chore: add AWS/GCP missing permissions (#1790)

* chore: agentless missing permissions

* chore: gcp missiong permissions

Author: PengyuanZhao

integration/gcp_generation_test.go

@@ -785,198 +785,6 @@ func TestGenerationGcpWithExistingTerraform(t *testing.T) {
 	assert.Empty(t, data)
 }
 
-// Test integrations with folders to include/exclude
-func TestGenerationGcpFolders(t *testing.T) {
-	os.Setenv("LW_NOCACHE", "true")
-	defer os.Setenv("LW_NOCACHE", "")
-	var final string
-
-	tfResult := runGcpGenerateTest(t,
-		func(c *expect.Console) {
-			expectsCliOutput(t, c, []MsgRspHandler{
-				MsgRsp{cmd.QuestionGcpProjectID, projectId},
-				MsgRsp{cmd.QuestionGcpOrganizationIntegration, "y"},
-				MsgRsp{cmd.QuestionGcpOrganizationID, organizationId},
-				MsgRsp{cmd.QuestionGcpEnableAgentless, "n"},
-				MsgRsp{cmd.QuestionGcpEnableConfiguration, "y"},
-				MsgRsp{cmd.QuestionGcpConfigurationIntegrationName, ""},
-				MsgRsp{cmd.QuestionGcpEnableAuditLog, "y"},
-				MsgRsp{cmd.QuestionGcpUseExistingSink, "n"},
-				MsgRsp{cmd.QuestionGcpAuditLogIntegrationName, ""},
-				MsgRsp{cmd.QuestionGcpCustomFilter, ""},
-				MsgRsp{cmd.QuestionGcpCustomizeProjects, ""},
-				MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""},
-				MsgRsp{cmd.QuestionUseExistingServiceAccount, "n"},
-				MsgRsp{cmd.QuestionGcpCustomizeOutputLocation, ""},
-				MsgRsp{cmd.QuestionRunTfPlan, "n"},
-			})
-			final, _ = c.ExpectEOF()
-		},
-		"generate",
-		"cloud-account",
-		"gcp",
-		"--folders_to_include", "folder/abc",
-		"--folders_to_include", "folder/def",
-		"--folders_to_include", "folder/abc",
-		"--folders_to_exclude", "folder/abc",
-		"--folders_to_exclude", "folder/def",
-	)
-
-	assertTerraformSaved(t, final)
-
-	buildTf, _ := gcp.NewTerraform(false, true, true, true,
-		gcp.WithProjectId(projectId),
-		gcp.WithOrganizationIntegration(true),
-		gcp.WithOrganizationId(organizationId),
-		gcp.WithFoldersToExclude([]string{"folder/abc", "folder/def"}),
-		gcp.WithFoldersToInclude([]string{"folder/abc", "folder/abc", "folder/def"}),
-	).Generate()
-	assert.Equal(t, buildTf, tfResult)
-}
-
-// Test integrations with shorthand flags to include/exclude folders
-func TestGenerationGcpFoldersShorthand(t *testing.T) {
-	os.Setenv("LW_NOCACHE", "true")
-	defer os.Setenv("LW_NOCACHE", "")
-	var final string
-
-	tfResult := runGcpGenerateTest(t,
-		func(c *expect.Console) {
-			expectsCliOutput(t, c, []MsgRspHandler{
