From b6910e1bc1ec48cf8e77e0217fd881a2135eae14 Mon Sep 17 00:00:00 2001
From: Kenny Leung <kleung@chainguard.dev>
Date: Tue, 3 Sep 2024 08:38:40 -0700
Subject: [PATCH] Revert "Remove laser alerts (#462)"

This reverts commit 7c2050515e62e93a27d69e615d9d4167e2c7012c.
---
 modules/cloudevent-recorder/README.md |   1 +
 modules/cloudevent-recorder/main.tf   |  65 +++++++++++++++++
 modules/configmap/README.md           |   1 +
 modules/configmap/main.tf             |  52 +++++++++++++
 modules/cron/README.md                |   2 +
 modules/cron/main.tf                  | 101 ++++++++++++++++++++++++++
 modules/regional-go-service/main.tf   |   5 ++
 modules/regional-service/README.md    |   1 +
 modules/regional-service/main.tf      |  53 ++++++++++++++
 modules/serverless-gclb/README.md     |   1 +
 modules/serverless-gclb/main.tf       |  42 +++++++++++
 11 files changed, 324 insertions(+)

diff --git a/modules/cloudevent-recorder/README.md b/modules/cloudevent-recorder/README.md
index c1911636..f8bc774e 100644
--- a/modules/cloudevent-recorder/README.md
+++ b/modules/cloudevent-recorder/README.md
@@ -107,6 +107,7 @@ No requirements.
 | [google_bigquery_table.types](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/bigquery_table) | resource |
 | [google_bigquery_table_iam_binding.import-writes-to-tables](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/bigquery_table_iam_binding) | resource |
 | [google_monitoring_alert_policy.bq_dts](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
+| [google_monitoring_alert_policy.bucket-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_pubsub_subscription.dead-letter-pull-sub](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription) | resource |
 | [google_pubsub_subscription.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription) | resource |
 | [google_pubsub_subscription_iam_binding.allow-pubsub-to-ack](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription_iam_binding) | resource |
diff --git a/modules/cloudevent-recorder/main.tf b/modules/cloudevent-recorder/main.tf
index 4dbf9938..ed7a1237 100644
--- a/modules/cloudevent-recorder/main.tf
+++ b/modules/cloudevent-recorder/main.tf
@@ -50,3 +50,68 @@ resource "google_storage_bucket" "recorder" {
 // What identity is deploying this?
 data "google_client_openid_userinfo" "me" {}
 
+resource "google_monitoring_alert_policy" "bucket-access" {
+  # In the absence of data, incident will auto-close after an hour
+  alert_strategy {
+    auto_close = "3600s"
+
+    notification_rate_limit {
+      period = "3600s" // re-alert hourly if condition still valid.
+    }
+  }
+
+  display_name = "Abnormal Event Bucket Access: ${var.name}"
+  combiner     = "OR"
+
+  conditions {
+    display_name = "Bucket Access"
+
+    condition_matched_log {
+      filter = <<EOT
+      logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Fdata_access"
+      protoPayload.serviceName="storage.googleapis.com"
+      protoPayload.resourceName=~"projects/_/buckets/${var.name}-(${join("|", keys(var.regions))})-${random_id.suffix.hex}"
+
+      -- Exclude things that happen during terraform plan.
+      -protoPayload.methodName=("storage.buckets.get")
+
+      -- Don't alert if someone just opens the bucket list in the UI
+      -protoPayload.methodName=("storage.managedFolders.list")
+
+      -- The recorder service write objects into the bucket.
+      -(
+        protoPayload.authenticationInfo.principalEmail="${google_service_account.recorder.email}"
+        protoPayload.methodName="storage.objects.create"
+      )
+
+      -- The importer identity (used by DTS) enumerates and reads objects.
+      -(
+        protoPayload.authenticationInfo.principalEmail="${google_service_account.import-identity.email}"
+        protoPayload.methodName=("storage.objects.get" OR "storage.objects.list")
+      )
+
+      -- Our CI identity reconciles the bucket.
+      -(
+        protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}"
+        protoPayload.methodName=("storage.getIamPermissions")
+      )
+
+      -- Security scanners frequently probe for public buckets via listing buckets
+      -- and then getting permissions, so we ignore these even though they pierce
+      -- the abstraction.
+      -protoPayload.methodName="storage.getIamPermissions"
+      EOT
+
+      label_extractors = {
+        "email"       = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
+        "method_name" = "EXTRACT(protoPayload.methodName)"
+        "user_agent"  = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
+      }
+    }
+  }
+
+  notification_channels = var.notification_channels
+
+  enabled = "true"
+  project = var.project_id
+}
diff --git a/modules/configmap/README.md b/modules/configmap/README.md
index 994bf245..165eff69 100644
--- a/modules/configmap/README.md
+++ b/modules/configmap/README.md
@@ -77,6 +77,7 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [google_monitoring_alert_policy.anomalous-secret-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_secret_manager_secret.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret) | resource |
 | [google_secret_manager_secret_iam_binding.authorize-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam_binding) | resource |
 | [google_secret_manager_secret_version.data](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_version) | resource |
diff --git a/modules/configmap/main.tf b/modules/configmap/main.tf
index a91e401c..09148954 100644
--- a/modules/configmap/main.tf
+++ b/modules/configmap/main.tf
@@ -28,3 +28,55 @@ data "google_project" "project" { project_id = var.project_id }
 // What identity is deploying this?
 data "google_client_openid_userinfo" "me" {}
 
