IAM Audit log is not included in project level CAI data if it's enabled in org level #145
Comments
|
I don't think there's a meaningful way for us to solve this. If you're looking for audit log configs, you should look at both the org and project level configs. If you think that's unsatisfactory, I'd recommend asking the CAI team about adding a "materialized" asset. |
|
One thing I can try is change the match target to be
|
|
Yeah that should work. |
|
Umm, just tried in my Forseti instance, seems @briantkennedy do you think we can support |
|
Hi @xingao267, I believe the behavior you're requesting is already implemented, but based on the other bug, it looks like you're running a very old version of config validator in your Forseti install. @gkowalski-google will probably be able to assist with determining which version and how to upgrade. |
|
@xingao267 @briantkennedy Added a comment to this ticket. Until the next release, you can use the main branches of the Terraform module and Forseti app to have the ability to change the CV version. |
I have audit log enabled for all services at org level, but violations are still reported by Forseti in CSCC for a lot of projects and folders. I took a look at the CAI export and it seems the project level (probably folder level as well, but I didn't check), the
audit_log_configsblock is not present in the exported data, and I guess that's why it causes the forseti to still report violations.(note this is not the same issue as GoogleCloudPlatform/policy-library#367). This issue might need to be solved in CAI export data or how config validator collect project/folder level audit log information.
The text was updated successfully, but these errors were encountered: