feat(misconf): added audit config attribute (#9249)

2025-12-12 15:50:15 -08:00 · 2025-08-01 09:05:55 +03:00
parent 649eb2f8e6
commit 4d4a2444b6
6 changed files with 280 additions and 6 deletions
--- a/pkg/iac/adapters/terraform/google/iam/adapt_test.go
+++ b/pkg/iac/adapters/terraform/google/iam/adapt_test.go
@@ -298,6 +298,129 @@ resource "google_project_iam_member" "project" {
 				},
 			},
 		},
+		{
+			name: "audit configs",
+			terraform: `
+data "google_organization" "org" {
+  domain = "example.com"
+}
+
+resource "google_project" "test" {
+  name                = "Test project"
+  project_id          = "test"
+  org_id              = data.google_organization.org.org_id
+  auto_create_network = false
+}
+
+resource "google_folder" "test" {
+  display_name = "Test folder"
+  parent       = data.google_organization.org.org_id
+}
+
+resource "google_project_iam_audit_config" "project_audit" {
+  project = google_project.test.project_id
+  service = "allServices"
+  
+  audit_log_config {
+    log_type = "ADMIN_READ"
+  }
+  
+  audit_log_config {
+    log_type = "DATA_WRITE"
+    exempted_members = [
+      "user:alice@example.com",
+      "serviceAccount:test@project.iam.gserviceaccount.com"
+    ]
+  }
+}
+
+resource "google_organization_iam_audit_config" "org_audit" {
+  org_id  = data.google_organization.org.org_id
+  service = "storage.googleapis.com"
+  
+  audit_log_config {
+    log_type = "DATA_READ"
+    exempted_members = ["user:bob@example.com"]
+  }
+}
+
+resource "google_folder_iam_audit_config" "folder_audit" {
+  folder  = google_folder.test.name
+  service = "compute.googleapis.com"
+  
+  audit_log_config {
+    log_type = "ADMIN_READ"
+  }
+}
+`,
+			expected: iam.IAM{
+				Projects: []iam.Project{
+					{
+						Metadata:          iacTypes.NewTestMetadata(),
+						AutoCreateNetwork: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
+						AuditConfigs: []iam.AuditConfig{
+							{
+								Metadata: iacTypes.NewTestMetadata(),
+								Service:  iacTypes.String("allServices", iacTypes.NewTestMetadata()),
+								AuditLogConfigs: []iam.AuditLogConfig{
+									{
+										Metadata:        iacTypes.NewTestMetadata(),
+										LogType:         iacTypes.String("ADMIN_READ", iacTypes.NewTestMetadata()),
+										ExemptedMembers: nil,
+									},
+									{
+										Metadata: iacTypes.NewTestMetadata(),
+										LogType:  iacTypes.String("DATA_WRITE", iacTypes.NewTestMetadata()),
+										ExemptedMembers: []iacTypes.StringValue{
+											iacTypes.String("user:alice@example.com", iacTypes.NewTestMetadata()),
+											iacTypes.String("serviceAccount:test@project.iam.gserviceaccount.com", iacTypes.NewTestMetadata()),
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+				Organizations: []iam.Organization{
+					{
+						Metadata: iacTypes.NewTestMetadata(),
+						AuditConfigs: []iam.AuditConfig{
+							{
+								Metadata: iacTypes.NewTestMetadata(),
+								Service:  iacTypes.String("storage.googleapis.com", iacTypes.NewTestMetadata()),
+								AuditLogConfigs: []iam.AuditLogConfig{
+									{
+										Metadata: iacTypes.NewTestMetadata(),
+										LogType:  iacTypes.String("DATA_READ", iacTypes.NewTestMetadata()),
+										ExemptedMembers: []iacTypes.StringValue{
+											iacTypes.String("user:bob@example.com", iacTypes.NewTestMetadata()),
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+				Folders: []iam.Folder{
+					{
+						Metadata: iacTypes.NewTestMetadata(),
+						AuditConfigs: []iam.AuditConfig{
+							{
+								Metadata: iacTypes.NewTestMetadata(),
+								Service:  iacTypes.String("compute.googleapis.com", iacTypes.NewTestMetadata()),
+								AuditLogConfigs: []iam.AuditLogConfig{
+									{
+										Metadata:        iacTypes.NewTestMetadata(),
+										LogType:         iacTypes.String("ADMIN_READ", iacTypes.NewTestMetadata()),
+										ExemptedMembers: nil,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
 	}

