This fixes the cloud run policies in a few ways. (#162)

1. Switch `logName` to admin activity (excl. system events and data
access)

The `logName` addition pointing at `data_access` excluded mutations,
which is the key thing we want to monitor, and most of what that left
was things we want to ignore because GetService is pretty benign and
common via the console.

2. Split a separate alert policy off for RunJob monitoring

This is the main exception that IS data_access, so for simplicity just
make this it's own alert policy.

Signed-off-by: Matt Moore <[email protected]>

Author: mattmoor

modules/cron/README.md

@@ -81,6 +81,7 @@ No requirements.
 | [google_cloud_run_v2_job_iam_binding.authorize-calls](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_v2_job_iam_binding) | resource |
 | [google_cloud_scheduler_job.cron](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_scheduler_job) | resource |
 | [google_monitoring_alert_policy.anomalous-job-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
+| [google_monitoring_alert_policy.anomalous-job-execution](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_project_service.cloud_run_api](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |
 | [google_project_service.cloudscheduler](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |
 | [google_service_account.delivery](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |

modules/cron/main.tf

@@ -206,7 +206,7 @@ resource "google_monitoring_alert_policy" "anomalous-job-access" {
 
     condition_matched_log {
       filter = <<EOT
-      logName="projects/prod-enforce-fabc/logs/cloudaudit.googleapis.com%2Fdata_access"
+      logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Factivity"
       protoPayload.serviceName="run.googleapis.com"
       protoPayload.resourceName=("${join("\" OR \"", [
         "namespaces/${var.project_id}/jobs/${var.name}-cron",
@@ -216,14 +216,51 @@ resource "google_monitoring_alert_policy" "anomalous-job-access" {
       -- Allow CI to reconcile jobs and their IAM policies.
       -(
         protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}"
-        protoPayload.methodName=("google.cloud.run.v2.Jobs.GetJob" OR "google.cloud.run.v2.Jobs.UpdateJob" OR "google.cloud.run.v2.Jobs.GetIamPolicy" OR "google.cloud.run.v2.Jobs.SetIamPolicy")
+        protoPayload.methodName=("${join("\" OR \"", [
+          "google.cloud.run.v2.Jobs.UpdateJob",
+          "google.cloud.run.v2.Jobs.SetIamPolicy",
+        ])}")
       )
+      EOT
+    }
+  }
 
-      -- Allow the delivery service account to run the job.
-      -(
-        protoPayload.authenticationInfo.principalEmail="${google_service_account.delivery.email}"
-        protoPayload.methodName="google.cloud.run.v1.Jobs.RunJob"
-      )
+  # TODO(mattmoor): Enable notifications once this stabilizes.
+  # notification_channels = var.notification_channels
+
+  enabled = "true"
+  project = var.project_id
+}
+
+// Create an alert policy to notify if the job is accessed by an unauthorized entity.
+resource "google_monitoring_alert_policy" "anomalous-job-execution" {
+  # In the absence of data, incident will auto-close after an hour
+  alert_strategy {
+    auto_close = "3600s"
+
+    notification_rate_limit {
+      period = "3600s" // re-alert hourly if condition still valid.
+    }
+  }
+
+  display_name = "Abnormal Job Execution: ${var.name}"
+  combiner     = "OR"
+
+  conditions {
+    display_name = "Abnormal Job Execution: ${var.name}"
+
+    condition_matched_log {
+      filter = <<EOT
+      logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Fdata_access"
+      protoPayload.serviceName="run.googleapis.com"
+      protoPayload.methodName="google.cloud.run.v1.Jobs.RunJob"
+      protoPayload.resourceName=("${join("\" OR \"", [
+        "namespaces/${var.project_id}/jobs/${var.name}-cron",
+        "projects/${var.project_id}/locations/${var.region}/jobs/${var.name}-cron",
+      ])}")
+
+      -- Allow the delivery service account to run the job, but flag anyone else
+      -protoPayload.authenticationInfo.principalEmail="${google_service_account.delivery.email}"
       EOT
     }
   }

modules/regional-go-service/main.tf

@@ -210,7 +210,7 @@ resource "google_monitoring_alert_policy" "anomalous-service-access" {
 
     condition_matched_log {
       filter = <<EOT
-      logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Fdata_access"
+      logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Factivity"
       protoPayload.serviceName="run.googleapis.com"
       protoPayload.resourceName=("${join("\" OR \"", concat([
         "namespaces/${var.project_id}/services/${var.name}"
@@ -223,8 +223,6 @@ resource "google_monitoring_alert_policy" "anomalous-service-access" {
       -(
         protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}"
         protoPayload.methodName=("${join("\" OR \"", [
-          "google.cloud.run.v2.Services.GetService",
-          "google.cloud.run.v2.Services.GetIamPolicy",
           "google.cloud.run.v2.Services.UpdateService",
           "google.cloud.run.v2.Services.SetIamPolicy",
         ])}")