-				MsgRsp{cmd.QuestionGcpProjectID, projectId},
-				MsgRsp{cmd.QuestionGcpOrganizationIntegration, "y"},
-				MsgRsp{cmd.QuestionGcpOrganizationID, organizationId},
-				MsgRsp{cmd.QuestionGcpEnableAgentless, "n"},
-				MsgRsp{cmd.QuestionGcpEnableConfiguration, "y"},
-				MsgRsp{cmd.QuestionGcpConfigurationIntegrationName, ""},
-				MsgRsp{cmd.QuestionGcpEnableAuditLog, "y"},
-				MsgRsp{cmd.QuestionGcpUseExistingSink, "n"},
-				MsgRsp{cmd.QuestionGcpAuditLogIntegrationName, ""},
-				MsgRsp{cmd.QuestionGcpCustomFilter, ""},
-				MsgRsp{cmd.QuestionGcpCustomizeProjects, ""},
-				MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""},
-				MsgRsp{cmd.QuestionUseExistingServiceAccount, "n"},
-				MsgRsp{cmd.QuestionGcpCustomizeOutputLocation, ""},
-				MsgRsp{cmd.QuestionRunTfPlan, "n"},
-			})
-			final, _ = c.ExpectEOF()
-		},
-		"generate",
-		"cloud-account",
-		"gcp",
-		"-i", "folder/abc",
-		"-i", "folder/abc",
-		"-i", "folder/def",
-		"-e", "folder/abc",
-		"-e", "folder/def",
-	)
-
-	assertTerraformSaved(t, final)
-
-	buildTf, _ := gcp.NewTerraform(false, true, true, true,
-		gcp.WithProjectId(projectId),
-		gcp.WithOrganizationIntegration(true),
-		gcp.WithOrganizationId(organizationId),
-		gcp.WithFoldersToExclude([]string{"folder/abc", "folder/def"}),
-		gcp.WithFoldersToInclude([]string{"folder/abc", "folder/abc", "folder/def"}),
-	).Generate()
-	assert.Equal(t, buildTf, tfResult)
-}
-
-// Test integrations with --include_root_projects
-func TestGenerationGcpIncludeRootProjects(t *testing.T) {
-	os.Setenv("LW_NOCACHE", "true")
-	defer os.Setenv("LW_NOCACHE", "")
-	var final string
-
-	tfResult := runGcpGenerateTest(t,
-		func(c *expect.Console) {
-			expectsCliOutput(t, c, []MsgRspHandler{
-				MsgRsp{cmd.QuestionGcpProjectID, projectId},
-				MsgRsp{cmd.QuestionGcpOrganizationIntegration, "y"},
-				MsgRsp{cmd.QuestionGcpOrganizationID, organizationId},
-				MsgRsp{cmd.QuestionGcpEnableAgentless, "n"},
-				MsgRsp{cmd.QuestionGcpEnableConfiguration, "y"},
-				MsgRsp{cmd.QuestionGcpConfigurationIntegrationName, ""},
-				MsgRsp{cmd.QuestionGcpEnableAuditLog, "y"},
-				MsgRsp{cmd.QuestionGcpUseExistingSink, "n"},
-				MsgRsp{cmd.QuestionGcpAuditLogIntegrationName, ""},
-				MsgRsp{cmd.QuestionGcpCustomFilter, ""},
-				MsgRsp{cmd.QuestionGcpCustomizeProjects, ""},
-				MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""},
-				MsgRsp{cmd.QuestionUseExistingServiceAccount, "n"},