 	for _, test := range tests {
--- a/pkg/iac/adapters/terraform/google/iam/folder_iam.go
+++ b/pkg/iac/adapters/terraform/google/iam/folder_iam.go
@@ -14,6 +14,7 @@ func (a *adapter) adaptFolderIAM() {
 	a.adaptFolders()
 	a.adaptFolderMembers()
 	a.adaptFolderBindings()
+	a.adaptFolderAuditConfigs()
 }

 const googleFolder = "google_folder"
@@ -97,3 +98,18 @@ func (a *adapter) findFolder(iamBlock *terraform.Block) *iam.Folder {

 	return nil
 }
+
+func (a *adapter) adaptFolderAuditConfigs() {
+	for _, iamBlock := range a.modules.GetResourcesByType("google_folder_iam_audit_config") {
+		auditConfig := AdaptAuditConfig(iamBlock)
+		if folder := a.findFolder(iamBlock); folder != nil {
+			folder.AuditConfigs = append(folder.AuditConfigs, auditConfig)
+		} else {
+			// we didn't find the folder - add an unmanaged one
+			a.folders[uuid.NewString()] = &iam.Folder{
+				Metadata:     types.NewUnmanagedMetadata(),
+				AuditConfigs: []iam.AuditConfig{auditConfig},
+			}
+		}
+	}
+}
--- a/pkg/iac/adapters/terraform/google/iam/org_iam.go
+++ b/pkg/iac/adapters/terraform/google/iam/org_iam.go
@@ -14,6 +14,7 @@ func (a *adapter) adaptOrganizationIAM() {
 	a.adaptOrganizations()
 	a.adaptOrganizationMembers()
 	a.adaptOrganizationBindings()
+	a.adaptOrganizationAuditConfigs()
 }

 func (a *adapter) adaptOrganizations() {
@@ -100,3 +101,18 @@ func (a *adapter) findOrganization(iamBlock *terraform.Block) *iam.Organization

 	return nil
 }
+
+func (a *adapter) adaptOrganizationAuditConfigs() {
+	for _, iamBlock := range a.modules.GetResourcesByType("google_organization_iam_audit_config") {
+		auditConfig := AdaptAuditConfig(iamBlock)
+		if org := a.findOrganization(iamBlock); org != nil {
+			org.AuditConfigs = append(org.AuditConfigs, auditConfig)
+		} else {
+			// we didn't find the org - add an unmanaged one
+			a.orgs[uuid.NewString()] = &iam.Organization{
+				Metadata:     types.NewUnmanagedMetadata(),
+				AuditConfigs: []iam.AuditConfig{auditConfig},
+			}
+		}
+	}
+}
--- a/pkg/iac/adapters/terraform/google/iam/project_iam.go
+++ b/pkg/iac/adapters/terraform/google/iam/project_iam.go
@@ -18,6 +18,7 @@ func (a *adapter) adaptProjectIAM() {
 	a.adaptProjects()
 	a.adaptProjectMembers()
 	a.adaptProjectBindings()
+	a.adaptProjectAuditConfigs()
 }

 func (a *adapter) adaptProjects() {
@@ -212,3 +213,45 @@ func (a *adapter) findProject(iamBlock *terraform.Block) *iam.Project {

