# Landing bucket for SIEM log exports; it is the destination of the "siem"
# log sink declared later in this file.
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: siem-bucket
  annotations:
    # Deleting this Kubernetes object leaves the GCS bucket (and the logs in
    # it) in place instead of deleting them with it.
    cnrm.cloud.google.com/deletion-policy: abandon
    cnrm.cloud.google.com/state-into-spec: merge
spec:
  # GCS bucket name is project-scoped: <project>-siem.
  resourceID: '${gcp_project_id}-siem'
  location: 'US'
  storageClass: 'STANDARD'
  # "inherited" defers to the org/project policy. For a bucket holding audit
  # and security logs "enforced" is the stricter setting; if "inherited" is
  # kept, confirm the inherited constraint actually blocks public access.
  publicAccessPrevention: inherited
  # Object versioning keeps overwritten or deleted log objects recoverable.
  versioning:
    enabled: true
  # NOTE(review): no retention policy and no uniform bucket-level access are
  # declared here; both are common hardening for log buckets -- verify they
  # are applied elsewhere (org policy / bucket defaults) or add them.
---
# Service account the SIEM (Splunk) uses to read objects out of the bucket.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: splunk-siem-reader
spec:
  resourceID: splunk-siem-reader
  displayName: 'splunk-siem-reader'
---
# User-managed key for splunk-siem-reader. This is long-lived credential
# material: anyone who can read the generated key (presumably surfaced through
# this object's status in the Kubernetes API -- confirm) can act as the reader
# SA. Restrict RBAC on this namespace, plan rotation, and prefer workload
# identity / federation where the consuming SIEM supports it.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccountKey
metadata:
  name: splunk-siem-reader-key
spec:
  serviceAccountRef:
    name: splunk-siem-reader
---
# Read-only access on the bucket for the SIEM reader SA and a partner-hosted
# SA. An IAMPartialPolicy manages only the bindings listed here; bindings
# granted by other means are left untouched, so this is not an authoritative
# view of who can read the bucket.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
  name: siem-partial-policy
spec:
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    name: siem-bucket
  bindings:
    - role: roles/storage.objectViewer
      members:
        # Third-party SA (partnercontent project), outside this project's
        # control -- re-check periodically that the grant is still required.
        - member: serviceAccount:7008838691-0-account@partnercontent.gserviceaccount.com
        - member: serviceAccount:splunk-siem-reader@${gcp_project_id}.iam.gserviceaccount.com
---
# Lets the log sink's writer identity create objects in the bucket.
# The "siem" sink sets uniqueWriterIdentity: false, so its writer is the shared
# cloud-logs@system.gserviceaccount.com rather than a per-sink SA. That account
# is Google-managed and, as far as this manifest shows, not specific to this
# project -- confirm the blast radius of the grant, or switch the sink to a
# unique writer identity and bind that SA instead.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: siem-bucket-writer
spec:
  # objectCreator only: the writer can add objects but not read or delete them.
  role: roles/storage.objectCreator
  member: serviceAccount:cloud-logs@system.gserviceaccount.com
  # Referenced by bucket name rather than by the Kubernetes object, unlike
  # siem-partial-policy above; both resolve to the same bucket.
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    external: '${gcp_project_id}-siem'
---
# Project-level log sink: routes audit/security log entries for a single
# cluster into the SIEM bucket.
apiVersion: logging.cnrm.cloud.google.com/v1beta1
kind: LoggingLogSink
metadata:
  name: siem
  annotations:
    # 6200 s (about 1h43m) between reconciles. Kept as a string on purpose.
    cnrm.cloud.google.com/reconcile-interval-in-seconds: '6200'
spec:
  projectRef:
    external: '${gcp_project_id}'
  destination:
    storageBucketRef:
      external: 'storage.googleapis.com/${gcp_project_id}-siem'
  # Only entries classed audit/security for one cluster_edge_id are exported.
  # Widening this filter widens what lands in a bucket that the partner SA in
  # siem-partial-policy can read.
  filter: '(jsonPayload.log_class="audit" OR jsonPayload.log_class="security") AND labels.cluster_edge_id="5f700d64-bfbc-4430-a870-e63eccc148e8"'
  # Shared writer identity; the matching objectCreator grant is
  # siem-bucket-writer. A unique writer identity gives this sink its own SA
  # and is the tighter option.
  uniqueWriterIdentity: false
---
# ---- Pub/Sub ----
# Topic for SIEM consumers. Nothing in this file publishes to it (the log sink
# above targets the bucket); the publisher is presumably configured elsewhere
# -- confirm, since an unused topic with subscriber grants is easy to forget.
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubTopic
metadata:
  name: siem
---
# Pull subscription on the siem topic.
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubSubscription
metadata:
  name: siem-subscription
spec:
  topicRef:
    name: siem
  # 2678400 s = 31 days, the maximum retention GCP allows.
  messageRetentionDuration: '2678400s'
  # Acknowledged messages are dropped immediately; only unacked ones are kept.
  retainAckedMessages: false
---
# Pull access on the subscription for named individuals. These are bindings
# to individual user principals; a group would keep joiners/leavers auditable
# in one place -- worth confirming with the owners. As with the other
# IAMPartialPolicy, bindings not listed here are left untouched.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
  name: siem-users-pubsub-access
spec:
  resourceRef:
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubSubscription
    external: 'projects/${gcp_project_id}/subscriptions/siem-subscription'
  bindings:
    - role: roles/pubsub.subscriber
      members:
        - member: user:ak185158@ncr.com
        - member: user:ag185392@ncr.com
        - member: user:rs185722@ncr.com