-				MsgRsp{cmd.QuestionGcpCustomizeOutputLocation, ""},
-				MsgRsp{cmd.QuestionRunTfPlan, "n"},
-			})
-			final, _ = c.ExpectEOF()
-		},
-		"generate",
-		"cloud-account",
-		"gcp",
-		"--folders_to_exclude",
-		"folder/abc",
-		"--include_root_projects",
-	)
-
-	assertTerraformSaved(t, final)
-
-	buildTf, _ := gcp.NewTerraform(false, true, true, true,
-		gcp.WithProjectId(projectId),
-		gcp.WithOrganizationIntegration(true),
-		gcp.WithOrganizationId(organizationId),
-		gcp.WithFoldersToExclude([]string{"folder/abc"}),
-		gcp.WithIncludeRootProjects(true),
-	).Generate()
-	assert.Equal(t, buildTf, tfResult)
-}
-
-// Test integrations with --include_root_projects=false
-func TestGenerationGcpIncludeRootProjectsFalse(t *testing.T) {
-	os.Setenv("LW_NOCACHE", "true")
-	defer os.Setenv("LW_NOCACHE", "")
-	var final string
-
-	tfResult := runGcpGenerateTest(t,
-		func(c *expect.Console) {
-			expectsCliOutput(t, c, []MsgRspHandler{
-				MsgRsp{cmd.QuestionGcpProjectID, projectId},
-				MsgRsp{cmd.QuestionGcpOrganizationIntegration, "y"},
-				MsgRsp{cmd.QuestionGcpOrganizationID, organizationId},
-				MsgRsp{cmd.QuestionGcpEnableAgentless, "n"},
-				MsgRsp{cmd.QuestionGcpEnableConfiguration, "y"},
-				MsgRsp{cmd.QuestionGcpConfigurationIntegrationName, ""},
-				MsgRsp{cmd.QuestionGcpEnableAuditLog, "y"},
-				MsgRsp{cmd.QuestionGcpUseExistingSink, "n"},
-				MsgRsp{cmd.QuestionGcpAuditLogIntegrationName, ""},
-				MsgRsp{cmd.QuestionGcpCustomFilter, ""},
-				MsgRsp{cmd.QuestionGcpCustomizeProjects, ""},
-				MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""},
-				MsgRsp{cmd.QuestionUseExistingServiceAccount, "n"},
-				MsgRsp{cmd.QuestionGcpCustomizeOutputLocation, ""},
-				MsgRsp{cmd.QuestionRunTfPlan, "n"},
-			})
-			final, _ = c.ExpectEOF()
-		},
-		"generate",
-		"cloud-account",
-		"gcp",
-		"--folders_to_exclude",
-		"folder/abc",
-		"--include_root_projects=false",
-	)
-
-	assertTerraformSaved(t, final)
-
-	buildTf, _ := gcp.NewTerraform(false, true, true, true,
-		gcp.WithProjectId(projectId),
-		gcp.WithOrganizationIntegration(true),
-		gcp.WithOrganizationId(organizationId),
-		gcp.WithFoldersToExclude([]string{"folder/abc"}),
-		gcp.WithIncludeRootProjects(false),
-	).Generate()
-	assert.Equal(t, buildTf, tfResult)
-}
-
 // Test Audit Log with --google_workspace_filter and --k8s_filter
 func TestGenerationGcpAuditLogFiltersTrue(t *testing.T) {
 	os.Setenv("LW_NOCACHE", "true")