+// Create an alert policy to notify if the secret is accessed by an unauthorized entity.
+resource "google_monitoring_alert_policy" "anomalous-secret-access" {
+  # In the absence of data, incident will auto-close after an hour
+  alert_strategy {
+    auto_close = "3600s"
+
+    notification_rate_limit {
+      period = "3600s" // re-alert hourly if condition still valid.
+    }
+  }
+
+  display_name = "Abnormal ConfigMap Access: ${var.name}"
+  combiner     = "OR"
+
+  conditions {
+    display_name = "Abnormal ConfigMap Access: ${var.name}"
+
+    condition_matched_log {
+      filter = <<EOT
+      -- This looks at logs from both data_access and activity, so we don't filter on either here.
+      protoPayload.serviceName="secretmanager.googleapis.com"
+      (
+        protoPayload.request.name: ("projects/${var.project_id}/secrets/${var.name}/" OR "projects/${data.google_project.project.number}/secrets/${var.name}/") OR
+        protoPayload.request.parent=("projects/${var.project_id}/secrets/${var.name}" OR "projects/${data.google_project.project.number}/secrets/${var.name}")
+      )
+
+      -- Ignore the identity that is intended to access this.
+      -(
+        protoPayload.authenticationInfo.principalEmail="${var.service-account}"
+        protoPayload.methodName="google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"
+      )
+
+      -- Ignore the identity as which we set this up.
+      -(
+        protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}"
+        protoPayload.methodName=("google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion" OR "google.cloud.secretmanager.v1.SecretManagerService.AddSecretVersion" OR "google.cloud.secretmanager.v1.SecretManagerService.GetSecretVersion" OR "google.cloud.secretmanager.v1.SecretManagerService.EnableSecretVersion")
+      )
+      EOT
+
+      label_extractors = {
+        "email"       = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
+        "method_name" = "EXTRACT(protoPayload.methodName)"
+        "user_agent"  = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
+      }
+    }
+  }
+
+  notification_channels = var.notification-channels
+
+  enabled = "true"
+  project = var.project_id
+}
diff --git a/modules/cron/README.md b/modules/cron/README.md
index b0046445..ec098e52 100644
--- a/modules/cron/README.md
+++ b/modules/cron/README.md
@@ -79,6 +79,8 @@ No modules.
 | [google-beta_google_cloud_run_v2_job.job](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_cloud_run_v2_job) | resource |
 | [google_cloud_run_v2_job_iam_binding.authorize-calls](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_v2_job_iam_binding) | resource |
 | [google_cloud_scheduler_job.cron](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_scheduler_job) | resource |
+| [google_monitoring_alert_policy.anomalous-job-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
+| [google_monitoring_alert_policy.anomalous-job-execution](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_monitoring_alert_policy.success](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_project_iam_member.authorize-list](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.metrics-writer](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
diff --git a/modules/cron/main.tf b/modules/cron/main.tf
index f0b01c28..61e2cb2d 100644
--- a/modules/cron/main.tf
+++ b/modules/cron/main.tf
@@ -250,6 +250,107 @@ data "google_project" "project" { project_id = var.project_id }
 // What identity is deploying this?
 data "google_client_openid_userinfo" "me" {}
 
+// Create an alert policy to notify if the job is accessed by an unauthorized entity.
+resource "google_monitoring_alert_policy" "anomalous-job-access" {
+  # In the absence of data, incident will auto-close after an hour
+  alert_strategy {
+    auto_close = "3600s"
+
+    notification_rate_limit {
+      period = "3600s" // re-alert hourly if condition still valid.
+    }
+  }
+
+  display_name = "Abnormal CronJob Access: ${var.name}"
+  combiner     = "OR"
+
+  conditions {
+    display_name = "Abnormal CronJob Access: ${var.name}"
+
+    condition_matched_log {
+      filter = <<EOT
+      logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Factivity"
+      protoPayload.serviceName="run.googleapis.com"
+      protoPayload.resourceName=("${join("\" OR \"", [
+      "namespaces/${var.project_id}/jobs/${var.name}-cron",
+      "projects/${var.project_id}/locations/${var.region}/jobs/${var.name}-cron",
+      ])}")
+
+      -- Allow CI to reconcile jobs and their IAM policies.
+      -(
+        protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}"
+        protoPayload.methodName=("${join("\" OR \"", [
+      "google.cloud.run.v2.Jobs.CreateJob",
+      "google.cloud.run.v2.Jobs.UpdateJob",
+      "google.cloud.run.v2.Jobs.SetIamPolicy",
+])}")
+      )
+      -(
+        protoPayload.authenticationInfo.principalEmail=~"${join("|", concat(var.invokers, [data.google_client_openid_userinfo.me.email]))}"
+        protoPayload.methodName="google.cloud.run.v1.Jobs.RunJob"
+      )
+      EOT
+
+label_extractors = {
+  "email"       = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
+  "method_name" = "EXTRACT(protoPayload.methodName)"
+  "user_agent"  = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
+}
+}
+}
+
+notification_channels = var.notification_channels
+
+enabled = "true"
+project = var.project_id
+}
+
+// Create an alert policy to notify if the job is accessed by an unauthorized entity.
+resource "google_monitoring_alert_policy" "anomalous-job-execution" {
+  # In the absence of data, incident will auto-close after an hour
+  alert_strategy {
+    auto_close = "3600s"
+
+    notification_rate_limit {
+      period = "3600s" // re-alert hourly if condition still valid.
+    }
+  }
+
+  display_name = "Abnormal Job Execution: ${var.name}"
+  combiner     = "OR"
+
+  conditions {
+    display_name = "Abnormal Job Execution: ${var.name}"
+
+    condition_matched_log {
+      filter = <<EOT
+      logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Fdata_access"
+      protoPayload.serviceName="run.googleapis.com"
+      protoPayload.methodName="google.cloud.run.v1.Jobs.RunJob"
+      protoPayload.resourceName=("${join("\" OR \"", [
+      "namespaces/${var.project_id}/jobs/${var.name}-cron",
+      "projects/${var.project_id}/locations/${var.region}/jobs/${var.name}-cron",
+])}")
+
+      -- Allow the delivery service account to run the job, but flag anyone else
+      -protoPayload.authenticationInfo.principalEmail=~"${join("|", [google_service_account.delivery.email, data.google_client_openid_userinfo.me.email])}"
+      EOT
+
+label_extractors = {
+  "email"       = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
+  "method_name" = "EXTRACT(protoPayload.methodName)"
+  "user_agent"  = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
+}
+}
+}
+
+notification_channels = var.notification_channels
+
+enabled = "true"
+project = var.project_id
+}
+
+
 resource "google_monitoring_alert_policy" "success" {
   count = var.success_alert_alignment_period_seconds == 0 ? 0 : 1
 
diff --git a/modules/regional-go-service/main.tf b/modules/regional-go-service/main.tf
index 2b5c1af5..1625868f 100644
--- a/modules/regional-go-service/main.tf
+++ b/modules/regional-go-service/main.tf
@@ -74,6 +74,11 @@ moved {
   to   = module.this.google_cloud_run_v2_service.this
 }
 
+moved {
+  from = google_monitoring_alert_policy.anomalous-service-access
+  to   = module.this.google_monitoring_alert_policy.anomalous-service-access
+}
+
 moved {
   from = google_monitoring_alert_policy.bad-rollout
   to   = module.this.google_monitoring_alert_policy.bad-rollout
diff --git a/modules/regional-service/README.md b/modules/regional-service/README.md
index 812021f9..60fb9c92 100644
--- a/modules/regional-service/README.md
+++ b/modules/regional-service/README.md
@@ -73,6 +73,7 @@ No modules.
 |------|------|
 | [google-beta_google_cloud_run_v2_service.this](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_cloud_run_v2_service) | resource |
 | [google_cloud_run_v2_service_iam_member.public-services-are-unauthenticated](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_v2_service_iam_member) | resource |
+| [google_monitoring_alert_policy.anomalous-service-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_project_iam_member.metrics-writer](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.profiler-writer](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.trace-writer](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
diff --git a/modules/regional-service/main.tf b/modules/regional-service/main.tf
index b1e8100a..6f1b9574 100644
--- a/modules/regional-service/main.tf
+++ b/modules/regional-service/main.tf
@@ -266,6 +266,59 @@ data "google_project" "project" { project_id = var.project_id }
 // What identity is deploying this?
 data "google_client_openid_userinfo" "me" {}
 
