feat(webhook-datasource) - customize sink filter (#32)

sysdiglabs · Jul 11, 2024 · 0a4c979 · 0a4c979
1 parent 4ea84ca
commit 0a4c979
Show file tree

Hide file tree

Showing 6 changed files with 11 additions and 2 deletions.
diff --git a/modules/services/webhook-datasource/README.md b/modules/services/webhook-datasource/README.md
@@ -73,6 +73,7 @@ No modules.
 | <a name="input_external_id"></a> [external\_id](#input\_external\_id) | (Required) Random string generated unique to a customer | `string` | n/a | yes |
 | <a name="input_suffix"></a> [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no |
 | <a name="input_audit_log_config"></a> [audit\_log\_config](#input\_audit\_log\_config) | List of services and their audit log configurations to be ingested. Default is to ingest all logs. | <pre>list(object({<br>    service = string,<br>    log_config = list(object({<br>      log_type         = string,<br>      exempted_members = optional(list(string))<br>    }))<br>  }))</pre> | <pre>[<br>  {<br>    "log_config": [<br>      {<br>        "log_type": "ADMIN_READ"<br>      },<br>      {<br>        "log_type": "DATA_READ"<br>      },<br>      {<br>        "log_type": "DATA_WRITE"<br>      }<br>    ],<br>    "service": "allServices"<br>  }<br>]</pre> | no |
+| <a name="ingestion_sink_filter"></a> [ingestion\_sink\_filter](#input\_ingestion\_sink\_filter) | Filter the Sink is set up with. Ingests AuditLogs by default. | `string` | `protoPayload.@type = "type.googleapis.com/google.cloud.audit.AuditLog"` | no |
 | <a name="input_exclude_logs_filter"></a> [exclude\_logs\_filter](#input\_exclude\_logs\_filter) | Filter to exclude logs from ingestion. Default is to ingest all google.cloud.audit.AuditLog logs. with no exclusions. | <pre>list(object({<br>    name        = string,<br>    description = optional(string),<br>    filter      = string,<br>    disabled    = optional(bool)<br>  }))</pre> | `[]` | no |
 
 ## Outputs

diff --git a/modules/services/webhook-datasource/main.tf b/modules/services/webhook-datasource/main.tf
@@ -83,7 +83,7 @@ resource "google_logging_project_sink" "ingestion_sink" {
   # NOTE: The target destination is a PubSub topic
   destination = "pubsub.googleapis.com/projects/${var.project_id}/topics/${google_pubsub_topic.ingestion_topic.name}"
 
-  filter = "protoPayload.@type = \"type.googleapis.com/google.cloud.audit.AuditLog\""
+  filter = var.ingestion_sink_filter
 
   # Dynamic block to exclude logs from ingestion
   dynamic "exclusions" {

diff --git a/modules/services/webhook-datasource/organizational.tf b/modules/services/webhook-datasource/organizational.tf
@@ -39,7 +39,7 @@ resource "google_logging_organization_sink" "ingestion_sink" {
 
   # NOTE: The target destination is a PubSub topic
   destination = "pubsub.googleapis.com/projects/${var.project_id}/topics/${google_pubsub_topic.ingestion_topic.name}"
-  filter      = "protoPayload.@type = \"type.googleapis.com/google.cloud.audit.AuditLog\""
+  filter      = var.ingestion_sink_filter
 
   # Dynamic block to exclude logs from ingestion
   dynamic "exclusions" {

diff --git a/modules/services/webhook-datasource/variables.tf b/modules/services/webhook-datasource/variables.tf
@@ -96,6 +96,12 @@ variable "audit_log_config" {
   ]
 }
 
+variable "ingestion_sink_filter" {
+  type        = string
+  description = "Filter the Sink is set up with. Ingests AuditLogs by default."
+  default     = "protoPayload.@type = \"type.googleapis.com/google.cloud.audit.AuditLog\""
+}
+
 variable "exclude_logs_filter" {
   description = "Filter to exclude logs from ingestion. Default is to ingest all google.cloud.audit.AuditLog logs. with no exclusions."
   type = list(object({

diff --git a/test/examples/secure_threat_detection/organization/main.tf b/test/examples/secure_threat_detection/organization/main.tf
@@ -10,6 +10,7 @@ module "organization-threat-detection" {
   is_organizational   = true
   organization_domain = "mytestorg.com"
   external_id         = "external_id"
+  ingestion_sink_filter = "protoPayload.@type = \"type.googleapis.com/google.cloud.audit.AuditLog\" (protoPayload.methodName!~ \"\\.(get|list)$\" OR protoPayload.serviceName != (\"k8s.io\" and \"storage.googleapis.com\"))"
   audit_log_config = [
     {
       service = "cloudsql.googleapis.com"

diff --git a/test/examples/secure_threat_detection/single/main.tf b/test/examples/secure_threat_detection/single/main.tf
@@ -8,6 +8,7 @@ module "single-project-threat-detection" {
   project_id    = "mytestproject"
   push_endpoint = "test_sysdig_secure_cloudingestion_endpoint"
   external_id   = "external_id"
+  ingestion_sink_filter = "protoPayload.@type = \"type.googleapis.com/google.cloud.audit.AuditLog\" (protoPayload.methodName!~ \"\\.(get|list)$\" OR protoPayload.serviceName != (\"k8s.io\" and \"storage.googleapis.com\"))"
   audit_log_config = [
     {
       service = "cloudsql.googleapis.com"