From 5e6e5db036be05622ff867f5464637bbd0ee8a51 Mon Sep 17 00:00:00 2001
From: Haresh Suresh
Date: Wed, 23 Oct 2024 23:16:25 -0700
Subject: [PATCH 1/2] SSPROD-48612: adding ciem roles to the cspm service account

---
 modules/config-posture/main.tf       | 4 +++-
 modules/integrations/pub-sub/main.tf | 9 ---------
 2 files changed, 3 insertions(+), 10 deletions(-)

diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf
index 87e5a90..964b399 100644
--- a/modules/config-posture/main.tf
+++ b/modules/config-posture/main.tf
@@ -63,7 +63,9 @@ resource "google_iam_workload_identity_pool_provider" "posture_auth_pool_provide
 # role permissions for CSPM (GCP Predefined Roles for Sysdig Cloud Secure Posture Management)
 #---------------------------------------------------------------------------------------------
 resource "google_project_iam_member" "cspm" {
-  for_each = var.is_organizational ? [] : toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer"])
+  # adding ciem role with permissions to the service account alongside cspm roles
+  for_each = var.is_organizational ? [] : toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer",
+  "roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.roleViewer", "roles/container.clusterViewer", "roles/compute.viewer"])
   project = var.project_id
   role = each.key
diff --git a/modules/integrations/pub-sub/main.tf b/modules/integrations/pub-sub/main.tf
index a02c6d7..e92b50a 100644
--- a/modules/integrations/pub-sub/main.tf
+++ b/modules/integrations/pub-sub/main.tf
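Review bot: The section header `# role permissions for CSPM (GCP Predefined Roles for Sysdig Cloud Secure Posture Management)` kept as context above the resource no longer describes its contents once the five CIEM roles are folded into the same `for_each`; update it to something like `# role permissions for CSPM and CIEM (GCP Predefined Roles for Sysdig Cloud Secure Posture Management and Identity Entitlement Management)` and move the new inline `# adding ciem role ...` comment out of the resource body so it names which roles serve CIEM. With this change every CSPM deployment of the module also receives `roles/compute.viewer`, `roles/container.clusterViewer`, `roles/iam.serviceAccountViewer`, `roles/iam.roleViewer` and `roles/recommender.viewer`, which are project-wide read grants; if CIEM is optional for consumers, gating that subset behind a boolean input variable (name per the module's convention) would keep the service account at the narrower CSPM set when the feature is not in use. The unchanged `var.is_organizational ? [] : ...` guard means organizational installs get none of these roles from this resource, so an org-level binding elsewhere presumably covers them and is worth confirming for the newly added CIEM roles as well. The enclosing resource block's `member` line and closing brace are outside the hunk.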
@@ -235,15 +235,6 @@ resource "google_service_account_iam_member" "custom_auth" {
   member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.ingestion_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}"
 }
-# adding ciem role with permissions to the service account
-resource "google_project_iam_member" "identity_mgmt" {
-  for_each = var.is_organizational ? [] : toset(["roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.roleViewer", "roles/container.clusterViewer", "roles/compute.viewer"])
-
-  project = var.project_id
-  role = each.key
-  member = "serviceAccount:${google_service_account.push_auth.email}"
-}
-
 #-----------------------------------------------------------------------------------------------------------------------------------------
 # Call Sysdig Backend to add the pub-sub integration to the Sysdig Cloud Account
 #

From 2bc6e4ab3303f7cea5e0f77587e5d543dff0945a Mon Sep 17 00:00:00 2001
From: Haresh Suresh
Date: Wed, 23 Oct 2024 23:19:46 -0700
Subject: [PATCH 2/2] rm whiteline

---
 modules/config-posture/main.tf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf
index 964b399..008e32a 100644
--- a/modules/config-posture/main.tf
+++ b/modules/config-posture/main.tf
@@ -64,8 +64,7 @@ resource "google_iam_workload_identity_pool_provider" "posture_auth_pool_provide
 #---------------------------------------------------------------------------------------------
 resource "google_project_iam_member" "cspm" {
   # adding ciem role with permissions to the service account alongside cspm roles
-  for_each = var.is_organizational ? [] : toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer",
-  "roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.roleViewer", "roles/container.clusterViewer", "roles/compute.viewer"])
+  for_each = var.is_organizational ? [] : toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer", "roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.roleViewer", "roles/container.clusterViewer", "roles/compute.viewer"])
   project = var.project_id
   role = each.key