From 9693fda902f3c958aca7cd43ed6fefb82ce11287 Mon Sep 17 00:00:00 2001
From: Nghia Tran <tcnghia@gmail.com>
Date: Wed, 24 Jul 2024 16:32:07 -0700
Subject: [PATCH 1/2] Remove laser alerts

Signed-off-by: Nghia Tran <tcnghia@gmail.com>
---
 modules/cloudevent-recorder/README.md |   1 -
 modules/cloudevent-recorder/main.tf   |  65 -----------------
 modules/configmap/README.md           |   1 -
 modules/configmap/main.tf             |  52 -------------
 modules/cron/README.md                |   2 -
 modules/cron/main.tf                  | 101 --------------------------
 modules/regional-go-service/main.tf   |   5 --
 modules/regional-service/README.md    |   1 -
 modules/regional-service/main.tf      |  53 --------------
 modules/secret/README.md              |   1 -
 modules/secret/main.tf                |  46 ------------
 modules/serverless-gclb/README.md     |   1 -
 modules/serverless-gclb/main.tf       |  42 -----------
 13 files changed, 371 deletions(-)

diff --git a/modules/cloudevent-recorder/README.md b/modules/cloudevent-recorder/README.md
index 60dbcf39..1e02ec64 100644
--- a/modules/cloudevent-recorder/README.md
+++ b/modules/cloudevent-recorder/README.md
@@ -108,7 +108,6 @@ No requirements.
 | [google_bigquery_table.types](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/bigquery_table) | resource |
 | [google_bigquery_table_iam_binding.import-writes-to-tables](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/bigquery_table_iam_binding) | resource |
 | [google_monitoring_alert_policy.bq_dts](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
-| [google_monitoring_alert_policy.bucket-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_pubsub_subscription.dead-letter-pull-sub](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription) | resource |
 | [google_pubsub_subscription.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription) | resource |
 | [google_pubsub_subscription_iam_binding.allow-pubsub-to-ack](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription_iam_binding) | resource |
diff --git a/modules/cloudevent-recorder/main.tf b/modules/cloudevent-recorder/main.tf
index ed7a1237..4dbf9938 100644
--- a/modules/cloudevent-recorder/main.tf
+++ b/modules/cloudevent-recorder/main.tf
@@ -50,68 +50,3 @@ resource "google_storage_bucket" "recorder" {
 // What identity is deploying this?
 data "google_client_openid_userinfo" "me" {}
 