 	return nil
 }
+
+func (a *adapter) adaptProjectAuditConfigs() {
+	for _, iamBlock := range a.modules.GetResourcesByType("google_project_iam_audit_config") {
+		auditConfig := AdaptAuditConfig(iamBlock)
+		if project := a.findProject(iamBlock); project != nil {
+			project.AuditConfigs = append(project.AuditConfigs, auditConfig)
+		} else {
+			// we didn't find the project - add an unmanaged one
+			a.projects[uuid.NewString()] = &iam.Project{
+				Metadata:          iacTypes.NewUnmanagedMetadata(),
+				AutoCreateNetwork: iacTypes.BoolDefault(false, iacTypes.NewUnmanagedMetadata()),
+				AuditConfigs:      []iam.AuditConfig{auditConfig},
+			}
+		}
+	}
+}
+
+func AdaptAuditConfig(block *terraform.Block) iam.AuditConfig {
+	auditConfig := iam.AuditConfig{
+		Metadata: block.GetMetadata(),
+		Service:  block.GetAttribute("service").AsStringValueOrDefault("", block),
+	}
+
+	for _, logConfigBlock := range block.GetBlocks("audit_log_config") {
+		logConfig := iam.AuditLogConfig{
+			Metadata: logConfigBlock.GetMetadata(),
+			LogType:  logConfigBlock.GetAttribute("log_type").AsStringValueOrDefault("", logConfigBlock),
+		}
+
+		// Parse exempted_members array
+		if exemptedAttr := logConfigBlock.GetAttribute("exempted_members"); !exemptedAttr.IsNil() {
+			for _, member := range exemptedAttr.AsStringValues().AsStrings() {
+				logConfig.ExemptedMembers = append(logConfig.ExemptedMembers,
+					iacTypes.String(member, exemptedAttr.GetMetadata()))
+			}
+		}
+
+		auditConfig.AuditLogConfigs = append(auditConfig.AuditLogConfigs, logConfig)
+	}
+
+	return auditConfig
+}
--- a/pkg/iac/providers/google/iam/iam.go
+++ b/pkg/iac/providers/google/iam/iam.go
@@ -12,15 +12,17 @@ type IAM struct {
 }

 type Organization struct {
-	Metadata iacTypes.Metadata
-	Members  []Member
-	Bindings []Binding
+	Metadata     iacTypes.Metadata
+	Members      []Member
+	Bindings     []Binding
+	AuditConfigs []AuditConfig
 }

 type Folder struct {
-	Metadata iacTypes.Metadata
-	Members  []Member
-	Bindings []Binding
+	Metadata     iacTypes.Metadata
+	Members      []Member
+	Bindings     []Binding
+	AuditConfigs []AuditConfig
 }

 type Project struct {
@@ -28,6 +30,7 @@ type Project struct {
 	AutoCreateNetwork iacTypes.BoolValue
 	Members           []Member
 	Bindings          []Binding
+	AuditConfigs      []AuditConfig
 }

 type Binding struct {
@@ -44,6 +47,18 @@ type Member struct {
 	DefaultServiceAccount iacTypes.BoolValue
 }

+type AuditConfig struct {
+	Metadata        iacTypes.Metadata
+	Service         iacTypes.StringValue
+	AuditLogConfigs []AuditLogConfig
+}
+
+type AuditLogConfig struct {
+	Metadata        iacTypes.Metadata
+	LogType         iacTypes.StringValue
+	ExemptedMembers []iacTypes.StringValue
+}
+
 type WorkloadIdentityPoolProvider struct {
 	Metadata                       iacTypes.Metadata
 	WorkloadIdentityPoolId         iacTypes.StringValue
--- a/pkg/iac/rego/schemas/cloud.json
+++ b/pkg/iac/rego/schemas/cloud.json
@@ -6728,6 +6728,46 @@
        }
      }
    },
+    "github.com.aquasecurity.trivy.pkg.iac.providers.google.iam.AuditConfig": {
+      "type": "object",
+      "properties": {
+        "__defsec_metadata": {
+          "type": "object",
+          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
+        },
+        "auditlogconfigs": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.google.iam.AuditLogConfig"
+          }
+        },
+        "service": {
+          "type": "object",
+          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
+        }
+      }
+    },
+    "github.com.aquasecurity.trivy.pkg.iac.providers.google.iam.AuditLogConfig": {
+      "type": "object",
+      "properties": {
+        "__defsec_metadata": {
+          "type": "object",
+          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
+        },
+        "exemptedmembers": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
+          }
+        },
+        "logtype": {
+          "type": "object",
+          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
+        }
+      }
+    },
    "github.com.aquasecurity.trivy.pkg.iac.providers.google.iam.Binding": {
      "type": "object",
      "properties": {
@@ -6759,6 +6799,13 @@
          "type": "object",
          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
        },
+        "auditconfigs": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.google.iam.AuditConfig"
+          }
+        },
        "bindings": {
          "type": "array",
          "items": {
@@ -6836,6 +6883,13 @@
          "type": "object",
          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
        },
+        "auditconfigs": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.google.iam.AuditConfig"
+          }
+        },
        "bindings": {
          "type": "array",
          "items": {
@@ -6859,6 +6913,13 @@
          "type": "object",
          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
        },
+        "auditconfigs": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.google.iam.AuditConfig"
+          }
+        },
        "autocreatenetwork": {
          "type": "object",
          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.BoolValue"