remove audit-serviceaccount (chainguard-dev#465)

this cleans up the `Abnormal Access Token Generation` alert policy should remove ~200 alert policies in staging and ~150 in prod Signed-off-by: Kenny Leung <kleung@chainguard.dev>
k4leung4 · Jul 25, 2024 · 518fa3c · 518fa3c
1 parent 03789aa
commit 518fa3c
Show file tree

Hide file tree

Showing 17 changed files with 3 additions and 253 deletions.
diff --git a/.github/workflows/documentation.yaml b/.github/workflows/documentation.yaml
@@ -11,7 +11,6 @@ jobs:
       fail-fast: false
       matrix:
         module:
-          - audit-serviceaccount
           - authorize-private-service
           - bucket-events
           - cloudevent-broker

diff --git a/modules/audit-serviceaccount/README.md b/modules/audit-serviceaccount/README.md
diff --git a/modules/audit-serviceaccount/main.tf b/modules/audit-serviceaccount/main.tf
diff --git a/modules/audit-serviceaccount/variables.tf b/modules/audit-serviceaccount/variables.tf
diff --git a/modules/bucket-events/README.md b/modules/bucket-events/README.md
@@ -80,7 +80,6 @@ No requirements.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_audit-delivery-serviceaccount"></a> [audit-delivery-serviceaccount](#module\_audit-delivery-serviceaccount) | ../audit-serviceaccount | n/a |
 | <a name="module_authorize-delivery"></a> [authorize-delivery](#module\_authorize-delivery) | ../authorize-private-service | n/a |
 | <a name="module_http"></a> [http](#module\_http) | ../dashboard/sections/http | n/a |
 | <a name="module_layout"></a> [layout](#module\_layout) | ../dashboard/sections/layout | n/a |

diff --git a/modules/bucket-events/main.tf b/modules/bucket-events/main.tf
@@ -55,20 +55,6 @@ resource "google_service_account_iam_binding" "allow-pubsub-to-mint-tokens" {
   members = ["serviceAccount:${google_project_service_identity.pubsub.email}"]
 }
 
-module "audit-delivery-serviceaccount" {
-  source = "../audit-serviceaccount"
-
-  project_id      = var.project_id
-  service-account = google_service_account.delivery.email
-
-  # The absence of authorized identities here means that
-  # nothing is authorized to act as this service account.
-  # Note: Cloud Pub/Sub's usage doesn't show up in the
-  # audit logs.
-
-  notification_channels = var.notification_channels
-}
-
 module "this" {
   source     = "../regional-go-service"
   project_id = var.project_id

diff --git a/modules/cloudevent-recorder/README.md b/modules/cloudevent-recorder/README.md
@@ -93,7 +93,6 @@ No requirements.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_audit-import-serviceaccount"></a> [audit-import-serviceaccount](#module\_audit-import-serviceaccount) | ../audit-serviceaccount | n/a |
 | <a name="module_recorder-dashboard"></a> [recorder-dashboard](#module\_recorder-dashboard) | ../dashboard/cloudevent-receiver | n/a |
 | <a name="module_this"></a> [this](#module\_this) | ../regional-go-service | n/a |
 | <a name="module_triggers"></a> [triggers](#module\_triggers) | ../cloudevent-trigger | n/a |

diff --git a/modules/cloudevent-recorder/bigquery.tf b/modules/cloudevent-recorder/bigquery.tf
@@ -74,20 +74,6 @@ resource "google_service_account_iam_binding" "provisioner-acts-as-import-identi
   members            = [var.provisioner]
 }
 
-module "audit-import-serviceaccount" {
-  source = "../audit-serviceaccount"
-
-  project_id      = var.project_id
-  service-account = google_service_account.import-identity.email
-
-  # The absence of authorized identities here means that
-  # nothing is authorized to act as this service account.
-  # Note: BigQuery DTS's usage doesn't show up in the
-  # audit logs.
-
-  notification_channels = var.notification_channels
-}
-
 // Create a BQ DTS job for each of the regions x types pulling from the appropriate buckets and paths.
 resource "google_bigquery_data_transfer_config" "import-job" {
   for_each = local.regional-types

diff --git a/modules/cloudevent-trigger/README.md b/modules/cloudevent-trigger/README.md
@@ -92,7 +92,6 @@ No requirements.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_audit-trigger-serviceaccount"></a> [audit-trigger-serviceaccount](#module\_audit-trigger-serviceaccount) | ../audit-serviceaccount | n/a |
 | <a name="module_authorize-delivery"></a> [authorize-delivery](#module\_authorize-delivery) | ../authorize-private-service | n/a |
 
 ## Resources

diff --git a/modules/cloudevent-trigger/main.tf b/modules/cloudevent-trigger/main.tf
@@ -30,20 +30,6 @@ resource "google_service_account_iam_binding" "allow-pubsub-to-mint-tokens" {
   members = ["serviceAccount:${google_project_service_identity.pubsub.email}"]
 }
 
-module "audit-trigger-serviceaccount" {
-  source = "../audit-serviceaccount"
-
-  project_id      = var.project_id
-  service-account = google_service_account.this.email
-
-  # The absence of authorized identities here means that
-  # nothing is authorized to act as this service account.
-  # Note: Cloud Pub/Sub's usage doesn't show up in the
-  # audit logs.
-
-  notification_channels = var.notification_channels
-}
-
 // Authorize this service account to invoke the private service receiving
 // events from this trigger.
 module "authorize-delivery" {

diff --git a/modules/cron/README.md b/modules/cron/README.md
@@ -70,10 +70,7 @@ No requirements.
 