-resource "google_monitoring_alert_policy" "bucket-access" {
-  # In the absence of data, incident will auto-close after an hour
-  alert_strategy {
-    auto_close = "3600s"
-
-    notification_rate_limit {
-      period = "3600s" // re-alert hourly if condition still valid.
-    }
-  }
-
-  display_name = "Abnormal Event Bucket Access: ${var.name}"
-  combiner     = "OR"
-
-  conditions {
-    display_name = "Bucket Access"
-
-    condition_matched_log {
-      filter = <<EOT
-      logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Fdata_access"
-      protoPayload.serviceName="storage.googleapis.com"
-      protoPayload.resourceName=~"projects/_/buckets/${var.name}-(${join("|", keys(var.regions))})-${random_id.suffix.hex}"
-
-      -- Exclude things that happen during terraform plan.
-      -protoPayload.methodName=("storage.buckets.get")
-
-      -- Don't alert if someone just opens the bucket list in the UI
-      -protoPayload.methodName=("storage.managedFolders.list")
-
-      -- The recorder service write objects into the bucket.
-      -(
-        protoPayload.authenticationInfo.principalEmail="${google_service_account.recorder.email}"
-        protoPayload.methodName="storage.objects.create"
-      )
-
-      -- The importer identity (used by DTS) enumerates and reads objects.
-      -(
-        protoPayload.authenticationInfo.principalEmail="${google_service_account.import-identity.email}"
-        protoPayload.methodName=("storage.objects.get" OR "storage.objects.list")
-      )
-
-      -- Our CI identity reconciles the bucket.
-      -(
-        protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}"
-        protoPayload.methodName=("storage.getIamPermissions")
-      )
-
-      -- Security scanners frequently probe for public buckets via listing buckets
-      -- and then getting permissions, so we ignore these even though they pierce
-      -- the abstraction.
-      -protoPayload.methodName="storage.getIamPermissions"
-      EOT
-
-      label_extractors = {
-        "email"       = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
-        "method_name" = "EXTRACT(protoPayload.methodName)"
-        "user_agent"  = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
-      }
-    }
-  }
-
-  notification_channels = var.notification_channels
-
-  enabled = "true"
-  project = var.project_id
-}
diff --git a/modules/configmap/README.md b/modules/configmap/README.md
index 165eff69..994bf245 100644
--- a/modules/configmap/README.md
+++ b/modules/configmap/README.md
@@ -77,7 +77,6 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [google_monitoring_alert_policy.anomalous-secret-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_secret_manager_secret.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret) | resource |
 | [google_secret_manager_secret_iam_binding.authorize-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam_binding) | resource |
 | [google_secret_manager_secret_version.data](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_version) | resource |
diff --git a/modules/configmap/main.tf b/modules/configmap/main.tf
index 09148954..a91e401c 100644
--- a/modules/configmap/main.tf
+++ b/modules/configmap/main.tf
@@ -28,55 +28,3 @@ data "google_project" "project" { project_id = var.project_id }
 // What identity is deploying this?
 data "google_client_openid_userinfo" "me" {}
 
-// Create an alert policy to notify if the secret is accessed by an unauthorized entity.
-resource "google_monitoring_alert_policy" "anomalous-secret-access" {
-  # In the absence of data, incident will auto-close after an hour
-  alert_strategy {
-    auto_close = "3600s"
-
-    notification_rate_limit {
-      period = "3600s" // re-alert hourly if condition still valid.
-    }
-  }
-
-  display_name = "Abnormal ConfigMap Access: ${var.name}"
-  combiner     = "OR"
-
-  conditions {
-    display_name = "Abnormal ConfigMap Access: ${var.name}"
-
-    condition_matched_log {
-      filter = <<EOT
-      -- This looks at logs from both data_access and activity, so we don't filter on either here.
-      protoPayload.serviceName="secretmanager.googleapis.com"
-      (
-        protoPayload.request.name: ("projects/${var.project_id}/secrets/${var.name}/" OR "projects/${data.google_project.project.number}/secrets/${var.name}/") OR
-        protoPayload.request.parent=("projects/${var.project_id}/secrets/${var.name}" OR "projects/${data.google_project.project.number}/secrets/${var.name}")
-      )
-
-      -- Ignore the identity that is intended to access this.
-      -(
-        protoPayload.authenticationInfo.principalEmail="${var.service-account}"
-        protoPayload.methodName="google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"
-      )
-
-      -- Ignore the identity as which we set this up.
-      -(
-        protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}"
-        protoPayload.methodName=("google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion" OR "google.cloud.secretmanager.v1.SecretManagerService.AddSecretVersion" OR "google.cloud.secretmanager.v1.SecretManagerService.GetSecretVersion" OR "google.cloud.secretmanager.v1.SecretManagerService.EnableSecretVersion")
-      )
-      EOT
-
-      label_extractors = {
-        "email"       = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
-        "method_name" = "EXTRACT(protoPayload.methodName)"
-        "user_agent"  = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
-      }
-    }
-  }
-
-  notification_channels = var.notification-channels
-
-  enabled = "true"
-  project = var.project_id
-}
diff --git a/modules/cron/README.md b/modules/cron/README.md
index dc0b6437..dce5a992 100644
--- a/modules/cron/README.md
+++ b/modules/cron/README.md
@@ -82,8 +82,6 @@ No requirements.
 | [google-beta_google_cloud_run_v2_job.job](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_cloud_run_v2_job) | resource |
 | [google_cloud_run_v2_job_iam_binding.authorize-calls](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_v2_job_iam_binding) | resource |
 | [google_cloud_scheduler_job.cron](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_scheduler_job) | resource |
-| [google_monitoring_alert_policy.anomalous-job-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
-| [google_monitoring_alert_policy.anomalous-job-execution](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_monitoring_alert_policy.success](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_project_iam_member.authorize-list](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_service.cloud_run_api](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |
diff --git a/modules/cron/main.tf b/modules/cron/main.tf
index a0070ff8..3a75f923 100644
--- a/modules/cron/main.tf
+++ b/modules/cron/main.tf
@@ -235,107 +235,6 @@ data "google_project" "project" { project_id = var.project_id }
 // What identity is deploying this?
 data "google_client_openid_userinfo" "me" {}
 
