From 65c35d2b4f0138bbef327ddeca8d440d6b53e6db Mon Sep 17 00:00:00 2001
From: seolmin
Date: Thu, 11 Apr 2024 14:04:49 +0900
Subject: [PATCH] fix: add trusting organization options
Signed-off-by: seolmin
---
 src/plugin/connector/cloud_asset_connector.py | 35 ------------
 .../resource_manager_v1_connector.py | 4 --
 .../manager/account_collector_manager.py | 53 +++++-------------
 3 files changed, 14 insertions(+), 78 deletions(-)
 delete mode 100644 src/plugin/connector/cloud_asset_connector.py
diff --git a/src/plugin/connector/cloud_asset_connector.py b/src/plugin/connector/cloud_asset_connector.py
deleted file mode 100644
index e906740..0000000
--- a/src/plugin/connector/cloud_asset_connector.py
+++ /dev/null
@@ -1,35 +0,0 @@
-import logging
-
-from plugin.connector.base_connector import GoogleCloudConnector
-
-__all__ = ["CloudAssetConnector"]
-
-_LOGGER = logging.getLogger(__name__)
-
-
-class CloudAssetConnector(GoogleCloudConnector):
- google_client_service = "cloudasset"
- version = "v1"
-
- def __init__(self, **kwargs):
- super().__init__(**kwargs)
- self.secret_data = kwargs.get("secret_data", {})
-
- def list_iam_polices_in_project(self, project_id):
- total_assets = []
- query = {
- "parent": f"projects/{project_id}",
- "contentType": "IAM_POLICY",
- "assetTypes": "cloudresourcemanager.googleapis.com.Project",
- "pageSize": 1000,
- }
- request = self.client.assets().list(**query)
-
- while request is not None:
- response = request.execute()
- for asset in response.get("assets", {}):
- total_assets.append(asset)
- request = self.client.assets().list_next(
- previous_request=request, previous_response=response
- )
- return total_assets
diff --git a/src/plugin/connector/resource_manager_v1_connector.py b/src/plugin/connector/resource_manager_v1_connector.py
index f4422d5..798f56d 100644
--- a/src/plugin/connector/resource_manager_v1_connector.py
+++ b/src/plugin/connector/resource_manager_v1_connector.py
@@ -18,7 +18,3 @@ def __init__(self, **kwargs):
 def list_projects(self):
 result = self.client.projects().list().execute()
 return result.get("projects", [])
-
- def get_iam_policy(self, resource=None):
- resource = resource or f"{self.project_id}"
- return self.client.projects().getIamPolicy(resource=resource).execute()
diff --git a/src/plugin/manager/account_collector_manager.py b/src/plugin/manager/account_collector_manager.py
index d2e7dc2..534c6b3 100644
--- a/src/plugin/manager/account_collector_manager.py
+++ b/src/plugin/manager/account_collector_manager.py
@@ -7,7 +7,6 @@ from spaceone.core.manager import BaseManager
 from plugin.connector.resource_manager_v1_connector import ResourceManagerV1Connector
 from plugin.connector.resource_manager_v3_connector import ResourceManagerV3Connector
-from plugin.connector.cloud_asset_connector import CloudAssetConnector
 _LOGGER = logging.getLogger("spaceone")
@@ -16,17 +15,22 @@ class AccountCollectorManager(BaseManager):
 def __init__(self, *args, **kwargs):
 super().__init__(*args, **kwargs)
 self.options = kwargs["options"]
+ self.trusting_organization = self.options.get("trusting_organization", False)
+ self.exclude_projects = self.options.get("exclude_projects", [])
+ self.exclude_folders = self.options.get("exclude_folders", [])
+ self.exclude_folders = [
+ str(int(folder_id)) for folder_id in self.exclude_folders
+ ]
+
 self.secret_data = kwargs["secret_data"]
 self.trusted_service_account = self.secret_data["client_email"]
+
 self.resource_manager_v1_connector = ResourceManagerV1Connector(
 secret_data=self.secret_data
 )
 self.resource_manager_v3_connector = ResourceManagerV3Connector(
 secret_data=self.secret_data
 )
- self.cloud_asset_connector = CloudAssetConnector(secret_data=self.secret_data)
- self.exclude_projects = None
- self.exclude_folders = None
 self.results = []
 def sync(self) -> list:
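Review bot: `trusting_organization` is read with `self.options.get("trusting_organization", False)` and later used as a bare truthy value to skip the per-project `_is_trusting_project` check, so a non-boolean option value (for example the string `"false"`, if options can arrive as text) would silently disable that verification for every project. Since the flag gates an access check, validate it at construction: `if not isinstance(self.trusting_organization, bool): raise ValueError("trusting_organization must be a boolean")`. The same hunk moves the `str(int(folder_id))` normalisation of `exclude_folders` into `__init__`, so a malformed folder id now raises a bare `ValueError` when the manager is built rather than in `sync()`; a message naming the offending value would make that failure easier to diagnose. A short comment on the new attribute, e.g. `# When True, every non-excluded ACTIVE project is collected without a per-project access check`, would document what the flag changes.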
@@ -43,12 +47,6 @@ def sync(self) -> list:
 }
 ]
 """
- self.exclude_projects = self.options.get("exclude_projects", [])
- self.exclude_folders = self.options.get("exclude_folders", [])
- self.exclude_folders = [
- str(int(folder_id)) for folder_id in self.exclude_folders
- ]
-
 projects_info = self.resource_manager_v1_connector.list_projects()
 organization_info = self._get_organization_info(projects_info)
@@ -148,8 +146,12 @@ def _create_project_response(self, parent, locations):
 self._check_exclude_project(project_id)
 and project_state == "ACTIVE"
 ):
- self._check_list_iam_polices_by_api(project_id)
- if self._is_trusting_project(project_id):
+ if self.trusting_organization:
+ _LOGGER.debug(
+ f"[sync] ServiceAccount is Trusted with Organization (ServiceAccount: {self.trusted_service_account}, Project ID: {project_id})"
+ )
+ self.results.append(self._make_result(project_info, locations))
+ elif self._is_trusting_project(project_id):
 self.results.append(self._make_result(project_info, locations))
 else:
 self.results.append(
@@ -180,30 +182,3 @@ def _check_exclude_project(self, project_id):
 if fnmatch.fnmatch(project_id, exclude_project_id):
 return False
 return True
-
- def _check_list_iam_polices_by_api(self, project_id):
- try:
- rm_project_polices = self.resource_manager_v1_connector.get_iam_policy(
- resource=project_id
- )
- _LOGGER.debug(
- f"[sync] project_polices by resource manager api: {rm_project_polices}"
- )
- except Exception as e:
- _LOGGER.error(
- f"[sync] failed to get project_polices by resource manager api => {e}"
- )
-
- try:
- ca_project_polices = self.cloud_asset_connector.list_iam_polices_in_project(
- project_id
- )
- sleep(2)
-
- _LOGGER.debug(
- f"[sync] project_polices by cloud asset api : {ca_project_polices}"
- )
- except Exception as e:
- _LOGGER.error(
- f"[sync] failed to get project_polices by cloud asset api => {e}"
- )
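Review bot: The `if self.trusting_organization:` and `elif self._is_trusting_project(project_id):` branches in `_create_project_response` both end in the identical `self.results.append(self._make_result(project_info, locations))`, so the split exists only to emit the debug line; keeping the log under its own `if self.trusting_organization:` guard and then testing `if self.trusting_organization or self._is_trusting_project(project_id):` once removes the duplicated append. It would also help to say in a comment that the flag bypasses the per-project check entirely, e.g. `# trusting_organization: assume org-level access, skip the per-project trust check`, since a reader of this branch cannot otherwise tell whether the project was actually verified before being collected. The enclosing `_create_project_response` starts before this hunk and its else-branch continues after it.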