Feature Description
Automated alerting triggered when infrastructure changes are made outside of the authorized Terraform CI/CD service account.
Use Case
To maintain strict compliance and security, administrators need to know immediately if a human operator makes manual edits (drift) in the Google Cloud Console.
Proposed Solution
Create a dedicated blueprint utilizing Google Cloud Log Router and Pub/Sub to filter for administrative write operations missing the Terraform service account identity, and route those events to an alerting topic.
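A minimal Terraform rendering of the proposed sink-to-topic path, added here as an example and not the blueprint itself: it routes Admin Activity audit entries for Compute and IAM whose caller is not the CI/CD identity to a Pub/Sub topic. The `project_id` and `terraform_sa_email` values are placeholders.

```hcl
# Added example, not the project's own blueprint.
# Placeholders: project_id and terraform_sa_email must be supplied by the caller.
variable "project_id" { type = string }
variable "terraform_sa_email" {
  type        = string
  description = "CI/CD identity, e.g. terraform-ci@PROJECT_ID.iam.gserviceaccount.com (placeholder)"
}

# Topic that the alerting consumer subscribes to.
resource "google_pubsub_topic" "drift_alerts" {
  name    = "infra-drift-alerts"
  project = var.project_id
}

# Log Router sink: Admin Activity logs are write operations by definition,
# so the filter only needs to scope the services and exclude the CI/CD caller.
# Consecutive lines in a Logging filter are ANDed.
resource "google_logging_project_sink" "drift" {
  name        = "out-of-band-admin-writes"
  project     = var.project_id
  destination = "pubsub.googleapis.com/${google_pubsub_topic.drift_alerts.id}"

  filter = <<-EOT
    logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Factivity"
    protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog"
    protoPayload.authenticationInfo.principalEmail!="${var.terraform_sa_email}"
    (protoPayload.serviceName="compute.googleapis.com" OR protoPayload.serviceName="iam.googleapis.com")
  EOT

  # Dedicated writer identity so the grant below is scoped to this sink only.
  unique_writer_identity = true
}

# The sink's writer identity needs publish rights on the topic, otherwise
# matched entries are silently dropped.
resource "google_pubsub_topic_iam_member" "sink_publisher" {
  project = var.project_id
  topic   = google_pubsub_topic.drift_alerts.name
  role    = "roles/pubsub.publisher"
  member  = google_logging_project_sink.drift.writer_identity
}
```

Note that a human who impersonates the CI/CD service account appears in `principalEmail` as that service account and will not be matched by this filter; the entry's `serviceAccountDelegationInfo` field is what distinguishes such calls, so a consumer that must catch them has to inspect that field as well.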
Compliance & Deployment Context
- Target Deployment Type(s):
- Relevant NIST 800-53r5 Controls: AU-6 (Audit Record Review, Analysis, and Reporting), SI-4 (System Monitoring).
Reusability Check
Stellar Engine prioritizes reusability.
Alternatives Considered
Relying strictly on Security Command Center, which does not provide immediate granular alerting for out-of-band IAM/Compute modifications.
Additional Context
This was explicitly requested in the legacy Feature Braindump from 2023.