-// Create an alert policy to notify if the job is accessed by an unauthorized entity.
-resource "google_monitoring_alert_policy" "anomalous-job-access" {
-  # In the absence of data, incident will auto-close after an hour
-  alert_strategy {
-    auto_close = "3600s"
-
-    notification_rate_limit {
-      period = "3600s" // re-alert hourly if condition still valid.
-    }
-  }
-
-  display_name = "Abnormal CronJob Access: ${var.name}"
-  combiner     = "OR"
-
-  conditions {
-    display_name = "Abnormal CronJob Access: ${var.name}"
-
-    condition_matched_log {
-      filter = <<EOT
-      logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Factivity"
-      protoPayload.serviceName="run.googleapis.com"
-      protoPayload.resourceName=("${join("\" OR \"", [
-      "namespaces/${var.project_id}/jobs/${var.name}-cron",
-      "projects/${var.project_id}/locations/${var.region}/jobs/${var.name}-cron",
-      ])}")
-
-      -- Allow CI to reconcile jobs and their IAM policies.
-      -(
-        protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}"
-        protoPayload.methodName=("${join("\" OR \"", [
-      "google.cloud.run.v2.Jobs.CreateJob",
-      "google.cloud.run.v2.Jobs.UpdateJob",
-      "google.cloud.run.v2.Jobs.SetIamPolicy",
-])}")
-      )
-      -(
-        protoPayload.authenticationInfo.principalEmail=~"${join("|", concat(var.invokers, [data.google_client_openid_userinfo.me.email]))}"
-        protoPayload.methodName="google.cloud.run.v1.Jobs.RunJob"
-      )
-      EOT
-
-label_extractors = {
-  "email"       = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
-  "method_name" = "EXTRACT(protoPayload.methodName)"
-  "user_agent"  = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
-}
-}
-}
-
-notification_channels = var.notification_channels
-
-enabled = "true"
-project = var.project_id
-}
-
-// Create an alert policy to notify if the job is accessed by an unauthorized entity.
-resource "google_monitoring_alert_policy" "anomalous-job-execution" {
-  # In the absence of data, incident will auto-close after an hour
-  alert_strategy {
-    auto_close = "3600s"
-
-    notification_rate_limit {
-      period = "3600s" // re-alert hourly if condition still valid.
-    }
-  }
-
-  display_name = "Abnormal Job Execution: ${var.name}"
-  combiner     = "OR"
-
-  conditions {
-    display_name = "Abnormal Job Execution: ${var.name}"
-
-    condition_matched_log {
-      filter = <<EOT
-      logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Fdata_access"
-      protoPayload.serviceName="run.googleapis.com"
-      protoPayload.methodName="google.cloud.run.v1.Jobs.RunJob"
-      protoPayload.resourceName=("${join("\" OR \"", [
-      "namespaces/${var.project_id}/jobs/${var.name}-cron",
-      "projects/${var.project_id}/locations/${var.region}/jobs/${var.name}-cron",
-])}")
-
-      -- Allow the delivery service account to run the job, but flag anyone else
-      -protoPayload.authenticationInfo.principalEmail=~"${join("|", [google_service_account.delivery.email, data.google_client_openid_userinfo.me.email])}"
-      EOT
-
-label_extractors = {
-  "email"       = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
-  "method_name" = "EXTRACT(protoPayload.methodName)"
-  "user_agent"  = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
-}
-}
-}
-
-notification_channels = var.notification_channels
-
-enabled = "true"
-project = var.project_id
-}
-
-
 resource "google_monitoring_alert_policy" "success" {
   count = var.success_alert_alignment_period_seconds == 0 ? 0 : 1
 
