sysdiglabs · jose-pablo-camacho · Sep 17, 2024 · Sep 5, 2024 · Sep 5, 2024 · Sep 5, 2024
diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md
@@ -0,0 +1,81 @@
+# GCP Config Posture Module
+
+This module will deploy Config Posture resources in GCP for a single project, or for a GCP Organization.
+The Config Posture module serves the following functions:
+- retrieving inventory for single project, or for all projects within an Organization.
+- retrieving organization metadata in the case of organizational onboarding within GCP Organization.
+
+If instrumenting a project, the following resources will be created:
+- All the necessary `Service Accounts` and `Policies` to enable the Config posture operation at the project level
+- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources.
+- A cloud account component in the Sysdig Backend, associated with the GCP project and with the required component to serve the config posture functions.
+
+If instrumenting an Organziation, the following resources will be created:
+- All the necessary `Service Accounts` and `Policies` to enable the Config Posture operation at the organization level
+- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources.
+- A cloud account component in the Sysdig Backend, associated with the GCP project and with the required component to serve the config posture functions.
+
+Note:
+- The outputs from the foundational module, such as `sysdig_secure_project_id` are needed as inputs to the other features/integrations modules for subsequent modular installs.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | >= 4.21.0 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 1.23.1 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | 5.0.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3.1 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| [google_service_account.posture_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_service_account_iam_binding.posture_auth_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource |
+| [google_organization.org](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/organization) | data source |
+| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
+| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
+| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [google_iam_workload_identity_pool.posture_auth_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool) | resource |
+| [google_iam_workload_identity_pool_provider.posture_auth_pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource |
+| [google_project_iam_custom_role.custom_posture_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam_custom_role) | resource |
+| [google_project_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) | resource |
+| [google_service_account_iam_member.custom_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member) | resource |
+| [google_organization_iam_custom_role.custom_posture_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam_custom_role) | resource |
+| [google_organization_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource |
+
+## Inputs
+
+| Name                                                                                                             | Description                                                                                                               | Type | Default                                       | Required |
+|------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|------|-----------------------------------------------|:--------:|
+| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational)                          | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization.                                     | `bool` | `false`                                       |    no    |
+| <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain)                    | Organization domain. e.g. sysdig.com                                                                                      | `string` | `""`                                          |    no    |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id)                                               | (Required) Target Project identifier provided by the customer                                                             | `string` | n/a                                           |   yes    |
+| <a name="input_suffix"></a> [suffix](#input\_suffix)                                                             | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null`                                        |    no    |
+| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) The GUID of the management project or single project per sysdig representation                                 | `string` | n/a                                           |   yes    |
+| <a name="input_management_group_ids"></a> [management\_group\_ids](#input\_management\_group\_ids)               | (Optional) Management group ids to onboard sub ogs or folders like 'organizations/sysdig.com' or 'folders/test-1'         | `string` | n/a                                           |    no    |
+
+## Outputs
+
+| Name                                                                                                                                 | Description                                                                    |
+|--------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------|
+| <a name="output_service_principal_component_id"></a> [service\_principal\_component\_id](#output\_service\_principal\_component\_id) | The component id of the config posture service principal with its WIF metadata |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Authors
+
+Module is maintained by [Sysdig](https://sysdig.com).
+
+## License
+
+Apache 2 Licensed. See LICENSE for full details.
diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf
@@ -0,0 +1,108 @@
+#------------------------------------------------------------------#
+# Fetch and compute required data for Workload Identity Federation #
+#------------------------------------------------------------------#
+
+data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
+  cloud_provider = "gcp"
+}
+
+data "sysdig_secure_tenant_external_id" "external_id" {}
+
+data "google_project" "project" {
+  project_id = var.project_id
+}
+
+// suffix to uniquely identify WIF pool and provider during multiple installs. If suffix value is not provided, this will generate a random value.
+resource "random_id" "suffix" {
+  count       = var.suffix == null ? 1 : 0
+  byte_length = 3
+}
+
+locals {
+  suffix = var.suffix == null ? random_id.suffix[0].hex : var.suffix
+}
+
+resource "google_service_account" "posture_auth" {
+  # service account name cannot be longer than 30 characters
+  account_id   = "sysdig-posture-${local.suffix}"
+  display_name = "Sysdig Config Posture Auth Service Account"
+  project      = var.project_id
+}
+
+resource "google_service_account_iam_binding" "posture_auth_binding" {
+  service_account_id = google_service_account.posture_auth.name
+  role               = "roles/iam.workloadIdentityUser"
+
+  members = [
+    "serviceAccount:${google_service_account.posture_auth.email}",
+  ]
+}
+
+#------------------------------------------------------------#
+# Configure Workload Identity Federation for auth            #
+# See https://cloud.google.com/iam/docs/access-resources-aws #
+#------------------------------------------------------------#
+
+resource "google_iam_workload_identity_pool" "posture_auth_pool" {
+  project                   = var.project_id
+  workload_identity_pool_id = "sysdig-secure-posture-${local.suffix}"
+}
+
+resource "google_iam_workload_identity_pool_provider" "posture_auth_pool_provider" {
+  project                            = var.project_id
+  workload_identity_pool_id          = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id
+  workload_identity_pool_provider_id = "sysdig-posture-${local.suffix}"
+  display_name                       = "Sysdigcloud config posture auth"
+  description                        = "AWS identity pool provider for Sysdig Secure Data Config Posture resources"
+  disabled                           = false
+
+  attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\""
+
+  attribute_mapping = {
+    "google.subject"     = "assertion.arn",
+    "attribute.aws_role" = "assertion.arn"
+  }
+
+  aws {
+    account_id = data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id
+  }
+}
+
+#---------------------------------------------------------------------------------------------
+# role permissions for CSPM (GCP Predefined Roles for Sysdig Cloud Secure Posture Management)
+#---------------------------------------------------------------------------------------------
+resource "google_project_iam_member" "cspm" {
+  for_each = var.is_organizational ? [] : toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer"])
+
+  project = var.project_id
+  role    = each.key
+  member  = "serviceAccount:${google_service_account.posture_auth.email}"
+}
+
+# attaching WIF as a member to the service account for auth
+resource "google_service_account_iam_member" "custom_posture_auth" {
+  service_account_id = google_service_account.posture_auth.name
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}"
+}
+
+#--------------------------------------------------------------------------------------------------------------
+# Call Sysdig Backend to add the service-principal integration for Config Posture to the Sysdig Cloud Account
+#--------------------------------------------------------------------------------------------------------------
+resource "sysdig_secure_cloud_auth_account_component" "google_service_principal" {
+  account_id = var.sysdig_secure_account_id
+  type       = "COMPONENT_SERVICE_PRINCIPAL"
+  instance   = "secure-posture"
+  version    = "v0.1.0"
+  service_principal_metadata = jsonencode({
+    gcp = {
+      workload_identity_federation = {
+        pool_id          = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id
+        pool_provider_id = google_iam_workload_identity_pool_provider.posture_auth_pool_provider.workload_identity_pool_provider_id
+        project_number   = data.google_project.project.number
+      }
+      email = google_service_account.posture_auth.email
+    }
+  })
+  depends_on = [google_service_account_iam_member.custom_posture_auth]
+}
diff --git a/modules/config-posture/organizational.tf b/modules/config-posture/organizational.tf
@@ -0,0 +1,23 @@
+#--------------#
+# Organization #
+#--------------#
+
+data "google_organization" "org" {
+  count  = var.is_organizational ? 1 : 0
+  domain = var.organization_domain
+}
+
+###################################################
+# Setup Service Account permissions
+###################################################
+
+#---------------------------------------------------------------------------------------------
+# role permissions for CSPM (GCP Predefined Roles for Sysdig Cloud Secure Posture Management)
+#---------------------------------------------------------------------------------------------
+resource "google_organization_iam_member" "cspm" {
+  for_each = var.is_organizational ? toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer"]) : []
+
+  org_id = data.google_organization.org[0].org_id
+  role   = each.key
+  member = "serviceAccount:${google_service_account.posture_auth.email}"
+}
diff --git a/modules/config-posture/outputs.tf b/modules/config-posture/outputs.tf
@@ -0,0 +1,5 @@
+output "service_principal_component_id" {
+  value       = "${sysdig_secure_cloud_auth_account_component.google_service_principal.type}/${sysdig_secure_cloud_auth_account_component.google_service_principal.instance}"
+  description = "Component identifier of Service Principal created in Sysdig Backend for Config Posture"
+  depends_on  = [sysdig_secure_cloud_auth_account_component.google_service_principal]
+}
diff --git a/modules/config-posture/variables.tf b/modules/config-posture/variables.tf
@@ -0,0 +1,27 @@
+variable "project_id" {
+  type        = string
+  description = "(Required) Target Project identifier provided by the customer"
+}
+
+variable "is_organizational" {
+  description = "(Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization."
+  type        = bool
+  default     = false
+}
+
+variable "organization_domain" {
+  type        = string
+  description = "(Optional) Organization domain. e.g. sysdig.com"
+  default     = ""
+}
+
+variable "suffix" {
+  type        = string
+  description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated"
+  default     = null
+}
+
+variable "sysdig_secure_account_id" {
+  type        = string
+  description = "ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account)"
+}
diff --git a/modules/config-posture/versions.tf b/modules/config-posture/versions.tf
@@ -0,0 +1,18 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 4.21.0"
+    }
+    sysdig = {
+      source  = "sysdiglabs/sysdig"
+      version = ">= 1.34.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.1"
+    }
+  }
+}