feat: add policyanalyzer.activityAnalysisViewer (#99)
* feat: add policyanalyzer.activityAnalysisViewer

This role permits gcp-cfg-collector to gather additional service account key context (specifically recent usage)

PSP-2485

* feat: add policyanalyzer.activityAnalysisViewer

Add policyanalyzer to required config apis

PSP-2485

* feat: add policyanalyzer.activityAnalysisViewer

Use make terraform-docs

PSP-2485
hazedav authored Oct 4, 2024
1 parent 2e52c0a commit b52b22f
Showing 3 changed files with 9 additions and 3 deletions.
4 changes: 3 additions & 1 deletion README.md
Expand Up @@ -21,6 +21,7 @@ e.g. `terraform state rm 'google_project_iam_binding.for_lacework_service_accoun
roles/browser
roles/iam.securityReviewer
roles/cloudasset.viewer
roles/policyanalyzer.activityAnalysisViewer
```

The following custom role is required depending on the integration level.
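Review bot: the README now lists `roles/policyanalyzer.activityAnalysisViewer` as a required predefined role but gives no rationale, and the page's own `skip_iam_grants` description warns that "integration will fail if grants are not in place prior to execution". Customers who manage IAM as code outside this module will need to add this new grant themselves, so a one-line note here saying what the role enables (the commit message says: recent-usage context for service account keys) and that existing `skip_iam_grants` deployments must grant it before upgrading would make the least-privilege review and the migration obvious.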
Expand Down Expand Up @@ -50,6 +51,7 @@ cloudresourcemanager.googleapis.com
storage-component.googleapis.com
cloudasset.googleapis.com
essentialcontacts.googleapis.com
policyanalyzer.googleapis.com
```
<!-- BEGIN_TF_DOCS -->
## Requirements
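Review bot: this API list is hand-maintained while the `required_config_apis` table further down is generated by terraform-docs from `variables.tf`, so the two can drift. Since the collector needs `policyanalyzer.googleapis.com` enabled for the new role to be useful, consider stating that the module enables it via `required_config_apis` (or that it must be pre-enabled when the module is not allowed to manage service usage), rather than only appending the API name.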
Expand Down Expand Up @@ -109,7 +111,7 @@ essentialcontacts.googleapis.com
| <a name="input_organization_id"></a> [organization\_id](#input\_organization\_id) | The organization ID, required if org\_integration is set to true | `string` | `""` | no |
| <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix that will be use at the beginning of every generated resource | `string` | `"lw-cfg"` | no |
| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | A project ID different from the default defined inside the provider | `string` | `""` | no |
| <a name="input_required_config_apis"></a> [required\_config\_apis](#input\_required\_config\_apis) | n/a | `map(any)` | <pre>{<br> "bigquery": "bigquery.googleapis.com",<br> "cloudasset_inventory": "cloudasset.googleapis.com",<br> "compute": "compute.googleapis.com",<br> "containers": "container.googleapis.com",<br> "dns": "dns.googleapis.com",<br> "essentialcontacts": "essentialcontacts.googleapis.com",<br> "iam": "iam.googleapis.com",<br> "kms": "cloudkms.googleapis.com",<br> "logging": "logging.googleapis.com",<br> "pubsub": "pubsub.googleapis.com",<br> "resourcemanager": "cloudresourcemanager.googleapis.com",<br> "serviceusage": "serviceusage.googleapis.com",<br> "sqladmin": "sqladmin.googleapis.com",<br> "storage_component": "storage-component.googleapis.com"<br>}</pre> | no |
| <a name="input_required_config_apis"></a> [required\_config\_apis](#input\_required\_config\_apis) | n/a | `map(any)` | <pre>{<br> "bigquery": "bigquery.googleapis.com",<br> "cloudasset_inventory": "cloudasset.googleapis.com",<br> "compute": "compute.googleapis.com",<br> "containers": "container.googleapis.com",<br> "dns": "dns.googleapis.com",<br> "essentialcontacts": "essentialcontacts.googleapis.com",<br> "iam": "iam.googleapis.com",<br> "kms": "cloudkms.googleapis.com",<br> "logging": "logging.googleapis.com",<br> "policyanalyzer": "policyanalyzer.googleapis.com",<br> "pubsub": "pubsub.googleapis.com",<br> "resourcemanager": "cloudresourcemanager.googleapis.com",<br> "serviceusage": "serviceusage.googleapis.com",<br> "sqladmin": "sqladmin.googleapis.com",<br> "storage_component": "storage-component.googleapis.com"<br>}</pre> | no |
| <a name="input_service_account_name"></a> [service\_account\_name](#input\_service\_account\_name) | The Service Account name (required when use\_existing\_service\_account is set to true). This can also be used to specify the new service account name when use\_existing\_service\_account is set to false | `string` | `""` | no |
| <a name="input_service_account_private_key"></a> [service\_account\_private\_key](#input\_service\_account\_private\_key) | The private key in JSON format, base64 encoded (required when use\_existing\_service\_account is set to true) | `string` | `""` | no |
| <a name="input_skip_iam_grants"></a> [skip\_iam\_grants](#input\_skip\_iam\_grants) | Skip generation of custom role, and IAM grants to the Service Account, for customers who use IAM policy-as-code external to the Lacework module. WARNING - integration will fail if grants are not in place prior to execution. 'use\_existing\_service\_account' must also be set to `true` | `bool` | `false` | no |
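Review bot: the `required_config_apis` row still renders its description as `n/a`, so the generated docs never explain what the map controls or that `policyanalyzer.googleapis.com` was added to its default. Adding a `description` to the variable in `variables.tf` (for example: "APIs the module enables in the project so the integration can collect configuration") would make terraform-docs fill this column on the next `make terraform-docs` run.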
7 changes: 5 additions & 2 deletions main.tf
Expand Up @@ -23,13 +23,15 @@ locals {
default_project_roles = local.skip_iam_grants ? [] : [
"roles/browser",
"roles/iam.securityReviewer",
"roles/cloudasset.viewer"
"roles/cloudasset.viewer",
"roles/policyanalyzer.activityAnalysisViewer"
]

default_organization_roles = local.skip_iam_grants ? [] : [
"roles/browser",
"roles/iam.securityReviewer",
"roles/cloudasset.viewer"
"roles/cloudasset.viewer",
"roles/policyanalyzer.activityAnalysisViewer"
]

// if org_integration is false, project_roles = local.default_project_roles
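Review bot: `default_project_roles` and `default_organization_roles` are identical lists that each had to be edited in lockstep, and the same four roles appear again in the organization branch further down the file. Factoring them into one `local.base_roles` list (e.g. `default_project_roles = local.skip_iam_grants ? [] : local.base_roles`) would mean a future role addition or removal is a one-line change and cannot leave one path with a stale grant set.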
Expand All @@ -54,6 +56,7 @@ locals {
"roles/browser",
"roles/iam.securityReviewer",
"roles/cloudasset.viewer",
"roles/policyanalyzer.activityAnalysisViewer",
google_organization_iam_custom_role.lacework_custom_organization_role.0.name
]
) : (
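Review bot: this list is inside a conditional whose guard is outside the hunk, so it is not visible whether the `skip_iam_grants` short-circuit used for `default_project_roles` and `default_organization_roles` also applies here. Please confirm that when `skip_iam_grants = true` the organization-level binding does not still attempt to grant `roles/policyanalyzer.activityAnalysisViewer` alongside the custom role, since the README promises no IAM grants are made in that mode.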
1 change: 1 addition & 0 deletions variables.tf
Expand Up @@ -60,6 +60,7 @@ variable "required_config_apis" {
storage_component = "storage-component.googleapis.com"
cloudasset_inventory = "cloudasset.googleapis.com"
essentialcontacts = "essentialcontacts.googleapis.com"
policyanalyzer = "policyanalyzer.googleapis.com"
}
}
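Review bot: every value in this default map is a string, yet the README table shows the variable typed as `map(any)`; tightening it to `map(string)` would reject a malformed override at plan time instead of at API-enable time. The variable also has no `description` (it renders as `n/a` in the generated table), so adding one in the same change would keep the docs accurate for the new `policyanalyzer` entry.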


0 comments on commit b52b22f