Fixing gcp onboarding on gcp regions

sysdiglabs · Dec 17, 2024 · f26768d · f26768d
1 parent 76e9fe9
commit f26768d
Showing 1 changed file with 42 additions and 0 deletions.
diff --git a/modules/vm-workload-scanning/main.tf b/modules/vm-workload-scanning/main.tf
@@ -1,3 +1,8 @@
+#-----------------------------------------------------------------------------------------
+# Fetch the data sources
+#-----------------------------------------------------------------------------------------
+data "sysdig_secure_agentless_scanning_assets" "assets" {}
+
 locals {
   suffix = random_id.suffix.hex
 }
@@ -54,6 +59,8 @@ resource "google_iam_workload_identity_pool" "agentless" {
 }
 
 resource "google_iam_workload_identity_pool_provider" "agentless" {
+  count = data.sysdig_secure_agentless_scanning_assets.assets.backend == "aws" ? 1 : 0
+
   project                            = var.project_id
   workload_identity_pool_id          = google_iam_workload_identity_pool.agentless.workload_identity_pool_id
   workload_identity_pool_provider_id = "sysdig-wl-${local.suffix}"
@@ -76,11 +83,42 @@ resource "google_iam_workload_identity_pool_provider" "agentless" {
 }
 
 resource "google_service_account_iam_member" "controller_binding" {
+  count = data.sysdig_secure_agentless_scanning_assets.assets.backend == "aws" ? 1 : 0
+
   service_account_id = google_service_account.controller.name
   role               = "roles/iam.workloadIdentityUser"
   member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.aws_account/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}"
 }
 
+resource "google_iam_workload_identity_pool_provider" "agentless_gcp" {
+  count = data.sysdig_secure_agentless_scanning_assets.assets.backend == "gcp" ? 1 : 0
+
+  workload_identity_pool_id          = google_iam_workload_identity_pool.agentless.workload_identity_pool_id
+  workload_identity_pool_provider_id = "sysdig-ws-${local.suffix}-gcp"
+  display_name                       = "Sysdig Agentless Workload Controller"
+  description                        = "GCP identity pool provider for Sysdig Secure Agentless Workload Scanning"
+  disabled                           = false
+
+  attribute_condition = "google.subject == \"${data.sysdig_secure_agentless_scanning_assets.assets.backend.cloudId}\""
+
+  attribute_mapping = {
+    "google.subject"  = "assertion.sub"
+    "attribute.sa_id" = "assertion.sub"
+  }
+
+  oidc {
+    issuer_uri = "https://accounts.google.com"
+  }
+}
+
+resource "google_service_account_iam_member" "controller_binding_gcp" {
+  count = data.sysdig_secure_agentless_scanning_assets.assets.backend == "gcp" ? 1 : 0
+
+  service_account_id = google_service_account.controller.name
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.sa_id/${data.sysdig_secure_agentless_scanning_assets.assets.backend.cloudId}"
+}
+
 
 #--------------------------------------------------------------------------------------------------------------
 # Call Sysdig Backend to add the service-principal integration for VM Workload Scanning to the Sysdig Cloud Account
@@ -105,6 +143,10 @@ resource "sysdig_secure_cloud_auth_account_component" "google_service_principal"
     google_project_iam_custom_role.controller,
     google_project_iam_binding.controller_binding,
     google_iam_workload_identity_pool.agentless,
+    google_iam_workload_identity_pool_provider.agentless,
+    google_iam_workload_identity_pool_provider.agentless_gcp,
+    google_service_account_iam_member.controller_binding,
+    google_service_account_iam_member.controller_binding_gcp,
     google_organization_iam_member.controller,
   ]
 }