Add iam_policy in table gcp_cloud_run_service Closes #529 (#531)

turbot · Jan 3, 2024 · 233743d · 233743d
1 parent 93ee1bb
commit 233743d
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 0 deletions.
diff --git a/docs/tables/gcp_cloud_run_service.md b/docs/tables/gcp_cloud_run_service.md
@@ -197,6 +197,31 @@ from
   json_each(conditions) as c;
 ```
 
+### Get associated members or principals, with a role of services
+Attaching an Identity and Access Management (IAM) policy to a Google Cloud Run service involves setting permissions for that particular service. Google Cloud Run services use IAM for access control, and by configuring IAM policies, you can define who has what type of access to your Cloud Run services.
+
+```sql+postgres
+select
+  name,
+  i -> 'Condition' as condition,
+  i -> 'Members' as members,
+  i ->> 'Role' as role
+from
+  gcp_cloud_run_service,
+  jsonb_array_elements(iam_policy -> 'Bindings') as i;
+```
+
+```sql+sqlite
+select
+  name,
+  json_extract(i.value, '$.Condition') as condition,
+  json_extract(i.value, '$.Members') as members,
+  json_extract(i.value, '$.Role') as role
+from
+  gcp_cloud_run_service,
+  json_each(json_extract(iam_policy, '$.Bindings')) as i;
+```
+
 ### Get template details of services
 Explore the various attributes of your cloud-based services, such as encryption keys, container details, and scaling parameters. This query is useful to gain an understanding of your service configurations and identify areas for potential adjustments or enhancements.
 

diff --git a/gcp/table_gcp_cloud_run_service.go b/gcp/table_gcp_cloud_run_service.go
@@ -202,6 +202,13 @@ func tableGcpCloudRunService(ctx context.Context) *plugin.Table {
 				Description: "Detailed status information for corresponding traffic targets.",
 				Type:        proto.ColumnType_JSON,
 			},
+			{
+				Name:        "iam_policy",
+				Description: "An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.",
+				Type:        proto.ColumnType_JSON,
+				Hydrate:     getCloudRunServiceIamPolicy,
+				Transform:   transform.FromValue(),
+			},
 
 			// Standard steampipe columns
 			{
@@ -340,6 +347,38 @@ func getCloudRunService(ctx context.Context, d *plugin.QueryData, h *plugin.Hydr
 	return resp, err
 }
 
+func getCloudRunServiceIamPolicy(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) {
+
+	data := h.Item.(*run.GoogleCloudRunV2Service)
+	serviceName := strings.Split(data.Name, "/")[5]
+	location := strings.Split(data.Name, "/")[3]
+
+	// Create Service Connection
+	service, err := CloudRunService(ctx, d)
+	if err != nil {
+		plugin.Logger(ctx).Error("gcp_cloud_run_service.getCloudRunServiceIamPolicy", "service_error", err)
+		return nil, err
+	}
+
+	// Get project details
+	getProjectCached := plugin.HydrateFunc(getProject).WithCache()
+	projectId, err := getProjectCached(ctx, d, h)
+	if err != nil {
+		return nil, err
+	}
+	project := projectId.(string)
+
+	input := "projects/" + project + "/locations/" + location + "/services/" + serviceName
+
+	resp, err := service.Projects.Locations.Services.GetIamPolicy(input).Do()
+	if err != nil {
+		plugin.Logger(ctx).Error("gcp_cloud_run_service.getCloudRunServiceIamPolicy", "api_error", err)
+		return nil, err
+	}
+
+	return resp, err
+}
+
 //// TRANSFORM FUNCTIONS
 
 func cloudRunServiceSelfLink(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) {