From 5862307f93ffbb50d897aac80e7fbf7e4d9e30d4 Mon Sep 17 00:00:00 2001 From: Jose Pablo Camacho Date: Thu, 5 Sep 2024 14:45:56 -0600 Subject: [PATCH 01/32] feat(modular): add modular support for cdr/ciem --- .../integrations/webhook-datasource/README.md | 101 +++++++ .../integrations/webhook-datasource/main.tf | 264 ++++++++++++++++++ .../webhook-datasource/organizational.tf | 86 ++++++ .../webhook-datasource/outputs.tf | 5 + .../webhook-datasource/variables.tf | 115 ++++++++ .../webhook-datasource/versions.tf | 17 ++ .../webhook_datasource.tf | 119 ++++++++ .../webhook_datasource.tf | 93 ++++++ 8 files changed, 800 insertions(+) create mode 100644 modules/integrations/webhook-datasource/README.md create mode 100644 modules/integrations/webhook-datasource/main.tf create mode 100644 modules/integrations/webhook-datasource/organizational.tf create mode 100644 modules/integrations/webhook-datasource/outputs.tf create mode 100644 modules/integrations/webhook-datasource/variables.tf create mode 100644 modules/integrations/webhook-datasource/versions.tf create mode 100644 test/examples/organization_cdr_test/webhook_datasource.tf create mode 100644 test/examples/single_account_cdr_test/webhook_datasource.tf diff --git a/modules/integrations/webhook-datasource/README.md b/modules/integrations/webhook-datasource/README.md new file mode 100644 index 0000000..8307a80 --- /dev/null +++ b/modules/integrations/webhook-datasource/README.md @@ -0,0 +1,101 @@ +# GCP Webhook Datasource Module + +This Module creates the resources required to send AuditLogs logs to Sysdig via GCP Pub Subscription. These resources enable Threat Detection in the given GCP project or organization. +Before applying the changes defined in this module, the following operations need to be performed on the target GCP environment: + +- Enable the following APIs in the target environment (https://support.google.com/googleapi/answer/6158841?hl=en) + - Cloud Pub/Sub API + - Identity and Access Management (IAM) API + - IAM Service Account Credentials API + - Cloud Resource Manager API + +- The following resources will be created in each instrumented project: + - A `PubSub Topic` to send the AuditLogs from the project + - A `Logging Sink` that export AuditLogs to the PubSub topic + - A `PubSub Topic IAM member` to assign a role to the PubSub topic + - A `PubSub Subscription` to allows receiving messages from the PubSub topic, including its `Service Account` + - An `IAM Workload Identity Pool` that enables identities from external systems(AWS) tp access GCP resources through IAM + - An `IAM role and member` that provides the required permissions for Sysdig Backend to read cloud resources created for data ingestion + +When run in organizational mode, this module is similar however the main difference is that an organizational sink is used +instead of a project-specific one, as well as enabling AuditLogs for all the projects that fall within the organization. + +This module will also deploy a Webhook Datasource Component in Sysdig Backend for onboarded Sysdig Cloud Account. + + +## Requirements + +| Name | Version | +|---------------------------------------------------------------------------|-----------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [google](#requirement\_google) | >= 4.21.0 | +| [sysdig](#requirement\_sysdig) | | + +## Providers + +| Name | Version | +|------------------------------------------------------------------|-----------| +| [google](#provider\_google) | >= 4.21.0 | +| [random](#requirement\_random) | >= 3.1 | +| [sysdig](#requirement\_sysdig) | + + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------| +| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | +| [google_project_iam_audit_config.audit_config](https://registry.terraform.io/providers/hashicorp/google/3.0.0-beta.1/docs/resources/google_project_iam#google_project_iam_audit_config) | resource | +| [google_pubsub_topic.ingestion_topic](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic.html) | resource | +| [google_pubsub_topic.deadletter_topic](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic.html) | resource | +| [google_logging_project_sink.ingestion_sink](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/logging_project_sink) | resource | +| [google_pubsub_topic_iam_member.publisher_iam_member](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic_iam#google_pubsub_topic_iam_member) | resource | +| [google_service_account.push_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account) | resource | +| [google_service_account_iam_binding.push_auth_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_binding) | resource | +| [google_pubsub_subscription.ingestion_topic_push_subscription](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription.html) | resource | +| [google_iam_workload_identity_pool.ingestion_auth_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool) | resource | +| [google_iam_workload_identity_pool_provider.ingestion_auth_pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource | +| [google_project_iam_custom_role.custom_ingestion_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam_custom_role) | resource | +| [google_project_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/3.22.0/docs/resources/google_project_iam#google_project_iam_member) | resource | +| [google_service_account_iam_member.custom_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member) | resource | +| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source | +| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [ack\_deadline\_seconds](#input\_ack\_deadline\_seconds) | (Optional) Maximum time in seconds after Sysdig's subscriber receives a message before the subscriber should acknowledge the message | `number` | `60` | no | +| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | +| [labels](#input\_labels) | (Optional) Labels to be associated with Sysdig-originated resources | `map(string)` | 
{
  "originator": "sysdig"
}
| no | +| [max\_delivery\_attempts](#input\_max\_delivery\_attempts) | (Optional) Number of attempts redelivering missed messages from the deadletter topic to the main one | `number` | `5` | no | +| [maximum\_backoff](#input\_maximum\_backoff) | (Optional) Maximum backoff time for exponential backoff of the push subscription retry policy | `string` | `"600s"` | no | +| [message\_retention\_duration](#input\_message\_retention\_duration) | (Optional) How long unacknowledged messages are retained in Sysdig's subscription backlog, from the moment a message is published | `string` | `"604800s"` | no | +| [minimum\_backoff](#input\_minimum\_backoff) | (Optional) Minimum backoff time for exponential backoff of the push subscription retry policy | `string` | `"10s"` | no | +| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | +| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | +| [role\_name](#input\_role\_name) | (Optional) Role name for custom role binding to the service account, with read permissions for data ingestion resources | `string` | `"SysdigIngestionAuthRole"` | no | +| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | +| [audit\_log\_config](#input\_audit\_log\_config) | List of services and their audit log configurations to be ingested. Default is to ingest all logs. | 
list(object({
    service = string,
    log_config = list(object({
      log_type         = string,
      exempted_members = optional(list(string))
    }))
  }))
| 
[
  {
    "log_config": [
      {
        "log_type": "ADMIN_READ"
      },
      {
        "log_type": "DATA_READ"
      },
      {
        "log_type": "DATA_WRITE"
      }
    ],
    "service": "allServices"
  }
]
| no | +| [ingestion\_sink\_filter](#input\_ingestion\_sink\_filter) | Filter the Sink is set up with. Ingests AuditLogs by default. | `string` | `protoPayload.@type = "type.googleapis.com/google.cloud.audit.AuditLog"` | no | +| [exclude\_logs\_filter](#input\_exclude\_logs\_filter) | Filter to exclude logs from ingestion. Default is to ingest all google.cloud.audit.AuditLog logs. with no exclusions. | 
list(object({
    name        = string,
    description = optional(string),
    filter      = string,
    disabled    = optional(bool)
  }))
| `[]` | no | + +## Outputs + +| Name | Description | +|---------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------| +| [webhook\_datasource\_component\_id](#webhook\_datasource\_component\_id) | Component identifier of Webhook Datasource integration created in Sysdig Backend for Log Ingestion | + + + +## Authors + +Module is maintained by [Sysdig](https://sysdig.com). + +## License + +Apache 2 Licensed. See LICENSE for full details. diff --git a/modules/integrations/webhook-datasource/main.tf b/modules/integrations/webhook-datasource/main.tf new file mode 100644 index 0000000..10c8202 --- /dev/null +++ b/modules/integrations/webhook-datasource/main.tf @@ -0,0 +1,264 @@ +#----------------------------------------------------------------------------------------------------------------------------------------- +# For Organizational installs, see organizational.tf. +# This module takes care of provisioning the necessary resources to make Sysdig's backend able to ingest data from a +# single GCP project. +# +# Note: The alternative definitions for the organizational variant of this module are contained +# in organizational.tf. The only differences w.r.t. the standalone template is in using an +# organizational sink instead of a project-specific one, as well as enabling AuditLogs for +# all the projects that fall within the organization. +#----------------------------------------------------------------------------------------------------------------------------------------- + +#----------------------------------------------------------------------------------------- +# Fetch the data sources +#----------------------------------------------------------------------------------------- +data "sysdig_secure_trusted_cloud_identity" "trusted_identity" { + cloud_provider = "gcp" +} + +data "google_project" "project" { + project_id = var.project_id +} + +data "sysdig_secure_tenant_external_id" "external_id" {} + +data "sysdig_secure_cloud_ingestion_assets" "assets" {} + +#----------------------------------------------------------------------------------------- +# These locals indicate the suffix to create unique name for resources +#----------------------------------------------------------------------------------------- +locals { + suffix = var.suffix == null ? random_id.suffix[0].hex : var.suffix +} + + +#----------------------------------------------------------------------------------------------------------------------- +# A random resource is used to generate unique Webhook Datasource name suffix for resources. +# This prevents conflicts when recreating an Webhook Datasource resources with the same name. +#----------------------------------------------------------------------------------------------------------------------- +resource "random_id" "suffix" { + count = var.suffix == null ? 1 : 0 + byte_length = 3 +} + +#----------------------------------------------------------------------------------------- +# Audit Logs +#----------------------------------------------------------------------------------------- +locals { + # Data structure will be a map for each service, that can have multiple audit_log_config + audit_log_config = { for audit in var.audit_log_config : + audit["service"] => { + log_config = audit["log_config"] + } + } +} + +resource "google_project_iam_audit_config" "audit_config" { + for_each = var.is_organizational ? {} : local.audit_log_config + project = var.project_id + service = each.key + + dynamic "audit_log_config" { + for_each = each.value.log_config + iterator = log_config + content { + log_type = log_config.value.log_type + exempted_members = log_config.value.exempted_members + } + } +} + +#----------------------------------------------------------------------------------------- +# Ingestion Topic +#----------------------------------------------------------------------------------------- +resource "google_pubsub_topic" "ingestion_topic" { + name = "ingestion_topic" + labels = var.labels + project = var.project_id + message_retention_duration = var.message_retention_duration +} + +resource "google_pubsub_topic" "deadletter_topic" { + name = "dl-${google_pubsub_topic.ingestion_topic.name}" + project = var.project_id + message_retention_duration = var.message_retention_duration +} + +#----------------------------------------------------------------------------------------- +# Sink +#----------------------------------------------------------------------------------------- +resource "google_logging_project_sink" "ingestion_sink" { + count = var.is_organizational ? 0 : 1 + name = "${google_pubsub_topic.ingestion_topic.name}_sink" + description = "Sysdig sink to direct the AuditLogs to the PubSub topic used for data gathering" + + # NOTE: The target destination is a PubSub topic + destination = "pubsub.googleapis.com/projects/${var.project_id}/topics/${google_pubsub_topic.ingestion_topic.name}" + filter = var.ingestion_sink_filter + + # Dynamic block to exclude logs from ingestion + dynamic "exclusions" { + for_each = var.exclude_logs_filter + content { + name = exclusions.value.name + description = exclusions.value.description + filter = exclusions.value.filter + disabled = exclusions.value.disabled + } + } + + # NOTE: Used to create a dedicated writer identity and not using the default one + unique_writer_identity = true +} + +resource "google_pubsub_topic_iam_member" "publisher_iam_member" { + project = google_pubsub_topic.ingestion_topic.project + topic = google_pubsub_topic.ingestion_topic.name + role = "roles/pubsub.publisher" + member = var.is_organizational ? google_logging_organization_sink.ingestion_sink[0].writer_identity : google_logging_project_sink.ingestion_sink[0].writer_identity +} + +#----------------------------------------------------------------------------------------- +# Push Subscription +#----------------------------------------------------------------------------------------- +resource "google_service_account" "push_auth" { + account_id = "sysdig-ingestion-${local.suffix}" + display_name = "Sysdig Ingestion Push Auth Service Account" + project = var.project_id +} + +resource "google_service_account_iam_binding" "push_auth_binding" { + service_account_id = google_service_account.push_auth.name + role = "roles/iam.serviceAccountTokenCreator" + + members = [ + "serviceAccount:${google_service_account.push_auth.email}", + ] +} + +resource "google_pubsub_subscription" "ingestion_topic_push_subscription" { + name = "${google_pubsub_topic.ingestion_topic.name}_push_subscription" + topic = google_pubsub_topic.ingestion_topic.name + labels = var.labels + ack_deadline_seconds = var.ack_deadline_seconds + message_retention_duration = var.message_retention_duration + project = var.project_id + + push_config { + push_endpoint = data.sysdig_secure_cloud_ingestion_assets.assets.gcp_metadata.ingestionURL + attributes = { + x-goog-version = "v1" + } + oidc_token { + service_account_email = google_service_account.push_auth.email + audience = "sysdig_secure" + } + } + + retry_policy { + minimum_backoff = var.minimum_backoff + maximum_backoff = var.maximum_backoff + } + + dead_letter_policy { + dead_letter_topic = google_pubsub_topic.deadletter_topic.id + max_delivery_attempts = var.max_delivery_attempts + } +} + +#----------------------------------------------------------------------------------------- +# Configure Workload Identity Federation for auth +# See https://cloud.google.com/iam/docs/access-resources-aws +# ----------------------------------------------------------------------------------------- + +resource "google_iam_workload_identity_pool" "ingestion_auth_pool" { + project = var.project_id + workload_identity_pool_id = "sysdig-ingestion-${local.suffix}" +} + +resource "google_iam_workload_identity_pool_provider" "ingestion_auth_pool_provider" { + project = var.project_id + workload_identity_pool_id = google_iam_workload_identity_pool.ingestion_auth_pool.workload_identity_pool_id + workload_identity_pool_provider_id = "sysdig-ingestion-${local.suffix}" + display_name = "Sysdigcloud ingestion auth" + description = "AWS identity pool provider for Sysdig Secure Data Ingestion resources" + disabled = false + + attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\"" + + attribute_mapping = { + "google.subject" = "assertion.arn", + "attribute.aws_role" = "assertion.arn" + } + + aws { + account_id = data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id + } +} + +# creating custom role with project-level permissions to access data ingestion resources +resource "google_project_iam_custom_role" "custom_ingestion_auth_role" { + count = var.is_organizational ? 0 : 1 + + project = var.project_id + role_id = "${var.role_name}-${local.suffix}" + title = "Sysdigcloud Ingestion Auth Role" + description = "A Role providing the required permissions for Sysdig Backend to read cloud resources created for data ingestion" + permissions = [ + "pubsub.topics.get", + "pubsub.topics.list", + "pubsub.subscriptions.get", + "pubsub.subscriptions.list", + "logging.sinks.get", + "logging.sinks.list", + ] +} + +# adding custom role with project-level permissions to the service account for auth +resource "google_project_iam_member" "custom" { + count = var.is_organizational ? 0 : 1 + + project = var.project_id + role = google_project_iam_custom_role.custom_ingestion_auth_role[0].id + member = "serviceAccount:${google_service_account.push_auth.email}" +} + +# attaching WIF as a member to the service account for auth +resource "google_service_account_iam_member" "custom_auth" { + service_account_id = google_service_account.push_auth.name + role = "roles/iam.workloadIdentityUser" + member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.ingestion_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}" +} + +#----------------------------------------------------------------------------------------------------------------------------------------- +# Call Sysdig Backend to add the webhook-datasource integration to the Sysdig Cloud Account +# +# Note (optional): To ensure this gets called after all cloud resources are created, add +# explicit dependency using depends_on +#----------------------------------------------------------------------------------------------------------------------------------------- + +resource "sysdig_secure_cloud_auth_account_component" "gcp_webhook_datasource" { + account_id = var.sysdig_secure_account_id + type = "COMPONENT_WEBHOOK_DATASOURCE" + instance = "secure-runtime" + version = "v0.1.0" + webhook_datasource_metadata = jsonencode({ + gcp = { + webhook_datasource = { + pubsub_topic_name = google_pubsub_topic.ingestion_topic.name + sink_name = var.is_organizational ? google_logging_organization_sink.ingestion_sink[0].name : google_logging_project_sink.ingestion_sink[0].name + push_subscription_name = google_pubsub_subscription.ingestion_topic_push_subscription.name + push_endpoint = google_pubsub_subscription.ingestion_topic_push_subscription.push_config[0].push_endpoint + routing_key = "1f6d4677-84ec-4356-bd73-c79c8a96f96a" + } + service_principal = { + workload_identity_federation = { + pool_id = google_iam_workload_identity_pool.ingestion_auth_pool.workload_identity_pool_id + pool_provider_id = google_iam_workload_identity_pool_provider.ingestion_auth_pool_provider.workload_identity_pool_provider_id + project_number = data.google_project.project.number + } + email = google_service_account.push_auth.email + } + } + }) +} \ No newline at end of file diff --git a/modules/integrations/webhook-datasource/organizational.tf b/modules/integrations/webhook-datasource/organizational.tf new file mode 100644 index 0000000..0f39a3b --- /dev/null +++ b/modules/integrations/webhook-datasource/organizational.tf @@ -0,0 +1,86 @@ +#----------------------------------------------------------------------------------------- +# Fetch the data sources +#----------------------------------------------------------------------------------------- + +data "google_organization" "org" { + count = var.is_organizational ? 1 : 0 + domain = var.organization_domain +} + +#----------------------------------------------------------------------------------------- +# Audit Logs +#----------------------------------------------------------------------------------------- + +resource "google_organization_iam_audit_config" "audit_config" { + for_each = var.is_organizational ? local.audit_log_config : {} + + org_id = data.google_organization.org[0].org_id + service = each.key + + dynamic "audit_log_config" { + for_each = each.value.log_config + iterator = log_config + content { + log_type = log_config.value.log_type + exempted_members = log_config.value.exempted_members + } + } +} + +#----------------------------------------------------------------------------------------- +# Sink +#----------------------------------------------------------------------------------------- + +resource "google_logging_organization_sink" "ingestion_sink" { + count = var.is_organizational ? 1 : 0 + + name = "${google_pubsub_topic.ingestion_topic.name}_sink" + description = "Sysdig sink to direct the AuditLogs to the PubSub topic used for data gathering" + org_id = data.google_organization.org[0].org_id + + # NOTE: The target destination is a PubSub topic + destination = "pubsub.googleapis.com/projects/${var.project_id}/topics/${google_pubsub_topic.ingestion_topic.name}" + filter = var.ingestion_sink_filter + + # Dynamic block to exclude logs from ingestion + dynamic "exclusions" { + for_each = var.exclude_logs_filter + content { + name = exclusions.value.name + description = exclusions.value.description + filter = exclusions.value.filter + disabled = exclusions.value.disabled + } + } + + # NOTE: The include_children attribute is set to true in order to ingest data + # even from potential sub-organizations + include_children = true +} + +# creating custom role with organization-level permissions to access data ingestion resources +resource "google_organization_iam_custom_role" "custom_ingestion_auth_role" { + count = var.is_organizational ? 1 : 0 + + org_id = data.google_organization.org[0].org_id + role_id = "${var.role_name}-org-${local.suffix}" + title = "Sysdigcloud Ingestion Auth Role" + description = "A Role providing the required permissions for Sysdig Backend to read cloud resources created for data ingestion" + permissions = [ + "pubsub.topics.get", + "pubsub.topics.list", + "pubsub.subscriptions.get", + "pubsub.subscriptions.list", + "logging.sinks.get", + "logging.sinks.list", + ] +} + +# adding custom role with organization-level permissions to the service account for auth +resource "google_organization_iam_member" "custom" { + count = var.is_organizational ? 