## Determine if project or organization and perform logic based on bound resource layer
# NOTE(review): ``log_entry``, ``service``, ``outside_member_ids`` and
# ``check_member_on_resource`` are not defined in this excerpt; presumably this
# block sits inside a handler that receives the log entry — confirm against the
# full file. The gist also shows this block with its indentation stripped.
properties = log_entry['jsonPayload']['properties']
for entry in properties:
    # ``entry`` is a key of ``properties``; ``in`` on a str is a substring
    # test, so any key that merely contains "project_id" takes this branch.
    if 'project_id' in entry:
        resource = properties['project_id']
        print(f"The Project ID is {resource}")
        resource_bindings = retrieve_bindings(service, resource)
        check_if_member_exists = check_member_on_resource(outside_member_ids, resource_bindings)
        if check_if_member_exists is True:
            # Strip the flagged member(s) and write the policy back.
            bindings_removed = remove_anomalous_iam_resource(outside_member_ids, resource_bindings)
            set_iam_binding_resource(resource, service, bindings_removed)
        else:
            logging.debug("Member does not exist.")
            # Terminates the process: a later 'organization_id' key in
            # ``properties`` is never examined once this path is taken.
            sys.exit(0)
    elif 'organization_id' in entry:
        # Organizations are addressed as "organizations/<id>"; projects by bare id.
        resource = 'organizations/' + properties['organization_id']
        print(f"The Organization is {resource}")
        resource_bindings = retrieve_bindings(service, resource)
        check_if_member_exists = check_member_on_resource(outside_member_ids, resource_bindings)
        if check_if_member_exists is True:
            bindings_removed = remove_anomalous_iam_resource(outside_member_ids, resource_bindings)
            set_iam_binding_resource(resource, service, bindings_removed)
        else:
            logging.debug("Member does not exist.")
            sys.exit(0)
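## Resources have IAM bindings. We need to return those to parse through.
def retrieve_bindings(service, resource):
    """Return the IAM bindings currently attached to *resource*.

    Args:
        service: Cloud Resource Manager API client; ``service.organizations()``
            and ``service.projects()`` must expose ``getIamPolicy``.
        resource: a project id, or ``organizations/<id>`` for an organization.

    Returns:
        The policy's ``bindings`` list, or ``[]`` when the returned policy
        carries no ``bindings`` key (the original ``pop("bindings")`` raised
        ``KeyError`` on such a policy).
    """
    if 'organizations' in resource:
        scope = 'organization'
        request = service.organizations().getIamPolicy(resource=f"{resource}")
    else:
        scope = 'project'
        request = service.projects().getIamPolicy(resource=resource)
    response = request.execute()
    # NOTE(review): everything else in the policy (etag, version) is dropped
    # here, so the later setIamPolicy cannot present the etag and detect a
    # policy change made in between — consider returning it with the bindings.
    resource_bindings = response.pop("bindings", [])
    print(f"Current {scope} bindings: {resource_bindings}")
    return resource_bindings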
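## Looks for our anomalous IAM member and removes from resource bindings
def remove_anomalous_iam_resource(outside_member_ids, resource_bindings):
    """Remove every id in *outside_member_ids* from each binding's members.

    The bindings are edited in place and the same list object is returned,
    as before. Only the ``members`` list of a binding is inspected; the old
    code walked every value of the binding dict, so a member id that happened
    to be a substring of the ``role`` string hit ``str.remove`` and was only
    saved by a bare ``except``.

    Args:
        outside_member_ids: iterable of IAM member strings to strip
            (e.g. ``user:someone@example.com``).
        resource_bindings: list of binding dicts with ``role`` and ``members``.

    Returns:
        *resource_bindings*, with the flagged members removed.
    """
    bindings_removed = resource_bindings
    for binding in bindings_removed:
        members = binding.get('members')
        if members is None:
            continue
        for member in outside_member_ids:
            if member in members:
                members.remove(member)
                print(f"Member removed: {member}")
            else:
                logging.debug("%s not found.", member)
    print(f"New bindings after anomalous member(s) removed: {bindings_removed}")
    return bindings_removed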
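## Set our new resource IAM bindings
def set_iam_binding_resource(resource, service, bindings_removed):
    """Write *bindings_removed* back as the IAM policy bindings of *resource*.

    Args:
        resource: a project id, or ``organizations/<id>`` for an organization.
        service: Cloud Resource Manager API client; ``service.organizations()``
            and ``service.projects()`` must expose ``setIamPolicy``.
        bindings_removed: list of binding dicts (``role`` + ``members``) as
            returned by ``remove_anomalous_iam_resource``. A single binding
            dict is accepted and wrapped in a list.
    """
    # The request body needs a flat list of binding dicts. The old body used
    # ``"bindings": [bindings_removed]``, which nested the list inside another
    # list whenever a list was passed.
    if isinstance(bindings_removed, dict):
        bindings = [bindings_removed]
    else:
        bindings = list(bindings_removed)
    set_iam_policy_request_body = {
        "policy": {
            "bindings": bindings
        }
    }
    # NOTE(review): no etag is sent, so this write cannot notice a policy
    # change made between getIamPolicy and here and will overwrite it; if any
    # binding carries a condition the policy also needs ``version`` set —
    # confirm against the Resource Manager API docs.
    if 'organizations' in resource:
        request = service.organizations().setIamPolicy(resource=f"{resource}", body=set_iam_policy_request_body)
        binding_response = request.execute()
        print(f"New policy attached to the organization: {binding_response}")
    else:
        request = service.projects().setIamPolicy(resource=resource, body=set_iam_policy_request_body)
        binding_response = request.execute()
        print(f"New policy attached to the project: {binding_response}")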