turbot/steampipe-mod-gcp-compliance

Control: Ensure that Cloud Storage buckets used for exporting logs have retention policy enabled

Description

It is recommended that Cloud Storage buckets used for exporting logs have a retention policy enabled. A retention policy prevents log objects in the bucket from being deleted or overwritten until the retention period has elapsed, which protects exported audit logs from tampering by anyone with write access to the bucket.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.storage_bucket_log_retention_policy_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.storage_bucket_log_retention_policy_enabled --share

SQL

This control uses a named query:

with log_sink_buckets as (
  select
    split_part(destination, '/', 2) as bucket_name,
    project
  from
    gcp_logging_sink
  where
    destination like 'storage.googleapis.com/%'
)
select
  b.self_link resource,
  case
    when s.bucket_name is null then 'skip'
    when b.retention_policy is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when s.bucket_name is null then title || ' does not export logs.'
    when b.retention_policy is not null then title || ' retention policy defined.'
    else title || ' retention policy not defined.'
  end as reason,
  b.location as location,
  b.project as project
from
  gcp_storage_bucket as b
  left join log_sink_buckets as s on s.bucket_name = b.name and b.project = s.project;
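The control only tests whether any retention policy exists on the bucket; it does not look at the retention period or at whether the policy is locked (Bucket Lock), and an unlocked policy can be shortened or removed by a bucket administrator. The query below is an added example, not part of the mod, that reuses the same sink-to-bucket join to surface the period and lock status of every log-sink bucket. It assumes that the retention_policy column holds the Cloud Storage API RetentionPolicy object as jsonb, with keys retentionPeriod (seconds) and isLocked, and that gcp_logging_sink exposes the sink name in its name column.

```sql
-- Added example (not the mod's own query): show retention details for
-- every bucket that is a log sink destination, so that buckets with no
-- policy, or with an unlocked policy, are visible even though the control
-- above reports 'ok' for any policy at all.
-- Assumption: retention_policy is the Cloud Storage API RetentionPolicy
-- object stored as jsonb, with keys retentionPeriod (seconds) and isLocked.
with log_sink_buckets as (
  select
    split_part(destination, '/', 2) as bucket_name,
    project,
    name as sink_name
  from
    gcp_logging_sink
  where
    destination like 'storage.googleapis.com/%'
)
select
  b.name as bucket,
  b.project,
  s.sink_name,
  -- retentionPeriod is returned in seconds; convert to whole days for reading.
  (b.retention_policy ->> 'retentionPeriod')::bigint / 86400 as retention_days,
  coalesce((b.retention_policy ->> 'isLocked')::boolean, false) as is_locked,
  case
    when b.retention_policy is null then 'alarm'   -- no policy at all
    when not coalesce((b.retention_policy ->> 'isLocked')::boolean, false) then 'info'  -- policy present but not locked
    else 'ok'                                      -- policy present and locked
  end as status
from
  gcp_storage_bucket as b
  join log_sink_buckets as s
    on s.bucket_name = b.name
   and s.project = b.project
order by
  status, b.project, b.name;
```

A bucket that receives several sinks appears once per sink because sink_name is selected; drop that column and add a distinct if a one-row-per-bucket view is wanted.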

Tags