Control: Ensure roles do not impersonate or manage Service Accounts used at project level

powerpipe control run terraform_gcp_compliance.control.iam_project_impersonation_role

powerpipe login
powerpipe control run terraform_gcp_compliance.control.iam_project_impersonation_role --share

select
  address as resource,
  case
    when (attributes_std ->> 'role') like any (array ['roles/owner', 'roles/editor', 'roles/iam.securityAdmin', 'roles/iam.serviceAccountAdmin', 'roles/iam.serviceAccountKeyAdmin', 'roles/iam.serviceAccountUser', 'roles/iam.serviceAccountTokenCreator', 'roles/iam.workloadIdentityUser', 'roles/dataproc.editor', 'roles/dataproc.admin', 'roles/dataflow.developer', 'roles/resourcemanager.folderAdmin', 'roles/resourcemanager.folderIamAdmin', 'roles/resourcemanager.projectIamAdmin', 'roles/resourcemanager.organizationAdmin', 'roles/serverless.serviceAgent', 'roles/dataproc.serviceAgent']) then 'alarm'
    else 'ok'
  end status,
  split_part(address, '.', 2) || case
    when (attributes_std ->> 'role') like any (array ['roles/owner', 'roles/editor', 'roles/iam.securityAdmin', 'roles/iam.serviceAccountAdmin', 'roles/iam.serviceAccountKeyAdmin', 'roles/iam.serviceAccountUser', 'roles/iam.serviceAccountTokenCreator', 'roles/iam.workloadIdentityUser', 'roles/dataproc.editor', 'roles/dataproc.admin', 'roles/dataflow.developer', 'roles/resourcemanager.folderAdmin', 'roles/resourcemanager.folderIamAdmin', 'roles/resourcemanager.projectIamAdmin', 'roles/resourcemanager.organizationAdmin', 'roles/serverless.serviceAgent', 'roles/dataproc.serviceAgent']) then ' impersonates or manages Service Accounts'
    else ' does not impersonate or manage Service Accounts'
  end || '.' reason
  , path || ':' || start_line
from
  terraform_resource
where
  type in ('google_project_iam_member', 'google_project_iam_binding');