1 : 0 + + org_id = data.google_organization.org[0].org_id + role = google_organization_iam_custom_role.custom_ingestion_auth_role[0].id + member = "serviceAccount:${google_service_account.push_auth.email}" +} diff --git a/modules/integrations/webhook-datasource/outputs.tf b/modules/integrations/webhook-datasource/outputs.tf new file mode 100644 index 0000000..05c7cf2 --- /dev/null +++ b/modules/integrations/webhook-datasource/outputs.tf @@ -0,0 +1,5 @@ +output "webhook_datasource_component_id" { + value = "${sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource.type}/${sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource.instance}" + description = "Component identifier of Webhook Datasource integration created in Sysdig Backend for Log Ingestion" + depends_on = [ sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource ] +} \ No newline at end of file diff --git a/modules/integrations/webhook-datasource/variables.tf b/modules/integrations/webhook-datasource/variables.tf new file mode 100644 index 0000000..79218a4 --- /dev/null +++ b/modules/integrations/webhook-datasource/variables.tf @@ -0,0 +1,115 @@ +variable "region" { + description = "Region for Google provider" + type = string + default = "us-west1" +} + +variable "project_id" { + type = string + description = "(Required) Target Project identifier provided by the customer" +} + +variable "labels" { + type = map(string) + description = "(Optional) Labels to be associated with Sysdig-originated resources" + default = { + originator = "sysdig" + } +} + +variable "ack_deadline_seconds" { + type = number + description = "(Optional) Maximum time in seconds after Sysdig's subscriber receives a message before the subscriber should acknowledge the message" + default = 60 +} + +variable "message_retention_duration" { + type = string + description = "(Optional) How long unacknowledged messages are retained in Sysdig's subscription backlog, from the moment a message is published" + default = "604800s" +} + +variable "max_delivery_attempts" { + type = number + description = "(Optional) Number of attempts redelivering missed messages from the deadletter topic to the main one" + default = 5 +} + +variable "minimum_backoff" { + type = string + description = "(Optional) Minimum backoff time for exponential backoff of the push subscription retry policy" + default = "10s" +} + +variable "maximum_backoff" { + type = string + description = "(Optional) Maximum backoff time for exponential backoff of the push subscription retry policy" + default = "600s" +} + +variable "is_organizational" { + description = "(Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization." + type = bool + default = false +} + +variable "organization_domain" { + type = string + description = "(Optional) Organization domain. e.g. sysdig.com" + default = "" +} + +variable "role_name" { + type = string + description = "Name for the Ingestion auth Role on the Customer infrastructure" + default = "SysdigIngestionAuthRole" +} + +variable "suffix" { + type = string + description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated" + default = null +} + +variable "audit_log_config" { + description = "List of services and their audit log configurations to be ingested. Default is to ingest all logs." + type = list(object({ + service = string, + log_config = list(object({ + log_type = string, + exempted_members = optional(list(string)) + })) + })) + default = [ + { + service = "allServices" + log_config = [ + { log_type = "ADMIN_READ" }, + { log_type = "DATA_READ" }, + { log_type = "DATA_WRITE" } + ] + } + ] +} + +variable "exclude_logs_filter" { + description = "Filter to exclude logs from ingestion. Default is to ingest all google.cloud.audit.AuditLog logs. with no exclusions." + type = list(object({ + name = string, + description = optional(string), + filter = string, + disabled = optional(bool) + })) + default = [] +} + +variable "ingestion_sink_filter" { + type = string + description = "Filter the Logging Sink is set up with. Default is to ingests AuditLogs" + default = "protoPayload.@type = \"type.googleapis.com/google.cloud.audit.AuditLog\"" +} + +variable "sysdig_secure_account_id" { + type = string + description = "ID of the Sysdig Cloud Account to enable Event Bridge integration for (incase of organization, ID of the Sysdig management account)" +} \ No newline at end of file diff --git a/modules/integrations/webhook-datasource/versions.tf b/modules/integrations/webhook-datasource/versions.tf new file mode 100644 index 0000000..61980a9 --- /dev/null +++ b/modules/integrations/webhook-datasource/versions.tf @@ -0,0 +1,17 @@ +terraform { + required_version = ">= 1.0.0" + + required_providers { + google = { + source = "hashicorp/google" + version = ">= 4.21.0" + } + sysdig = { + source = "sysdiglabs/sysdig" + } + random = { + source = "hashicorp/random" + version = ">= 3.1, < 4.0" + } + } +} \ No newline at end of file diff --git a/test/examples/organization_cdr_test/webhook_datasource.tf b/test/examples/organization_cdr_test/webhook_datasource.tf new file mode 100644 index 0000000..e4d5b4d --- /dev/null +++ b/test/examples/organization_cdr_test/webhook_datasource.tf @@ -0,0 +1,119 @@ +#--------------------------------------------------------------------------------------------- +# Ensure installation flow for foundational onboarding has been completed before +# installing additional Sysdig features. +#--------------------------------------------------------------------------------------------- + +# UNCOMMENT TO TEST: FROM HERE: THIS WILL BE PART OF THE ONBOARD MODULE +# terraform { +# required_providers { +# sysdig = { +# source = "sysdiglabs/sysdig" +# version = "~> 1.34.0" +# } +# } +# } +# +# provider "sysdig" { +# sysdig_secure_url = "https://secure-staging.sysdig.com" +# sysdig_secure_api_token = "744c9bd8-f73d-4ef3-8250-32e976a5301d" +# } +# +# provider "google" { +# project = "org-child-project-1" +# region = "us-west1" +# } +# TO HERE + +module "webhook-datasource" { + source = "../../../modules/integrations/webhook-datasource" + project_id = "org-child-project-1" + # push_endpoint is no longer needed + # push_endpoint = "https://app-staging.sysdigcloud.com/api/cloudingestion/gcp/v2/84f934c6-eb2d-47d9-804b-bcfe9e6ef0b9" + is_organizational = true + organization_domain = "draios.com" + sysdig_secure_account_id = "" +} + +# UNCOMMENT TO TEST: THIS IS NOT GOING TO BE LONGER NEEDED, SINCE WILL BE PART OF FOUNDATIONAL +# module "organization-posture" { +# source = "sysdiglabs/secure/google//modules/services/service-principal" +# project_id = "org-child-project-1" +# service_account_name = "sysdig-secure-2u6g" +# is_organizational = true +# organization_domain = "draios.com" +# } +# TO HERE + +# COMMENT TO TEST: THIS WILL BE PART OF THE SNIPPET +resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { + account_id = module.onboarding.sysdig_secure_account_id + type = "FEATURE_SECURE_THREAT_DETECTION" + enabled = true + components = [ module.webhook-datasource.webhook_datasource_component_id ] + depends_on = [ module.webhook-datasource ] +} + +resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" { + account_id = module.onboarding.sysdig_secure_account_id + type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT" + enabled = true + components = [module.webhook-datasource.webhook_datasource_component_id] + depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, sysdig_secure_cloud_auth_account_feature.threat_detection] +} +# TO HERE + +# UNCOMMENT TO TEST: THIS IS NOT GOING TO BE LONGER NEEDED, SINCE WILL BE PART OF FOUNDATIONAL +# resource "sysdig_secure_cloud_auth_account" "gcp_project_org-child-project-1" { +# enabled = true +# provider_id = "org-child-project-1" +# provider_type = "PROVIDER_GCP" +# +# feature { +# +# secure_threat_detection { +# enabled = true +# components = ["COMPONENT_WEBHOOK_DATASOURCE/secure-runtime"] +# } +# } +# component { +# type = "COMPONENT_WEBHOOK_DATASOURCE" +# instance = "secure-runtime" +# webhook_datasource_metadata = jsonencode({ +# gcp = { +# webhook_datasource = { +# pubsub_topic_name = module.webhook-datasource.ingestion_pubsub_topic_name +# sink_name = module.webhook-datasource.ingestion_sink_name +# push_subscription_name = module.webhook-datasource.ingestion_push_subscription_name +# push_endpoint = module.webhook-datasource.push_endpoint +# routing_key = "84f934c6-eb2d-47d9-804b-bcfe9e6ef0b9" +# } +# service_principal = { +# workload_identity_federation = { +# pool_id = module.webhook-datasource.workload_identity_pool_id +# pool_provider_id = module.webhook-datasource.workload_identity_pool_provider_id +# project_number = module.webhook-datasource.workload_identity_project_number +# } +# email = module.webhook-datasource.service_account_email +# } +# } +# }) +# } +# +# component { +# type = "COMPONENT_SERVICE_PRINCIPAL" +# instance = "secure-onboarding" +# service_principal_metadata = jsonencode({ +# gcp = { +# key = module.organization-posture.service_account_key +# } +# }) +# } +# depends_on = [module.organization-posture, module.webhook-datasource] +# } +# +# resource "sysdig_secure_organization" "gcp_organization_org-child-project-1" { +# organizational_unit_ids = [] +# management_account_id = sysdig_secure_cloud_auth_account.gcp_project_org-child-project-1.id +# depends_on = [module.organization-posture, module.webhook-datasource] +# } +# TO HERE \ No newline at end of file diff --git a/test/examples/single_account_cdr_test/webhook_datasource.tf b/test/examples/single_account_cdr_test/webhook_datasource.tf new file mode 100644 index 0000000..c4651c6 --- /dev/null +++ b/test/examples/single_account_cdr_test/webhook_datasource.tf @@ -0,0 +1,93 @@ +#--------------------------------------------------------------------------------------------- +# Ensure installation flow for foundational onboarding has been completed before +# installing additional Sysdig features. +#--------------------------------------------------------------------------------------------- + +# UNCOMMENT TO TEST: FROM HERE: THIS WILL BE PART OF THE ONBOARD MODULE +# terraform { +# required_providers { +# sysdig = { +# source = "sysdiglabs/sysdig" +# version = "~> 1.34.0" +# } +# } +# } +# +# provider "sysdig" { +# sysdig_secure_url = "https://secure-staging.sysdig.com" +# sysdig_secure_api_token = "744c9bd8-f73d-4ef3-8250-32e976a5301d" +# } +# +# provider "google" { +# project = "org-child-project-1" +# region = "us-west1" +# } +# TO HERE + +module "webhook-datasource" { + source = "../../../modules/integrations/webhook-datasource" + project_id = "org-child-project-1" + # push_endpoint and external_id are no longer needed + # push_endpoint = "https://app-staging.sysdigcloud.com/api/cloudingestion/gcp/v2/1f6d4677-84ec-4356-bd73-c79c8a96f96a" + # external_id = "87e82bdu28323" + # This will come from the onboarding module: module.onboarding.sysdig_secure_account_id + sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id +} + +# COMMENT TO TEST: THIS WILL BE PART OF THE SNIPPET +resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { + account_id = module.onboarding.sysdig_secure_account_id + type = "FEATURE_SECURE_THREAT_DETECTION" + enabled = true + components = [ module.webhook-datasource.webhook_datasource_component_id ] + depends_on = [ module.webhook-datasource ] +} + +resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" { + account_id = module.onboarding.sysdig_secure_account_id + type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT" + enabled = true + components = [module.webhook-datasource.webhook_datasource_component_id] + depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, sysdig_secure_cloud_auth_account_feature.threat_detection] +} +# TO HERE + +# UNCOMMENT TO TEST: THIS IS NOT GOING TO BE LONGER NEEDED, SINCE WILL BE PART OF FOUNDATIONAL +# resource "sysdig_secure_cloud_auth_account" "gcp_project_org-child-project-1" { +# enabled = true +# provider_id = "org-child-project-1" +# provider_type = "PROVIDER_GCP" +# +# feature { +# +# secure_threat_detection { +# enabled = true +# components = ["COMPONENT_WEBHOOK_DATASOURCE/secure-runtime"] +# } +# } +# component { +# type = "COMPONENT_WEBHOOK_DATASOURCE" +# instance = "secure-runtime" +# webhook_datasource_metadata = jsonencode({ +# gcp = { +# webhook_datasource = { +# pubsub_topic_name = module.webhook-datasource.ingestion_pubsub_topic_name +# sink_name = module.webhook-datasource.ingestion_sink_name +# push_subscription_name = module.webhook-datasource.ingestion_push_subscription_name +# push_endpoint = module.webhook-datasource.push_endpoint +# routing_key = "1f6d4677-84ec-4356-bd73-c79c8a96f96a" +# } +# service_principal = { +# workload_identity_federation = { +# pool_id = module.webhook-datasource.workload_identity_pool_id +# pool_provider_id = module.webhook-datasource.workload_identity_pool_provider_id +# project_number = module.webhook-datasource.workload_identity_project_number +# } +# email = module.webhook-datasource.service_account_email +# } +# } +# }) +# } +# depends_on = [module.webhook-datasource] +# } +# TO HERE \ No newline at end of file From 285d3abf0f7be0bdaa398e4f1538707b2c0dcc30 Mon Sep 17 00:00:00 2001 From: Jose Pablo Camacho Date: Thu, 5 Sep 2024 15:36:38 -0600 Subject: [PATCH 02/32] feat(modular): add modular support for cdr/ciem --- test/examples/organization_cdr_test/webhook_datasource.tf | 2 +- test/examples/single_account_cdr_test/webhook_datasource.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test/examples/organization_cdr_test/webhook_datasource.tf b/test/examples/organization_cdr_test/webhook_datasource.tf index e4d5b4d..2d80fbc 100644 --- a/test/examples/organization_cdr_test/webhook_datasource.tf +++ b/test/examples/organization_cdr_test/webhook_datasource.tf @@ -15,7 +15,7 @@ # # provider "sysdig" { # sysdig_secure_url = "https://secure-staging.sysdig.com" -# sysdig_secure_api_token = "744c9bd8-f73d-4ef3-8250-32e976a5301d" +# sysdig_secure_api_token = # } # # provider "google" { diff --git a/test/examples/single_account_cdr_test/webhook_datasource.tf b/test/examples/single_account_cdr_test/webhook_datasource.tf index c4651c6..babebac 100644 --- a/test/examples/single_account_cdr_test/webhook_datasource.tf +++ b/test/examples/single_account_cdr_test/webhook_datasource.tf @@ -15,7 +15,7 @@ # # provider "sysdig" { # sysdig_secure_url = "https://secure-staging.sysdig.com" -# sysdig_secure_api_token = "744c9bd8-f73d-4ef3-8250-32e976a5301d" +# sysdig_secure_api_token = # } # # provider "google" { From 86f419c1e2cc2aa32fbf86a5412d08e40579686d Mon Sep 17 00:00:00 2001 From: Jose Pablo Camacho Date: Thu, 5 Sep 2024 15:44:16 -0600 Subject: [PATCH 03/32] feat(modular): add modular support for cdr/ciem --- modules/integrations/webhook-datasource/variables.tf | 6 ------ modules/integrations/webhook-datasource/versions.tf | 1 + 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/modules/integrations/webhook-datasource/variables.tf b/modules/integrations/webhook-datasource/variables.tf index 79218a4..6541b5f 100644 --- a/modules/integrations/webhook-datasource/variables.tf +++ b/modules/integrations/webhook-datasource/variables.tf @@ -1,9 +1,3 @@ -variable "region" { - description = "Region for Google provider" - type = string - default = "us-west1" -} - variable "project_id" { type = string description = "(Required) Target Project identifier provided by the customer" diff --git a/modules/integrations/webhook-datasource/versions.tf b/modules/integrations/webhook-datasource/versions.tf index 61980a9..269cfb8 100644 --- a/modules/integrations/webhook-datasource/versions.tf +++ b/modules/integrations/webhook-datasource/versions.tf @@ -8,6 +8,7 @@ terraform { } sysdig = { source = "sysdiglabs/sysdig" + version = ">= 1.34.0" } random = { source = "hashicorp/random" From 5ff322f6aa204423498750a1c24983987007c834 Mon Sep 17 00:00:00 2001 From: Jose Pablo Camacho Date: Thu, 5 Sep 2024 15:45:09 -0600 Subject: [PATCH 04/32] feat(modular): add modular support for cdr/ciem --- .../integrations/webhook-datasource/main.tf | 18 +++++++++--------- .../webhook-datasource/organizational.tf | 2 +- .../integrations/webhook-datasource/outputs.tf | 2 +- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/modules/integrations/webhook-datasource/main.tf b/modules/integrations/webhook-datasource/main.tf index 10c8202..accf57d 100644 --- a/modules/integrations/webhook-datasource/main.tf +++ b/modules/integrations/webhook-datasource/main.tf @@ -55,8 +55,8 @@ locals { resource "google_project_iam_audit_config" "audit_config" { for_each = var.is_organizational ? {} : local.audit_log_config - project = var.project_id - service = each.key + project = var.project_id + service = each.key dynamic "audit_log_config" { for_each = each.value.log_config @@ -79,7 +79,7 @@ resource "google_pubsub_topic" "ingestion_topic" { } resource "google_pubsub_topic" "deadletter_topic" { - name = "dl-${google_pubsub_topic.ingestion_topic.name}" + name = "dl-${google_pubsub_topic.ingestion_topic.name}" project = var.project_id message_retention_duration = var.message_retention_duration } @@ -88,13 +88,13 @@ resource "google_pubsub_topic" "deadletter_topic" { # Sink #----------------------------------------------------------------------------------------- resource "google_logging_project_sink" "ingestion_sink" { - count = var.is_organizational ? 0 : 1 + count = var.is_organizational ? 0 : 1 name = "${google_pubsub_topic.ingestion_topic.name}_sink" description = "Sysdig sink to direct the AuditLogs to the PubSub topic used for data gathering" # NOTE: The target destination is a PubSub topic destination = "pubsub.googleapis.com/projects/${var.project_id}/topics/${google_pubsub_topic.ingestion_topic.name}" - filter = var.ingestion_sink_filter + filter = var.ingestion_sink_filter # Dynamic block to exclude logs from ingestion dynamic "exclusions" { @@ -238,10 +238,10 @@ resource "google_service_account_iam_member" "custom_auth" { #----------------------------------------------------------------------------------------------------------------------------------------- resource "sysdig_secure_cloud_auth_account_component" "gcp_webhook_datasource" { - account_id = var.sysdig_secure_account_id - type = "COMPONENT_WEBHOOK_DATASOURCE" - instance = "secure-runtime" - version = "v0.1.0" + account_id = var.sysdig_secure_account_id + type = "COMPONENT_WEBHOOK_DATASOURCE" + instance = "secure-runtime" + version = "v0.1.0" webhook_datasource_metadata = jsonencode({ gcp = { webhook_datasource = { diff --git a/modules/integrations/webhook-datasource/organizational.tf b/modules/integrations/webhook-datasource/organizational.tf index 0f39a3b..45233bb 100644 --- a/modules/integrations/webhook-datasource/organizational.tf +++ b/modules/integrations/webhook-datasource/organizational.tf @@ -63,7 +63,7 @@ resource "google_organization_iam_custom_role" "custom_ingestion_auth_role" { count = var.is_organizational ? 1 : 0 org_id = data.google_organization.org[0].org_id - role_id = "${var.role_name}-org-${local.suffix}" + role_id = "${var.role_name}-org-${local.suffix}" title = "Sysdigcloud Ingestion Auth Role" description = "A Role providing the required permissions for Sysdig Backend to read cloud resources created for data ingestion" permissions = [ diff --git a/modules/integrations/webhook-datasource/outputs.tf b/modules/integrations/webhook-datasource/outputs.tf index 05c7cf2..f55b862 100644 --- a/modules/integrations/webhook-datasource/outputs.tf +++ b/modules/integrations/webhook-datasource/outputs.tf @@ -1,5 +1,5 @@ output "webhook_datasource_component_id" { value = "${sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource.type}/${sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource.instance}" description = "Component identifier of Webhook Datasource integration created in Sysdig Backend for Log Ingestion" - depends_on = [ sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource ] + depends_on = [sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource] } \ No newline at end of file From 519d695f422937bbdb6b24915a1f8588b6366a30 Mon Sep 17 00:00:00 2001 From: Jose Pablo Camacho Date: Thu, 5 Sep 2024 15:48:02 -0600 Subject: [PATCH 05/32] feat(modular): add modular support for cdr/ciem --- modules/integrations/webhook-datasource/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/integrations/webhook-datasource/README.md b/modules/integrations/webhook-datasource/README.md index 8307a80..1acf8e3 100644 --- a/modules/integrations/webhook-datasource/README.md +++ b/modules/integrations/webhook-datasource/README.md @@ -35,9 +35,9 @@ This module will also deploy a Webhook Datasource Component in Sysdig Backend fo | Name | Version | |------------------------------------------------------------------|-----------| -| [google](#provider\_google) | >= 4.21.0 | +| [google](#provider\_google) | >= 4.21.0 | | [random](#requirement\_random) | >= 3.1 | -| [sysdig](#requirement\_sysdig) | +| [sysdig](#requirement\_sysdig) | | ## Modules From 72b6314f50ae8ce348985e26ea5a1f0ce0a0dbb5 Mon Sep 17 00:00:00 2001 From: Jose Pablo Camacho Date: Tue, 10 Sep 2024 14:22:41 -0600 Subject: [PATCH 06/32] feat(modular): address feedback for modular support for cdr/ciem --- modules/integrations/webhook-datasource/README.md | 5 +---- modules/integrations/webhook-datasource/main.tf | 11 ++++++++++- .../integrations/webhook-datasource/organizational.tf | 9 +++++++++ modules/integrations/webhook-datasource/versions.tf | 2 +- .../organization_cdr_test/webhook_datasource.tf | 8 ++++---- 5 files changed, 25 insertions(+), 10 deletions(-) diff --git a/modules/integrations/webhook-datasource/README.md b/modules/integrations/webhook-datasource/README.md index 1acf8e3..e9cd058 100644 --- a/modules/integrations/webhook-datasource/README.md +++ b/modules/integrations/webhook-datasource/README.md @@ -3,11 +3,8 @@ This Module creates the resources required to send AuditLogs logs to Sysdig via GCP Pub Subscription. These resources enable Threat Detection in the given GCP project or organization. Before applying the changes defined in this module, the following operations need to be performed on the target GCP environment: -- Enable the following APIs in the target environment (https://support.google.com/googleapi/answer/6158841?hl=en) +- The APIs needed for the CDR/CIEM feature are listed below: - Cloud Pub/Sub API - - Identity and Access Management (IAM) API - - IAM Service Account Credentials API - - Cloud Resource Manager API - The following resources will be created in each instrumented project: - A `PubSub Topic` to send the AuditLogs from the project diff --git a/modules/integrations/webhook-datasource/main.tf b/modules/integrations/webhook-datasource/main.tf index accf57d..46cd3f7 100644 --- a/modules/integrations/webhook-datasource/main.tf +++ b/modules/integrations/webhook-datasource/main.tf @@ -129,7 +129,7 @@ resource "google_service_account" "push_auth" { resource "google_service_account_iam_binding" "push_auth_binding" { service_account_id = google_service_account.push_auth.name - role = "roles/iam.serviceAccountTokenCreator" + role = "roles/iam.workloadIdentityUser" members = [ "serviceAccount:${google_service_account.push_auth.email}", @@ -230,6 +230,15 @@ resource "google_service_account_iam_member" "custom_auth" { member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.ingestion_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}" } +# adding ciem role with permissions to the service account +resource "google_project_iam_member" "identity_mgmt" { + for_each = var.is_organizational ? [] : toset(["roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.roleViewer", "roles/container.clusterViewer", "roles/compute.viewer"]) + + project = var.project_id + role = each.key + member = "serviceAccount:${google_service_account.push_auth.email}" +} + #----------------------------------------------------------------------------------------------------------------------------------------- # Call Sysdig Backend to add the webhook-datasource integration to the Sysdig Cloud Account # diff --git a/modules/integrations/webhook-datasource/organizational.tf b/modules/integrations/webhook-datasource/organizational.tf index 45233bb..098014c 100644 --- a/modules/integrations/webhook-datasource/organizational.tf +++ b/modules/integrations/webhook-datasource/organizational.tf @@ -84,3 +84,12 @@ resource "google_organization_iam_member" "custom" { role = google_organization_iam_custom_role.custom_ingestion_auth_role[0].id member = "serviceAccount:${google_service_account.push_auth.email}" } + +# adding ciem role with permissions to the service account for org +resource "google_organization_iam_member" "identity_mgmt" { + for_each = var.is_organizational ? toset(["roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.organizationRoleViewer", "roles/container.clusterViewer", "roles/compute.viewer"]) : [] + + org_id = data.google_organization.org[0].org_id + role = each.key + member = "serviceAccount:${google_service_account.push_auth.email}" +} \ No newline at end of file diff --git a/modules/integrations/webhook-datasource/versions.tf b/modules/integrations/webhook-datasource/versions.tf index 269cfb8..adb6e1a 100644 --- a/modules/integrations/webhook-datasource/versions.tf +++ b/modules/integrations/webhook-datasource/versions.tf @@ -12,7 +12,7 @@ terraform { } random = { source = "hashicorp/random" - version = ">= 3.1, < 4.0" + version = ">= 3.1" } } } \ No newline at end of file diff --git a/test/examples/organization_cdr_test/webhook_datasource.tf b/test/examples/organization_cdr_test/webhook_datasource.tf index 2d80fbc..62c54ad 100644 --- a/test/examples/organization_cdr_test/webhook_datasource.tf +++ b/test/examples/organization_cdr_test/webhook_datasource.tf @@ -26,12 +26,12 @@ module "webhook-datasource" { source = "../../../modules/integrations/webhook-datasource" - project_id = "org-child-project-1" + project_id = module.onboarding.project_id # push_endpoint is no longer needed # push_endpoint = "https://app-staging.sysdigcloud.com/api/cloudingestion/gcp/v2/84f934c6-eb2d-47d9-804b-bcfe9e6ef0b9" - is_organizational = true - organization_domain = "draios.com" - sysdig_secure_account_id = "" + is_organizational = module.onboarding.is_organizational + organization_domain = module.onboarding.organization_domain + sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id } # UNCOMMENT TO TEST: THIS IS NOT GOING TO BE LONGER NEEDED, SINCE WILL BE PART OF FOUNDATIONAL From e51c02d5a352acfba7e224b1a84a5ed224f597cc Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Wed, 4 Sep 2024 16:22:32 -0700 Subject: [PATCH 07/32] adding modular onboarding module --- modules/onboarding/README.md | 88 +++++++++++++++++++++++ modules/onboarding/main.tf | 100 +++++++++++++++++++++++++++ modules/onboarding/organizational.tf | 35 ++++++++++ modules/onboarding/outputs.tf | 34 +++++++++ modules/onboarding/variables.tf | 35 ++++++++++ modules/onboarding/versions.tf | 18 +++++ 6 files changed, 310 insertions(+) create mode 100644 modules/onboarding/README.md create mode 100644 modules/onboarding/main.tf create mode 100644 modules/onboarding/organizational.tf create mode 100644 modules/onboarding/outputs.tf create mode 100644 modules/onboarding/variables.tf create mode 100644 modules/onboarding/versions.tf diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md new file mode 100644 index 0000000..c59db6d --- /dev/null +++ b/modules/onboarding/README.md @@ -0,0 +1,88 @@ +# GCP Onboarding Module + +This module will deploy Foundational Onboarding resources in GCP for a single project, or for a GCP Organization. +The Foundational Onboarding module serves the following functions: +- retrieving inventory for single project, or for all projects within an Organization. +- running organization scraping in the case of organizational onboarding within GCP Organization. + +If instrumenting a project, the following resources will be created: +- All the necessary `Service Accounts` and `Policies` to enable the Onboarding operation at the project level +- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources. +- A cloud account in the Sysdig Backend, associated with the GCP project and with the required component to serve the foundational functions. + +If instrumenting an Organziation, the following resources will be created: +- All the necessary `Service Accounts` and `Policies` to enable the Onboarding operation at the organization level +- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources. +- A cloud account in the Sysdig Backend, associated with the management project and with the required component to serve the foundational functions. +- A cloud organization in the Sysdig Backend, associated with the GCP Organization to fetch the organization structure to install Sysdig Secure for Cloud on. + +Note: +- The outputs from the foundational module, such as `sysdig_secure_project_id` are needed as inputs to the other features/integrations modules for subsequent modular installs. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [google](#requirement\_google) | >= 4.21.0 | +| [sysdig](#requirement\_sysdig) | >= 1.23.1 | + +## Providers + +| Name | Version | +|------|---------| +| [google](#provider\_google) | 5.0.0 | +| [random](#provider\_random) | >= 3.1 | + +## Modules + +No modules. + +## Resources + +| [google_service_account.onboarding_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource | +| [google_service_account_iam_binding.onboarding_auth_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource | +| [google_organization.org](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/organization) | data source | +| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source | +| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source | +| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | +| [google_iam_workload_identity_pool.onboarding_auth_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool) | resource | +| [google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource | +| [google_project_iam_custom_role.custom_onboarding_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam_custom_role) | resource | +| [google_project_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) | resource | +| [google_service_account_iam_member.custom_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member) | resource | +| [google_organization_iam_custom_role.custom_onboarding_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam_custom_role) | resource | +| [google_organization_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | +| [labels](#input\_labels) | (Optional) Labels to be associated with Sysdig-originated resources | `map(string)` | 
{
  "originator": "sysdig"
}
| no | +| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | +| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | +| [role\_name](#input\_role\_name) | (Optional) Role name for custom role binding to the service account, with read permissions for data onboarding resources | `string` | `"SysdigOnboardingAuthRole-{random_id}"` | no | +| [external\_id](#input\_external\_id) | (Required) Random string generated unique to a customer | `string` | n/a | yes | +| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [workload\_identity\_pool\_id](#output\_workload\_identity\_pool\_id) | Id of Workload Identity Pool for authenticating to GCP to access data ingestion resources | +| [workload\_identity\_pool\_provider\_id](#output\_workload\_identity\_pool\_provider\_id) | Id of Workload Identity Pool Provider for authenticating to GCP to access data ingestion resources | +| [workload\_identity\_project\_number](#output\_workload\_identity\_project\_number) | GCP project number | +| [service\_account\_email](#output\_service\_account\_email) | email of the Service Account created | +| [sysdig\_secure\_project\_id](#output\_sysdig\_secure\_project\_id) | ID of the Sysdig Cloud Account created | +| [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not | + + +## Authors + +Module is maintained by [Sysdig](https://sysdig.com). + +## License + +Apache 2 Licensed. See LICENSE for full details. \ No newline at end of file diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf new file mode 100644 index 0000000..bf2431e --- /dev/null +++ b/modules/onboarding/main.tf @@ -0,0 +1,100 @@ +#------------------------------------------------------------------# +# Fetch and compute required data for Workload Identity Federation # +#------------------------------------------------------------------# + +data "sysdig_secure_trusted_cloud_identity" "trusted_identity" { + cloud_provider = "gcp" +} + +data "google_project" "project" { + project_id = var.project_id +} + +// suffix to uniquely identify WIF pool and provider during multiple installs. If suffix value is not provided, this will generate a random value. +resource "random_id" "suffix" { + count = var.suffix == null ? 1 : 0 + byte_length = 3 +} + +locals { + suffix = var.suffix == null ? random_id.suffix[0].hex : var.suffix +} + +resource "google_service_account" "onboarding_auth" { + account_id = "sysdig-onboarding-${local.suffix}" + display_name = "Sysdig Onboarding Auth Service Account" + project = var.project_id +} + +resource "google_service_account_iam_binding" "onboarding_auth_binding" { + service_account_id = google_service_account.push_auth.name + role = "roles/iam.workloadIdentityUser" + + members = [ + "serviceAccount:${google_service_account.onboarding_auth.email}", + ] +} + +#------------------------------------------------------------# +# Configure Workload Identity Federation for auth # +# See https://cloud.google.com/iam/docs/access-resources-aws # +#------------------------------------------------------------# + +resource "google_iam_workload_identity_pool" "onboarding_auth_pool" { + project = var.project_id + workload_identity_pool_id = "sysdig-onboarding-${local.suffix}" +} + +resource "google_iam_workload_identity_pool_provider" "onboarding_auth_pool_provider" { + project = var.project_id + workload_identity_pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id + workload_identity_pool_provider_id = "sysdig-onboarding-${local.suffix}" + display_name = "Sysdigcloud onboarding auth" + description = "AWS identity pool provider for Sysdig Secure Data Onboarding resources" + disabled = false + + attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}\"" + + attribute_mapping = { + "google.subject" = "assertion.arn", + "attribute.aws_role" = "assertion.arn" + } + + aws { + account_id = data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id + } +} + +# creating custom role with project-level permissions to access onboarding resources +resource "google_project_iam_custom_role" "custom_onboarding_auth_role" { + count = var.is_organizational ? 0 : 1 + + project = var.project_id + role_id = var.role_name + title = "Sysdigcloud Onboarding Auth Role" + description = "A Role providing the required permissions for Sysdig Backend to read cloud resources created for onboarding" + permissions = [ + "pubsub.topics.get", + "pubsub.topics.list", + "pubsub.subscriptions.get", + "pubsub.subscriptions.list", + "logging.sinks.get", + "logging.sinks.list", + ] +} + +# adding custom role with project-level permissions to the service account for auth +resource "google_project_iam_member" "custom" { + count = var.is_organizational ? 0 : 1 + + project = var.project_id + role = google_project_iam_custom_role.custom_onboarding_auth_role[0].id + member = "serviceAccount:${google_service_account.onboarding_auth.email}" +} + +# attaching WIF as a member to the service account for auth +resource "google_service_account_iam_member" "custom_auth" { + service_account_id = google_service_account.onboarding_auth.name + role = "roles/iam.workloadIdentityUser" + member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}" +} \ No newline at end of file diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf new file mode 100644 index 0000000..a83553b --- /dev/null +++ b/modules/onboarding/organizational.tf @@ -0,0 +1,35 @@ +#--------------# +# Organization # +#--------------# + +data "google_organization" "org" { + count = var.is_organizational ? 1 : 0 + domain = var.organization_domain +} + +# creating custom role with organization-level permissions to access onboarding resources +resource "google_organization_iam_custom_role" "custom_onboarding_auth_role" { + count = var.is_organizational ? 1 : 0 + + org_id = data.google_organization.org[0].org_id + role_id = var.role_name + title = "Sysdigcloud Onboarding Auth Role" + description = "A Role providing the required permissions for Sysdig Backend to read cloud resources created for onboarding" + permissions = [ + "pubsub.topics.get", + "pubsub.topics.list", + "pubsub.subscriptions.get", + "pubsub.subscriptions.list", + "logging.sinks.get", + "logging.sinks.list", + ] +} + +# adding custom role with organization-level permissions to the service account for auth +resource "google_organization_iam_member" "custom" { + count = var.is_organizational ? 1 : 0 + + org_id = data.google_organization.org[0].org_id + role = google_organization_iam_custom_role.custom_onboarding_auth_role[0].id + member = "serviceAccount:${google_service_account.onboarding_auth.email}" +} \ No newline at end of file diff --git a/modules/onboarding/outputs.tf b/modules/onboarding/outputs.tf new file mode 100644 index 0000000..75ec94c --- /dev/null +++ b/modules/onboarding/outputs.tf @@ -0,0 +1,34 @@ +output "workload_identity_pool_id" { + value = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id + description = "Id of Workload Identity Pool for authenticating to GCP to access data onboarding resources" +} + +output "workload_identity_pool_provider_id" { + value = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id + description = "Id of Workload Identity Pool Provider for authenticating to GCP to access data onboarding resources" +} + +output "workload_identity_project_number" { + value = data.google_project.project.number + description = "GCP project number" +} + +output "service_account_email" { + value = google_service_account.onboarding_auth.email + description = "email of the Service Account created" +} + +output "project_id" { + value = var.project_id + description = "Project ID in which secure-for-cloud onboarding resources are created. For organizational installs it is the Management Project ID selected during install" +} + +output "sysdig_secure_project_id" { + value = sysdig_secure_cloud_auth_account.google_account.id + description = "ID of the Sysdig Cloud Account created" +} + +output "is_organizational" { + value = var.is_organizational + description = "Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not" +} diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf new file mode 100644 index 0000000..3da88f8 --- /dev/null +++ b/modules/onboarding/variables.tf @@ -0,0 +1,35 @@ +variable "project_id" { + type = string + description = "(Required) Target Project identifier provided by the customer" +} + +variable "labels" { + type = map(string) + description = "(Optional) Labels to be associated with Sysdig-originated resources" + default = { + originator = "sysdig" + } +} + +variable "is_organizational" { + description = "(Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization." + type = bool + default = false +} + +variable "organization_domain" { + type = string + description = "(Optional) Organization domain. e.g. sysdig.com" + default = "" +} + +variable "external_id" { + type = string + description = "(Required) Random string generated unique to a customer" +} + +variable "suffix" { + type = string + description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated" + default = null +} \ No newline at end of file diff --git a/modules/onboarding/versions.tf b/modules/onboarding/versions.tf new file mode 100644 index 0000000..b6453f7 --- /dev/null +++ b/modules/onboarding/versions.tf @@ -0,0 +1,18 @@ +terraform { + required_version = ">= 1.0.0" + + required_providers { + google = { + source = "hashicorp/google" + version = ">= 4.21.0" + } + sysdig = { + source = "sysdiglabs/sysdig" + version = ">= 1.23.1" + } + random = { + source = "hashicorp/random" + version = ">= 3.1, < 4.0" + } + } +} \ No newline at end of file From 80b782a3c6293659be3ceec48ff61150a2bafae9 Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Wed, 4 Sep 2024 21:03:36 -0700 Subject: [PATCH 08/32] fix var refns --- modules/onboarding/main.tf | 68 +++++++++++++++++++--------- modules/onboarding/organizational.tf | 38 ++++++++-------- modules/onboarding/variables.tf | 6 +++ modules/onboarding/versions.tf | 2 +- 4 files changed, 72 insertions(+), 42 deletions(-) diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf index bf2431e..bc01928 100644 --- a/modules/onboarding/main.tf +++ b/modules/onboarding/main.tf @@ -27,7 +27,7 @@ resource "google_service_account" "onboarding_auth" { } resource "google_service_account_iam_binding" "onboarding_auth_binding" { - service_account_id = google_service_account.push_auth.name + service_account_id = google_service_account.onboarding_auth.name role = "roles/iam.workloadIdentityUser" members = [ @@ -65,30 +65,14 @@ resource "google_iam_workload_identity_pool_provider" "onboarding_auth_pool_prov } } -# creating custom role with project-level permissions to access onboarding resources -resource "google_project_iam_custom_role" "custom_onboarding_auth_role" { - count = var.is_organizational ? 0 : 1 - - project = var.project_id - role_id = var.role_name - title = "Sysdigcloud Onboarding Auth Role" - description = "A Role providing the required permissions for Sysdig Backend to read cloud resources created for onboarding" - permissions = [ - "pubsub.topics.get", - "pubsub.topics.list", - "pubsub.subscriptions.get", - "pubsub.subscriptions.list", - "logging.sinks.get", - "logging.sinks.list", - ] -} - -# adding custom role with project-level permissions to the service account for auth -resource "google_project_iam_member" "custom" { +#--------------------------------- +# role permissions for onboarding +#--------------------------------- +resource "google_project_iam_member" "browser" { count = var.is_organizational ? 0 : 1 project = var.project_id - role = google_project_iam_custom_role.custom_onboarding_auth_role[0].id + role = "roles/browser" member = "serviceAccount:${google_service_account.onboarding_auth.email}" } @@ -97,4 +81,44 @@ resource "google_service_account_iam_member" "custom_auth" { service_account_id = google_service_account.onboarding_auth.name role = "roles/iam.workloadIdentityUser" member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}" +} + +#--------------------------------------------------------------------------------------------- +# Call Sysdig Backend to create account with foundational onboarding +# (ensure it is called after all above cloud resources are created using explicit depends_on) +#--------------------------------------------------------------------------------------------- + +resource "sysdig_secure_cloud_auth_account" "google_account" { + enabled = true + provider_id = var.project_id + provider_type = "PROVIDER_GCP" + provider_alias = data.google_project.project.name + provider_tenant_id = var.organization_domain + + component { + type = "COMPONENT_SERVICE_PRINCIPAL" + instance = "secure-onboarding" + version = "v0.1.0" + service_principal_metadata = jsonencode({ + gcp = { + service_principal = { + workload_identity_federation = { + pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id + pool_provider_id = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id + project_number = data.google_project.project.number + } + email = google_service_account.onboarding_auth.email + } + } + }) + } + + depends_on = [google_service_account_iam_member.custom_auth] + + lifecycle { + ignore_changes = [ + component, + feature + ] + } } \ No newline at end of file diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf index a83553b..4ff434a 100644 --- a/modules/onboarding/organizational.tf +++ b/modules/onboarding/organizational.tf @@ -7,29 +7,29 @@ data "google_organization" "org" { domain = var.organization_domain } -# creating custom role with organization-level permissions to access onboarding resources -resource "google_organization_iam_custom_role" "custom_onboarding_auth_role" { +################################################### +# Setup Service Account permissions +################################################### + +#--------------------------------- +# role permissions for onboarding +#--------------------------------- +resource "google_organization_iam_member" "browser" { count = var.is_organizational ? 1 : 0 - org_id = data.google_organization.org[0].org_id - role_id = var.role_name - title = "Sysdigcloud Onboarding Auth Role" - description = "A Role providing the required permissions for Sysdig Backend to read cloud resources created for onboarding" - permissions = [ - "pubsub.topics.get", - "pubsub.topics.list", - "pubsub.subscriptions.get", - "pubsub.subscriptions.list", - "logging.sinks.get", - "logging.sinks.list", - ] + org_id = data.google_organization.org[0].org_id + role = "roles/browser" + member = "serviceAccount:${google_service_account.onboarding_auth.email}" } -# adding custom role with organization-level permissions to the service account for auth -resource "google_organization_iam_member" "custom" { +#--------------------------------------------------------------------------------------------- +# Call Sysdig Backend to create organization with foundational onboarding +# (ensure it is called after all above cloud resources are created) +#--------------------------------------------------------------------------------------------- +resource "sysdig_secure_organization" "azure_organization" { count = var.is_organizational ? 