diff --git a/modules/regional-go-service/main.tf b/modules/regional-go-service/main.tf
index 6efffcc5..6a61e551 100644
--- a/modules/regional-go-service/main.tf
+++ b/modules/regional-go-service/main.tf
@@ -79,11 +79,6 @@ moved {
   to   = module.this.google_cloud_run_v2_service.this
 }
 
-moved {
-  from = google_monitoring_alert_policy.anomalous-service-access
-  to   = module.this.google_monitoring_alert_policy.anomalous-service-access
-}
-
 moved {
   from = google_monitoring_alert_policy.bad-rollout
   to   = module.this.google_monitoring_alert_policy.bad-rollout
diff --git a/modules/regional-service/README.md b/modules/regional-service/README.md
index 004cf5e7..14de990e 100644
--- a/modules/regional-service/README.md
+++ b/modules/regional-service/README.md
@@ -75,7 +75,6 @@ No requirements.
 |------|------|
 | [google-beta_google_cloud_run_v2_service.this](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_cloud_run_v2_service) | resource |
 | [google_cloud_run_v2_service_iam_member.public-services-are-unauthenticated](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_v2_service_iam_member) | resource |
-| [google_monitoring_alert_policy.anomalous-service-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_project_iam_member.metrics-writer](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.profiler-writer](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.trace-writer](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
diff --git a/modules/regional-service/main.tf b/modules/regional-service/main.tf
index eb677d78..1aaf78d9 100644
--- a/modules/regional-service/main.tf
+++ b/modules/regional-service/main.tf
@@ -274,59 +274,6 @@ data "google_project" "project" { project_id = var.project_id }
 // What identity is deploying this?
 data "google_client_openid_userinfo" "me" {}
 
-// Create an alert policy to notify if the service is accessed by an unauthorized entity.
-resource "google_monitoring_alert_policy" "anomalous-service-access" {
-  # In the absence of data, incident will auto-close after an hour
-  alert_strategy {
-    auto_close = "3600s"
-
-    notification_rate_limit {
-      period = "3600s" // re-alert hourly if condition still valid.
-    }
-  }
-
-  display_name = "Abnormal Service Access: ${var.name}"
-  combiner     = "OR"
-
-  conditions {
-    display_name = "Abnormal Service Access: ${var.name}"
-
-    condition_matched_log {
-      filter = <<EOT
-      logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Factivity"
-      protoPayload.serviceName="run.googleapis.com"
-      protoPayload.resourceName=("${join("\" OR \"", concat([
-        "namespaces/${var.project_id}/services/${var.name}"
-      ],
-      [
-        for region in keys(var.regions) : "projects/${var.project_id}/locations/${region}/services/${var.name}"
-      ]))}")
-
-      -- Allow CI to reconcile services and their IAM policies.
-      -(
-        protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}"
-        protoPayload.methodName=("${join("\" OR \"", [
-          "google.cloud.run.v2.Services.CreateService",
-          "google.cloud.run.v2.Services.UpdateService",
-          "google.cloud.run.v2.Services.SetIamPolicy",
-        ])}")
-      )
-      EOT
-
-      label_extractors = {
-        "email"       = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
-        "method_name" = "EXTRACT(protoPayload.methodName)"
-        "user_agent"  = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
-      }
-    }
-  }
-
-  notification_channels = var.notification_channels
-
-  enabled = "true"
-  project = var.project_id
-}
-
 // When the service is behind a load balancer, then it is publicly exposed and responsible
 // for handling its own authentication.
 resource "google_cloud_run_v2_service_iam_member" "public-services-are-unauthenticated" {
diff --git a/modules/secret/README.md b/modules/secret/README.md
index 5856a0f0..e31d6894 100644
--- a/modules/secret/README.md
+++ b/modules/secret/README.md
@@ -76,7 +76,6 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [google_monitoring_alert_policy.anomalous-secret-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_secret_manager_secret.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret) | resource |
 | [google_secret_manager_secret_iam_binding.authorize-service-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam_binding) | resource |
 | [google_secret_manager_secret_iam_binding.authorize-version-adder](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam_binding) | resource |
diff --git a/modules/secret/main.tf b/modules/secret/main.tf
index 3beb9ff4..632007da 100644
--- a/modules/secret/main.tf
+++ b/modules/secret/main.tf
@@ -39,49 +39,3 @@ resource "google_secret_manager_secret_iam_binding" "authorize-version-adder" {
 // Get a project number for this project ID.
 data "google_project" "project" { project_id = var.project_id }
 
