1515fi
1616
1717PROJECT_ID=" ${PROJECT_ID:- ${1:- observatudo-infra} } "
18-
1918EXPECTED_LABELS=(${EXPECTED_LABELS[@]:- infra-base dns-zones-observatudo observatudo-www-app} )
2019
2120# === 📂 Diretório de saída ===
@@ -27,34 +26,63 @@ ALL_ASSETS_FILE="$OUTPUT_DIR/all-assets.json"
2726ORPHANS_FILE=" $OUTPUT_DIR /possible-orphans.json"
2827CSV_FILE=" $OUTPUT_DIR /possible-orphans.csv"
2928
30- # === 🛰️ Coleta de dados ===
29+ # === 🛰️ Coleta de dados gerais (Asset Inventory) ===
3130echo -e " ${YELLOW} 📦 Coletando todos os recursos do projeto: $PROJECT_ID ...${NC} "
3231gcloud asset search-all-resources --project=" $PROJECT_ID " --format=json > " $ALL_ASSETS_FILE "
3332
34- # === 🧠 Filtro de órfãos ===
33+ # === 🧠 Filtro de órfãos (sem labels ou labels inválidos) ===
3534echo -e " ${YELLOW} 🔍 Filtrando recursos órfãos (sem label 'provisioned_by' ou valor inesperado)...${NC} "
36-
3735jq --argjson expected_labels " $( printf ' %s\n' " ${EXPECTED_LABELS[@]} " | jq -R . | jq -s .) " '
3836 map(select(
3937 (.labels.provisioned_by == null) or
4038 (.labels.provisioned_by != null and (.labels.provisioned_by as $val | $expected_labels | index($val) | not))
4139 ))
4240' " $ALL_ASSETS_FILE " > " $ORPHANS_FILE "
4341
44- # === 📊 Resumo ===
4542COUNT=$( jq length " $ORPHANS_FILE " )
4643echo -e " ${GREEN} ✅ Resultado salvo em: $ORPHANS_FILE ${NC} "
4744echo -e " ${YELLOW} ⚠️ Recursos órfãos encontrados: $COUNT ${NC} "
4845
4946echo -e " ${YELLOW} 📊 Tipos de recursos órfãos:${NC} "
5047jq ' .[].assetType' " $ORPHANS_FILE " | sort | uniq -c
5148
52- # === 📄 Geração de CSV ===
5349jq -r ' .[] | [.assetType, .name] | @csv' " $ORPHANS_FILE " > " $CSV_FILE "
5450echo -e " ${GREEN} 📄 CSV gerado em: $CSV_FILE ${NC} "
5551
56- # === ✅ Modo resumo para CI ou pipelines ===
52+ # === ✅ Modo resumo termina aqui ===
5753if [[ " $SUMMARY_MODE " == true ]]; then
5854 exit 0
5955fi
6056
57+ # === 🔐 Auditoria de Service Accounts ===
58+ SA_FILE=" $OUTPUT_DIR /iam-service-accounts.json"
59+ SA_ORPHANS_FILE=" $OUTPUT_DIR /iam-service-account-orphans.json"
60+
61+ echo -e " ${YELLOW} 🔍 Coletando todas as Service Accounts...${NC} "
62+ gcloud iam service-accounts list --project=" $PROJECT_ID " --format=json > " $SA_FILE "
63+
64+ jq '
65+ map(select(
66+ (.labels == null) or (.labels.provisioned_by == null)
67+ ))
68+ ' " $SA_FILE " > " $SA_ORPHANS_FILE "
69+
70+ SA_ORPHANS_COUNT=$( jq length " $SA_ORPHANS_FILE " )
71+ echo -e " ${YELLOW} ⚠️ Service Accounts sem 'provisioned_by': $SA_ORPHANS_COUNT ${NC} "
72+ echo -e " ${GREEN} 📄 Detalhes salvos em: $SA_ORPHANS_FILE ${NC} "
73+
74+ # === 🔐 Auditoria de IAM bindings com Service Accounts ===
75+ IAM_BINDINGS_FILE=" $OUTPUT_DIR /iam-bindings.json"
76+ IAM_SA_BINDINGS_FILE=" $OUTPUT_DIR /iam-bindings-service-accounts.json"
77+
78+ echo -e " ${YELLOW} 🔍 Coletando todos os IAM bindings do projeto...${NC} "
79+ gcloud projects get-iam-policy " $PROJECT_ID " --format=json > " $IAM_BINDINGS_FILE "
80+
81+ jq '
82+ .bindings
83+ | map(select(.members[]? | startswith("serviceAccount:")))
84+ ' " $IAM_BINDINGS_FILE " > " $IAM_SA_BINDINGS_FILE "
85+
86+ IAM_SA_BINDINGS_COUNT=$( jq length " $IAM_SA_BINDINGS_FILE " )
87+ echo -e " ${YELLOW} ⚠️ Total de papéis atribuídos a service accounts: $IAM_SA_BINDINGS_COUNT ${NC} "
88+ echo -e " ${GREEN} 📄 Bindings com SAs salvos em: $IAM_SA_BINDINGS_FILE ${NC} "
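Review bot: The jq filter that produces IAM_SA_BINDINGS_FILE emits a binding once per matching member, because `select` is fed the `.members[]?` stream rather than a single boolean, so a role bound to several service accounts is duplicated in the output and IAM_SA_BINDINGS_COUNT is inflated; `.bindings // [] | map(select(any(.members[]?; startswith("serviceAccount:"))))` keeps one entry per binding and also survives a policy with no bindings. The service-account orphan filter keys on `.labels.provisioned_by`, but as far as I know the IAM ServiceAccount resource returned by `gcloud iam service-accounts list` exposes no labels field at all, in which case every account is reported as an orphan and SA_ORPHANS_COUNT is just the total; please confirm against one account's JSON, and if labels are indeed unavailable either document the check as label-free or match on the naming convention the other resources use. A one-line comment above the SA filter stating which fields the resource actually carries would keep the next reader from extending it the same way.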