAccount:$(svc_acct_email "kubernetes-public" "k8s-infra-gcp-auditor"):$(custom_org_role_name "audit.viewer")"
 )
 
-removed_org_role_bindings=()
+removed_org_role_bindings=(
+ "group:k8s-infra-gcp-auditors@kubernetes.io:roles/secretmanager.viewer"
+)
 
 function ensure_org_roles() {
 for role in "${org_roles[@]}"; do

From 186bde07f7b2faf27e43f7a95b256e7873f7b2d3 Mon Sep 17 00:00:00 2001
From: Aaron Crickenberger
Date: Wed, 19 May 2021 01:16:27 -0400
Subject: [PATCH 4/4] infra/gcp/org: remove stray user bindings

These were originally intended to be removed by 4e5eeed but for some reason that did not happen before the code to do was removed by 623bb00. The organizationAdmin binding was manually added at some point, and is redundant in the face of the custom org role organization.admin
---
 infra/gcp/ensure-organization.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/infra/gcp/ensure-organization.sh b/infra/gcp/ensure-organization.sh
index bd0f2a3730c..e4c68192605 100755
--- a/infra/gcp/ensure-organization.sh
+++ b/infra/gcp/ensure-organization.sh
@@ -72,7 +72,19 @@ org_role_bindings=(
 )
 
 removed_org_role_bindings=(
+ # TODO(spiffxp): remove all of these in followup PR once deployed
 "group:k8s-infra-gcp-auditors@kubernetes.io:roles/secretmanager.viewer"
+ "user:davanum@gmail.com:roles/compute.viewer"
+ "user:davanum@gmail.com:roles/dns.reader"
+ "user:davanum@gmail.com:roles/iam.securityReviewer"
+ "user:davanum@gmail.com:roles/resourcemanager.organizationViewer"
+ "user:davanum@gmail.com:roles/serviceusage.serviceUsageConsumer"
+ "user:thockin@google.com:roles/compute.viewer"
+ "user:thockin@google.com:roles/dns.reader"
+ "user:thockin@google.com:roles/iam.securityReviewer"
+ "user:thockin@google.com:roles/resourcemanager.organizationViewer"
+ "user:thockin@google.com:roles/serviceusage.serviceUsageConsumer"
+ "user:spiffxp@google.com:roles/resourcemanager.organizationAdmin"
 )
 
 function ensure_org_roles() {
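Review bot: The new `"group:k8s-infra-gcp-auditors@kubernetes.io:roles/secretmanager.viewer"` removal assumes the group already reaches those permissions through the custom `audit.viewer` role, but the only `audit.viewer` binding visible in this hunk is for the `k8s-infra-gcp-auditor` service account, and the rest of `org_role_bindings` is above the hunk, so I cannot see a binding for the group itself. If none exists, this drops the group's secret-metadata access instead of consolidating it. It also presumes the refreshed role from PATCH 2 (the added `secretmanager.*` permissions) is applied before the binding is removed, so the order in which the script ensures custom roles versus removes bindings matters; that code is outside the hunk. Recording the expectation on the entry, e.g. `# superseded by the group's audit.viewer custom-role binding; confirm it exists before this is applied`, makes the precondition reviewable.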
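Review bot: `"user:spiffxp@google.com:roles/resourcemanager.organizationAdmin"` is the one entry in the extended list that can affect the identity applying the change: if the script runs under that account and its binding to the custom `organization.admin` role is not already in place, revoking the predefined role mid-run could remove the permissions the remaining steps need. The commit message calls the binding redundant, but nothing in the hunk shows the replacement binding, so it is worth confirming it exists or running the script under the automation service account before this lands; the removal loop itself is outside the hunk. The TODO `# TODO(spiffxp): remove all of these in followup PR once deployed` now also covers the group entry from PATCH 3, so the follow-up should empty the whole array, and saying so in the comment would avoid the user lines being removed while the group line lingers.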