 ## Modules
 
-| Name | Source | Version |
-|------|--------|---------|
-| <a name="module_audit-cronjob-serviceaccount"></a> [audit-cronjob-serviceaccount](#module\_audit-cronjob-serviceaccount) | ../audit-serviceaccount | n/a |
-| <a name="module_audit-delivery-serviceaccount"></a> [audit-delivery-serviceaccount](#module\_audit-delivery-serviceaccount) | ../audit-serviceaccount | n/a |
+No modules.
 
 ## Resources
 

diff --git a/modules/cron/main.tf b/modules/cron/main.tf
@@ -18,20 +18,6 @@ resource "google_project_service" "cloudscheduler" {
   disable_on_destroy = false
 }
 
-module "audit-cronjob-serviceaccount" {
-  source = "../audit-serviceaccount"
-
-  project_id      = var.project_id
-  service-account = var.service_account
-
-  # The absence of authorized identities here means that
-  # nothing is authorized to act as this service account.
-  # Note: Cloud Run's usage doesn't show up in the
-  # audit logs.
-
-  notification_channels = var.notification_channels
-}
-
 locals {
   repo = var.repository != "" ? var.repository : "gcr.io/${var.project_id}/${var.name}"
 }
@@ -180,20 +166,6 @@ resource "google_service_account" "delivery" {
   display_name = "Dedicated service account for invoking ${google_cloud_run_v2_job.job.name}."
 }
 
-module "audit-delivery-serviceaccount" {
-  source = "../audit-serviceaccount"
-
-  project_id      = var.project_id
-  service-account = google_service_account.delivery.email
-
-  # The absence of authorized identities here means that
-  # nothing is authorized to act as this service account.
-  # Note: Cloud Scheduler's usage doesn't show up in the
-  # audit logs.
-
-  notification_channels = var.notification_channels
-}
-
 resource "google_cloud_run_v2_job_iam_binding" "authorize-calls" {
   project  = google_cloud_run_v2_job.job.project
   location = google_cloud_run_v2_job.job.location

diff --git a/modules/github-gsa/README.md b/modules/github-gsa/README.md
@@ -42,9 +42,7 @@ No requirements.
 
 ## Modules
 
-| Name | Source | Version |
-|------|--------|---------|
-| <a name="module_audit-usage"></a> [audit-usage](#module\_audit-usage) | ../audit-serviceaccount | n/a |
+No modules.
 
 ## Resources
 

diff --git a/modules/github-gsa/main.tf b/modules/github-gsa/main.tf
@@ -132,15 +132,3 @@ resource "google_service_account_iam_binding" "allow-impersonation" {
     }
   }
 }
-
-// Create an auditing policy to ensure that tokens are only issued for identities
-// matching our expectations.
-module "audit-usage" {
-  source = "../audit-serviceaccount"
-
-  project_id      = var.project_id
-  service-account = google_service_account.this.email
-
-  allowed_principal_regex = local.principalSubject
-  notification_channels   = var.notification_channels
-}
diff --git a/modules/regional-go-service/main.tf b/modules/regional-go-service/main.tf
@@ -5,11 +5,6 @@ terraform {
   }
 }
 
-moved {
-  from = module.audit-serviceaccount
-  to   = module.this.module.audit-serviceaccount
-}
-
 moved {
   from = google_project_iam_member.metrics-writer
   to   = module.this.google_project_iam_member.metrics-writer

diff --git a/modules/regional-service/README.md b/modules/regional-service/README.md
@@ -65,9 +65,7 @@ No requirements.
 
 ## Modules
 
-| Name | Source | Version |
-|------|--------|---------|
-| <a name="module_audit-serviceaccount"></a> [audit-serviceaccount](#module\_audit-serviceaccount) | ../audit-serviceaccount | n/a |
+No modules.
 
 ## Resources
 

diff --git a/modules/regional-service/main.tf b/modules/regional-service/main.tf
@@ -1,16 +1,3 @@
-module "audit-serviceaccount" {
-  source = "../audit-serviceaccount"
-
-  project_id      = var.project_id
-  service-account = var.service_account
-
-  # The absence of authorized identities here means that
-  # nothing is authorized to act as this service account.
-  # Note: Cloud Run's usage doesn't show up in the audit logs.
-
-  notification_channels = var.notification_channels
-}
-
 resource "google_project_iam_member" "metrics-writer" {
   project = var.project_id
   role    = "roles/monitoring.metricWriter"