ignore authorized adder performing secret manipulation in abnormal secret alert (#1028)

The authorized adder is allowed to manipulate the sercret version (e.g.
destroy old version, create new versions, enable versions). Ignore these
in the abnormal access alert.

Signed-off-by: Colin Douglas <[email protected]>

Author: cmdpdx

modules/secret/main.tf

@@ -25,6 +25,8 @@ resource "google_secret_manager_secret_version" "placeholder" {
 locals {
   accessors       = [for sa in concat([var.service-account], var.service-accounts) : "serviceAccount:${sa}" if sa != ""]
   accessor_emails = [for sa in concat([var.service-account], var.service-accounts) : sa if sa != ""]
+  # Extract the email portion of the authorized adder member
+  authorized_adder_email = strcontains(var.authorized-adder, ":") ? split(":", var.authorized-adder)[1] : var.authorized-adder
 
   default_labels = {
     basename(abspath(path.module)) = var.name
@@ -92,6 +94,11 @@ resource "google_monitoring_alert_policy" "anomalous-secret-access" {
         protoPayload.authenticationInfo.principalEmail=~"${join("|", local.accessor_emails)}"
         protoPayload.methodName=~"google.cloud.secretmanager.v1.SecretManagerService.(AccessSecretVersion|GetSecretVersion)"
       )
+      -- Ignore the identity that is authorized to manipulate secret versions.
+      -(
+        protoPayload.authenticationInfo.principalEmail="${local.authorized_adder_email}"
+        protoPayload.methodName=~"google.cloud.secretmanager.v1.SecretManagerService.(DestroySecretVersion|AddSecretVersion|EnableSecretVersion)"
+      )
       EOT
 
       label_extractors = {