From d2037abd48c9061b57134dcdc9489cf6e76b26b6 Mon Sep 17 00:00:00 2001
From: Irwin Kennedy <irwin.kennedy@lacework.net>
Date: Fri, 28 Jan 2022 12:50:51 +0000
Subject: [PATCH 1/4] RAIN-27045 Script to generate a GCP resource count and
 breakdown by asset-type.

---
 resource_management/gcp/README.md             | 65 +++++++++++++++++++
 .../gcp/gcp_asset_breakdown.sh                | 53 +++++++++++++++
 2 files changed, 118 insertions(+)
 create mode 100644 resource_management/gcp/README.md
 create mode 100755 resource_management/gcp/gcp_asset_breakdown.sh

diff --git a/resource_management/gcp/README.md b/resource_management/gcp/README.md
new file mode 100644
index 0000000..a1a45f5
--- /dev/null
+++ b/resource_management/gcp/README.md
@@ -0,0 +1,65 @@
+# Overview
+
+BASH script to produce a GCP resource breakdown and total resource count.
+It examines every project in the current org. that the executing user has access to (see Roles below).
+If a project request receives permission denied, an error will be displayed on screen, but the remaining projects will still be examined.
+
+# Pre-requisites
+
+A Unix like shell (MacOS/Linux) with gcloud, sed, bc utilities installed is the required execution environment.
+We recommend using the [gcp cloud shell](https://console.cloud.google.com/home/dashboard?cloudshell=true) - it has all the dependencies.
+
+# Roles
+
+The user executing the script must have roles/cloudassset.viewer and roles/serviceusage.serviceUsageConsumer on the parent of the resources to be examined.
+
+### A) We recommend granting at the org level:
+
+`gcloud organizations add-iam-policy-binding TARGET_ORGANIZATION_ID \
+     --member user:USER_ACCOUNT_EMAIL \
+     --role roles/cloudasset.viewer`
+
+`gcloud organizations add-iam-policy-binding TARGET_ORGANIZATION_ID \
+     --member user:USER_ACCOUNT_EMAIL \
+     --role roles/serviceusage.serviceUsageConsumer`
+
+### B) Alternative is granting for each project to be examined:
+
+`gcloud projects add-iam-policy-binding TARGET_PROJECT_ID \
+     --member user:USER_ACCOUNT_EMAIL \
+     --role roles/cloudasset.viewer`
+
+`gcloud projects add-iam-policy-binding TARGET_PROJECT_ID \
+     --member user:USER_ACCOUNT_EMAIL \
+     --role roles/serviceusage.serviceUsageConsumer`
+
+# API enablement
+
+Script requires access to cloudasset API.
+
+### A) We recommend granting at the org level:
+
+`gcloud --organization <organization_id> services enable cloudasset.googleapis.com`
+
+### B) Alternative is granting for each project to be examined:
+
+`gcloud --project <project_id> services enable cloudasset.googleapis.com`
+
+# Usage
+
+1. Download the script:
+
+wget <script url>
+
+2. Run the script:
+
+`chmod +x ./gcp_asset_breakdown.sh; mkdir -p /tmp/lacework; ./gcp_asset_breakdown.sh 2>&1 | tee /tmp/lacework/output`
+
+# Results
+
+Summary output is displayed on screen.
+When the script finishes, we recommend uploading the contents of directory:
+
+`/tmp/lacework/output`
+
+This can be done in GCP cloud shell by clicking on the more icon (vertial '...') and selecting download.
diff --git a/resource_management/gcp/gcp_asset_breakdown.sh b/resource_management/gcp/gcp_asset_breakdown.sh
new file mode 100755
index 0000000..cb6a59f
--- /dev/null
+++ b/resource_management/gcp/gcp_asset_breakdown.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+STAR=*
+FILEENDING=".assets"
+
+echo "Installing utility bc"
+sudo apt install -y bc
+
+echo "This script gives a breakdown of resources by asset type for all projects the authenticated account has access to"
+echo "For pre-requisites, including permissions, please see the README"
+echo "It is recommened to use gcp's cloud shell to execute the script"
+echo "Recommended invocation: chmod +x ./gcp_asset_breakdown.sh; mkdir -p /tmp/lacework; ./gcp_asset_breakdown.sh 2>&1 | tee /tmp/lacework/output"
+echo ""
+
+mkdir -p /tmp/lacework
+gcloud config set accessibility/screen_reader false
+
+var=$(gcloud projects list --filter='lifecycleState:ACTIVE' | sed "1 d" | cut -d ' ' -f 1)
+number_projects=$(echo "$var" | wc -l)
+
+echo "==> Project list:"
+echo $var | tr " " "\n"
+echo "==> Total number of projects = $number_projects"
+
+read -p "Continue to summarise assetTypes and count on all projects? " -n 1 -r
+echo    # (optional) move to a new line
+if [[ ! $REPLY =~ ^[Yy]$ ]]
+then
+    [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1 # handle exits from shell or function but don't exit interactive shell
+fi
+
+for val in $var; do
+    echo "=> Examining Project $val"
+    if gcloud asset list --page-size=1000 --project $val | grep "assetType" > /tmp/lacework/$val$FILEENDING
+    then
+       echo "==> Done."
+    else
+       echo "==> Error examining."
+    fi
+    echo "***************************************"
+done
+# Concatenate all assets into a single file, count assets, reduce each line to just the asset count and then sum the counts to find the total.
+cat /tmp/lacework/*.assets > /tmp/lacework/combined; cat /tmp/lacework/combined | sort | uniq -c | sort -bgr > /tmp/lacework/combined_count
+echo "asset-type breakdown"
+cat /tmp/lacework/combined_count
+sed 's/assetType.*$//g' /tmp/lacework/combined_count > /tmp/lacework/combined_count_numbers
+total_assets=$(paste -sd+ /tmp/lacework/combined_count_numbers | bc)
+echo ""
+echo ""
+echo "Total assets=$total_assets"
+echo ""
+echo "Please take a copy of the contents of directory /tmp/lacework and send for more analysis"
+echo "In GCP cloudshell this can be done by clicking on more (the vertical \"...\") and selecting Download"

From d59b6a6ac41e40e7fb33b589bac5308977f352a6 Mon Sep 17 00:00:00 2001
From: Irwin Kennedy <irwin.kennedy@lacework.net>
Date: Fri, 28 Jan 2022 15:05:15 +0000
Subject: [PATCH 2/4] Updated URL in README to wget script

---
 resource_management/gcp/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resource_management/gcp/README.md b/resource_management/gcp/README.md
index a1a45f5..ddd7687 100644
--- a/resource_management/gcp/README.md
+++ b/resource_management/gcp/README.md
@@ -49,7 +49,7 @@ Script requires access to cloudasset API.
 
 1. Download the script:
 
-wget <script url>
+wget https://github.com/lacework-dev/scripts/blob/main/resource_management/gcp/gcp_asset_breakdown.sh
 
 2. Run the script:
 

From 826a2a6d5a42adf41270cb905949b1f41764f95b Mon Sep 17 00:00:00 2001
From: Irwin Kennedy <irwin.kennedy@lacework.net>
Date: Fri, 28 Jan 2022 15:18:58 +0000
Subject: [PATCH 3/4] Adding cloudasset_enable.sh convenience script

Updated README to include guidance on usage
---
 resource_management/gcp/README.md            | 16 +++++++---
 resource_management/gcp/cloudasset_enable.sh | 32 ++++++++++++++++++++
 2 files changed, 43 insertions(+), 5 deletions(-)
 create mode 100755 resource_management/gcp/cloudasset_enable.sh

diff --git a/resource_management/gcp/README.md b/resource_management/gcp/README.md
index ddd7687..0ff864e 100644
--- a/resource_management/gcp/README.md
+++ b/resource_management/gcp/README.md
@@ -37,11 +37,17 @@ The user executing the script must have roles/cloudassset.viewer and roles/servi
 
 Script requires access to cloudasset API.
 
