
@Amarlanda
Forked from hh/audit-gcp.sh
Created July 8, 2022 08:49

Revisions

  1. @hh hh revised this gist Feb 24, 2021. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion audit-gcp.sh
    Original file line number Diff line number Diff line change
    @@ -20,7 +20,7 @@ gcloud \
    | grep -v "boskos-03\|boskos-04\|boskos-05" \
    | grep -v "boskos-06\|boskos-07\|boskos-08" \
    | grep -v "boskos-09\|boskos-1" \
    | grep -v "k8s-infra"
    | grep -v "k8s-infra" \
    | while read -r PROJECT NUM; do
    export CLOUDSDK_CORE_PROJECT="${PROJECT}"
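Review bot: The project selection on this `grep -v` ladder is unanchored substring matching, so `boskos-1` also drops every `boskos-1x` project and `k8s-infra` drops any project whose name merely contains that string, and nothing records which projects were skipped, so the audit's coverage is invisible to whoever reads the output. If batching by name is intentional, consider pushing it into the API query, e.g. `--filter="parent.id=${CNCF_GCP_ORG} AND NOT name~^boskos-"`, or at least anchor the patterns and print the excluded names to stderr. Note also that when the filters leave nothing, `grep -v` exits 1 and under `set -o pipefail` the whole pipeline (and so the script) ends non-zero even though no project was audited, which is easy to misread as a real failure. The pipeline this hunk edits starts before and ends after the hunk.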

  2. @hh hh revised this gist Feb 24, 2021. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion audit-gcp.sh
    Original file line number Diff line number Diff line change
    @@ -20,7 +20,7 @@ gcloud \
    | grep -v "boskos-03\|boskos-04\|boskos-05" \
    | grep -v "boskos-06\|boskos-07\|boskos-08" \
    | grep -v "boskos-09\|boskos-1" \
    | grep "k8s-infra" \
    | grep -v "k8s-infra"
    | while read -r PROJECT NUM; do
    export CLOUDSDK_CORE_PROJECT="${PROJECT}"

  3. @hh hh revised this gist Feb 24, 2021. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion audit-gcp.sh
    Original file line number Diff line number Diff line change
    @@ -20,7 +20,7 @@ gcloud \
    | grep -v "boskos-03\|boskos-04\|boskos-05" \
    | grep -v "boskos-06\|boskos-07\|boskos-08" \
    | grep -v "boskos-09\|boskos-1" \
    | grep "k8s-infra"
    | grep "k8s-infra" \
    | while read -r PROJECT NUM; do
    export CLOUDSDK_CORE_PROJECT="${PROJECT}"

  4. @hh hh revised this gist Feb 24, 2021. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion audit-gcp.sh
    Original file line number Diff line number Diff line change
    @@ -19,7 +19,8 @@ gcloud \
    | grep -v "boskos-00\|boskos-01\|boskos-02" \
    | grep -v "boskos-03\|boskos-04\|boskos-05" \
    | grep -v "boskos-06\|boskos-07\|boskos-08" \
    | grep "boskos-09\|boskos-1" \
    | grep -v "boskos-09\|boskos-1" \
    | grep "k8s-infra"
    | while read -r PROJECT NUM; do
    export CLOUDSDK_CORE_PROJECT="${PROJECT}"

  5. @hh hh revised this gist Feb 24, 2021. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion audit-gcp.sh
    Original file line number Diff line number Diff line change
    @@ -18,7 +18,8 @@ gcloud \
    | grep -v boskos-gpu \
    | grep -v "boskos-00\|boskos-01\|boskos-02" \
    | grep -v "boskos-03\|boskos-04\|boskos-05" \
    | grep "boskos-06\|boskos-07\|boskos-08" \
    | grep -v "boskos-06\|boskos-07\|boskos-08" \
    | grep "boskos-09\|boskos-1" \
    | while read -r PROJECT NUM; do
    export CLOUDSDK_CORE_PROJECT="${PROJECT}"

  6. @hh hh revised this gist Feb 24, 2021. 1 changed file with 3 additions and 1 deletion.
    4 changes: 3 additions & 1 deletion audit-gcp.sh
    Original file line number Diff line number Diff line change
    @@ -16,7 +16,9 @@ gcloud \
    | grep -v k8s-staging \
    | grep -v boskos-scale \
    | grep -v boskos-gpu \
    | grep "boskos-00\|boskos-01\|boskos-02" \
    | grep -v "boskos-00\|boskos-01\|boskos-02" \
    | grep -v "boskos-03\|boskos-04\|boskos-05" \
    | grep "boskos-06\|boskos-07\|boskos-08" \
    | while read -r PROJECT NUM; do
    export CLOUDSDK_CORE_PROJECT="${PROJECT}"

  7. @hh hh revised this gist Feb 24, 2021. 1 changed file with 1 addition and 2 deletions.
    3 changes: 1 addition & 2 deletions audit-gcp.sh
    Original file line number Diff line number Diff line change
    @@ -16,8 +16,7 @@ gcloud \
    | grep -v k8s-staging \
    | grep -v boskos-scale \
    | grep -v boskos-gpu \
    | grep -v "boskos-00\|boskos-01\|boskos-02" \
    | grep "boskos-03\|boskos-04\|boskos-05" \
    | grep "boskos-00\|boskos-01\|boskos-02" \
    | while read -r PROJECT NUM; do
    export CLOUDSDK_CORE_PROJECT="${PROJECT}"

  8. @hh hh revised this gist Feb 24, 2021. 1 changed file with 2 additions and 2 deletions.
    4 changes: 2 additions & 2 deletions audit-gcp.sh
    Original file line number Diff line number Diff line change
    @@ -16,8 +16,8 @@ gcloud \
    | grep -v k8s-staging \
    | grep -v boskos-scale \
    | grep -v boskos-gpu \
    | grep -v 'boskos-00\|boskos-01\|boskos-02' \
    | grep 'boskos-03\|boskos-04\|boskos-05' \
    | grep -v "boskos-00\|boskos-01\|boskos-02" \
    | grep "boskos-03\|boskos-04\|boskos-05" \
    | while read -r PROJECT NUM; do
    export CLOUDSDK_CORE_PROJECT="${PROJECT}"

  9. @hh hh revised this gist Feb 24, 2021. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion audit-gcp.sh
    Original file line number Diff line number Diff line change
    @@ -16,7 +16,8 @@ gcloud \
    | grep -v k8s-staging \
    | grep -v boskos-scale \
    | grep -v boskos-gpu \
    | grep 'boskos-00\|boskos-01\|boskos-02' \
    | grep -v 'boskos-00\|boskos-01\|boskos-02' \
    | grep 'boskos-03\|boskos-04\|boskos-05' \
    | while read -r PROJECT NUM; do
    export CLOUDSDK_CORE_PROJECT="${PROJECT}"

  10. @hh hh revised this gist Feb 24, 2021. 1 changed file with 5 additions and 1 deletion.
    6 changes: 5 additions & 1 deletion audit-gcp.sh
    Original file line number Diff line number Diff line change
    @@ -12,7 +12,11 @@ gcloud \
    projects list \
    --filter="parent.id=${CNCF_GCP_ORG}" \
    --format="value(name, projectNumber)" \
    | sort | grep -v k8s-staging | grep -v boskos-scale | grep boskos-gpu \
    | sort \
    | grep -v k8s-staging \
    | grep -v boskos-scale \
    | grep -v boskos-gpu \
    | grep 'boskos-00\|boskos-01\|boskos-02' \
    | while read -r PROJECT NUM; do
    export CLOUDSDK_CORE_PROJECT="${PROJECT}"

  11. @hh hh revised this gist Feb 24, 2021. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion audit-gcp.sh
    Original file line number Diff line number Diff line change
    @@ -12,7 +12,7 @@ gcloud \
    projects list \
    --filter="parent.id=${CNCF_GCP_ORG}" \
    --format="value(name, projectNumber)" \
    | sort | grep -v k8s-staging | grep boskos-scale \
    | sort | grep -v k8s-staging | grep -v boskos-scale | grep boskos-gpu \
    | while read -r PROJECT NUM; do
    export CLOUDSDK_CORE_PROJECT="${PROJECT}"

  12. @hh hh revised this gist Feb 24, 2021. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion audit-gcp.sh
    Original file line number Diff line number Diff line change
    @@ -12,7 +12,7 @@ gcloud \
    projects list \
    --filter="parent.id=${CNCF_GCP_ORG}" \
    --format="value(name, projectNumber)" \
    | sort | grep k8s-staging \
    | sort | grep -v k8s-staging | grep boskos-scale \
    | while read -r PROJECT NUM; do
    export CLOUDSDK_CORE_PROJECT="${PROJECT}"

  13. @hh hh revised this gist Feb 24, 2021. 1 changed file with 1 addition and 2 deletions.
    3 changes: 1 addition & 2 deletions audit-gcp.sh
    Original file line number Diff line number Diff line change
    @@ -12,8 +12,7 @@ gcloud \
    projects list \
    --filter="parent.id=${CNCF_GCP_ORG}" \
    --format="value(name, projectNumber)" \
    | sort \
    | tail -10 | head -5 \
    | sort | grep k8s-staging \
    | while read -r PROJECT NUM; do
    export CLOUDSDK_CORE_PROJECT="${PROJECT}"

  14. @hh hh revised this gist Feb 24, 2021. 1 changed file with 1 addition and 23 deletions.
    24 changes: 1 addition & 23 deletions audit-gcp.sh
    Original file line number Diff line number Diff line change
    @@ -6,36 +6,14 @@ set -o pipefail

    CNCF_GCP_ORG=758905017065

    echo "# Removing existing audit files"
    rm -rf org_kubernetes.io

    echo "# Auditing CNCF CGP Org: ${CNCF_GCP_ORG}"
    mkdir -p org_kubernetes.io/roles
    gcloud \
    iam roles list \
    --organization="${CNCF_GCP_ORG}" \
    --format="value(name)" \
    | while read -r ROLE_PATH; do
    ROLE=$(basename "${ROLE_PATH}")
    gcloud iam roles describe "${ROLE}" \
    --organization="${CNCF_GCP_ORG}" \
    --format=json \
    | jq 'del(.etag)' \
    > "org_kubernetes.io/roles/${ROLE}.json"
    done
    gcloud \
    organizations get-iam-policy "${CNCF_GCP_ORG}" \
    --format=json \
    | jq 'del(.etag)' \
    > "org_kubernetes.io/iam.json"

    echo "## Iterating over Projects"
    gcloud \
    projects list \
    --filter="parent.id=${CNCF_GCP_ORG}" \
    --format="value(name, projectNumber)" \
    | sort \
    | tail -5 | head -5 \
    | tail -10 | head -5 \
    | while read -r PROJECT NUM; do
    export CLOUDSDK_CORE_PROJECT="${PROJECT}"
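Review bot: The 23 removed lines appear to include the organization-level custom-role dump and the `organizations get-iam-policy` call (the later hunks start the file at `projects list` near line 12), which would leave organization-level IAM bindings — inherited by every project below — out of the audit while the per-project `get-iam-policy` calls remain. If the removal is only to speed up iteration on the project filter, consider keeping at least `gcloud organizations get-iam-policy "${CNCF_GCP_ORG}" --format=json | jq 'del(.etag)' > org_kubernetes.io/iam.json`, or add a header comment stating that org-level policy is audited elsewhere. The `| tail -10 | head -5 \` window also means only five sorted projects are visited per run; if that is a debugging aid it deserves a comment rather than a silent scope cut. The pipeline this hunk edits continues past the hunk.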

  15. @hh hh created this gist Feb 24, 2021.
    233 changes: 233 additions & 0 deletions audit-gcp.sh
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,233 @@
    #!/bin/bash

    set -o errexit
    set -o nounset
    set -o pipefail

    CNCF_GCP_ORG=758905017065

    echo "# Removing existing audit files"
    rm -rf org_kubernetes.io

    echo "# Auditing CNCF CGP Org: ${CNCF_GCP_ORG}"
    mkdir -p org_kubernetes.io/roles
    gcloud \
    iam roles list \
    --organization="${CNCF_GCP_ORG}" \
    --format="value(name)" \
    | while read -r ROLE_PATH; do
    ROLE=$(basename "${ROLE_PATH}")
    gcloud iam roles describe "${ROLE}" \
    --organization="${CNCF_GCP_ORG}" \
    --format=json \
    | jq 'del(.etag)' \
    > "org_kubernetes.io/roles/${ROLE}.json"
    done
    gcloud \
    organizations get-iam-policy "${CNCF_GCP_ORG}" \
    --format=json \
    | jq 'del(.etag)' \
    > "org_kubernetes.io/iam.json"

    echo "## Iterating over Projects"
    gcloud \
    projects list \
    --filter="parent.id=${CNCF_GCP_ORG}" \
    --format="value(name, projectNumber)" \
    | sort \
    | tail -5 | head -5 \
    | while read -r PROJECT NUM; do
    export CLOUDSDK_CORE_PROJECT="${PROJECT}"

    echo "### Auditing Project ${PROJECT}"
    # ensure folder is clean
    rm -rf "projects/${PROJECT}"
    mkdir -p "projects/${PROJECT}"
    gcloud \
    projects describe "${PROJECT}" \
    --format=json \
    > "projects/${PROJECT}/description.json"

    echo "#### ${PROJECT} IAM"
    gcloud \
    projects get-iam-policy "${PROJECT}" \
    --format=json \
    | jq 'del(.etag)' \
    > "projects/${PROJECT}/iam.json"

    echo "#### ${PROJECT} ServiceAccounts"
    gcloud \
    iam service-accounts list \
    --project="${PROJECT}" \
    --format="value(email)" \
    | while read -r SVCACCT; do
    mkdir -p "projects/${PROJECT}/service-accounts/${SVCACCT}"
    gcloud \
    iam service-accounts describe "${SVCACCT}" \
    --project="${PROJECT}" \
    --format=json \
    | jq 'del(.etag)' \
    > "projects/${PROJECT}/service-accounts/${SVCACCT}/description.json"
    gcloud \
    iam service-accounts get-iam-policy "${SVCACCT}" \
    --project="${PROJECT}" \
    --format=json \
    | jq 'del(.etag)' \
    > "projects/${PROJECT}/service-accounts/${SVCACCT}/iam.json"
    done

    echo "#### ${PROJECT} Roles"
    gcloud \
    iam roles list \
    --project="${PROJECT}" \
    --format="value(name)" \
    | while read -r ROLE_PATH; do
    mkdir -p "projects/${PROJECT}/roles"
    ROLE=$(basename "${ROLE_PATH}")
    gcloud \
    iam roles describe "${ROLE}" \
    --project="${PROJECT}" \
    --format=json \
    | jq 'del(.etag)' \
    > "projects/${PROJECT}/roles/${ROLE}.json"
    done

    echo "#### Services"
    mkdir -p "projects/${PROJECT}/services"
    gcloud \
    services list \
    --filter="state:ENABLED" \
    > "projects/${PROJECT}/services/enabled.txt"
    gcloud \
    services list \
    --filter="state:ENABLED" \
    --format="value(config.name)" \
    | sed 's/.googleapis.com//' \
    | while read -r SVC; do
    case "${SVC}" in
    bigquery)
    mkdir -p "projects/${PROJECT}/services/${SVC}"
    bq \
    --format=prettyjson --project_id=$PROJECT ls
    > "projects/${PROJECT}/services/${SVC}/bigquery.datasets.json"
    # Only run if there are any datasets
    if [ -s "projects/${PROJECT}/services/${SVC}/bigquery.datasets.json" ]
    then
    bq \
    --project_id="{$PROJECT}" --format=json ls \
    | jq -r '.[] | .datasetReference["datasetId"]' \
    | while read -r DATASET; do
    bq \
    --project_id="${PROJECT}" --format=json show "${PROJECT}:${DATASET}" \
    | jq .access > "projects/${PROJECT}/services/${SVC}/bigquery.datasets.${DATASET}.access.json"
    done
    fi
    ;;
    compute)
    mkdir -p "projects/${PROJECT}/services/${SVC}"
    gcloud \
    compute project-info describe \
    --project="${PROJECT}" \
    --format=json \
    | jq 'del(.quotas[].usage, .commonInstanceMetadata.fingerprint)' \
    > "projects/${PROJECT}/services/${SVC}/project-info.json"
    ;;
    container)
    mkdir -p "projects/${PROJECT}/services/${SVC}"
    # Don't do a JSON dump here - too much changes without human
    # action.
    gcloud \
    container clusters list \
    --format="value(name, location, locations, currentNodeCount, status)" \
    > "projects/${PROJECT}/services/${SVC}/clusters.txt"
    ;;
    dns)
    mkdir -p "projects/${PROJECT}/services/${SVC}"
    gcloud \
    dns project-info describe "${PROJECT}" \
    --format=json \
    > "projects/${PROJECT}/services/${SVC}/info.json"
    gcloud \
    dns managed-zones list \
    --format=json \
    > "projects/${PROJECT}/services/${SVC}/zones.json"
    ;;
    logging)
    echo "TODO: ${SVC} needs serviceusage.services.use"
    ##### gcloud logging logs list --format=json > "projects/${PROJECT}/services/logging.logs.json"
    ##### gcloud logging metrics list --format=json > "projects/${PROJECT}/services/logging.metrics.json"
    ##### gcloud logging sinks list --format=json > "projects/${PROJECT}/services/logging.sinks.json"
    ;;
    monitoring)
    echo "TODO: ${SVC} needs serviceusage.services.use"
    #### gcloud alpha monitoring policies list > "projects/${PROJECT}/services/monitoring.policies.json"
    #### gcloud alpha monitoring channels list > "projects/${PROJECT}/services/monitoring.channels.json"
    #### gcloud alpha monitoring channel-descriptors list > "projects/${PROJECT}/services/monitoring.channel-descriptors.json"
    ;;
    secretmanager)
    gcloud \
    secrets list \
    --project=${PROJECT} \
    --format="value(name)" \
    | while read -r SECRET; do
    path="projects/${PROJECT}/secrets/${SECRET}"
    mkdir -p "${path}"
    gcloud \
    secrets describe "${SECRET}" \
    --project="${PROJECT}" \
    --format=json \
    > "${path}/description.json"
    gcloud \
    secrets versions list "${SECRET}" \
    --project="${PROJECT}" \
    --format=json \
    > "${path}/versions.json"
    gcloud \
    secrets get-iam-policy "${SECRET}" \
    --project="${PROJECT}" \
    --format=json \
    | jq 'del(.etag)' \
    > "${path}/iam.json"
    done
    ;;
    storage-api)
    gsutil ls -p "${PROJECT}" \
    | awk -F/ '{print $3}' \
    | while read -r BUCKET; do
    mkdir -p "projects/${PROJECT}/buckets/${BUCKET}"
    gsutil bucketpolicyonly get "gs://${BUCKET}/" \
    > "projects/${PROJECT}/buckets/${BUCKET}/bucketpolicyonly.txt"
    gsutil cors get "gs://${BUCKET}/" \
    > "projects/${PROJECT}/buckets/${BUCKET}/cors.txt"
    gsutil logging get "gs://${BUCKET}/" \
    > "projects/${PROJECT}/buckets/${BUCKET}/logging.txt"
    gsutil iam get "gs://${BUCKET}/" \
    | jq 'del(.etag)' \
    > "projects/${PROJECT}/buckets/${BUCKET}/iam.json"
    done
    ;;
    *)
    echo "##### Unhandled Service ${SVC}"
    # (these were all enabled for kubernetes-public)
    # TODO: handle (or ignore) bigquerystorage
    # TODO: handle (or ignore) clouderrorreporting
    # TODO: handle (or ignore) cloudfunctions
    # TODO: handle (or ignore) cloudresourcemanager
    # TODO: handle (or ignore) cloudshell
    # TODO: handle (or ignore) containerregistry
    # TODO: handle (or ignore) iam
    # TODO: handle (or ignore) iamcredentials
    # TODO: handle (or ignore) oslogin
    # TODO: handle (or ignore) pubsub
    # TODO: handle (or ignore) serviceusage
    # TODO: handle (or ignore) source
    # TODO: handle (or ignore) stackdriver
    # TODO: handle (or ignore) storage-component
    ;;
    esac
    done
    done


    # TODO:
    # Dump iam for Big Query
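Review bot: The `bigquery` branch never audits dataset ACLs: `--format=prettyjson --project_id=$PROJECT ls` has no trailing backslash, so the next line `> "projects/${PROJECT}/services/${SVC}/bigquery.datasets.json"` runs as a separate command that only creates an empty file, the `[ -s … ]` test is therefore always false, and the inner `bq --project_id="{$PROJECT}" --format=json ls` would pass a literal `{…}` as the project id even if it were reached. Because no command fails, `set -e`/`pipefail` do not catch this and the audit silently records nothing for BigQuery. Fix with `--format=prettyjson --project_id="${PROJECT}" ls \` and `--project_id="${PROJECT}" --format=json ls \`. Separately, `| tail -5 | head -5 \` restricts the project loop to five sorted projects, which looks like a debugging window rather than the intended scope and should carry a comment if it is meant to stay; `--project=${PROJECT}` in the `secretmanager` branch should also be quoted for consistency with the rest of the script.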