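# Config Connector (KCC) manifests for the SIEM log-export pipeline:
# a GCS bucket fed by a Cloud Logging sink with audit/security logs, a reader
# service account (plus key) for the SIEM, and a Pub/Sub topic/subscription.
# `${gcp_project_id}` is substituted by the deployment tooling before apply.
---
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: siem-bucket
  annotations:
    # Keep the bucket (and the log data in it) if this KCC resource is removed.
    cnrm.cloud.google.com/deletion-policy: abandon
    cnrm.cloud.google.com/state-into-spec: merge
spec:
  location: US
  # Audit/security logs must never be publicly readable: enforce this on the
  # bucket itself instead of inheriting whatever the org policy happens to be.
  # No allUsers/allAuthenticatedUsers grants exist in this file, so enforcing
  # changes nothing for the intended readers.
  publicAccessPrevention: enforced
  resourceID: ${gcp_project_id}-siem
  storageClass: STANDARD
  versioning:
    enabled: true
  # NOTE(review): no retentionPolicy / bucket lock is configured, so objects
  # remain deletable by any principal with delete rights — confirm this
  # against the log-retention requirement for audit data.
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: splunk-siem-reader
spec:
  displayName: splunk-siem-reader
  resourceID: splunk-siem-reader
---
# Creates a long-lived, user-managed key for the reader service account; the
# private key material ends up on the cluster (presumably in this object's
# status/secret — confirm for your KCC version), so treat the namespace as
# sensitive, rotate the key on a schedule, and prefer a keyless approach
# (workload identity federation) if the consuming SIEM supports it.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccountKey
metadata:
  name: splunk-siem-reader-key
spec:
  serviceAccountRef:
    name: splunk-siem-reader
---
# Read access on the SIEM bucket. IAMPartialPolicy manages only the bindings
# listed here and leaves other bindings on the bucket untouched.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
  name: siem-partial-policy
spec:
  bindings:
    - members:
        # External (partner-owned) identity with read access to all exported
        # logs — record its owner/purpose and include it in access reviews.
        - member: serviceAccount:7008838691-0-account@partnercontent.gserviceaccount.com
        - member: serviceAccount:splunk-siem-reader@${gcp_project_id}.iam.gserviceaccount.com
      role: roles/storage.objectViewer
  resourceRef:
    name: siem-bucket
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
---
# Write access for the log sink. The sink below sets uniqueWriterIdentity to
# false, so it writes as the shared Cloud Logging service account, which is
# the identity granted objectCreator here (create-only, no read/delete).
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: siem-bucket-writer
spec:
  member: serviceAccount:cloud-logs@system.gserviceaccount.com
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    external: ${gcp_project_id}-siem
  role: roles/storage.objectCreator
---
apiVersion: logging.cnrm.cloud.google.com/v1beta1
kind: LoggingLogSink
metadata:
  name: siem
  annotations:
    cnrm.cloud.google.com/reconcile-interval-in-seconds: "6200"
spec:
  destination:
    storageBucketRef:
      external: storage.googleapis.com/${gcp_project_id}-siem
  # Export only audit/security-class entries from the one named cluster edge.
  filter: '(jsonPayload.log_class="audit" OR jsonPayload.log_class="security") AND labels.cluster_edge_id="5f700d64-bfbc-4430-a870-e63eccc148e8"'
  projectRef:
    external: ${gcp_project_id}
  # Shared writer identity. Switching this to true requires granting the
  # sink-specific writer identity on the bucket instead of cloud-logs@ above.
  uniqueWriterIdentity: false
---
# PUB SUB
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubTopic
metadata:
  name: siem
---
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubSubscription
metadata:
  name: siem-subscription
spec:
  # 31 day retention. max allowed by GCP
  messageRetentionDuration: 2678400s
  retainAckedMessages: false
  topicRef:
    name: siem
---
# Subscriber access for named individuals. A Google group would keep
# joiner/leaver handling out of this manifest and in the access-review process.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
  name: siem-users-pubsub-access
spec:
  bindings:
    - members:
        - member: user:ak185158@ncr.com
        - member: user:ag185392@ncr.com
        - member: user:rs185722@ncr.com
      role: roles/pubsub.subscriber
  resourceRef:
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubSubscription
    external: projects/${gcp_project_id}/subscriptions/siem-subscription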