-// Create an alert policy to notify if the secret is accessed by an unauthorized entity.
-resource "google_monitoring_alert_policy" "anomalous-secret-access" {
-  # In the absence of data, incident will auto-close after an hour
-  alert_strategy {
-    auto_close = "3600s"
-
-    notification_rate_limit {
-      period = "3600s" // re-alert hourly if condition still valid.
-    }
-  }
-
-  display_name = "Abnormal Secret Access: ${var.name}"
-  combiner     = "OR"
-
-  conditions {
-    display_name = "Abnormal Secret Access: ${var.name}"
-
-    condition_matched_log {
-      filter = <<EOT
-      -- This looks at logs from both data_access and activity, so we don't filter on either here.
-      protoPayload.serviceName="secretmanager.googleapis.com"
-      (
-        protoPayload.request.name: ("projects/${var.project_id}/secrets/${var.name}/" OR "projects/${data.google_project.project.number}/secrets/${var.name}/") OR
-        protoPayload.request.parent=("projects/${var.project_id}/secrets/${var.name}" OR "projects/${data.google_project.project.number}/secrets/${var.name}")
-      )
-
-      -- Ignore the identity that is intended to access this.
-      -(
-        protoPayload.authenticationInfo.principalEmail="${var.service-account}"
-        protoPayload.methodName="google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"
-      )
-      EOT
-
-      label_extractors = {
-        "email"       = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
-        "method_name" = "EXTRACT(protoPayload.methodName)"
-        "user_agent"  = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
-      }
-    }
-  }
-
-  notification_channels = var.notification-channels
-
-  enabled = "true"
-  project = var.project_id
-}
diff --git a/modules/serverless-gclb/README.md b/modules/serverless-gclb/README.md
index 795ade30..30c5495e 100644
--- a/modules/serverless-gclb/README.md
+++ b/modules/serverless-gclb/README.md
@@ -92,7 +92,6 @@ No modules.
 | [google_compute_target_https_proxy.public-service](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_target_https_proxy) | resource |
 | [google_compute_url_map.public-service](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_url_map) | resource |
 | [google_dns_record_set.public-service](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set) | resource |
-| [google_monitoring_alert_policy.abnormal-gclb-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_client_openid_userinfo.me](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_openid_userinfo) | data source |
 
 ## Inputs
diff --git a/modules/serverless-gclb/main.tf b/modules/serverless-gclb/main.tf
index 34d6db4b..8e098996 100644
--- a/modules/serverless-gclb/main.tf
+++ b/modules/serverless-gclb/main.tf
@@ -149,45 +149,3 @@ locals {
   )
 }
 