+// Create an alert policy to notify if the service is accessed by an unauthorized entity.
+resource "google_monitoring_alert_policy" "anomalous-service-access" {
+  # In the absence of data, incident will auto-close after an hour
+  alert_strategy {
+    auto_close = "3600s"
+
+    notification_rate_limit {
+      period = "3600s" // re-alert hourly if condition still valid.
+    }
+  }
+
+  display_name = "Abnormal Service Access: ${var.name}"
+  combiner     = "OR"
+
+  conditions {
+    display_name = "Abnormal Service Access: ${var.name}"
+
+    condition_matched_log {
+      filter = <<EOT
+      logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Factivity"
+      protoPayload.serviceName="run.googleapis.com"
+      protoPayload.resourceName=("${join("\" OR \"", concat([
+        "namespaces/${var.project_id}/services/${var.name}"
+      ],
+      [
+        for region in keys(var.regions) : "projects/${var.project_id}/locations/${region}/services/${var.name}"
+      ]))}")
+
+      -- Allow CI to reconcile services and their IAM policies.
+      -(
+        protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}"
+        protoPayload.methodName=("${join("\" OR \"", [
+          "google.cloud.run.v2.Services.CreateService",
+          "google.cloud.run.v2.Services.UpdateService",
+          "google.cloud.run.v2.Services.SetIamPolicy",
+        ])}")
+      )
+      EOT
+
+      label_extractors = {
+        "email"       = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
+        "method_name" = "EXTRACT(protoPayload.methodName)"
+        "user_agent"  = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
+      }
+    }
+  }
+
+  notification_channels = var.notification_channels
+
+  enabled = "true"
+  project = var.project_id
+}
+
 // When the service is behind a load balancer, then it is publicly exposed and responsible
 // for handling its own authentication.
 resource "google_cloud_run_v2_service_iam_member" "public-services-are-unauthenticated" {
diff --git a/modules/serverless-gclb/README.md b/modules/serverless-gclb/README.md
index 08dbbb0f..187b3b69 100644
--- a/modules/serverless-gclb/README.md
+++ b/modules/serverless-gclb/README.md
@@ -95,6 +95,7 @@ No modules.
 | [google_compute_target_https_proxy.public-service](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_target_https_proxy) | resource |
 | [google_compute_url_map.public-service](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_url_map) | resource |
 | [google_dns_record_set.public-service](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set) | resource |
+| [google_monitoring_alert_policy.abnormal-gclb-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_client_openid_userinfo.me](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_openid_userinfo) | data source |
 
 ## Inputs
diff --git a/modules/serverless-gclb/main.tf b/modules/serverless-gclb/main.tf
index bdda04db..a7f2726e 100644
--- a/modules/serverless-gclb/main.tf
+++ b/modules/serverless-gclb/main.tf
@@ -162,3 +162,45 @@ locals {
   )
 }
 
+resource "google_monitoring_alert_policy" "abnormal-gclb-access" {
+  # In the absence of data, incident will auto-close after an hour
+  alert_strategy {
+    auto_close = "3600s"
+
+    notification_rate_limit {
+      period = "3600s" // re-alert hourly if condition still valid.
+    }
+  }
+
+  display_name = "Abnormal GCLB Access"
+  combiner     = "OR"
+
+  conditions {
+    display_name = "Anomaly detected"
+
+    condition_matched_log {
+      filter = <<EOT
+      logName=(
+          "projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Factivity"
+       OR "projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Fdata_access"
+      )
+
+      protoPayload.resourceName=("${join("\" OR \"", local.audited-resources)}")
+      -- Allows robots
+      -protoPayload.authenticationInfo.principalEmail=("${join("\" OR \"", local.authorized-accounts)}")
+      -- Allow read-only operations
+      -protoPayload.methodName=~(".*\.get.*" OR ".*\.list.*" OR ".*\.aggregatedList")
+EOT
+      label_extractors = {
+        "email"       = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
+        "method_name" = "EXTRACT(protoPayload.methodName)"
+        "user_agent"  = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
+      }
+    }
+  }
+
+  notification_channels = var.notification_channels
+
+  enabled = "true"
+  project = var.project_id
+}