-### A) We recommend granting at the org level:
+### A) We recommend granting for all projects in the org:
 
-`gcloud --organization <organization_id> services enable cloudasset.googleapis.com`
+1. Download the script cloudasset_enable.sh
 
-### B) Alternative is granting for each project to be examined:
+wget https://github.com/lacework-dev/scripts/blob/main/resource_management/gcp/cloudasset_enable.sh
+
+2. Run the script:
+
+`chmod +x ./cloudasset_enable.sh; mkdir -p /tmp/lacework; ./cloudasset_enable.sh 2>&1 | tee /tmp/lacework/enable_output`
+
+### B) Alternative is manually granting for each project to be examined:
 
 `gcloud --project <project_id> services enable cloudasset.googleapis.com`
 
@@ -60,6 +66,6 @@ wget https://github.com/lacework-dev/scripts/blob/main/resource_management/gcp/g
 Summary output is displayed on screen.
 When the script finishes, we recommend uploading the contents of directory:
 
-`/tmp/lacework/output`
+`/tmp/lacework/`
 
-This can be done in GCP cloud shell by clicking on the more icon (vertial '...') and selecting download.
+This can be done in GCP cloud shell by clicking on the more icon (vertical '...') and selecting download.
diff --git a/resource_management/gcp/cloudasset_enable.sh b/resource_management/gcp/cloudasset_enable.sh
new file mode 100755
index 0000000..44545ef
--- /dev/null
+++ b/resource_management/gcp/cloudasset_enable.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+STAR=*
+FILEENDING=".enable"
+
+mkdir -p /tmp/lacework
+gcloud config set accessibility/screen_reader false
+
+var=$(gcloud projects list --filter='lifecycleState:ACTIVE' | sed "1 d" | cut -d ' ' -f 1)
+number_projects=$(echo "$var" | wc -l)
+
+echo "==> Project list:"
+echo $var | tr " " "\n"
+echo "==> Total number of projects = $number_projects"
+
+read -p "Continue to enable on all projects? " -n 1 -r
+echo    # (optional) move to a new line
+if [[ ! $REPLY =~ ^[Yy]$ ]]
+then
+    [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1 # handle exits from shell or function but don't exit interactive shell
+fi
+
+for val in $var; do
+    echo "=> Enabling for Project $val"
+    if gcloud --project $val services enable cloudasset.googleapis.com > /tmp/lacework/$val$FILEENDING
+    then
+       echo "==> Done."
+    else
+       echo "==> Error enabling."
+    fi
+    echo "***************************************"
+done

From 5763601013303bef02f8ab3aee3aca9d85ed264d Mon Sep 17 00:00:00 2001
From: Irwin Kennedy <irwin.kennedy@lacework.net>
Date: Fri, 28 Jan 2022 20:08:31 +0000
Subject: [PATCH 4/4] Add README note on sufficiennt existing permissions to
 skip step of adding roles

---
 resource_management/gcp/README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/resource_management/gcp/README.md b/resource_management/gcp/README.md
index 0ff864e..43c0a11 100644
--- a/resource_management/gcp/README.md
+++ b/resource_management/gcp/README.md
@@ -11,7 +11,10 @@ We recommend using the [gcp cloud shell](https://console.cloud.google.com/home/d
 
 # Roles
 
-The user executing the script must have roles/cloudassset.viewer and roles/serviceusage.serviceUsageConsumer on the parent of the resources to be examined.
+If your account has roles/cloudasset.owner or roles/owner on the resource's parent, it has sufficient permissions.
+Please skip to the section API enablement.
+
+Otherwise, the account executing the script must have roles/cloudassset.viewer and roles/serviceusage.serviceUsageConsumer on the parent of the resources to be examined.
 
 ### A) We recommend granting at the org level: