Add additional fields to the GCP pub/sub resources

New security checks enabled:
- Ensure Pub/Sub topics are not publicly accessible (via iamPolicy)
- Ensure Pub/Sub subscriptions are not publicly accessible (via iamPolicy)

New fields on topic:
- iamPolicy: IAM policy bindings for the topic
- config.state: topic state (ACTIVE, INGESTION_RESOURCE_ERROR)

New fields on subscription:
- iamPolicy: IAM policy bindings for the subscription
- config.enableMessageOrdering: whether ordered key delivery is enabled
- config.enableExactlyOnceDelivery: whether exactly-once delivery is enabled
- config.filter: message filter expression
- config.detached: whether the subscription is detached from its topic
- config.state: subscription state (ACTIVE, RESOURCE_ERROR)

Signed-off-by: Tim Smith <tsmith84@gmail.com>

Author: tas50

providers/gcp/resources/gcp.lr

@@ -2216,6 +2216,8 @@ private gcp.project.pubsubService.topic @defaults("name") {
   name string
   // Topic configuration
   config() gcp.project.pubsubService.topic.config
+  // IAM policy for this topic
+  iamPolicy() []gcp.resourcemanager.binding
 }
 
 // Google Cloud (GCP) Pub/Sub topic configuration
@@ -2230,6 +2232,8 @@ private gcp.project.pubsubService.topic.config @defaults("kmsKeyName messageStor
   kmsKeyName string
   // Message storage policy
   messageStoragePolicy gcp.project.pubsubService.topic.config.messagestoragepolicy
+  // State of the topic (ACTIVE, INGESTION_RESOURCE_ERROR)
+  state string
 }
 
 // Google Cloud (GCP) Pub/Sub topic message storage policy
@@ -2248,6 +2252,8 @@ private gcp.project.pubsubService.subscription @defaults("name") {
   name string
   // Subscription configuration
   config() gcp.project.pubsubService.subscription.config
+  // IAM policy for this subscription
+  iamPolicy() []gcp.resourcemanager.binding
 }
 
 // Google Cloud (GCP) Pub/Sub subscription configuration
@@ -2270,6 +2276,16 @@ private gcp.project.pubsubService.subscription.config @defaults("topic.name ackD
   expirationPolicy time
   // The labels associated with this subscription
   labels map[string]string
+  // Whether message ordering is enabled
+  enableMessageOrdering bool
+  // Whether exactly-once delivery is enabled
+  enableExactlyOnceDelivery bool
+  // Filter expression for the subscription
+  filter string
+  // Whether the subscription is detached from its topic
+  detached bool
+  // State of the subscription (ACTIVE, RESOURCE_ERROR)
+  state string
 }
 
 // GCP Pub/Sub configuration for subscriptions that operate in push mode

providers/gcp/resources/gcp.lr.go

@@ -2042,6 +2042,7 @@ resources:
   gcp.project.pubsubService.subscription:
     fields:
       config: {}
+      iamPolicy: {}
       name: {}
       projectId: {}
     is_private: true
@@ -2055,12 +2056,17 @@ resources:
   gcp.project.pubsubService.subscription.config:
     fields:
       ackDeadline: {}
+      detached: {}
+      enableExactlyOnceDelivery: {}
+      enableMessageOrdering: {}
       expirationPolicy: {}
+      filter: {}
       labels: {}
       projectId: {}
       pushConfig: {}
       retainAckedMessages: {}
       retentionDuration: {}
+      state: {}
       subscriptionName: {}
       topic: {}
     is_private: true
@@ -2087,6 +2093,7 @@ resources:
   gcp.project.pubsubService.topic:
     fields:
       config: {}
+      iamPolicy: {}
       name: {}
       projectId: {}
     is_private: true
@@ -2103,6 +2110,7 @@ resources:
       labels: {}
       messageStoragePolicy: {}
       projectId: {}
+      state: {}
       topicName: {}
     is_private: true
     min_mondoo_version: latest

providers/gcp/resources/gcp.lr.manifest.yaml

@@ -225,6 +225,7 @@ func (g *mqlGcpProjectPubsubServiceTopic) config() (*mqlGcpProjectPubsubServiceT
 		"labels":               llx.MapData(convert.MapToInterfaceMap(cfg.Labels), types.String),
 		"kmsKeyName":           llx.StringData(cfg.KMSKeyName),
 		"messageStoragePolicy": llx.ResourceData(messageStoragePolicy, "gcp.project.pubsubService.topic.config.messagestoragepolicy"),
+		"state":                llx.StringData(topicStateToString(cfg.State)),
 	})
 	if err != nil {
 		return nil, err
@@ -327,15 +328,20 @@ func (g *mqlGcpProjectPubsubServiceSubscription) config() (*mqlGcpProjectPubsubS
 		expPolicy = llx.DurationToTime(int64(exp.Seconds()))
 	}
 	res, err := CreateResource(g.MqlRuntime, "gcp.project.pubsubService.subscription.config", map[string]*llx.RawData{
-		"projectId":           llx.StringData(projectId),
-		"subscriptionName":    llx.StringData(s.ID()),
-		"topic":               llx.ResourceData(topic, "gcp.project.pubsubService.topic"),
-		"pushConfig":          llx.ResourceData(pushConfig, "gcp.project.pubsubService.subscription.config.pushconfig"),
-		"ackDeadline":         llx.TimeData(llx.DurationToTime(int64(cfg.AckDeadline.Seconds()))),
-		"retainAckedMessages": llx.BoolData(cfg.RetainAckedMessages),
-		"retentionDuration":   llx.TimeData(llx.DurationToTime(int64(cfg.RetentionDuration.Seconds()))),
-		"expirationPolicy":    llx.TimeData(expPolicy),
-		"labels":              llx.MapData(convert.MapToInterfaceMap(cfg.Labels), types.String),
+		"projectId":                 llx.StringData(projectId),
+		"subscriptionName":          llx.StringData(s.ID()),
+		"topic":                     llx.ResourceData(topic, "gcp.project.pubsubService.topic"),
+		"pushConfig":                llx.ResourceData(pushConfig, "gcp.project.pubsubService.subscription.config.pushconfig"),
+		"ackDeadline":               llx.TimeData(llx.DurationToTime(int64(cfg.AckDeadline.Seconds()))),
+		"retainAckedMessages":       llx.BoolData(cfg.RetainAckedMessages),
+		"retentionDuration":         llx.TimeData(llx.DurationToTime(int64(cfg.RetentionDuration.Seconds()))),
+		"expirationPolicy":          llx.TimeData(expPolicy),
+		"labels":                    llx.MapData(convert.MapToInterfaceMap(cfg.Labels), types.String),
+		"enableMessageOrdering":     llx.BoolData(cfg.EnableMessageOrdering),
+		"enableExactlyOnceDelivery": llx.BoolData(cfg.EnableExactlyOnceDelivery),
+		"filter":                    llx.StringData(cfg.Filter),
+		"detached":                  llx.BoolData(cfg.Detached),
+		"state":                     llx.StringData(subscriptionStateToString(cfg.State)),
 	})
 	if err != nil {
 		return nil, err
@@ -401,6 +407,122 @@ func (g *mqlGcpProjectPubsubService) snapshots() ([]any, error) {
 	return subs, nil
 }
 
+func (g *mqlGcpProjectPubsubServiceTopic) iamPolicy() ([]any, error) {
+	if g.Name.Error != nil {
+		return nil, g.Name.Error
+	}
+	name := g.Name.Data
+
+	if g.ProjectId.Error != nil {
+		return nil, g.ProjectId.Error
+	}
+	projectId := g.ProjectId.Data
+
+	conn := g.MqlRuntime.Connection.(*connection.GcpConnection)
+
+	creds, err := conn.Credentials(pubsub.ScopePubSub)
+	if err != nil {
+		return nil, err
+	}
+
+	ctx := context.Background()
+
+	pubsubSvc, err := pubsub.NewClient(ctx, projectId, option.WithCredentials(creds))
+	if err != nil {
+		return nil, err
+	}
+	defer pubsubSvc.Close()
+
+	policy, err := pubsubSvc.Topic(name).IAM().Policy(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	res := []any{}
+	for i, role := range policy.Roles() {
+		members := policy.Members(role)
+		mqlBinding, err := CreateResource(g.MqlRuntime, "gcp.resourcemanager.binding", map[string]*llx.RawData{
+			"id":      llx.StringData(fmt.Sprintf("projects/%s/topics/%s-%d", projectId, name, i)),
+			"role":    llx.StringData(string(role)),
+			"members": llx.ArrayData(convert.SliceAnyToInterface(members), types.String),
+		})
+		if err != nil {
+			return nil, err
+		}
+		res = append(res, mqlBinding)
+	}
+	return res, nil
+}
+
+func (g *mqlGcpProjectPubsubServiceSubscription) iamPolicy() ([]any, error) {
+	if g.Name.Error != nil {
+		return nil, g.Name.Error
+	}
+	name := g.Name.Data
+
+	if g.ProjectId.Error != nil {
+		return nil, g.ProjectId.Error
+	}
+	projectId := g.ProjectId.Data
+
+	conn := g.MqlRuntime.Connection.(*connection.GcpConnection)
+
+	creds, err := conn.Credentials(pubsub.ScopePubSub)
+	if err != nil {
+		return nil, err
+	}
+
+	ctx := context.Background()
+
+	pubsubSvc, err := pubsub.NewClient(ctx, projectId, option.WithCredentials(creds))
+	if err != nil {
+		return nil, err
+	}
+	defer pubsubSvc.Close()
+
+	policy, err := pubsubSvc.Subscription(name).IAM().Policy(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	res := []any{}
+	for i, role := range policy.Roles() {
+		members := policy.Members(role)
+		mqlBinding, err := CreateResource(g.MqlRuntime, "gcp.resourcemanager.binding", map[string]*llx.RawData{
+			"id":      llx.StringData(fmt.Sprintf("projects/%s/subscriptions/%s-%d", projectId, name, i)),
+			"role":    llx.StringData(string(role)),
+			"members": llx.ArrayData(convert.SliceAnyToInterface(members), types.String),
+		})
+		if err != nil {
+			return nil, err
+		}
+		res = append(res, mqlBinding)
+	}
+	return res, nil
+}
+
+func topicStateToString(state pubsub.TopicState) string {
+	switch state {
+	case pubsub.TopicStateActive:
+		return "ACTIVE"
+	case pubsub.TopicStateIngestionResourceError:
+		return "INGESTION_RESOURCE_ERROR"
+	default:
+		return "STATE_UNSPECIFIED"
+	}
+}
+
+func subscriptionStateToString(state pubsub.SubscriptionState) string {
+	switch state {
+	case pubsub.SubscriptionStateActive:
+		return "ACTIVE"
+	case pubsub.SubscriptionStateResourceError:
+		return "RESOURCE_ERROR"
+	default:
+		return "STATE_UNSPECIFIED"
+	}
+}
+
 func pubsubConfigId(projectId, parentName string) string {
 	return fmt.Sprintf("%s/%s/config", projectId, parentName)
 }