lwpreflight/aws/constants.go

@@ -547,6 +547,7 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 		"events:PutRule",
 		"events:PutTargets",
 		"events:RemoveTargets",
+		"events:TagResource",
 		"iam:AttachRolePolicy",
 		"iam:CreatePolicy",
 		"iam:CreateRole",
@@ -581,6 +582,7 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 		"logs:ListTagsLogGroup",
 		"logs:PutLogEvents",
 		"logs:PutRetentionPolicy",
+		"logs:TagResource",
 		"organizations:DescribeAccount",
 		"organizations:DescribeOrganization",
 		"organizations:ListAccounts",

lwpreflight/gcp/constants.go

@@ -102,6 +102,9 @@ var RequiredPermissions = map[IntegrationType][]string{
 		"pubsub.topics.getIamPolicy",
 		"pubsub.topics.list",
 		"pubsub.topics.setIamPolicy",
+		"resourcemanager.organizations.get",
+		"resourcemanager.organizations.getIamPolicy",
+		"resourcemanager.organizations.setIamPolicy",
 		"resourcemanager.projects.get",
 		"resourcemanager.projects.getIamPolicy",
 		"resourcemanager.projects.setIamPolicy",
@@ -134,6 +137,9 @@ var RequiredPermissions = map[IntegrationType][]string{
 		"iam.serviceAccounts.undelete",
 		"iam.serviceAccounts.update",
 		"monitoring.timeSeries.list",
+		"resourcemanager.organizations.get",
+		"resourcemanager.organizations.getIamPolicy",
+		"resourcemanager.organizations.setIamPolicy",
 		"resourcemanager.projects.get",
 		"resourcemanager.projects.getIamPolicy",
 		"resourcemanager.projects.list",
@@ -262,6 +268,21 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 		"essentialcontacts.contacts.list",
 		"essentialcontacts.contacts.send",
 		"essentialcontacts.contacts.update",
+		"iam.roles.create",
+		"iam.roles.delete",
+		"iam.roles.get",
+		"iam.roles.list",
+		"iam.roles.undelete",
+		"iam.roles.update",
+		"iam.serviceAccountKeys.create",
+		"iam.serviceAccountKeys.delete",
+		"iam.serviceAccountKeys.get",
+		"iam.serviceAccountKeys.list",
+		"iam.serviceAccounts.actAs",
+		"iam.serviceAccounts.create",
+		"iam.serviceAccounts.delete",
+		"iam.serviceAccounts.get",
+		"iam.serviceAccounts.list",
 		"logging.buckets.create",
 		"logging.buckets.delete",
 		"logging.buckets.get",
@@ -284,9 +305,9 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 		"logging.logMetrics.get",
 		"logging.logMetrics.list",
 		"logging.logMetrics.update",
-		"logging.logs.list",
 		"logging.logServiceIndexes.list",
 		"logging.logServices.list",
+		"logging.logs.list",
 		"logging.notificationRules.create",
 		"logging.notificationRules.delete",
 		"logging.notificationRules.get",
@@ -310,6 +331,19 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 		"orgpolicy.constraints.list",
 		"orgpolicy.policies.list",
 		"orgpolicy.policy.get",
+		"pubsub.subscriptions.create",
+		"pubsub.subscriptions.delete",
+		"pubsub.subscriptions.get",
+		"pubsub.subscriptions.getIamPolicy",
+		"pubsub.subscriptions.list",
+		"pubsub.subscriptions.setIamPolicy",
+		"pubsub.topics.attachSubscription",
+		"pubsub.topics.create",
+		"pubsub.topics.delete",
+		"pubsub.topics.get",
+		"pubsub.topics.getIamPolicy",
+		"pubsub.topics.list",
+		"pubsub.topics.setIamPolicy",
 		"resourcemanager.folders.get",
 		"resourcemanager.folders.getIamPolicy",
 		"resourcemanager.folders.list",
@@ -321,6 +355,9 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 		"resourcemanager.projects.getIamPolicy",
 		"resourcemanager.projects.list",
 		"resourcemanager.projects.setIamPolicy",
+		"serviceusage.quotas.get",
+		"serviceusage.services.get",
+		"serviceusage.services.list",
 	},
 	Config: {
 		"billing.accounts.get",
@@ -342,6 +379,15 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 		"iam.roles.list",
 		"iam.roles.undelete",
 		"iam.roles.update",
+		"iam.serviceAccountKeys.create",
+		"iam.serviceAccountKeys.delete",
+		"iam.serviceAccountKeys.get",
+		"iam.serviceAccountKeys.list",
+		"iam.serviceAccounts.actAs",
+		"iam.serviceAccounts.create",
+		"iam.serviceAccounts.delete",
+		"iam.serviceAccounts.get",
+		"iam.serviceAccounts.list",
 		"orgpolicy.constraints.list",
 		"orgpolicy.policies.list",
 		"orgpolicy.policy.get",
@@ -356,6 +402,9 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 		"resourcemanager.projects.getIamPolicy",
 		"resourcemanager.projects.list",
 		"resourcemanager.projects.setIamPolicy",
+		"serviceusage.quotas.get",
+		"serviceusage.services.get",
+		"serviceusage.services.list",
 	},
 	GkeAuditLog: {
 		"iam.serviceAccountKeys.create",

lwpreflight/gcp/policy.go

@@ -46,9 +46,10 @@ func FetchPolicies(p *Preflight) error {
 			for _, m := range b.Members {
 				if strings.Contains(strings.ToLower(m), strings.ToLower(p.caller.Email)) {
 					role, err := iamSvc.Roles.Get(b.Role).Do()
-					if err == nil {
-						permissions = append(permissions, role.IncludedPermissions...)
+					if err != nil {
+						return err
 					}
+					permissions = append(permissions, role.IncludedPermissions...)
 					roles[b.Role] = true
 					break
 				}