-resource "google_monitoring_alert_policy" "abnormal-gclb-access" {
-  # In the absence of data, incident will auto-close after an hour
-  alert_strategy {
-    auto_close = "3600s"
-
-    notification_rate_limit {
-      period = "3600s" // re-alert hourly if condition still valid.
-    }
-  }
-
-  display_name = "Abnormal GCLB Access"
-  combiner     = "OR"
-
-  conditions {
-    display_name = "Anomaly detected"
-
-    condition_matched_log {
-      filter = <<EOT
-      logName=(
-          "projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Factivity"
-       OR "projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Fdata_access"
-      )
-
-      protoPayload.resourceName=("${join("\" OR \"", local.audited-resources)}")
-      -- Allows robots
-      -protoPayload.authenticationInfo.principalEmail=("${join("\" OR \"", local.authorized-accounts)}")
-      -- Allow read-only operations
-      -protoPayload.methodName=~(".*\.get.*" OR ".*\.list.*" OR ".*\.aggregatedList")
-EOT
-      label_extractors = {
-        "email"       = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
-        "method_name" = "EXTRACT(protoPayload.methodName)"
-        "user_agent"  = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
-      }
-    }
-  }
-
-  notification_channels = var.notification_channels
-
-  enabled = "true"
-  project = var.project_id
-}

From e9b126c14d815607297280637c1516abde5c9e22 Mon Sep 17 00:00:00 2001
From: Nghia Tran <tcnghia@gmail.com>
Date: Wed, 24 Jul 2024 16:48:29 -0700
Subject: [PATCH 2/2] Revert secrets

Signed-off-by: Nghia Tran <tcnghia@gmail.com>
---
 modules/secret/README.md |  1 +
 modules/secret/main.tf   | 46 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)

diff --git a/modules/secret/README.md b/modules/secret/README.md
index e31d6894..5856a0f0 100644
--- a/modules/secret/README.md
+++ b/modules/secret/README.md
@@ -76,6 +76,7 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [google_monitoring_alert_policy.anomalous-secret-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_secret_manager_secret.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret) | resource |
 | [google_secret_manager_secret_iam_binding.authorize-service-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam_binding) | resource |
 | [google_secret_manager_secret_iam_binding.authorize-version-adder](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam_binding) | resource |
diff --git a/modules/secret/main.tf b/modules/secret/main.tf
index 632007da..3beb9ff4 100644
--- a/modules/secret/main.tf
+++ b/modules/secret/main.tf
@@ -39,3 +39,49 @@ resource "google_secret_manager_secret_iam_binding" "authorize-version-adder" {
 // Get a project number for this project ID.
 data "google_project" "project" { project_id = var.project_id }
 
+// Create an alert policy to notify if the secret is accessed by an unauthorized entity.
+resource "google_monitoring_alert_policy" "anomalous-secret-access" {
+  # In the absence of data, incident will auto-close after an hour
+  alert_strategy {
+    auto_close = "3600s"
+
+    notification_rate_limit {
+      period = "3600s" // re-alert hourly if condition still valid.
+    }
+  }
+
+  display_name = "Abnormal Secret Access: ${var.name}"
+  combiner     = "OR"
+
+  conditions {
+    display_name = "Abnormal Secret Access: ${var.name}"
+
+    condition_matched_log {
+      filter = <<EOT
+      -- This looks at logs from both data_access and activity, so we don't filter on either here.
+      protoPayload.serviceName="secretmanager.googleapis.com"
+      (
+        protoPayload.request.name: ("projects/${var.project_id}/secrets/${var.name}/" OR "projects/${data.google_project.project.number}/secrets/${var.name}/") OR
+        protoPayload.request.parent=("projects/${var.project_id}/secrets/${var.name}" OR "projects/${data.google_project.project.number}/secrets/${var.name}")
+      )
+
+      -- Ignore the identity that is intended to access this.
+      -(
+        protoPayload.authenticationInfo.principalEmail="${var.service-account}"
+        protoPayload.methodName="google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"
+      )
+      EOT
+
+      label_extractors = {
+        "email"       = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
+        "method_name" = "EXTRACT(protoPayload.methodName)"
+        "user_agent"  = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
+      }
+    }
+  }
+
+  notification_channels = var.notification-channels
+
+  enabled = "true"
+  project = var.project_id
+}