1 : 0 - org_id = data.google_organization.org[0].org_id - role = google_organization_iam_custom_role.custom_onboarding_auth_role[0].id - member = "serviceAccount:${google_service_account.onboarding_auth.email}" + management_account_id = sysdig_secure_cloud_auth_account.google_account.id + organizational_unit_ids = var.management_group_ids + depends_on = [google_organization_iam_member.browser] } \ No newline at end of file diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf index 3da88f8..a90da48 100644 --- a/modules/onboarding/variables.tf +++ b/modules/onboarding/variables.tf @@ -23,6 +23,12 @@ variable "organization_domain" { default = "" } +variable "management_group_ids" { + type = set(string) + description = "(Optional) Management group id to onboard. e.g. [organizations/123456789012], [folders/123456789012]" + default = [] +} + variable "external_id" { type = string description = "(Required) Random string generated unique to a customer" diff --git a/modules/onboarding/versions.tf b/modules/onboarding/versions.tf index b6453f7..0ef54f7 100644 --- a/modules/onboarding/versions.tf +++ b/modules/onboarding/versions.tf @@ -8,7 +8,7 @@ terraform { } sysdig = { source = "sysdiglabs/sysdig" - version = ">= 1.23.1" + version = ">= 1.29.2" } random = { source = "hashicorp/random" From 6795442e7b9f7133983dc75bafebb88b977c731f Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Wed, 4 Sep 2024 22:24:18 -0700 Subject: [PATCH 09/32] adding modular onboarding example --- .../onboarding_with_posture.tf | 25 +++++++++++++++++++ .../onboarding_with_posture.tf | 24 ++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 test/examples/modular_organization/onboarding_with_posture.tf create mode 100644 test/examples/modular_single_project/onboarding_with_posture.tf diff --git a/test/examples/modular_organization/onboarding_with_posture.tf b/test/examples/modular_organization/onboarding_with_posture.tf new file mode 100644 index 0000000..63b1c09 --- /dev/null +++ b/test/examples/modular_organization/onboarding_with_posture.tf @@ -0,0 +1,25 @@ +provider "google" { + project = "org-child-project-3" + region = "us-west1" +} + +terraform { + required_providers { + sysdig = { + source = "sysdiglabs/sysdig" + version = "~> 1.29.2" + } + } +} + +provider "sysdig" { + sysdig_secure_url = "https://secure-staging.sysdig.com" + sysdig_secure_api_token = "API_TOKEN" +} + +module "onboarding" { + source = "../../../modules/onboarding" + project_id = "org-child-project-3" + external_id = "25ef0d887bc7a2b30089a025618e1c62" + is_organizational = true +} \ No newline at end of file diff --git a/test/examples/modular_single_project/onboarding_with_posture.tf b/test/examples/modular_single_project/onboarding_with_posture.tf new file mode 100644 index 0000000..6372874 --- /dev/null +++ b/test/examples/modular_single_project/onboarding_with_posture.tf @@ -0,0 +1,24 @@ +provider "google" { + project = "org-child-project-3" + region = "us-west1" +} + +terraform { + required_providers { + sysdig = { + source = "sysdiglabs/sysdig" + version = "~> 1.29.2" + } + } +} + +provider "sysdig" { + sysdig_secure_url = "https://secure-staging.sysdig.com" + sysdig_secure_api_token = "API_TOKEN" +} + +module "onboarding" { + source = "../../../modules/onboarding" + project_id = "org-child-project-3" + external_id = "25ef0d887bc7a2b30089a025618e1c62" +} \ No newline at end of file From 7a076255f5ebe332dc2249bed3cb3e471b4cd695 Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Wed, 4 Sep 2024 23:37:57 -0700 Subject: [PATCH 10/32] adding config posture module for modular onboarding --- modules/config-posture/README.md | 0 modules/config-posture/main.tf | 109 +++++++++++++++++++++++ modules/config-posture/organizational.tf | 23 +++++ modules/config-posture/outputs.tf | 5 ++ modules/config-posture/variables.tf | 38 ++++++++ modules/config-posture/versions.tf | 18 ++++ modules/onboarding/variables.tf | 8 -- modules/onboarding/versions.tf | 2 +- 8 files changed, 194 insertions(+), 9 deletions(-) create mode 100644 modules/config-posture/README.md create mode 100644 modules/config-posture/main.tf create mode 100644 modules/config-posture/organizational.tf create mode 100644 modules/config-posture/outputs.tf create mode 100644 modules/config-posture/variables.tf create mode 100644 modules/config-posture/versions.tf diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md new file mode 100644 index 0000000..e69de29 diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf new file mode 100644 index 0000000..35e105e --- /dev/null +++ b/modules/config-posture/main.tf @@ -0,0 +1,109 @@ +#------------------------------------------------------------------# +# Fetch and compute required data for Workload Identity Federation # +#------------------------------------------------------------------# + +data "sysdig_secure_trusted_cloud_identity" "trusted_identity" { + cloud_provider = "gcp" +} + +data "google_project" "project" { + project_id = var.project_id +} + +// suffix to uniquely identify WIF pool and provider during multiple installs. If suffix value is not provided, this will generate a random value. +resource "random_id" "suffix" { + count = var.suffix == null ? 1 : 0 + byte_length = 3 +} + +locals { + suffix = var.suffix == null ? random_id.suffix[0].hex : var.suffix +} + +resource "google_service_account" "posture_auth" { + account_id = "sysdig-posture-${local.suffix}" + display_name = "Sysdig Config Posture Auth Service Account" + project = var.project_id +} + +resource "google_service_account_iam_binding" "posture_auth_binding" { + service_account_id = google_service_account.posture_auth.name + role = "roles/iam.workloadIdentityUser" + + members = [ + "serviceAccount:${google_service_account.posture_auth.email}", + ] +} + +#------------------------------------------------------------# +# Configure Workload Identity Federation for auth # +# See https://cloud.google.com/iam/docs/access-resources-aws # +#------------------------------------------------------------# + +resource "google_iam_workload_identity_pool" "posture_auth_pool" { + project = var.project_id + workload_identity_pool_id = "sysdig-posture-${local.suffix}" +} + +resource "google_iam_workload_identity_pool_provider" "posture_auth_pool_provider" { + project = var.project_id + workload_identity_pool_id = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id + workload_identity_pool_provider_id = "sysdig-posture-${local.suffix}" + display_name = "Sysdigcloud config posture auth" + description = "AWS identity pool provider for Sysdig Secure Data Config Posture resources" + disabled = false + + attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}\"" + + attribute_mapping = { + "google.subject" = "assertion.arn", + "attribute.aws_role" = "assertion.arn" + } + + aws { + account_id = data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id + } +} + +#--------------------------------------------------------------------------------------------- +# role permissions for CSPM (GCP Predefined Roles for Sysdig Cloud Secure Posture Management) +#--------------------------------------------------------------------------------------------- +resource "google_project_iam_member" "cspm" { + for_each = var.is_organizational ? [] : toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer"]) + + project = var.project_id + role = each.key + member = "serviceAccount:${google_service_account.posture_auth.email}" +} + +# attaching WIF as a member to the service account for auth +resource "google_service_account_iam_member" "custom_auth" { + service_account_id = google_service_account.posture_auth.name + role = "roles/iam.workloadIdentityUser" + member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}" +} + +#-------------------------------------------------------------------------------------------------------------- +# Call Sysdig Backend to add the service-principal integration for Config Posture to the Sysdig Cloud Account +# +# Note (optional): To ensure this gets called after all cloud resources are created, add +# explicit dependency using depends_on +#-------------------------------------------------------------------------------------------------------------- +resource "sysdig_secure_cloud_auth_account_component" "google_service_principal" { + account_id = var.sysdig_secure_account_id + type = "COMPONENT_SERVICE_PRINCIPAL" + instance = "secure-posture" + verion = "v0.1.0" + service_principal_metadata = jsonencode({ + gcp = { + service_principal = { + workload_identity_federation = { + pool_id = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id + pool_provider_id = google_iam_workload_identity_pool_provider.posture_auth_pool_provider.workload_identity_pool_provider_id + project_number = data.google_project.project.number + } + email = google_service_account.posture_auth.email + } + } + }) +} diff --git a/modules/config-posture/organizational.tf b/modules/config-posture/organizational.tf new file mode 100644 index 0000000..77d85b0 --- /dev/null +++ b/modules/config-posture/organizational.tf @@ -0,0 +1,23 @@ +#--------------# +# Organization # +#--------------# + +data "google_organization" "org" { + count = var.is_organizational ? 1 : 0 + domain = var.organization_domain +} + +################################################### +# Setup Service Account permissions +################################################### + +#--------------------------------------------------------------------------------------------- +# role permissions for CSPM (GCP Predefined Roles for Sysdig Cloud Secure Posture Management) +#--------------------------------------------------------------------------------------------- +resource "google_organization_iam_member" "cspm" { + for_each = var.is_organizational ? toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer"]) : [] + + org_id = data.google_organization.org[0].org_id + role = each.key + member = "serviceAccount:${google_service_account.posture_auth.email}" +} \ No newline at end of file diff --git a/modules/config-posture/outputs.tf b/modules/config-posture/outputs.tf new file mode 100644 index 0000000..20c9f5d --- /dev/null +++ b/modules/config-posture/outputs.tf @@ -0,0 +1,5 @@ +output "service_principal_component_id" { + value = "${sysdig_secure_cloud_auth_account_component.google_service_principal.type}/${sysdig_secure_cloud_auth_account_component.google_service_principal.instance}" + description = "Component identifier of Service Principal created in Sysdig Backend for Config Posture" + depends_on = [sysdig_secure_cloud_auth_account_component.google_service_principal] +} \ No newline at end of file diff --git a/modules/config-posture/variables.tf b/modules/config-posture/variables.tf new file mode 100644 index 0000000..b1d3d9e --- /dev/null +++ b/modules/config-posture/variables.tf @@ -0,0 +1,38 @@ +variable "project_id" { + type = string + description = "(Required) Target Project identifier provided by the customer" +} + +variable "is_organizational" { + description = "(Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization." + type = bool + default = false +} + +variable "organization_domain" { + type = string + description = "(Optional) Organization domain. e.g. sysdig.com" + default = "" +} + +variable "management_group_ids" { + type = set(string) + description = "(Optional) Management group id to onboard. e.g. [organizations/123456789012], [folders/123456789012]" + default = [] +} + +variable "external_id" { + type = string + description = "(Required) Random string generated unique to a customer" +} + +variable "suffix" { + type = string + description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated" + default = null +} + +variable "sysdig_secure_account_id" { + type = string + description = "ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account)" +} \ No newline at end of file diff --git a/modules/config-posture/versions.tf b/modules/config-posture/versions.tf new file mode 100644 index 0000000..7f82c5f --- /dev/null +++ b/modules/config-posture/versions.tf @@ -0,0 +1,18 @@ +terraform { + required_version = ">= 1.0.0" + + required_providers { + google = { + source = "hashicorp/google" + version = ">= 4.21.0" + } + sysdig = { + source = "sysdiglabs/sysdig" + version = ">= 1.29.2" + } + random = { + source = "hashicorp/random" + version = ">= 3.1" + } + } +} \ No newline at end of file diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf index a90da48..7564fc6 100644 --- a/modules/onboarding/variables.tf +++ b/modules/onboarding/variables.tf @@ -3,14 +3,6 @@ variable "project_id" { description = "(Required) Target Project identifier provided by the customer" } -variable "labels" { - type = map(string) - description = "(Optional) Labels to be associated with Sysdig-originated resources" - default = { - originator = "sysdig" - } -} - variable "is_organizational" { description = "(Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization." type = bool diff --git a/modules/onboarding/versions.tf b/modules/onboarding/versions.tf index 0ef54f7..7f82c5f 100644 --- a/modules/onboarding/versions.tf +++ b/modules/onboarding/versions.tf @@ -12,7 +12,7 @@ terraform { } random = { source = "hashicorp/random" - version = ">= 3.1, < 4.0" + version = ">= 3.1" } } } \ No newline at end of file From 5581c6a39807e1833c5cdeed8d036adda1240b2a Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Thu, 5 Sep 2024 13:35:04 -0700 Subject: [PATCH 11/32] updating README --- modules/config-posture/README.md | 87 ++++++++++++++++++++++++++++++++ modules/config-posture/main.tf | 6 +-- modules/onboarding/README.md | 15 +++--- modules/onboarding/main.tf | 6 +-- 4 files changed, 100 insertions(+), 14 deletions(-) diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md index e69de29..9557b9a 100644 --- a/modules/config-posture/README.md +++ b/modules/config-posture/README.md @@ -0,0 +1,87 @@ +# GCP Config Posture Module + +This module will deploy Config Posture resources in GCP for a single project, or for a GCP Organization. +The Config Posture module serves the following functions: +- retrieving inventory for single project, or for all projects within an Organization. +- retrieving organization metadata in the case of organizational onboarding within GCP Organization. + +If instrumenting a project, the following resources will be created: +- All the necessary `Service Accounts` and `Policies` to enable the Config posture operation at the project level +- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources. +- A cloud account component in the Sysdig Backend, associated with the GCP project and with the required component to serve the config posture functions. + +If instrumenting an Organziation, the following resources will be created: +- All the necessary `Service Accounts` and `Policies` to enable the Config Posture operation at the organization level +- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources. +- A cloud account component in the Sysdig Backend, associated with the GCP project and with the required component to serve the config posture functions. + +Note: +- The outputs from the foundational module, such as `sysdig_secure_project_id` are needed as inputs to the other features/integrations modules for subsequent modular installs. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [google](#requirement\_google) | >= 4.21.0 | +| [sysdig](#requirement\_sysdig) | >= 1.23.1 | + +## Providers + +| Name | Version | +|------|---------| +| [google](#provider\_google) | 5.0.0 | +| [random](#provider\_random) | >= 3.1 | + +## Modules + +No modules. + +## Resources + +| [google_service_account.posture_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource | +| [google_service_account_iam_binding.posture_auth_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource | +| [google_organization.org](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/organization) | data source | +| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source | +| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source | +| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | +| [google_iam_workload_identity_pool.posture_auth_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool) | resource | +| [google_iam_workload_identity_pool_provider.posture_auth_pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource | +| [google_project_iam_custom_role.custom_posture_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam_custom_role) | resource | +| [google_project_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) | resource | +| [google_service_account_iam_member.custom_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member) | resource | +| [google_organization_iam_custom_role.custom_posture_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam_custom_role) | resource | +| [google_organization_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|---------------------------------------------------------------------------------------------------------------------------|------|-----------------------------------------------|:--------:| +| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | +| [labels](#input\_labels) | (Optional) Labels to be associated with Sysdig-originated resources | `map(string)` | 
{
  "originator": "sysdig"
}
| no | +| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | +| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | +| [role\_name](#input\_role\_name) | (Optional) Role name for custom role binding to the service account, with read permissions for posture resources | `string` | `"SysdigPostureAuthRole-{random_id}"` | no | +| [external\_id](#input\_external\_id) | (Required) Random string generated unique to a customer | `string` | n/a | yes | +| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | + +## Outputs + +| Name | Description | +|------|----------------------------------------------------------------------------------------------------| +| [workload\_identity\_pool\_id](#output\_workload\_identity\_pool\_id) | Id of Workload Identity Pool for authenticating to GCP to access config posture resources | +| [workload\_identity\_pool\_provider\_id](#output\_workload\_identity\_pool\_provider\_id) | Id of Workload Identity Pool Provider for authenticating to GCP to access config posture resources | +| [workload\_identity\_project\_number](#output\_workload\_identity\_project\_number) | GCP project number | +| [service\_account\_email](#output\_service\_account\_email) | email of the Service Account created | +| [sysdig\_secure\_project\_id](#output\_sysdig\_secure\_project\_id) | ID of the Sysdig Cloud Account created | +| [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not | + + +## Authors + +Module is maintained by [Sysdig](https://sysdig.com). + +## License + +Apache 2 Licensed. See LICENSE for full details. \ No newline at end of file diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf index 35e105e..a14dc39 100644 --- a/modules/config-posture/main.tf +++ b/modules/config-posture/main.tf @@ -21,7 +21,7 @@ locals { } resource "google_service_account" "posture_auth" { - account_id = "sysdig-posture-${local.suffix}" + account_id = "sysdig-secure-posture-${local.suffix}" display_name = "Sysdig Config Posture Auth Service Account" project = var.project_id } @@ -42,13 +42,13 @@ resource "google_service_account_iam_binding" "posture_auth_binding" { resource "google_iam_workload_identity_pool" "posture_auth_pool" { project = var.project_id - workload_identity_pool_id = "sysdig-posture-${local.suffix}" + workload_identity_pool_id = "sysdig-secure-posture-${local.suffix}" } resource "google_iam_workload_identity_pool_provider" "posture_auth_pool_provider" { project = var.project_id workload_identity_pool_id = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id - workload_identity_pool_provider_id = "sysdig-posture-${local.suffix}" + workload_identity_pool_provider_id = "sysdig-secure-posture-${local.suffix}" display_name = "Sysdigcloud config posture auth" description = "AWS identity pool provider for Sysdig Secure Data Config Posture resources" disabled = false diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md index c59db6d..135f4c0 100644 --- a/modules/onboarding/README.md +++ b/modules/onboarding/README.md @@ -63,19 +63,18 @@ No modules. | [labels](#input\_labels) | (Optional) Labels to be associated with Sysdig-originated resources | `map(string)` | 
{
  "originator": "sysdig"
}
| no | | [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | | [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | -| [role\_name](#input\_role\_name) | (Optional) Role name for custom role binding to the service account, with read permissions for data onboarding resources | `string` | `"SysdigOnboardingAuthRole-{random_id}"` | no | | [external\_id](#input\_external\_id) | (Required) Random string generated unique to a customer | `string` | n/a | yes | | [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | ## Outputs -| Name | Description | -|------|-------------| -| [workload\_identity\_pool\_id](#output\_workload\_identity\_pool\_id) | Id of Workload Identity Pool for authenticating to GCP to access data ingestion resources | -| [workload\_identity\_pool\_provider\_id](#output\_workload\_identity\_pool\_provider\_id) | Id of Workload Identity Pool Provider for authenticating to GCP to access data ingestion resources | -| [workload\_identity\_project\_number](#output\_workload\_identity\_project\_number) | GCP project number | -| [service\_account\_email](#output\_service\_account\_email) | email of the Service Account created | -| [sysdig\_secure\_project\_id](#output\_sysdig\_secure\_project\_id) | ID of the Sysdig Cloud Account created | +| Name | Description | +|------|------------------------------------------------------------------------------------------------| +| [workload\_identity\_pool\_id](#output\_workload\_identity\_pool\_id) | Id of Workload Identity Pool for authenticating to GCP to access onboarding resources | +| [workload\_identity\_pool\_provider\_id](#output\_workload\_identity\_pool\_provider\_id) | Id of Workload Identity Pool Provider for authenticating to GCP to access onboarding resources | +| [workload\_identity\_project\_number](#output\_workload\_identity\_project\_number) | GCP project number | +| [service\_account\_email](#output\_service\_account\_email) | email of the Service Account created | +| [sysdig\_secure\_project\_id](#output\_sysdig\_secure\_project\_id) | ID of the Sysdig Cloud Account created | | [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not | diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf index bc01928..f14db18 100644 --- a/modules/onboarding/main.tf +++ b/modules/onboarding/main.tf @@ -21,7 +21,7 @@ locals { } resource "google_service_account" "onboarding_auth" { - account_id = "sysdig-onboarding-${local.suffix}" + account_id = "sysdig-secure-onboarding-${local.suffix}" display_name = "Sysdig Onboarding Auth Service Account" project = var.project_id } @@ -42,13 +42,13 @@ resource "google_service_account_iam_binding" "onboarding_auth_binding" { resource "google_iam_workload_identity_pool" "onboarding_auth_pool" { project = var.project_id - workload_identity_pool_id = "sysdig-onboarding-${local.suffix}" + workload_identity_pool_id = "sysdig-secure-onboarding-${local.suffix}" } resource "google_iam_workload_identity_pool_provider" "onboarding_auth_pool_provider" { project = var.project_id workload_identity_pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id - workload_identity_pool_provider_id = "sysdig-onboarding-${local.suffix}" + workload_identity_pool_provider_id = "sysdig-secure-onboarding-${local.suffix}" display_name = "Sysdigcloud onboarding auth" description = "AWS identity pool provider for Sysdig Secure Data Onboarding resources" disabled = false From 4abc7b2ccc3f579d9332b1681b4ad632efd0ffc9 Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Thu, 5 Sep 2024 14:30:24 -0700 Subject: [PATCH 12/32] fix role naming & version metadata --- modules/config-posture/main.tf | 25 +++++++++++-------------- modules/onboarding/main.tf | 23 +++++++++++------------ modules/onboarding/outputs.tf | 22 +--------------------- 3 files changed, 23 insertions(+), 47 deletions(-) diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf index a14dc39..bbb8e80 100644 --- a/modules/config-posture/main.tf +++ b/modules/config-posture/main.tf @@ -21,7 +21,8 @@ locals { } resource "google_service_account" "posture_auth" { - account_id = "sysdig-secure-posture-${local.suffix}" + # service account name cannot be longer than 30 characters + account_id = "sysdig-posture-${local.suffix}" display_name = "Sysdig Config Posture Auth Service Account" project = var.project_id } @@ -48,7 +49,7 @@ resource "google_iam_workload_identity_pool" "posture_auth_pool" { resource "google_iam_workload_identity_pool_provider" "posture_auth_pool_provider" { project = var.project_id workload_identity_pool_id = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id - workload_identity_pool_provider_id = "sysdig-secure-posture-${local.suffix}" + workload_identity_pool_provider_id = "sysdig-posture-${local.suffix}" display_name = "Sysdigcloud config posture auth" description = "AWS identity pool provider for Sysdig Secure Data Config Posture resources" disabled = false @@ -77,7 +78,7 @@ resource "google_project_iam_member" "cspm" { } # attaching WIF as a member to the service account for auth -resource "google_service_account_iam_member" "custom_auth" { +resource "google_service_account_iam_member" "custom_posture_auth" { service_account_id = google_service_account.posture_auth.name role = "roles/iam.workloadIdentityUser" member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}" @@ -85,25 +86,21 @@ resource "google_service_account_iam_member" "custom_auth" { #-------------------------------------------------------------------------------------------------------------- # Call Sysdig Backend to add the service-principal integration for Config Posture to the Sysdig Cloud Account -# -# Note (optional): To ensure this gets called after all cloud resources are created, add -# explicit dependency using depends_on #-------------------------------------------------------------------------------------------------------------- resource "sysdig_secure_cloud_auth_account_component" "google_service_principal" { account_id = var.sysdig_secure_account_id type = "COMPONENT_SERVICE_PRINCIPAL" instance = "secure-posture" - verion = "v0.1.0" + version = "v0.1.0" service_principal_metadata = jsonencode({ gcp = { - service_principal = { - workload_identity_federation = { - pool_id = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id - pool_provider_id = google_iam_workload_identity_pool_provider.posture_auth_pool_provider.workload_identity_pool_provider_id - project_number = data.google_project.project.number - } - email = google_service_account.posture_auth.email + workload_identity_federation = { + pool_id = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id + pool_provider_id = google_iam_workload_identity_pool_provider.posture_auth_pool_provider.workload_identity_pool_provider_id + project_number = data.google_project.project.number } + email = google_service_account.posture_auth.email } }) + depends_on = [google_service_account_iam_member.custom_posture_auth] } diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf index f14db18..0cc8518 100644 --- a/modules/onboarding/main.tf +++ b/modules/onboarding/main.tf @@ -21,7 +21,8 @@ locals { } resource "google_service_account" "onboarding_auth" { - account_id = "sysdig-secure-onboarding-${local.suffix}" + # service account name cannot be longer than 30 characters + account_id = "sysdig-onboarding-${local.suffix}" display_name = "Sysdig Onboarding Auth Service Account" project = var.project_id } @@ -42,13 +43,13 @@ resource "google_service_account_iam_binding" "onboarding_auth_binding" { resource "google_iam_workload_identity_pool" "onboarding_auth_pool" { project = var.project_id - workload_identity_pool_id = "sysdig-secure-onboarding-${local.suffix}" + workload_identity_pool_id = "sysdig-onboarding-${local.suffix}" } resource "google_iam_workload_identity_pool_provider" "onboarding_auth_pool_provider" { project = var.project_id workload_identity_pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id - workload_identity_pool_provider_id = "sysdig-secure-onboarding-${local.suffix}" + workload_identity_pool_provider_id = "sysdig-onboarding-${local.suffix}" display_name = "Sysdigcloud onboarding auth" description = "AWS identity pool provider for Sysdig Secure Data Onboarding resources" disabled = false @@ -77,7 +78,7 @@ resource "google_project_iam_member" "browser" { } # attaching WIF as a member to the service account for auth -resource "google_service_account_iam_member" "custom_auth" { +resource "google_service_account_iam_member" "custom_onboarding_auth" { service_account_id = google_service_account.onboarding_auth.name role = "roles/iam.workloadIdentityUser" member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}" @@ -101,19 +102,17 @@ resource "sysdig_secure_cloud_auth_account" "google_account" { version = "v0.1.0" service_principal_metadata = jsonencode({ gcp = { - service_principal = { - workload_identity_federation = { - pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id - pool_provider_id = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id - project_number = data.google_project.project.number - } - email = google_service_account.onboarding_auth.email + workload_identity_federation = { + pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id + pool_provider_id = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id + project_number = data.google_project.project.number } + email = google_service_account.onboarding_auth.email } }) } - depends_on = [google_service_account_iam_member.custom_auth] + depends_on = [google_service_account_iam_member.custom_onboarding_auth] lifecycle { ignore_changes = [ diff --git a/modules/onboarding/outputs.tf b/modules/onboarding/outputs.tf index 75ec94c..6edda10 100644 --- a/modules/onboarding/outputs.tf +++ b/modules/onboarding/outputs.tf @@ -1,29 +1,9 @@ -output "workload_identity_pool_id" { - value = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id - description = "Id of Workload Identity Pool for authenticating to GCP to access data onboarding resources" -} - -output "workload_identity_pool_provider_id" { - value = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id - description = "Id of Workload Identity Pool Provider for authenticating to GCP to access data onboarding resources" -} - -output "workload_identity_project_number" { - value = data.google_project.project.number - description = "GCP project number" -} - -output "service_account_email" { - value = google_service_account.onboarding_auth.email - description = "email of the Service Account created" -} - output "project_id" { value = var.project_id description = "Project ID in which secure-for-cloud onboarding resources are created. For organizational installs it is the Management Project ID selected during install" } -output "sysdig_secure_project_id" { +output "sysdig_secure_account_id" { value = sysdig_secure_cloud_auth_account.google_account.id description = "ID of the Sysdig Cloud Account created" } From b4d8e07e37886b6be97381eaa00d8311722e975a Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Thu, 5 Sep 2024 15:08:44 -0700 Subject: [PATCH 13/32] updating examples for onboarding & cspm org --- modules/onboarding/organizational.tf | 2 +- modules/onboarding/outputs.tf | 5 ++++ .../onboarding_with_posture.tf | 26 ++++++++++++++++--- .../onboarding_with_posture.tf | 15 +++++++++++ 4 files changed, 43 insertions(+), 5 deletions(-) diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf index 4ff434a..09554ea 100644 --- a/modules/onboarding/organizational.tf +++ b/modules/onboarding/organizational.tf @@ -26,7 +26,7 @@ resource "google_organization_iam_member" "browser" { # Call Sysdig Backend to create organization with foundational onboarding # (ensure it is called after all above cloud resources are created) #--------------------------------------------------------------------------------------------- -resource "sysdig_secure_organization" "azure_organization" { +resource "sysdig_secure_organization" "google_organization" { count = var.is_organizational ? 1 : 0 management_account_id = sysdig_secure_cloud_auth_account.google_account.id diff --git a/modules/onboarding/outputs.tf b/modules/onboarding/outputs.tf index 6edda10..7db7f22 100644 --- a/modules/onboarding/outputs.tf +++ b/modules/onboarding/outputs.tf @@ -12,3 +12,8 @@ output "is_organizational" { value = var.is_organizational description = "Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not" } + +output "organization_domain" { + value = var.organization_domain + description = "Organization domain. e.g. sysdig.com" +} diff --git a/test/examples/modular_organization/onboarding_with_posture.tf b/test/examples/modular_organization/onboarding_with_posture.tf index 63b1c09..ca933bd 100644 --- a/test/examples/modular_organization/onboarding_with_posture.tf +++ b/test/examples/modular_organization/onboarding_with_posture.tf @@ -18,8 +18,26 @@ provider "sysdig" { } module "onboarding" { - source = "../../../modules/onboarding" - project_id = "org-child-project-3" - external_id = "25ef0d887bc7a2b30089a025618e1c62" - is_organizational = true + source = "../../../modules/onboarding" + project_id = "org-child-project-3" + external_id = "25ef0d887bc7a2b30089a025618e1c62" + is_organizational = true + organization_domain = "draios.com" +} + +module "config-posture" { + source = "../../../modules/config-posture" + project_id = module.onboarding.project_id + external_id = "25ef0d887bc7a2b30089a025618e1c62" + is_organizational = module.onboarding.is_organizational + organization_domain = module.onboarding.organization_domain + sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id +} + +resource "sysdig_secure_cloud_auth_account_feature" "config_posture" { + account_id = module.onboarding.sysdig_secure_account_id + type = "FEATURE_SECURE_CONFIG_POSTURE" + enabled = true + components = [module.config-posture.service_principal_component_id] + depends_on = [module.config-posture] } \ No newline at end of file diff --git a/test/examples/modular_single_project/onboarding_with_posture.tf b/test/examples/modular_single_project/onboarding_with_posture.tf index 6372874..c2db178 100644 --- a/test/examples/modular_single_project/onboarding_with_posture.tf +++ b/test/examples/modular_single_project/onboarding_with_posture.tf @@ -21,4 +21,19 @@ module "onboarding" { source = "../../../modules/onboarding" project_id = "org-child-project-3" external_id = "25ef0d887bc7a2b30089a025618e1c62" +} + +module "config-posture" { + source = "../../../modules/config-posture" + project_id = "org-child-project-3" + external_id = "25ef0d887bc7a2b30089a025618e1c62" + sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id +} + +resource "sysdig_secure_cloud_auth_account_feature" "config_posture" { + account_id = module.onboarding.sysdig_secure_account_id + type = "FEATURE_SECURE_CONFIG_POSTURE" + enabled = true + components = [module.config-posture.service_principal_component_id] + depends_on = [module.config-posture] } \ No newline at end of file From e9a212d6409a516350cade895c1ae3a69b619188 Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Thu, 5 Sep 2024 15:24:07 -0700 Subject: [PATCH 14/32] cleanup foundational READMEs --- modules/config-posture/README.md | 29 ++++++++++++----------------- modules/onboarding/README.md | 15 ++++++--------- 2 files changed, 18 insertions(+), 26 deletions(-) diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md index 9557b9a..42ba8d6 100644 --- a/modules/config-posture/README.md +++ b/modules/config-posture/README.md @@ -56,26 +56,21 @@ No modules. ## Inputs -| Name | Description | Type | Default | Required | -|------|---------------------------------------------------------------------------------------------------------------------------|------|-----------------------------------------------|:--------:| -| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | -| [labels](#input\_labels) | (Optional) Labels to be associated with Sysdig-originated resources | `map(string)` | 
{
  "originator": "sysdig"
}
| no | -| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | -| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | -| [role\_name](#input\_role\_name) | (Optional) Role name for custom role binding to the service account, with read permissions for posture resources | `string` | `"SysdigPostureAuthRole-{random_id}"` | no | -| [external\_id](#input\_external\_id) | (Required) Random string generated unique to a customer | `string` | n/a | yes | -| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | +| Name | Description | Type | Default | Required | +|------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|------|-----------------------------------------------|:--------:| +| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | +| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | +| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | +| [external\_id](#input\_external\_id) | (Required) Random string generated unique to a customer | `string` | n/a | yes | +| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | +| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) The GUID of the management project or single project per sysdig representation | `string` | n/a | yes | +| [management\_group\_ids](#input\_management\_group\_ids) | (Optional) Management group ids to onboard sub ogs or folders like 'organizations/sysdig.com' or 'folders/test-1' | `string` | n/a | yes | ## Outputs -| Name | Description | -|------|----------------------------------------------------------------------------------------------------| -| [workload\_identity\_pool\_id](#output\_workload\_identity\_pool\_id) | Id of Workload Identity Pool for authenticating to GCP to access config posture resources | -| [workload\_identity\_pool\_provider\_id](#output\_workload\_identity\_pool\_provider\_id) | Id of Workload Identity Pool Provider for authenticating to GCP to access config posture resources | -| [workload\_identity\_project\_number](#output\_workload\_identity\_project\_number) | GCP project number | -| [service\_account\_email](#output\_service\_account\_email) | email of the Service Account created | -| [sysdig\_secure\_project\_id](#output\_sysdig\_secure\_project\_id) | ID of the Sysdig Cloud Account created | -| [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not | +| Name | Description | +|--------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------| +| [service\_principal\_component\_id](#output\_service\_principal\_component\_id) | The component id of the config posture service principal with its WIF metadata | ## Authors diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md index 135f4c0..de459c5 100644 --- a/modules/onboarding/README.md +++ b/modules/onboarding/README.md @@ -60,7 +60,6 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | -| [labels](#input\_labels) | (Optional) Labels to be associated with Sysdig-originated resources | `map(string)` | 
{
  "originator": "sysdig"
}
| no | | [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | | [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | | [external\_id](#input\_external\_id) | (Required) Random string generated unique to a customer | `string` | n/a | yes | @@ -68,14 +67,12 @@ No modules. ## Outputs -| Name | Description | -|------|------------------------------------------------------------------------------------------------| -| [workload\_identity\_pool\_id](#output\_workload\_identity\_pool\_id) | Id of Workload Identity Pool for authenticating to GCP to access onboarding resources | -| [workload\_identity\_pool\_provider\_id](#output\_workload\_identity\_pool\_provider\_id) | Id of Workload Identity Pool Provider for authenticating to GCP to access onboarding resources | -| [workload\_identity\_project\_number](#output\_workload\_identity\_project\_number) | GCP project number | -| [service\_account\_email](#output\_service\_account\_email) | email of the Service Account created | -| [sysdig\_secure\_project\_id](#output\_sysdig\_secure\_project\_id) | ID of the Sysdig Cloud Account created | -| [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not | +| Name | Description | +|--------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------| +| [sysdig\_secure\_project\_id](#output\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account created | +| [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not | +| [organization\_domain](#output\_organization\_domain) | Organization domain of the GCP org being onboarded | +| [project\_id](#output\_project\_id) | The management project id chosen during install, where global resources are deployed | ## Authors From 2885cccf7c0c971ad8920ad612ad4d009910456f Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Fri, 6 Sep 2024 10:01:12 -0700 Subject: [PATCH 15/32] use external_id datasource --- modules/config-posture/main.tf | 6 ++++-- modules/onboarding/main.tf | 6 ++++-- .../modular_organization/onboarding_with_posture.tf | 2 -- .../modular_single_project/onboarding_with_posture.tf | 2 -- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf index bbb8e80..6b27a79 100644 --- a/modules/config-posture/main.tf +++ b/modules/config-posture/main.tf @@ -6,6 +6,8 @@ data "sysdig_secure_trusted_cloud_identity" "trusted_identity" { cloud_provider = "gcp" } +data "sysdig_secure_tenant_external_id" "external_id" {} + data "google_project" "project" { project_id = var.project_id } @@ -54,7 +56,7 @@ resource "google_iam_workload_identity_pool_provider" "posture_auth_pool_provide description = "AWS identity pool provider for Sysdig Secure Data Config Posture resources" disabled = false - attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}\"" + attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\"" attribute_mapping = { "google.subject" = "assertion.arn", @@ -81,7 +83,7 @@ resource "google_project_iam_member" "cspm" { resource "google_service_account_iam_member" "custom_posture_auth" { service_account_id = google_service_account.posture_auth.name role = "roles/iam.workloadIdentityUser" - member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}" + member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}" } #-------------------------------------------------------------------------------------------------------------- diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf index 0cc8518..5ed3c49 100644 --- a/modules/onboarding/main.tf +++ b/modules/onboarding/main.tf @@ -6,6 +6,8 @@ data "sysdig_secure_trusted_cloud_identity" "trusted_identity" { cloud_provider = "gcp" } +data "sysdig_secure_tenant_external_id" "external_id" {} + data "google_project" "project" { project_id = var.project_id } @@ -54,7 +56,7 @@ resource "google_iam_workload_identity_pool_provider" "onboarding_auth_pool_prov description = "AWS identity pool provider for Sysdig Secure Data Onboarding resources" disabled = false - attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}\"" + attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\"" attribute_mapping = { "google.subject" = "assertion.arn", @@ -81,7 +83,7 @@ resource "google_project_iam_member" "browser" { resource "google_service_account_iam_member" "custom_onboarding_auth" { service_account_id = google_service_account.onboarding_auth.name role = "roles/iam.workloadIdentityUser" - member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}" + member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}" } #--------------------------------------------------------------------------------------------- diff --git a/test/examples/modular_organization/onboarding_with_posture.tf b/test/examples/modular_organization/onboarding_with_posture.tf index ca933bd..29c2e38 100644 --- a/test/examples/modular_organization/onboarding_with_posture.tf +++ b/test/examples/modular_organization/onboarding_with_posture.tf @@ -20,7 +20,6 @@ provider "sysdig" { module "onboarding" { source = "../../../modules/onboarding" project_id = "org-child-project-3" - external_id = "25ef0d887bc7a2b30089a025618e1c62" is_organizational = true organization_domain = "draios.com" } @@ -28,7 +27,6 @@ module "onboarding" { module "config-posture" { source = "../../../modules/config-posture" project_id = module.onboarding.project_id - external_id = "25ef0d887bc7a2b30089a025618e1c62" is_organizational = module.onboarding.is_organizational organization_domain = module.onboarding.organization_domain sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id diff --git a/test/examples/modular_single_project/onboarding_with_posture.tf b/test/examples/modular_single_project/onboarding_with_posture.tf index c2db178..7325f9d 100644 --- a/test/examples/modular_single_project/onboarding_with_posture.tf +++ b/test/examples/modular_single_project/onboarding_with_posture.tf @@ -20,13 +20,11 @@ provider "sysdig" { module "onboarding" { source = "../../../modules/onboarding" project_id = "org-child-project-3" - external_id = "25ef0d887bc7a2b30089a025618e1c62" } module "config-posture" { source = "../../../modules/config-posture" project_id = "org-child-project-3" - external_id = "25ef0d887bc7a2b30089a025618e1c62" sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id } From 628a2d63f575c98cfff6e772a6f707a432574000 Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Fri, 6 Sep 2024 10:06:19 -0700 Subject: [PATCH 16/32] update README --- modules/config-posture/README.md | 13 ++++++------- modules/config-posture/variables.tf | 5 ----- modules/onboarding/README.md | 1 - modules/onboarding/variables.tf | 5 ----- 4 files changed, 6 insertions(+), 18 deletions(-) diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md index 42ba8d6..7e6c42b 100644 --- a/modules/config-posture/README.md +++ b/modules/config-posture/README.md @@ -58,13 +58,12 @@ No modules. | Name | Description | Type | Default | Required | |------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|------|-----------------------------------------------|:--------:| -| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | -| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | -| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | -| [external\_id](#input\_external\_id) | (Required) Random string generated unique to a customer | `string` | n/a | yes | -| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | -| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) The GUID of the management project or single project per sysdig representation | `string` | n/a | yes | -| [management\_group\_ids](#input\_management\_group\_ids) | (Optional) Management group ids to onboard sub ogs or folders like 'organizations/sysdig.com' or 'folders/test-1' | `string` | n/a | yes | +| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | +| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | +| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | +| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | +| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) The GUID of the management project or single project per sysdig representation | `string` | n/a | yes | +| [management\_group\_ids](#input\_management\_group\_ids) | (Optional) Management group ids to onboard sub ogs or folders like 'organizations/sysdig.com' or 'folders/test-1' | `string` | n/a | no | ## Outputs diff --git a/modules/config-posture/variables.tf b/modules/config-posture/variables.tf index b1d3d9e..c6630bd 100644 --- a/modules/config-posture/variables.tf +++ b/modules/config-posture/variables.tf @@ -21,11 +21,6 @@ variable "management_group_ids" { default = [] } -variable "external_id" { - type = string - description = "(Required) Random string generated unique to a customer" -} - variable "suffix" { type = string description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated" diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md index de459c5..1fbd585 100644 --- a/modules/onboarding/README.md +++ b/modules/onboarding/README.md @@ -62,7 +62,6 @@ No modules. | [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | | [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | | [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | -| [external\_id](#input\_external\_id) | (Required) Random string generated unique to a customer | `string` | n/a | yes | | [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | ## Outputs diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf index 7564fc6..9571e7e 100644 --- a/modules/onboarding/variables.tf +++ b/modules/onboarding/variables.tf @@ -21,11 +21,6 @@ variable "management_group_ids" { default = [] } -variable "external_id" { - type = string - description = "(Required) Random string generated unique to a customer" -} - variable "suffix" { type = string description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated" From 211a8deeb48f234df51383a6849ce3d09f23443d Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Fri, 6 Sep 2024 10:40:38 -0700 Subject: [PATCH 17/32] remove mgmt_group_ids in cspm module --- modules/config-posture/variables.tf | 6 ------ 1 file changed, 6 deletions(-) diff --git a/modules/config-posture/variables.tf b/modules/config-posture/variables.tf index c6630bd..b975bc2 100644 --- a/modules/config-posture/variables.tf +++ b/modules/config-posture/variables.tf @@ -15,12 +15,6 @@ variable "organization_domain" { default = "" } -variable "management_group_ids" { - type = set(string) - description = "(Optional) Management group id to onboard. e.g. [organizations/123456789012], [folders/123456789012]" - default = [] -} - variable "suffix" { type = string description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated" From ec938f075e84051574f839ab4aa4e7d39268c946 Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Mon, 9 Sep 2024 20:47:46 -0700 Subject: [PATCH 18/32] bump sysdig provider version to be consistent & have latest datasources --- modules/config-posture/versions.tf | 2 +- modules/onboarding/versions.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/config-posture/versions.tf b/modules/config-posture/versions.tf index 7f82c5f..adb6e1a 100644 --- a/modules/config-posture/versions.tf +++ b/modules/config-posture/versions.tf @@ -8,7 +8,7 @@ terraform { } sysdig = { source = "sysdiglabs/sysdig" - version = ">= 1.29.2" + version = ">= 1.34.0" } random = { source = "hashicorp/random" diff --git a/modules/onboarding/versions.tf b/modules/onboarding/versions.tf index 7f82c5f..adb6e1a 100644 --- a/modules/onboarding/versions.tf +++ b/modules/onboarding/versions.tf @@ -8,7 +8,7 @@ terraform { } sysdig = { source = "sysdiglabs/sysdig" - version = ">= 1.29.2" + version = ">= 1.34.0" } random = { source = "hashicorp/random" From b37fe73cb4a32f4e3e752bfe3d22f79b1b60962c Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Mon, 9 Sep 2024 20:49:56 -0700 Subject: [PATCH 19/32] updating examples --- test/examples/modular_organization/onboarding_with_posture.tf | 2 +- test/examples/modular_single_project/onboarding_with_posture.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test/examples/modular_organization/onboarding_with_posture.tf b/test/examples/modular_organization/onboarding_with_posture.tf index 29c2e38..c902e5e 100644 --- a/test/examples/modular_organization/onboarding_with_posture.tf +++ b/test/examples/modular_organization/onboarding_with_posture.tf @@ -7,7 +7,7 @@ terraform { required_providers { sysdig = { source = "sysdiglabs/sysdig" - version = "~> 1.29.2" + version = "~> 1.34.0" } } } diff --git a/test/examples/modular_single_project/onboarding_with_posture.tf b/test/examples/modular_single_project/onboarding_with_posture.tf index 7325f9d..7222a68 100644 --- a/test/examples/modular_single_project/onboarding_with_posture.tf +++ b/test/examples/modular_single_project/onboarding_with_posture.tf @@ -7,7 +7,7 @@ terraform { required_providers { sysdig = { source = "sysdiglabs/sysdig" - version = "~> 1.29.2" + version = "~> 1.34.0" } } } From 99b4062677ae9d44549ae828a6084742d3638ec0 Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Tue, 10 Sep 2024 13:42:10 -0700 Subject: [PATCH 20/32] update example --- test/examples/modular_single_project/onboarding_with_posture.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/examples/modular_single_project/onboarding_with_posture.tf b/test/examples/modular_single_project/onboarding_with_posture.tf index 7222a68..01c0705 100644 --- a/test/examples/modular_single_project/onboarding_with_posture.tf +++ b/test/examples/modular_single_project/onboarding_with_posture.tf @@ -24,7 +24,7 @@ module "onboarding" { module "config-posture" { source = "../../../modules/config-posture" - project_id = "org-child-project-3" + project_id = module.onboarding.project_id sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id } From af3f570db834d51b2e532b4562c2b5e1be764bdb Mon Sep 17 00:00:00 2001 From: Jose Pablo Camacho Date: Tue, 10 Sep 2024 17:51:12 -0600 Subject: [PATCH 21/32] feat(modular): address feedback for modular support for cdr/ciem, rebase and cleanup --- .../integrations/webhook-datasource/main.tf | 2 +- .../webhook-datasource/organizational.tf | 2 +- .../webhook_datasource.tf | 28 ++++++ .../onboarding_with_posture.tf | 6 +- .../webhook_datasource.tf | 26 ++++++ .../webhook_datasource.tf | 93 +------------------ .../webhook_datasource.tf | 71 +------------- 7 files changed, 62 insertions(+), 166 deletions(-) create mode 100644 test/examples/modular_organization/webhook_datasource.tf create mode 100644 test/examples/modular_single_project/webhook_datasource.tf diff --git a/modules/integrations/webhook-datasource/main.tf b/modules/integrations/webhook-datasource/main.tf index 46cd3f7..3ba941f 100644 --- a/modules/integrations/webhook-datasource/main.tf +++ b/modules/integrations/webhook-datasource/main.tf @@ -201,7 +201,7 @@ resource "google_project_iam_custom_role" "custom_ingestion_auth_role" { count = var.is_organizational ? 0 : 1 project = var.project_id - role_id = "${var.role_name}-${local.suffix}" + role_id = "${var.role_name}${local.suffix}" title = "Sysdigcloud Ingestion Auth Role" description = "A Role providing the required permissions for Sysdig Backend to read cloud resources created for data ingestion" permissions = [ diff --git a/modules/integrations/webhook-datasource/organizational.tf b/modules/integrations/webhook-datasource/organizational.tf index 098014c..664c285 100644 --- a/modules/integrations/webhook-datasource/organizational.tf +++ b/modules/integrations/webhook-datasource/organizational.tf @@ -63,7 +63,7 @@ resource "google_organization_iam_custom_role" "custom_ingestion_auth_role" { count = var.is_organizational ? 1 : 0 org_id = data.google_organization.org[0].org_id - role_id = "${var.role_name}-org-${local.suffix}" + role_id = "${var.role_name}Org${local.suffix}" title = "Sysdigcloud Ingestion Auth Role" description = "A Role providing the required permissions for Sysdig Backend to read cloud resources created for data ingestion" permissions = [ diff --git a/test/examples/modular_organization/webhook_datasource.tf b/test/examples/modular_organization/webhook_datasource.tf new file mode 100644 index 0000000..6b45215 --- /dev/null +++ b/test/examples/modular_organization/webhook_datasource.tf @@ -0,0 +1,28 @@ +#--------------------------------------------------------------------------------------------- +# Ensure installation flow for foundational onboarding has been completed before +# installing additional Sysdig features. +#--------------------------------------------------------------------------------------------- + +module "webhook-datasource" { + source = "../../../modules/integrations/webhook-datasource" + project_id = module.onboarding.project_id + is_organizational = module.onboarding.is_organizational + organization_domain = module.onboarding.organization_domain + sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id +} + +resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { + account_id = module.onboarding.sysdig_secure_account_id + type = "FEATURE_SECURE_THREAT_DETECTION" + enabled = true + components = [ module.webhook-datasource.webhook_datasource_component_id ] + depends_on = [ module.webhook-datasource ] +} + +resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" { + account_id = module.onboarding.sysdig_secure_account_id + type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT" + enabled = true + components = [module.webhook-datasource.webhook_datasource_component_id] + depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, sysdig_secure_cloud_auth_account_feature.threat_detection] +} \ No newline at end of file diff --git a/test/examples/modular_single_project/onboarding_with_posture.tf b/test/examples/modular_single_project/onboarding_with_posture.tf index 01c0705..53eda45 100644 --- a/test/examples/modular_single_project/onboarding_with_posture.tf +++ b/test/examples/modular_single_project/onboarding_with_posture.tf @@ -1,5 +1,5 @@ provider "google" { - project = "org-child-project-3" + project = "org-child-project-1" region = "us-west1" } @@ -14,12 +14,12 @@ terraform { provider "sysdig" { sysdig_secure_url = "https://secure-staging.sysdig.com" - sysdig_secure_api_token = "API_TOKEN" + sysdig_secure_api_token = "3aec5684-d355-4dd0-8e0e-4b87af8537f3" } module "onboarding" { source = "../../../modules/onboarding" - project_id = "org-child-project-3" + project_id = "org-child-project-1" } module "config-posture" { diff --git a/test/examples/modular_single_project/webhook_datasource.tf b/test/examples/modular_single_project/webhook_datasource.tf new file mode 100644 index 0000000..9effcf5 --- /dev/null +++ b/test/examples/modular_single_project/webhook_datasource.tf @@ -0,0 +1,26 @@ +#--------------------------------------------------------------------------------------------- +# Ensure installation flow for foundational onboarding has been completed before +# installing additional Sysdig features. +#--------------------------------------------------------------------------------------------- + +module "webhook-datasource" { + source = "../../../modules/integrations/webhook-datasource" + project_id = module.onboarding.project_id + sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id +} + +resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { + account_id = module.onboarding.sysdig_secure_account_id + type = "FEATURE_SECURE_THREAT_DETECTION" + enabled = true + components = [ module.webhook-datasource.webhook_datasource_component_id ] + depends_on = [ module.webhook-datasource ] +} + +resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" { + account_id = module.onboarding.sysdig_secure_account_id + type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT" + enabled = true + components = [module.webhook-datasource.webhook_datasource_component_id] + depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, sysdig_secure_cloud_auth_account_feature.threat_detection] +} \ No newline at end of file diff --git a/test/examples/organization_cdr_test/webhook_datasource.tf b/test/examples/organization_cdr_test/webhook_datasource.tf index 62c54ad..6b45215 100644 --- a/test/examples/organization_cdr_test/webhook_datasource.tf +++ b/test/examples/organization_cdr_test/webhook_datasource.tf @@ -3,48 +3,14 @@ # installing additional Sysdig features. #--------------------------------------------------------------------------------------------- -# UNCOMMENT TO TEST: FROM HERE: THIS WILL BE PART OF THE ONBOARD MODULE -# terraform { -# required_providers { -# sysdig = { -# source = "sysdiglabs/sysdig" -# version = "~> 1.34.0" -# } -# } -# } -# -# provider "sysdig" { -# sysdig_secure_url = "https://secure-staging.sysdig.com" -# sysdig_secure_api_token = -# } -# -# provider "google" { -# project = "org-child-project-1" -# region = "us-west1" -# } -# TO HERE - module "webhook-datasource" { source = "../../../modules/integrations/webhook-datasource" project_id = module.onboarding.project_id - # push_endpoint is no longer needed - # push_endpoint = "https://app-staging.sysdigcloud.com/api/cloudingestion/gcp/v2/84f934c6-eb2d-47d9-804b-bcfe9e6ef0b9" is_organizational = module.onboarding.is_organizational organization_domain = module.onboarding.organization_domain sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id } -# UNCOMMENT TO TEST: THIS IS NOT GOING TO BE LONGER NEEDED, SINCE WILL BE PART OF FOUNDATIONAL -# module "organization-posture" { -# source = "sysdiglabs/secure/google//modules/services/service-principal" -# project_id = "org-child-project-1" -# service_account_name = "sysdig-secure-2u6g" -# is_organizational = true -# organization_domain = "draios.com" -# } -# TO HERE - -# COMMENT TO TEST: THIS WILL BE PART OF THE SNIPPET resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { account_id = module.onboarding.sysdig_secure_account_id type = "FEATURE_SECURE_THREAT_DETECTION" @@ -59,61 +25,4 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" { enabled = true components = [module.webhook-datasource.webhook_datasource_component_id] depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, sysdig_secure_cloud_auth_account_feature.threat_detection] -} -# TO HERE - -# UNCOMMENT TO TEST: THIS IS NOT GOING TO BE LONGER NEEDED, SINCE WILL BE PART OF FOUNDATIONAL -# resource "sysdig_secure_cloud_auth_account" "gcp_project_org-child-project-1" { -# enabled = true -# provider_id = "org-child-project-1" -# provider_type = "PROVIDER_GCP" -# -# feature { -# -# secure_threat_detection { -# enabled = true -# components = ["COMPONENT_WEBHOOK_DATASOURCE/secure-runtime"] -# } -# } -# component { -# type = "COMPONENT_WEBHOOK_DATASOURCE" -# instance = "secure-runtime" -# webhook_datasource_metadata = jsonencode({ -# gcp = { -# webhook_datasource = { -# pubsub_topic_name = module.webhook-datasource.ingestion_pubsub_topic_name -# sink_name = module.webhook-datasource.ingestion_sink_name -# push_subscription_name = module.webhook-datasource.ingestion_push_subscription_name -# push_endpoint = module.webhook-datasource.push_endpoint -# routing_key = "84f934c6-eb2d-47d9-804b-bcfe9e6ef0b9" -# } -# service_principal = { -# workload_identity_federation = { -# pool_id = module.webhook-datasource.workload_identity_pool_id -# pool_provider_id = module.webhook-datasource.workload_identity_pool_provider_id -# project_number = module.webhook-datasource.workload_identity_project_number -# } -# email = module.webhook-datasource.service_account_email -# } -# } -# }) -# } -# -# component { -# type = "COMPONENT_SERVICE_PRINCIPAL" -# instance = "secure-onboarding" -# service_principal_metadata = jsonencode({ -# gcp = { -# key = module.organization-posture.service_account_key -# } -# }) -# } -# depends_on = [module.organization-posture, module.webhook-datasource] -# } -# -# resource "sysdig_secure_organization" "gcp_organization_org-child-project-1" { -# organizational_unit_ids = [] -# management_account_id = sysdig_secure_cloud_auth_account.gcp_project_org-child-project-1.id -# depends_on = [module.organization-posture, module.webhook-datasource] -# } -# TO HERE \ No newline at end of file +} \ No newline at end of file diff --git a/test/examples/single_account_cdr_test/webhook_datasource.tf b/test/examples/single_account_cdr_test/webhook_datasource.tf index babebac..9effcf5 100644 --- a/test/examples/single_account_cdr_test/webhook_datasource.tf +++ b/test/examples/single_account_cdr_test/webhook_datasource.tf @@ -3,38 +3,12 @@ # installing additional Sysdig features. #--------------------------------------------------------------------------------------------- -# UNCOMMENT TO TEST: FROM HERE: THIS WILL BE PART OF THE ONBOARD MODULE -# terraform { -# required_providers { -# sysdig = { -# source = "sysdiglabs/sysdig" -# version = "~> 1.34.0" -# } -# } -# } -# -# provider "sysdig" { -# sysdig_secure_url = "https://secure-staging.sysdig.com" -# sysdig_secure_api_token = -# } -# -# provider "google" { -# project = "org-child-project-1" -# region = "us-west1" -# } -# TO HERE - module "webhook-datasource" { source = "../../../modules/integrations/webhook-datasource" - project_id = "org-child-project-1" - # push_endpoint and external_id are no longer needed - # push_endpoint = "https://app-staging.sysdigcloud.com/api/cloudingestion/gcp/v2/1f6d4677-84ec-4356-bd73-c79c8a96f96a" - # external_id = "87e82bdu28323" - # This will come from the onboarding module: module.onboarding.sysdig_secure_account_id + project_id = module.onboarding.project_id sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id } -# COMMENT TO TEST: THIS WILL BE PART OF THE SNIPPET resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { account_id = module.onboarding.sysdig_secure_account_id type = "FEATURE_SECURE_THREAT_DETECTION" @@ -49,45 +23,4 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" { enabled = true components = [module.webhook-datasource.webhook_datasource_component_id] depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, sysdig_secure_cloud_auth_account_feature.threat_detection] -} -# TO HERE - -# UNCOMMENT TO TEST: THIS IS NOT GOING TO BE LONGER NEEDED, SINCE WILL BE PART OF FOUNDATIONAL -# resource "sysdig_secure_cloud_auth_account" "gcp_project_org-child-project-1" { -# enabled = true -# provider_id = "org-child-project-1" -# provider_type = "PROVIDER_GCP" -# -# feature { -# -# secure_threat_detection { -# enabled = true -# components = ["COMPONENT_WEBHOOK_DATASOURCE/secure-runtime"] -# } -# } -# component { -# type = "COMPONENT_WEBHOOK_DATASOURCE" -# instance = "secure-runtime" -# webhook_datasource_metadata = jsonencode({ -# gcp = { -# webhook_datasource = { -# pubsub_topic_name = module.webhook-datasource.ingestion_pubsub_topic_name -# sink_name = module.webhook-datasource.ingestion_sink_name -# push_subscription_name = module.webhook-datasource.ingestion_push_subscription_name -# push_endpoint = module.webhook-datasource.push_endpoint -# routing_key = "1f6d4677-84ec-4356-bd73-c79c8a96f96a" -# } -# service_principal = { -# workload_identity_federation = { -# pool_id = module.webhook-datasource.workload_identity_pool_id -# pool_provider_id = module.webhook-datasource.workload_identity_pool_provider_id -# project_number = module.webhook-datasource.workload_identity_project_number -# } -# email = module.webhook-datasource.service_account_email -# } -# } -# }) -# } -# depends_on = [module.webhook-datasource] -# } -# TO HERE \ No newline at end of file +} \ No newline at end of file From 70263ab28075e79fb37571295c0c872e1c82237e Mon Sep 17 00:00:00 2001 From: Jose Pablo Camacho Date: Tue, 10 Sep 2024 17:52:48 -0600 Subject: [PATCH 22/32] feat(modular): address feedback for modular support for cdr/ciem, rebase and cleanup --- test/examples/modular_single_project/onboarding_with_posture.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/examples/modular_single_project/onboarding_with_posture.tf b/test/examples/modular_single_project/onboarding_with_posture.tf index 53eda45..1281087 100644 --- a/test/examples/modular_single_project/onboarding_with_posture.tf +++ b/test/examples/modular_single_project/onboarding_with_posture.tf @@ -14,7 +14,7 @@ terraform { provider "sysdig" { sysdig_secure_url = "https://secure-staging.sysdig.com" - sysdig_secure_api_token = "3aec5684-d355-4dd0-8e0e-4b87af8537f3" + sysdig_secure_api_token = "API_TOKEN" } module "onboarding" { From dfd45daf30ec3dd6642fdc37992362f49c4779e2 Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Tue, 10 Sep 2024 21:28:15 -0700 Subject: [PATCH 23/32] add explicit dependency --- modules/onboarding/main.tf | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf index 5ed3c49..499712d 100644 --- a/modules/onboarding/main.tf +++ b/modules/onboarding/main.tf @@ -114,7 +114,14 @@ resource "sysdig_secure_cloud_auth_account" "google_account" { }) } - depends_on = [google_service_account_iam_member.custom_onboarding_auth] + depends_on = [ + google_service_account.onboarding_auth, + google_service_account_iam_binding.onboarding_auth_binding, + google_iam_workload_identity_pool.onboarding_auth_pool, + google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider, + google_project_iam_member.browser, + google_service_account_iam_member.custom_onboarding_auth + ] lifecycle { ignore_changes = [ From e834d16abfafe89b6b5d95ae87edcb04a3b241e2 Mon Sep 17 00:00:00 2001 From: Jose Pablo Camacho Date: Wed, 11 Sep 2024 14:15:22 -0600 Subject: [PATCH 24/32] feat(modular): address feedback for modular support for cdr/ciem, rebase and cleanup --- modules/integrations/{webhook-datasource => pub-sub}/README.md | 2 +- modules/integrations/{webhook-datasource => pub-sub}/main.tf | 2 +- .../{webhook-datasource => pub-sub}/organizational.tf | 0 modules/integrations/{webhook-datasource => pub-sub}/outputs.tf | 0 .../integrations/{webhook-datasource => pub-sub}/variables.tf | 0 .../integrations/{webhook-datasource => pub-sub}/versions.tf | 0 modules/services/webhook-datasource/main.tf | 2 +- .../modular_organization/{webhook_datasource.tf => pub-sub.tf} | 2 +- .../{webhook_datasource.tf => pub-sub.tf} | 2 +- .../organization_cdr_test/{webhook_datasource.tf => pub-sub.tf} | 2 +- .../{webhook_datasource.tf => pub-sub.tf} | 2 +- 11 files changed, 7 insertions(+), 7 deletions(-) rename modules/integrations/{webhook-datasource => pub-sub}/README.md (99%) rename modules/integrations/{webhook-datasource => pub-sub}/main.tf (99%) rename modules/integrations/{webhook-datasource => pub-sub}/organizational.tf (100%) rename modules/integrations/{webhook-datasource => pub-sub}/outputs.tf (100%) rename modules/integrations/{webhook-datasource => pub-sub}/variables.tf (100%) rename modules/integrations/{webhook-datasource => pub-sub}/versions.tf (100%) rename test/examples/modular_organization/{webhook_datasource.tf => pub-sub.tf} (94%) rename test/examples/modular_single_project/{webhook_datasource.tf => pub-sub.tf} (94%) rename test/examples/organization_cdr_test/{webhook_datasource.tf => pub-sub.tf} (94%) rename test/examples/single_account_cdr_test/{webhook_datasource.tf => pub-sub.tf} (94%) diff --git a/modules/integrations/webhook-datasource/README.md b/modules/integrations/pub-sub/README.md similarity index 99% rename from modules/integrations/webhook-datasource/README.md rename to modules/integrations/pub-sub/README.md index e9cd058..7c9c00a 100644 --- a/modules/integrations/webhook-datasource/README.md +++ b/modules/integrations/pub-sub/README.md @@ -1,4 +1,4 @@ -# GCP Webhook Datasource Module +# GCP PubSub Module This Module creates the resources required to send AuditLogs logs to Sysdig via GCP Pub Subscription. These resources enable Threat Detection in the given GCP project or organization. Before applying the changes defined in this module, the following operations need to be performed on the target GCP environment: diff --git a/modules/integrations/webhook-datasource/main.tf b/modules/integrations/pub-sub/main.tf similarity index 99% rename from modules/integrations/webhook-datasource/main.tf rename to modules/integrations/pub-sub/main.tf index 3ba941f..66738ad 100644 --- a/modules/integrations/webhook-datasource/main.tf +++ b/modules/integrations/pub-sub/main.tf @@ -240,7 +240,7 @@ resource "google_project_iam_member" "identity_mgmt" { } #----------------------------------------------------------------------------------------------------------------------------------------- -# Call Sysdig Backend to add the webhook-datasource integration to the Sysdig Cloud Account +# Call Sysdig Backend to add the pub-sub integration to the Sysdig Cloud Account # # Note (optional): To ensure this gets called after all cloud resources are created, add # explicit dependency using depends_on diff --git a/modules/integrations/webhook-datasource/organizational.tf b/modules/integrations/pub-sub/organizational.tf similarity index 100% rename from modules/integrations/webhook-datasource/organizational.tf rename to modules/integrations/pub-sub/organizational.tf diff --git a/modules/integrations/webhook-datasource/outputs.tf b/modules/integrations/pub-sub/outputs.tf similarity index 100% rename from modules/integrations/webhook-datasource/outputs.tf rename to modules/integrations/pub-sub/outputs.tf diff --git a/modules/integrations/webhook-datasource/variables.tf b/modules/integrations/pub-sub/variables.tf similarity index 100% rename from modules/integrations/webhook-datasource/variables.tf rename to modules/integrations/pub-sub/variables.tf diff --git a/modules/integrations/webhook-datasource/versions.tf b/modules/integrations/pub-sub/versions.tf similarity index 100% rename from modules/integrations/webhook-datasource/versions.tf rename to modules/integrations/pub-sub/versions.tf diff --git a/modules/services/webhook-datasource/main.tf b/modules/services/webhook-datasource/main.tf index b86d4f7..149db43 100644 --- a/modules/services/webhook-datasource/main.tf +++ b/modules/services/webhook-datasource/main.tf @@ -1,5 +1,5 @@ ######################################################################################## -# The webhook-datasource module takes care of provisioning the necessary resources to make Sysdig's +# The pub-sub module takes care of provisioning the necessary resources to make Sysdig's # backend able to ingest data from a single GCP project. # # Before applying the changes defined in this module, the following operations need to diff --git a/test/examples/modular_organization/webhook_datasource.tf b/test/examples/modular_organization/pub-sub.tf similarity index 94% rename from test/examples/modular_organization/webhook_datasource.tf rename to test/examples/modular_organization/pub-sub.tf index 6b45215..a8f0201 100644 --- a/test/examples/modular_organization/webhook_datasource.tf +++ b/test/examples/modular_organization/pub-sub.tf @@ -4,7 +4,7 @@ #--------------------------------------------------------------------------------------------- module "webhook-datasource" { - source = "../../../modules/integrations/webhook-datasource" + source = "../../../modules/integrations/pub-sub" project_id = module.onboarding.project_id is_organizational = module.onboarding.is_organizational organization_domain = module.onboarding.organization_domain diff --git a/test/examples/modular_single_project/webhook_datasource.tf b/test/examples/modular_single_project/pub-sub.tf similarity index 94% rename from test/examples/modular_single_project/webhook_datasource.tf rename to test/examples/modular_single_project/pub-sub.tf index 9effcf5..655ce2c 100644 --- a/test/examples/modular_single_project/webhook_datasource.tf +++ b/test/examples/modular_single_project/pub-sub.tf @@ -4,7 +4,7 @@ #--------------------------------------------------------------------------------------------- module "webhook-datasource" { - source = "../../../modules/integrations/webhook-datasource" + source = "../../../modules/integrations/pub-sub" project_id = module.onboarding.project_id sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id } diff --git a/test/examples/organization_cdr_test/webhook_datasource.tf b/test/examples/organization_cdr_test/pub-sub.tf similarity index 94% rename from test/examples/organization_cdr_test/webhook_datasource.tf rename to test/examples/organization_cdr_test/pub-sub.tf index 6b45215..a8f0201 100644 --- a/test/examples/organization_cdr_test/webhook_datasource.tf +++ b/test/examples/organization_cdr_test/pub-sub.tf @@ -4,7 +4,7 @@ #--------------------------------------------------------------------------------------------- module "webhook-datasource" { - source = "../../../modules/integrations/webhook-datasource" + source = "../../../modules/integrations/pub-sub" project_id = module.onboarding.project_id is_organizational = module.onboarding.is_organizational organization_domain = module.onboarding.organization_domain diff --git a/test/examples/single_account_cdr_test/webhook_datasource.tf b/test/examples/single_account_cdr_test/pub-sub.tf similarity index 94% rename from test/examples/single_account_cdr_test/webhook_datasource.tf rename to test/examples/single_account_cdr_test/pub-sub.tf index 9effcf5..655ce2c 100644 --- a/test/examples/single_account_cdr_test/webhook_datasource.tf +++ b/test/examples/single_account_cdr_test/pub-sub.tf @@ -4,7 +4,7 @@ #--------------------------------------------------------------------------------------------- module "webhook-datasource" { - source = "../../../modules/integrations/webhook-datasource" + source = "../../../modules/integrations/pub-sub" project_id = module.onboarding.project_id sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id } From 72aafe067e256f97f160118d821241dcedc8d188 Mon Sep 17 00:00:00 2001 From: Jose Pablo Camacho Date: Wed, 11 Sep 2024 14:17:15 -0600 Subject: [PATCH 25/32] feat(modular): address feedback for modular support for cdr/ciem, rebase and cleanup --- modules/services/webhook-datasource/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/services/webhook-datasource/main.tf b/modules/services/webhook-datasource/main.tf index b7d3c30..a28709e 100644 --- a/modules/services/webhook-datasource/main.tf +++ b/modules/services/webhook-datasource/main.tf @@ -1,5 +1,5 @@ ######################################################################################## -# The pub-sub module takes care of provisioning the necessary resources to make Sysdig's +# The webhook-datasource module takes care of provisioning the necessary resources to make Sysdig's # backend able to ingest data from a single GCP project. # # Before applying the changes defined in this module, the following operations need to From 4d60c2d88e6d305643c9dca3aa852bd824337daf Mon Sep 17 00:00:00 2001 From: Jose Pablo Camacho Date: Wed, 11 Sep 2024 16:24:17 -0600 Subject: [PATCH 26/32] feat(modular): address feedback for modular support for cdr/ciem, rebase and cleanup --- modules/integrations/pub-sub/outputs.tf | 2 +- test/examples/modular_organization/pub-sub.tf | 8 ++++---- test/examples/modular_single_project/pub-sub.tf | 8 ++++---- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/modules/integrations/pub-sub/outputs.tf b/modules/integrations/pub-sub/outputs.tf index f55b862..6638b24 100644 --- a/modules/integrations/pub-sub/outputs.tf +++ b/modules/integrations/pub-sub/outputs.tf @@ -1,4 +1,4 @@ -output "webhook_datasource_component_id" { +output "pubsub_datasource_component_id" { value = "${sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource.type}/${sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource.instance}" description = "Component identifier of Webhook Datasource integration created in Sysdig Backend for Log Ingestion" depends_on = [sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource] diff --git a/test/examples/modular_organization/pub-sub.tf b/test/examples/modular_organization/pub-sub.tf index a8f0201..9dc58aa 100644 --- a/test/examples/modular_organization/pub-sub.tf +++ b/test/examples/modular_organization/pub-sub.tf @@ -3,7 +3,7 @@ # installing additional Sysdig features. #--------------------------------------------------------------------------------------------- -module "webhook-datasource" { +module "pub-sub" { source = "../../../modules/integrations/pub-sub" project_id = module.onboarding.project_id is_organizational = module.onboarding.is_organizational @@ -15,14 +15,14 @@ resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { account_id = module.onboarding.sysdig_secure_account_id type = "FEATURE_SECURE_THREAT_DETECTION" enabled = true - components = [ module.webhook-datasource.webhook_datasource_component_id ] - depends_on = [ module.webhook-datasource ] + components = [ module.pub-sub.pubsub_datasource_component_id ] + depends_on = [ module.pub-sub ] } resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" { account_id = module.onboarding.sysdig_secure_account_id type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT" enabled = true - components = [module.webhook-datasource.webhook_datasource_component_id] + components = [module.pub-sub.pubsub_datasource_component_id] depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, sysdig_secure_cloud_auth_account_feature.threat_detection] } \ No newline at end of file diff --git a/test/examples/modular_single_project/pub-sub.tf b/test/examples/modular_single_project/pub-sub.tf index 655ce2c..86114b8 100644 --- a/test/examples/modular_single_project/pub-sub.tf +++ b/test/examples/modular_single_project/pub-sub.tf @@ -3,7 +3,7 @@ # installing additional Sysdig features. #--------------------------------------------------------------------------------------------- -module "webhook-datasource" { +module "pub-sub" { source = "../../../modules/integrations/pub-sub" project_id = module.onboarding.project_id sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id @@ -13,14 +13,14 @@ resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { account_id = module.onboarding.sysdig_secure_account_id type = "FEATURE_SECURE_THREAT_DETECTION" enabled = true - components = [ module.webhook-datasource.webhook_datasource_component_id ] - depends_on = [ module.webhook-datasource ] + components = [ module.pub-sub.pubsub_datasource_component_id ] + depends_on = [ module.pub-sub ] } resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" { account_id = module.onboarding.sysdig_secure_account_id type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT" enabled = true - components = [module.webhook-datasource.webhook_datasource_component_id] + components = [module.pub-sub.pubsub_datasource_component_id] depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, sysdig_secure_cloud_auth_account_feature.threat_detection] } \ No newline at end of file From 0af9292c87df2a672d85392e54c5f8e4e6066ccf Mon Sep 17 00:00:00 2001 From: Jose Pablo Camacho Date: Fri, 13 Sep 2024 16:41:54 -0600 Subject: [PATCH 27/32] feat(modular): address feedback for modular support for cdr/ciem, rebase and cleanup --- test/examples/modular_organization/pub-sub.tf | 2 +- .../modular_single_project/pub-sub.tf | 2 +- .../examples/organization_cdr_test/pub-sub.tf | 28 ------------------- .../single_account_cdr_test/pub-sub.tf | 26 ----------------- 4 files changed, 2 insertions(+), 56 deletions(-) delete mode 100644 test/examples/organization_cdr_test/pub-sub.tf delete mode 100644 test/examples/single_account_cdr_test/pub-sub.tf diff --git a/test/examples/modular_organization/pub-sub.tf b/test/examples/modular_organization/pub-sub.tf index 9dc58aa..691c6e9 100644 --- a/test/examples/modular_organization/pub-sub.tf +++ b/test/examples/modular_organization/pub-sub.tf @@ -24,5 +24,5 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" { type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT" enabled = true components = [module.pub-sub.pubsub_datasource_component_id] - depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, sysdig_secure_cloud_auth_account_feature.threat_detection] + depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture] } \ No newline at end of file diff --git a/test/examples/modular_single_project/pub-sub.tf b/test/examples/modular_single_project/pub-sub.tf index 86114b8..be8e2e3 100644 --- a/test/examples/modular_single_project/pub-sub.tf +++ b/test/examples/modular_single_project/pub-sub.tf @@ -22,5 +22,5 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" { type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT" enabled = true components = [module.pub-sub.pubsub_datasource_component_id] - depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, sysdig_secure_cloud_auth_account_feature.threat_detection] + depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture] } \ No newline at end of file diff --git a/test/examples/organization_cdr_test/pub-sub.tf b/test/examples/organization_cdr_test/pub-sub.tf deleted file mode 100644 index a8f0201..0000000 --- a/test/examples/organization_cdr_test/pub-sub.tf +++ /dev/null @@ -1,28 +0,0 @@ -#--------------------------------------------------------------------------------------------- -# Ensure installation flow for foundational onboarding has been completed before -# installing additional Sysdig features. -#--------------------------------------------------------------------------------------------- - -module "webhook-datasource" { - source = "../../../modules/integrations/pub-sub" - project_id = module.onboarding.project_id - is_organizational = module.onboarding.is_organizational - organization_domain = module.onboarding.organization_domain - sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id -} - -resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { - account_id = module.onboarding.sysdig_secure_account_id - type = "FEATURE_SECURE_THREAT_DETECTION" - enabled = true - components = [ module.webhook-datasource.webhook_datasource_component_id ] - depends_on = [ module.webhook-datasource ] -} - -resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" { - account_id = module.onboarding.sysdig_secure_account_id - type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT" - enabled = true - components = [module.webhook-datasource.webhook_datasource_component_id] - depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, sysdig_secure_cloud_auth_account_feature.threat_detection] -} \ No newline at end of file diff --git a/test/examples/single_account_cdr_test/pub-sub.tf b/test/examples/single_account_cdr_test/pub-sub.tf deleted file mode 100644 index 655ce2c..0000000 --- a/test/examples/single_account_cdr_test/pub-sub.tf +++ /dev/null @@ -1,26 +0,0 @@ -#--------------------------------------------------------------------------------------------- -# Ensure installation flow for foundational onboarding has been completed before -# installing additional Sysdig features. -#--------------------------------------------------------------------------------------------- - -module "webhook-datasource" { - source = "../../../modules/integrations/pub-sub" - project_id = module.onboarding.project_id - sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id -} - -resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { - account_id = module.onboarding.sysdig_secure_account_id - type = "FEATURE_SECURE_THREAT_DETECTION" - enabled = true - components = [ module.webhook-datasource.webhook_datasource_component_id ] - depends_on = [ module.webhook-datasource ] -} - -resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" { - account_id = module.onboarding.sysdig_secure_account_id - type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT" - enabled = true - components = [module.webhook-datasource.webhook_datasource_component_id] - depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, sysdig_secure_cloud_auth_account_feature.threat_detection] -} \ No newline at end of file From d5c0e1172af77090ef7b88592cd8bf6af7fbd12d Mon Sep 17 00:00:00 2001 From: Jose Pablo Camacho Date: Mon, 16 Sep 2024 09:59:10 -0600 Subject: [PATCH 28/32] feat(modular): address feedback for modular support for cdr/ciem, rebase and cleanup --- test/examples/modular_organization/pub-sub.tf | 2 +- test/examples/modular_single_project/pub-sub.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test/examples/modular_organization/pub-sub.tf b/test/examples/modular_organization/pub-sub.tf index 691c6e9..7cbaad9 100644 --- a/test/examples/modular_organization/pub-sub.tf +++ b/test/examples/modular_organization/pub-sub.tf @@ -24,5 +24,5 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" { type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT" enabled = true components = [module.pub-sub.pubsub_datasource_component_id] - depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture] + depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub] } \ No newline at end of file diff --git a/test/examples/modular_single_project/pub-sub.tf b/test/examples/modular_single_project/pub-sub.tf index be8e2e3..dbe4c43 100644 --- a/test/examples/modular_single_project/pub-sub.tf +++ b/test/examples/modular_single_project/pub-sub.tf @@ -22,5 +22,5 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" { type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT" enabled = true components = [module.pub-sub.pubsub_datasource_component_id] - depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture] + depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub] } \ No newline at end of file From c0ede5fd1827f0c775cfdb5cfa4cde85ce56a9e8 Mon Sep 17 00:00:00 2001 From: Jose Pablo Camacho Date: Mon, 16 Sep 2024 12:10:04 -0600 Subject: [PATCH 29/32] feat(modular): address feedback for modular support for cdr/ciem, rebase and cleanup --- modules/integrations/pub-sub/README.md | 43 ++++++++++++------- modules/integrations/pub-sub/outputs.tf | 2 +- modules/integrations/pub-sub/variables.tf | 2 +- test/examples/modular_organization/pub-sub.tf | 4 +- .../modular_single_project/pub-sub.tf | 4 +- 5 files changed, 33 insertions(+), 22 deletions(-) diff --git a/modules/integrations/pub-sub/README.md b/modules/integrations/pub-sub/README.md index 7c9c00a..bda468b 100644 --- a/modules/integrations/pub-sub/README.md +++ b/modules/integrations/pub-sub/README.md @@ -58,28 +58,39 @@ No modules. | [google_iam_workload_identity_pool_provider.ingestion_auth_pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource | | [google_project_iam_custom_role.custom_ingestion_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam_custom_role) | resource | | [google_project_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/3.22.0/docs/resources/google_project_iam#google_project_iam_member) | resource | +| [google_project_iam_member.identity_mgmt](https://registry.terraform.io/providers/hashicorp/google/3.22.0/docs/resources/google_project_iam#google_project_iam_member) | resource | | [google_service_account_iam_member.custom_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member) | resource | | [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source | +| [sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource | +| [sysdig_secure_tenant_external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source | +| [sysdig_secure_cloud_ingestion_assets](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_cloud_ingestion_assets) | data source | | [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source | +| [google_organization.org](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/organization) | data source | +| [google_organization_iam_audit_config.audit_config](https://registry.terraform.io/providers/hashicorp/google/3.24.0/docs/resources/google_organization_iam_audit_config) | resource | +| [google_logging_organization_sink.ingestion_sink](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/logging_organization_sink) | resoruce | +| [google_organization_iam_custom_role.custom_ingestion_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam_custom_role) | resource | +| [google_organization_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource | +| [google_organization_iam_member.identity_mgmt](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [ack\_deadline\_seconds](#input\_ack\_deadline\_seconds) | (Optional) Maximum time in seconds after Sysdig's subscriber receives a message before the subscriber should acknowledge the message | `number` | `60` | no | -| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | -| [labels](#input\_labels) | (Optional) Labels to be associated with Sysdig-originated resources | `map(string)` | 
{
  "originator": "sysdig"
}
| no | -| [max\_delivery\_attempts](#input\_max\_delivery\_attempts) | (Optional) Number of attempts redelivering missed messages from the deadletter topic to the main one | `number` | `5` | no | -| [maximum\_backoff](#input\_maximum\_backoff) | (Optional) Maximum backoff time for exponential backoff of the push subscription retry policy | `string` | `"600s"` | no | -| [message\_retention\_duration](#input\_message\_retention\_duration) | (Optional) How long unacknowledged messages are retained in Sysdig's subscription backlog, from the moment a message is published | `string` | `"604800s"` | no | -| [minimum\_backoff](#input\_minimum\_backoff) | (Optional) Minimum backoff time for exponential backoff of the push subscription retry policy | `string` | `"10s"` | no | -| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | -| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | -| [role\_name](#input\_role\_name) | (Optional) Role name for custom role binding to the service account, with read permissions for data ingestion resources | `string` | `"SysdigIngestionAuthRole"` | no | -| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | -| [audit\_log\_config](#input\_audit\_log\_config) | List of services and their audit log configurations to be ingested. Default is to ingest all logs. | 
list(object({
    service = string,
    log_config = list(object({
      log_type         = string,
      exempted_members = optional(list(string))
    }))
  }))
| 
[
  {
    "log_config": [
      {
        "log_type": "ADMIN_READ"
      },
      {
        "log_type": "DATA_READ"
      },
      {
        "log_type": "DATA_WRITE"
      }
    ],
    "service": "allServices"
  }
]
| no | -| [ingestion\_sink\_filter](#input\_ingestion\_sink\_filter) | Filter the Sink is set up with. Ingests AuditLogs by default. | `string` | `protoPayload.@type = "type.googleapis.com/google.cloud.audit.AuditLog"` | no | -| [exclude\_logs\_filter](#input\_exclude\_logs\_filter) | Filter to exclude logs from ingestion. Default is to ingest all google.cloud.audit.AuditLog logs. with no exclusions. | 
list(object({
    name        = string,
    description = optional(string),
    filter      = string,
    disabled    = optional(bool)
  }))
| `[]` | no | +| Name | Description | Type | Default | Required | +|----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------:| +| [ack\_deadline\_seconds](#input\_ack\_deadline\_seconds) | (Optional) Maximum time in seconds after Sysdig's subscriber receives a message before the subscriber should acknowledge the message | `number` | `60` | no | +| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | +| [labels](#input\_labels) | (Optional) Labels to be associated with Sysdig-originated resources | `map(string)` | 
{
  "originator": "sysdig"
}
| no | +| [max\_delivery\_attempts](#input\_max\_delivery\_attempts) | (Optional) Number of attempts redelivering missed messages from the deadletter topic to the main one | `number` | `5` | no | +| [maximum\_backoff](#input\_maximum\_backoff) | (Optional) Maximum backoff time for exponential backoff of the push subscription retry policy | `string` | `"600s"` | no | +| [message\_retention\_duration](#input\_message\_retention\_duration) | (Optional) How long unacknowledged messages are retained in Sysdig's subscription backlog, from the moment a message is published | `string` | `"604800s"` | no | +| [minimum\_backoff](#input\_minimum\_backoff) | (Optional) Minimum backoff time for exponential backoff of the push subscription retry policy | `string` | `"10s"` | no | +| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | +| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | +| [role\_name](#input\_role\_name) | (Optional) Role name for custom role binding to the service account, with read permissions for data ingestion resources | `string` | `"SysdigIngestionAuthRole"` | no | +| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | +| [audit\_log\_config](#input\_audit\_log\_config) | List of services and their audit log configurations to be ingested. Default is to ingest all logs. | 
list(object({
    service = string,
    log_config = list(object({
      log_type         = string,
      exempted_members = optional(list(string))
    }))
  }))
| 
[
  {
    "log_config": [
      {
        "log_type": "ADMIN_READ"
      },
      {
        "log_type": "DATA_READ"
      },
      {
        "log_type": "DATA_WRITE"
      }
    ],
    "service": "allServices"
  }
]
| no | +| [ingestion\_sink\_filter](#input\_ingestion\_sink\_filter) | Filter the Sink is set up with. Ingests AuditLogs by default. | `string` | `protoPayload.@type = "type.googleapis.com/google.cloud.audit.AuditLog"` | no | +| [exclude\_logs\_filter](#input\_exclude\_logs\_filter) | Filter to exclude logs from ingestion. Default is to ingest all google.cloud.audit.AuditLog logs. with no exclusions. | 
list(object({
    name        = string,
    description = optional(string),
    filter      = string,
    disabled    = optional(bool)
  }))
| `[]` | no | +| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Event Bridge integration for (incase of organization, ID of the Sysdig management account) | `string` | `""` | no | ## Outputs diff --git a/modules/integrations/pub-sub/outputs.tf b/modules/integrations/pub-sub/outputs.tf index 6638b24..f55b862 100644 --- a/modules/integrations/pub-sub/outputs.tf +++ b/modules/integrations/pub-sub/outputs.tf @@ -1,4 +1,4 @@ -output "pubsub_datasource_component_id" { +output "webhook_datasource_component_id" { value = "${sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource.type}/${sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource.instance}" description = "Component identifier of Webhook Datasource integration created in Sysdig Backend for Log Ingestion" depends_on = [sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource] diff --git a/modules/integrations/pub-sub/variables.tf b/modules/integrations/pub-sub/variables.tf index 6541b5f..df19f63 100644 --- a/modules/integrations/pub-sub/variables.tf +++ b/modules/integrations/pub-sub/variables.tf @@ -105,5 +105,5 @@ variable "ingestion_sink_filter" { variable "sysdig_secure_account_id" { type = string - description = "ID of the Sysdig Cloud Account to enable Event Bridge integration for (incase of organization, ID of the Sysdig management account)" + description = "ID of the Sysdig Cloud Account to enable to enable Webhook Datasource integration for (incase of organization, ID of the Sysdig management account)" } \ No newline at end of file diff --git a/test/examples/modular_organization/pub-sub.tf b/test/examples/modular_organization/pub-sub.tf index 7cbaad9..6325553 100644 --- a/test/examples/modular_organization/pub-sub.tf +++ b/test/examples/modular_organization/pub-sub.tf @@ -15,7 +15,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { account_id = module.onboarding.sysdig_secure_account_id type = "FEATURE_SECURE_THREAT_DETECTION" enabled = true - components = [ module.pub-sub.pubsub_datasource_component_id ] + components = [ module.pub-sub.webhook_datasource_component_id ] depends_on = [ module.pub-sub ] } @@ -23,6 +23,6 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" { account_id = module.onboarding.sysdig_secure_account_id type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT" enabled = true - components = [module.pub-sub.pubsub_datasource_component_id] + components = [module.pub-sub.webhook_datasource_component_id] depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub] } \ No newline at end of file diff --git a/test/examples/modular_single_project/pub-sub.tf b/test/examples/modular_single_project/pub-sub.tf index dbe4c43..4983358 100644 --- a/test/examples/modular_single_project/pub-sub.tf +++ b/test/examples/modular_single_project/pub-sub.tf @@ -13,7 +13,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { account_id = module.onboarding.sysdig_secure_account_id type = "FEATURE_SECURE_THREAT_DETECTION" enabled = true - components = [ module.pub-sub.pubsub_datasource_component_id ] + components = [ module.pub-sub.webhook_datasource_component_id ] depends_on = [ module.pub-sub ] } @@ -21,6 +21,6 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" { account_id = module.onboarding.sysdig_secure_account_id type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT" enabled = true - components = [module.pub-sub.pubsub_datasource_component_id] + components = [module.pub-sub.webhook_datasource_component_id] depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub] } \ No newline at end of file From 30d4786782a9536655ae048c08936499063fd6a7 Mon Sep 17 00:00:00 2001 From: Jose Pablo Camacho Date: Tue, 17 Sep 2024 09:27:24 -0600 Subject: [PATCH 30/32] feat(modular): address feedback for modular support for cdr/ciem, rebase and cleanup --- modules/integrations/pub-sub/README.md | 9 ++++----- modules/integrations/pub-sub/main.tf | 11 ++++++----- modules/integrations/pub-sub/organizational.tf | 4 ++-- modules/integrations/pub-sub/outputs.tf | 6 +++--- modules/integrations/pub-sub/variables.tf | 8 +------- test/examples/modular_organization/pub-sub.tf | 4 ++-- test/examples/modular_single_project/pub-sub.tf | 4 ++-- 7 files changed, 20 insertions(+), 26 deletions(-) diff --git a/modules/integrations/pub-sub/README.md b/modules/integrations/pub-sub/README.md index bda468b..27d53a6 100644 --- a/modules/integrations/pub-sub/README.md +++ b/modules/integrations/pub-sub/README.md @@ -61,7 +61,7 @@ No modules. | [google_project_iam_member.identity_mgmt](https://registry.terraform.io/providers/hashicorp/google/3.22.0/docs/resources/google_project_iam#google_project_iam_member) | resource | | [google_service_account_iam_member.custom_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member) | resource | | [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source | -| [sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource | +| [sysdig_secure_cloud_auth_account_component.gcp_pubsub_datasource](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource | | [sysdig_secure_tenant_external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source | | [sysdig_secure_cloud_ingestion_assets](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_cloud_ingestion_assets) | data source | | [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source | @@ -85,7 +85,6 @@ No modules. | [minimum\_backoff](#input\_minimum\_backoff) | (Optional) Minimum backoff time for exponential backoff of the push subscription retry policy | `string` | `"10s"` | no | | [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | | [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | -| [role\_name](#input\_role\_name) | (Optional) Role name for custom role binding to the service account, with read permissions for data ingestion resources | `string` | `"SysdigIngestionAuthRole"` | no | | [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | | [audit\_log\_config](#input\_audit\_log\_config) | List of services and their audit log configurations to be ingested. Default is to ingest all logs. | 
list(object({
    service = string,
    log_config = list(object({
      log_type         = string,
      exempted_members = optional(list(string))
    }))
  }))
| 
[
  {
    "log_config": [
      {
        "log_type": "ADMIN_READ"
      },
      {
        "log_type": "DATA_READ"
      },
      {
        "log_type": "DATA_WRITE"
      }
    ],
    "service": "allServices"
  }
]
| no | | [ingestion\_sink\_filter](#input\_ingestion\_sink\_filter) | Filter the Sink is set up with. Ingests AuditLogs by default. | `string` | `protoPayload.@type = "type.googleapis.com/google.cloud.audit.AuditLog"` | no | @@ -94,9 +93,9 @@ No modules. ## Outputs -| Name | Description | -|---------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------| -| [webhook\_datasource\_component\_id](#webhook\_datasource\_component\_id) | Component identifier of Webhook Datasource integration created in Sysdig Backend for Log Ingestion | +| Name | Description | +|------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------| +| [pubsub\_datasource\_component\_id](#pubsub\_datasource\_component\_id) | Component identifier of Pub Sub integration created in Sysdig Backend for Log Ingestion | diff --git a/modules/integrations/pub-sub/main.tf b/modules/integrations/pub-sub/main.tf index 66738ad..e87f34d 100644 --- a/modules/integrations/pub-sub/main.tf +++ b/modules/integrations/pub-sub/main.tf @@ -29,12 +29,13 @@ data "sysdig_secure_cloud_ingestion_assets" "assets" {} #----------------------------------------------------------------------------------------- locals { suffix = var.suffix == null ? random_id.suffix[0].hex : var.suffix + role_name = "SysdigIngestionAuthRole" } #----------------------------------------------------------------------------------------------------------------------- -# A random resource is used to generate unique Webhook Datasource name suffix for resources. -# This prevents conflicts when recreating an Webhook Datasource resources with the same name. +# A random resource is used to generate unique Pub Sub name suffix for resources. +# This prevents conflicts when recreating a Pub Sub resources with the same name. #----------------------------------------------------------------------------------------------------------------------- resource "random_id" "suffix" { count = var.suffix == null ? 1 : 0 @@ -201,7 +202,7 @@ resource "google_project_iam_custom_role" "custom_ingestion_auth_role" { count = var.is_organizational ? 0 : 1 project = var.project_id - role_id = "${var.role_name}${local.suffix}" + role_id = "${local.role_name}${local.suffix}" title = "Sysdigcloud Ingestion Auth Role" description = "A Role providing the required permissions for Sysdig Backend to read cloud resources created for data ingestion" permissions = [ @@ -246,7 +247,7 @@ resource "google_project_iam_member" "identity_mgmt" { # explicit dependency using depends_on #----------------------------------------------------------------------------------------------------------------------------------------- -resource "sysdig_secure_cloud_auth_account_component" "gcp_webhook_datasource" { +resource "sysdig_secure_cloud_auth_account_component" "gcp_pubsub_datasource" { account_id = var.sysdig_secure_account_id type = "COMPONENT_WEBHOOK_DATASOURCE" instance = "secure-runtime" @@ -258,7 +259,7 @@ resource "sysdig_secure_cloud_auth_account_component" "gcp_webhook_datasource" { sink_name = var.is_organizational ? google_logging_organization_sink.ingestion_sink[0].name : google_logging_project_sink.ingestion_sink[0].name push_subscription_name = google_pubsub_subscription.ingestion_topic_push_subscription.name push_endpoint = google_pubsub_subscription.ingestion_topic_push_subscription.push_config[0].push_endpoint - routing_key = "1f6d4677-84ec-4356-bd73-c79c8a96f96a" + routing_key = data.sysdig_secure_cloud_ingestion_assets.assets.gcp_routing_key } service_principal = { workload_identity_federation = { diff --git a/modules/integrations/pub-sub/organizational.tf b/modules/integrations/pub-sub/organizational.tf index 664c285..b721906 100644 --- a/modules/integrations/pub-sub/organizational.tf +++ b/modules/integrations/pub-sub/organizational.tf @@ -63,8 +63,8 @@ resource "google_organization_iam_custom_role" "custom_ingestion_auth_role" { count = var.is_organizational ? 1 : 0 org_id = data.google_organization.org[0].org_id - role_id = "${var.role_name}Org${local.suffix}" - title = "Sysdigcloud Ingestion Auth Role" + role_id = "${local.role_name}Org${local.suffix}" + title = "Sysdigcloud Ingestion Org Auth Role" description = "A Role providing the required permissions for Sysdig Backend to read cloud resources created for data ingestion" permissions = [ "pubsub.topics.get", diff --git a/modules/integrations/pub-sub/outputs.tf b/modules/integrations/pub-sub/outputs.tf index f55b862..a1f7b73 100644 --- a/modules/integrations/pub-sub/outputs.tf +++ b/modules/integrations/pub-sub/outputs.tf @@ -1,5 +1,5 @@ -output "webhook_datasource_component_id" { - value = "${sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource.type}/${sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource.instance}" +output "pubsub_datasource_component_id" { + value = "${sysdig_secure_cloud_auth_account_component.gcp_pubsub_datasource.type}/${sysdig_secure_cloud_auth_account_component.gcp_pubsub_datasource.instance}" description = "Component identifier of Webhook Datasource integration created in Sysdig Backend for Log Ingestion" - depends_on = [sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource] + depends_on = [sysdig_secure_cloud_auth_account_component.gcp_pubsub_datasource] } \ No newline at end of file diff --git a/modules/integrations/pub-sub/variables.tf b/modules/integrations/pub-sub/variables.tf index df19f63..6cf397b 100644 --- a/modules/integrations/pub-sub/variables.tf +++ b/modules/integrations/pub-sub/variables.tf @@ -53,12 +53,6 @@ variable "organization_domain" { default = "" } -variable "role_name" { - type = string - description = "Name for the Ingestion auth Role on the Customer infrastructure" - default = "SysdigIngestionAuthRole" -} - variable "suffix" { type = string description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated" @@ -105,5 +99,5 @@ variable "ingestion_sink_filter" { variable "sysdig_secure_account_id" { type = string - description = "ID of the Sysdig Cloud Account to enable to enable Webhook Datasource integration for (incase of organization, ID of the Sysdig management account)" + description = "ID of the Sysdig Cloud Account to enable to enable Pub Sub integration for (incase of organization, ID of the Sysdig management account)" } \ No newline at end of file diff --git a/test/examples/modular_organization/pub-sub.tf b/test/examples/modular_organization/pub-sub.tf index 6325553..7cbaad9 100644 --- a/test/examples/modular_organization/pub-sub.tf +++ b/test/examples/modular_organization/pub-sub.tf @@ -15,7 +15,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { account_id = module.onboarding.sysdig_secure_account_id type = "FEATURE_SECURE_THREAT_DETECTION" enabled = true - components = [ module.pub-sub.webhook_datasource_component_id ] + components = [ module.pub-sub.pubsub_datasource_component_id ] depends_on = [ module.pub-sub ] } @@ -23,6 +23,6 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" { account_id = module.onboarding.sysdig_secure_account_id type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT" enabled = true - components = [module.pub-sub.webhook_datasource_component_id] + components = [module.pub-sub.pubsub_datasource_component_id] depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub] } \ No newline at end of file diff --git a/test/examples/modular_single_project/pub-sub.tf b/test/examples/modular_single_project/pub-sub.tf index 4983358..dbe4c43 100644 --- a/test/examples/modular_single_project/pub-sub.tf +++ b/test/examples/modular_single_project/pub-sub.tf @@ -13,7 +13,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { account_id = module.onboarding.sysdig_secure_account_id type = "FEATURE_SECURE_THREAT_DETECTION" enabled = true - components = [ module.pub-sub.webhook_datasource_component_id ] + components = [ module.pub-sub.pubsub_datasource_component_id ] depends_on = [ module.pub-sub ] } @@ -21,6 +21,6 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" { account_id = module.onboarding.sysdig_secure_account_id type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT" enabled = true - components = [module.pub-sub.webhook_datasource_component_id] + components = [module.pub-sub.pubsub_datasource_component_id] depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub] } \ No newline at end of file From 634ce2a55855cb93bed89583a51d3e4794153436 Mon Sep 17 00:00:00 2001 From: jose-pablo-camacho Date: Mon, 16 Sep 2024 16:39:09 -0600 Subject: [PATCH 31/32] enhance(modular): use org domain instead of org ID for gcp api enablement (#40) --- .../cdr_ciem/main.tf | 19 +++++++++++++++---- .../organization_api_enablement/cspm/main.tf | 19 +++++++++++++++---- .../organization_api_enablement/vm/main.tf | 17 ++++++++++++++--- 3 files changed, 44 insertions(+), 11 deletions(-) diff --git a/test/examples/organization_api_enablement/cdr_ciem/main.tf b/test/examples/organization_api_enablement/cdr_ciem/main.tf index 58e2528..2179f67 100644 --- a/test/examples/organization_api_enablement/cdr_ciem/main.tf +++ b/test/examples/organization_api_enablement/cdr_ciem/main.tf @@ -9,7 +9,6 @@ The APIs needed for the CDR/CIEM feature are listed below: # Set local variables for Organization ID and API services to enable locals { - organizationID = "933620940614" services = [ "pubsub.googleapis.com" ] @@ -33,7 +32,11 @@ provider "google" { # Get list of projects under the specified organization data "google_projects" "organization_projects" { - filter = "parent.type:organization parent.id:${local.organizationID}" + filter = "parent.type:organization parent.id:${data.google_organization.org.org_id}" +} + +data "google_organization" "org" { + domain = "draios.com" } data "local_file" "projects_from_folder" { @@ -65,7 +68,7 @@ resource "null_resource" "get_projects_from_folders" { provisioner "local-exec" { command = < "project_ids.json" echo "Projects listed and saved to local file." diff --git a/test/examples/organization_api_enablement/cspm/main.tf b/test/examples/organization_api_enablement/cspm/main.tf index 3b4349c..4321609 100644 --- a/test/examples/organization_api_enablement/cspm/main.tf +++ b/test/examples/organization_api_enablement/cspm/main.tf @@ -16,7 +16,6 @@ In addition, since CSPM is needed for onboard any GCP project these other APIs a # Set local variables for Organization ID and API services to enable locals { - organizationID = "933620940614" services = [ # CSPM specific APIs "sts.googleapis.com", @@ -49,7 +48,11 @@ provider "google" { # Get list of projects under the specified organization data "google_projects" "organization_projects" { - filter = "parent.type:organization parent.id:${local.organizationID}" + filter = "parent.type:organization parent.id:${data.google_organization.org.org_id}" +} + +data "google_organization" "org" { + domain = "draios.com" } data "local_file" "projects_from_folder" { @@ -81,7 +84,7 @@ resource "null_resource" "get_projects_from_folders" { provisioner "local-exec" { command = < "project_ids.json" echo "Projects listed and saved to local file." diff --git a/test/examples/organization_api_enablement/vm/main.tf b/test/examples/organization_api_enablement/vm/main.tf index ae54c1c..e395948 100644 --- a/test/examples/organization_api_enablement/vm/main.tf +++ b/test/examples/organization_api_enablement/vm/main.tf @@ -9,7 +9,6 @@ The APIs needed for the VM feature are listed below: # Set local variables for Organization ID and API services to enable locals { - organizationID = "933620940614" services = [ "compute.googleapis.com" ] @@ -33,7 +32,11 @@ provider "google" { # Get list of projects under the specified organization data "google_projects" "organization_projects" { - filter = "parent.type:organization parent.id:${local.organizationID}" + filter = "parent.type:organization parent.id:${data.google_organization.org.org_id}" +} + +data "google_organization" "org" { + domain = "draios.com" } data "local_file" "projects_from_folder" { @@ -66,7 +69,7 @@ resource "null_resource" "get_projects_from_folders" { provisioner "local-exec" { command = < "project_ids.json" From 11655a0d0b5f9ce74c0e5858fb96d7be11d30386 Mon Sep 17 00:00:00 2001 From: Jose Pablo Camacho Date: Tue, 17 Sep 2024 10:20:50 -0600 Subject: [PATCH 32/32] rebase and merge fix --- modules/integrations/pub-sub/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/integrations/pub-sub/main.tf b/modules/integrations/pub-sub/main.tf index e87f34d..afe2c9e 100644 --- a/modules/integrations/pub-sub/main.tf +++ b/modules/integrations/pub-sub/main.tf @@ -28,7 +28,7 @@ data "sysdig_secure_cloud_ingestion_assets" "assets" {} # These locals indicate the suffix to create unique name for resources #----------------------------------------------------------------------------------------- locals { - suffix = var.suffix == null ? random_id.suffix[0].hex : var.suffix + suffix = var.suffix == null ? random_id.suffix[0].hex : var.suffix role_name = "SysdigIngestionAuthRole" }