From b114965754608be7dc059a5054124c2121a1ef0e Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Wed, 4 Sep 2024 16:22:32 -0700 Subject: [PATCH 01/20] adding modular onboarding module --- modules/onboarding/README.md | 88 +++++++++++++++++++++++ modules/onboarding/main.tf | 100 +++++++++++++++++++++++++++ modules/onboarding/organizational.tf | 35 ++++++++++ modules/onboarding/outputs.tf | 34 +++++++++ modules/onboarding/variables.tf | 35 ++++++++++ modules/onboarding/versions.tf | 18 +++++ 6 files changed, 310 insertions(+) create mode 100644 modules/onboarding/README.md create mode 100644 modules/onboarding/main.tf create mode 100644 modules/onboarding/organizational.tf create mode 100644 modules/onboarding/outputs.tf create mode 100644 modules/onboarding/variables.tf create mode 100644 modules/onboarding/versions.tf diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md new file mode 100644 index 0000000..c59db6d --- /dev/null +++ b/modules/onboarding/README.md 
@@ -0,0 +1,88 @@ +# GCP Onboarding Module + +This module will deploy Foundational Onboarding resources in GCP for a single project, or for a GCP Organization. +The Foundational Onboarding module serves the following functions: +- retrieving inventory for single project, or for all projects within an Organization. +- running organization scraping in the case of organizational onboarding within GCP Organization. + +If instrumenting a project, the following resources will be created: +- All the necessary `Service Accounts` and `Policies` to enable the Onboarding operation at the project level +- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources. +- A cloud account in the Sysdig Backend, associated with the GCP project and with the required component to serve the foundational functions. + +If instrumenting an Organziation, the following resources will be created: +- All the necessary `Service Accounts` and `Policies` to enable the Onboarding operation at the organization level +- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources. +- A cloud account in the Sysdig Backend, associated with the management project and with the required component to serve the foundational functions. +- A cloud organization in the Sysdig Backend, associated with the GCP Organization to fetch the organization structure to install Sysdig Secure for Cloud on. + +Note: +- The outputs from the foundational module, such as `sysdig_secure_project_id` are needed as inputs to the other features/integrations modules for subsequent modular installs. 
+ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [google](#requirement\_google) | >= 4.21.0 | +| [sysdig](#requirement\_sysdig) | >= 1.23.1 | + +## Providers + +| Name | Version | +|------|---------| +| [google](#provider\_google) | 5.0.0 | +| [random](#provider\_random) | >= 3.1 | + +## Modules + +No modules. + +## Resources + +| [google_service_account.onboarding_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource | +| [google_service_account_iam_binding.onboarding_auth_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource | +| [google_organization.org](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/organization) | data source | +| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source | +| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source | +| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | +| [google_iam_workload_identity_pool.onboarding_auth_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool) | resource | +| [google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource | +| [google_project_iam_custom_role.custom_onboarding_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam_custom_role) | resource | +| 
[google_project_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) | resource | +| [google_service_account_iam_member.custom_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member) | resource | +| [google_organization_iam_custom_role.custom_onboarding_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam_custom_role) | resource | +| [google_organization_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | +| [labels](#input\_labels) | (Optional) Labels to be associated with Sysdig-originated resources | `map(string)` |
{
"originator": "sysdig"
}
| no | +| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | +| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | +| [role\_name](#input\_role\_name) | (Optional) Role name for custom role binding to the service account, with read permissions for data onboarding resources | `string` | `"SysdigOnboardingAuthRole-{random_id}"` | no | +| [external\_id](#input\_external\_id) | (Required) Random string generated unique to a customer | `string` | n/a | yes | +| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [workload\_identity\_pool\_id](#output\_workload\_identity\_pool\_id) | Id of Workload Identity Pool for authenticating to GCP to access data ingestion resources | +| [workload\_identity\_pool\_provider\_id](#output\_workload\_identity\_pool\_provider\_id) | Id of Workload Identity Pool Provider for authenticating to GCP to access data ingestion resources | +| [workload\_identity\_project\_number](#output\_workload\_identity\_project\_number) | GCP project number | +| [service\_account\_email](#output\_service\_account\_email) | email of the Service Account created | +| [sysdig\_secure\_project\_id](#output\_sysdig\_secure\_project\_id) | ID of the Sysdig Cloud Account created | +| [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not | + + +## Authors + +Module is maintained by [Sysdig](https://sysdig.com). + +## License + +Apache 2 Licensed. See LICENSE for full details. \ No newline at end of file diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf new file mode 100644 index 0000000..bf2431e --- /dev/null 
+++ b/modules/onboarding/main.tf 
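Review bot: The Resources table in README.md has no header row (`| Name | Type |` followed by the `|------|------|` separator), so Markdown will not render those rows as a table; add the header above the first `google_service_account.onboarding_auth` row. Two other inconsistencies in the same file: the Providers table pins `google` to `5.0.0` while the Requirements table says `>= 4.21.0` (use one constraint in both), and the Inputs table documents a `role_name` input with default `"SysdigOnboardingAuthRole-{random_id}"` that variables.tf in this patch never declares. Spelling: "Organziation" in the organization paragraph.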
@@ -0,0 +1,100 @@ +#------------------------------------------------------------------# +# Fetch and compute required data for Workload Identity Federation # +#------------------------------------------------------------------# + +data "sysdig_secure_trusted_cloud_identity" "trusted_identity" { + cloud_provider = "gcp" +} + +data "google_project" "project" { + project_id = var.project_id +} + +// suffix to uniquely identify WIF pool and provider during multiple installs. If suffix value is not provided, this will generate a random value. +resource "random_id" "suffix" { + count = var.suffix == null ? 1 : 0 + byte_length = 3 +} + +locals { + suffix = var.suffix == null ? random_id.suffix[0].hex : var.suffix +} + +resource "google_service_account" "onboarding_auth" { + account_id = "sysdig-onboarding-${local.suffix}" + display_name = "Sysdig Onboarding Auth Service Account" + project = var.project_id +} + +resource "google_service_account_iam_binding" "onboarding_auth_binding" { + service_account_id = google_service_account.push_auth.name + role = "roles/iam.workloadIdentityUser" + + members = [ + "serviceAccount:${google_service_account.onboarding_auth.email}", + ] +} + +#------------------------------------------------------------# +# Configure Workload Identity Federation for auth # +# See https://cloud.google.com/iam/docs/access-resources-aws # +#------------------------------------------------------------# + +resource "google_iam_workload_identity_pool" "onboarding_auth_pool" { + project = var.project_id + workload_identity_pool_id = "sysdig-onboarding-${local.suffix}" +} + +resource "google_iam_workload_identity_pool_provider" "onboarding_auth_pool_provider" { + project = var.project_id + workload_identity_pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id + workload_identity_pool_provider_id = "sysdig-onboarding-${local.suffix}" + display_name = "Sysdigcloud onboarding auth" + description = "AWS identity pool provider 
for Sysdig Secure Data Onboarding resources" + disabled = false + + attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}\"" + + attribute_mapping = { + "google.subject" = "assertion.arn", + "attribute.aws_role" = "assertion.arn" + } + + aws { + account_id = data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id + } +} + +# creating custom role with project-level permissions to access onboarding resources +resource "google_project_iam_custom_role" "custom_onboarding_auth_role" { + count = var.is_organizational ? 0 : 1 + + project = var.project_id + role_id = var.role_name + title = "Sysdigcloud Onboarding Auth Role" + description = "A Role providing the required permissions for Sysdig Backend to read cloud resources created for onboarding" + permissions = [ + "pubsub.topics.get", + "pubsub.topics.list", + "pubsub.subscriptions.get", + "pubsub.subscriptions.list", + "logging.sinks.get", + "logging.sinks.list", + ] +} + +# adding custom role with project-level permissions to the service account for auth +resource "google_project_iam_member" "custom" { + count = var.is_organizational ? 
0 : 1 + + project = var.project_id + role = google_project_iam_custom_role.custom_onboarding_auth_role[0].id + member = "serviceAccount:${google_service_account.onboarding_auth.email}" +} + +# attaching WIF as a member to the service account for auth +resource "google_service_account_iam_member" "custom_auth" { + service_account_id = google_service_account.onboarding_auth.name + role = "roles/iam.workloadIdentityUser" + member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}" +} \ No newline at end of file diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf new file mode 100644 index 0000000..a83553b --- /dev/null +++ b/modules/onboarding/organizational.tf 
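Review bot: `service_account_id = google_service_account.push_auth.name` in `google_service_account_iam_binding.onboarding_auth_binding` references a resource that does not exist in this module, so `terraform validate` fails on this commit; the intended target is `google_service_account.onboarding_auth.name`. Even with the name fixed the binding is a problem: `google_service_account_iam_binding` is authoritative for `roles/iam.workloadIdentityUser` on that service account and lists only the account itself as a member, while `google_service_account_iam_member.custom_auth` at the bottom of the file adds the `principalSet://iam.googleapis.com/...` member to the same role non-authoritatively, so the two resources keep overwriting each other and every plan shows a diff. A service account holding workloadIdentityUser on itself grants nothing useful; remove the binding and keep only `custom_auth`. Also, `role_id = var.role_name` in `google_project_iam_custom_role.custom_onboarding_auth_role` reads a variable this patch does not declare.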
@@ -0,0 +1,35 @@ +#--------------# +# Organization # +#--------------# + +data "google_organization" "org" { + count = var.is_organizational ? 1 : 0 + domain = var.organization_domain +} + +# creating custom role with organization-level permissions to access onboarding resources +resource "google_organization_iam_custom_role" "custom_onboarding_auth_role" { + count = var.is_organizational ? 1 : 0 + + org_id = data.google_organization.org[0].org_id + role_id = var.role_name + title = "Sysdigcloud Onboarding Auth Role" + description = "A Role providing the required permissions for Sysdig Backend to read cloud resources created for onboarding" + permissions = [ + "pubsub.topics.get", + "pubsub.topics.list", + "pubsub.subscriptions.get", + "pubsub.subscriptions.list", + "logging.sinks.get", + "logging.sinks.list", + ] +} + +# adding custom role with organization-level permissions to the service account for auth +resource "google_organization_iam_member" "custom" { + count = var.is_organizational ? 1 : 0 + + org_id = data.google_organization.org[0].org_id + role = google_organization_iam_custom_role.custom_onboarding_auth_role[0].id + member = "serviceAccount:${google_service_account.onboarding_auth.email}" +} \ No newline at end of file diff --git a/modules/onboarding/outputs.tf b/modules/onboarding/outputs.tf new file mode 100644 index 0000000..75ec94c --- /dev/null +++ b/modules/onboarding/outputs.tf 
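Review bot: `role_id = var.role_name` in `google_organization_iam_custom_role.custom_onboarding_auth_role` has no matching `variable "role_name"` anywhere in this patch, and the default the README documents for it, `"SysdigOnboardingAuthRole-{random_id}"`, would be rejected by GCP anyway because custom role IDs accept only letters, digits, underscores and periods (no hyphens or braces); declare the variable and derive the id from the suffix already computed in main.tf, for example `role_id = "SysdigOnboardingAuthRole_${local.suffix}"`. Note also that `data.google_organization.org` resolves the organization by `domain = var.organization_domain`, whose default is `""`, so an organizational install that omits the domain fails at plan time; a `validation` block requiring a non-empty domain when `is_organizational` is true would surface that earlier.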
@@ -0,0 +1,34 @@ +output "workload_identity_pool_id" { + value = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id + description = "Id of Workload Identity Pool for authenticating to GCP to access data onboarding resources" +} + +output "workload_identity_pool_provider_id" { + value = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id + description = "Id of Workload Identity Pool Provider for authenticating to GCP to access data onboarding resources" +} + +output "workload_identity_project_number" { + value = data.google_project.project.number + description = "GCP project number" +} + +output "service_account_email" { + value = google_service_account.onboarding_auth.email + description = "email of the Service Account created" +} + +output "project_id" { + value = var.project_id + description = "Project ID in which secure-for-cloud onboarding resources are created. For organizational installs it is the Management Project ID selected during install" +} + +output "sysdig_secure_project_id" { + value = sysdig_secure_cloud_auth_account.google_account.id + description = "ID of the Sysdig Cloud Account created" +} + +output "is_organizational" { + value = var.is_organizational + description = "Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not" +} diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf new file mode 100644 index 0000000..3da88f8 --- /dev/null +++ b/modules/onboarding/variables.tf 
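Review bot: `output "sysdig_secure_project_id"` reads `sysdig_secure_cloud_auth_account.google_account.id`, but no `sysdig_secure_cloud_auth_account` resource is declared anywhere in this commit, so the module does not validate at this point in the series (the resource is only introduced in the next patch); keep each commit self-consistent by adding the output together with the resource it reads. The README Outputs table also omits the `project_id` output declared here.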
@@ -0,0 +1,35 @@ +variable "project_id" { + type = string + description = "(Required) Target Project identifier provided by the customer" +} + +variable "labels" { + type = map(string) + description = "(Optional) Labels to be associated with Sysdig-originated resources" + default = { + originator = "sysdig" + } +} + +variable "is_organizational" { + description = "(Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization." + type = bool + default = false +} + +variable "organization_domain" { + type = string + description = "(Optional) Organization domain. e.g. sysdig.com" + default = "" +} + +variable "external_id" { + type = string + description = "(Required) Random string generated unique to a customer" +} + +variable "suffix" { + type = string + description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated" + default = null +} \ No newline at end of file diff --git a/modules/onboarding/versions.tf b/modules/onboarding/versions.tf new file mode 100644 index 0000000..b6453f7 --- /dev/null +++ b/modules/onboarding/versions.tf @@ -0,0 +1,18 @@ +terraform { + required_version = ">= 1.0.0" + + required_providers { + google = { + source = "hashicorp/google" + version = ">= 4.21.0" + } + sysdig = { + source = "sysdiglabs/sysdig" + version = ">= 1.23.1" + } + random = { + source = "hashicorp/random" + version = ">= 3.1, < 4.0" + } + } +} \ No newline at end of file From 86f73ffcaff47aa4434a6b74eac7d2ecd7afc8e4 Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Wed, 4 Sep 2024 21:03:36 -0700 Subject: [PATCH 02/20] fix var refns --- modules/onboarding/main.tf | 68 +++++++++++++++++++--------- modules/onboarding/organizational.tf | 38 ++++++++-------- modules/onboarding/variables.tf | 6 +++ modules/onboarding/versions.tf | 2 +- 4 files changed, 72 insertions(+), 42 deletions(-) diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf index bf2431e..bc01928 100644 
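Review bot: `variable "labels"` is declared with a default of `{ originator = "sysdig" }` but nothing in main.tf or organizational.tf references `var.labels`, so the README's statement that Sysdig-originated resources carry labels is not true of this module; either pass it to the resources that accept labels or drop the variable. `variable "suffix"` is the only optional input whose description lacks the "(Optional)" prefix the others use. In versions.tf the `random` constraint `>= 3.1, < 4.0` differs from the README Providers table (`>= 3.1`); keep the two in sync.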
--- a/modules/onboarding/main.tf +++ b/modules/onboarding/main.tf @@ -27,7 +27,7 @@ resource "google_service_account" "onboarding_auth" { } resource "google_service_account_iam_binding" "onboarding_auth_binding" { - service_account_id = google_service_account.push_auth.name + service_account_id = google_service_account.onboarding_auth.name role = "roles/iam.workloadIdentityUser" members = [ @@ -65,30 +65,14 @@ resource "google_iam_workload_identity_pool_provider" "onboarding_auth_pool_prov } } -# creating custom role with project-level permissions to access onboarding resources -resource "google_project_iam_custom_role" "custom_onboarding_auth_role" { - count = var.is_organizational ? 0 : 1 - - project = var.project_id - role_id = var.role_name - title = "Sysdigcloud Onboarding Auth Role" - description = "A Role providing the required permissions for Sysdig Backend to read cloud resources created for onboarding" - permissions = [ - "pubsub.topics.get", - "pubsub.topics.list", - "pubsub.subscriptions.get", - "pubsub.subscriptions.list", - "logging.sinks.get", - "logging.sinks.list", - ] -} - -# adding custom role with project-level permissions to the service account for auth -resource "google_project_iam_member" "custom" { +#--------------------------------- +# role permissions for onboarding +#--------------------------------- +resource "google_project_iam_member" "browser" { count = var.is_organizational ? 0 : 1 project = var.project_id - role = google_project_iam_custom_role.custom_onboarding_auth_role[0].id + role = "roles/browser" member = "serviceAccount:${google_service_account.onboarding_auth.email}" } 
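Review bot: Replacing the custom role (six `pubsub.*` and `logging.sinks.*` get/list permissions) with the predefined `roles/browser` is a change in permission scope that a commit titled "fix var refns" does not explain: `roles/browser` covers hierarchy browsing (get/list on projects, folders and the organization) and carries none of the Pub/Sub or logging permissions the old role had. If the onboarding component only needs project inventory, say so in the block comment and update the README, which still lists the custom role resources and the `role_name` input; if the sink and topic reads are still required, they are now missing.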
@@ -97,4 +81,44 @@ resource "google_service_account_iam_member" "custom_auth" { service_account_id = google_service_account.onboarding_auth.name role = "roles/iam.workloadIdentityUser" member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}" +} + +#--------------------------------------------------------------------------------------------- +# Call Sysdig Backend to create account with foundational onboarding +# (ensure it is called after all above cloud resources are created using explicit depends_on) +#--------------------------------------------------------------------------------------------- + +resource "sysdig_secure_cloud_auth_account" "google_account" { + enabled = true + provider_id = var.project_id + provider_type = "PROVIDER_GCP" + provider_alias = data.google_project.project.name + provider_tenant_id = var.organization_domain + + component { + type = "COMPONENT_SERVICE_PRINCIPAL" + instance = "secure-onboarding" + version = "v0.1.0" + service_principal_metadata = jsonencode({ + gcp = { + service_principal = { + workload_identity_federation = { + pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id + pool_provider_id = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id + project_number = data.google_project.project.number + } + email = google_service_account.onboarding_auth.email + } + } + }) + } + + depends_on = [google_service_account_iam_member.custom_auth] + + lifecycle { + ignore_changes = [ + component, + feature + ] + } } \ No newline at end of file 
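Review bot: `ignore_changes = [component, feature]` in the lifecycle block freezes the backend record after first creation, so a later change to anything inside `service_principal_metadata` (a new pool or provider id after a `suffix` change, a new service account email) is never sent to Sysdig and federation breaks silently on the next backend call; if the intent is only to tolerate features the backend appends on its own, confirm whether ignoring `feature` alone is enough. Two smaller points: `provider_tenant_id = var.organization_domain` is sent as `""` on single-project installs, which should be confirmed as acceptable to the backend, and the literals `instance = "secure-onboarding"` and `version = "v0.1.0"` deserve a comment naming the backend contract they follow.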
diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf index a83553b..4ff434a 100644 --- a/modules/onboarding/organizational.tf +++ b/modules/onboarding/organizational.tf 
@@ -7,29 +7,29 @@ data "google_organization" "org" { domain = var.organization_domain } -# creating custom role with organization-level permissions to access onboarding resources -resource "google_organization_iam_custom_role" "custom_onboarding_auth_role" { +################################################### +# Setup Service Account permissions +################################################### + +#--------------------------------- +# role permissions for onboarding +#--------------------------------- +resource "google_organization_iam_member" "browser" { count = var.is_organizational ? 1 : 0 - org_id = data.google_organization.org[0].org_id - role_id = var.role_name - title = "Sysdigcloud Onboarding Auth Role" - description = "A Role providing the required permissions for Sysdig Backend to read cloud resources created for onboarding" - permissions = [ - "pubsub.topics.get", - "pubsub.topics.list", - "pubsub.subscriptions.get", - "pubsub.subscriptions.list", - "logging.sinks.get", - "logging.sinks.list", - ] + org_id = data.google_organization.org[0].org_id + role = "roles/browser" + member = "serviceAccount:${google_service_account.onboarding_auth.email}" } -# adding custom role with organization-level permissions to the service account for auth -resource "google_organization_iam_member" "custom" { +#--------------------------------------------------------------------------------------------- +# Call Sysdig Backend to create organization with foundational onboarding +# (ensure it is called after all above cloud resources are created) +#--------------------------------------------------------------------------------------------- +resource "sysdig_secure_organization" "azure_organization" { count = var.is_organizational ? 
1 : 0 - org_id = data.google_organization.org[0].org_id - role = google_organization_iam_custom_role.custom_onboarding_auth_role[0].id - member = "serviceAccount:${google_service_account.onboarding_auth.email}" + management_account_id = sysdig_secure_cloud_auth_account.google_account.id + organizational_unit_ids = var.management_group_ids + depends_on = [google_organization_iam_member.browser] } \ No newline at end of file diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf index 3da88f8..a90da48 100644 --- a/modules/onboarding/variables.tf +++ b/modules/onboarding/variables.tf @@ -23,6 +23,12 @@ variable "organization_domain" { default = "" } +variable "management_group_ids" { + type = set(string) + description = "(Optional) Management group id to onboard. e.g. [organizations/123456789012], [folders/123456789012]" + default = [] +} + variable "external_id" { type = string description = "(Required) Random string generated unique to a customer" diff --git a/modules/onboarding/versions.tf b/modules/onboarding/versions.tf index b6453f7..0ef54f7 100644 --- a/modules/onboarding/versions.tf +++ b/modules/onboarding/versions.tf @@ -8,7 +8,7 @@ terraform { } sysdig = { source = "sysdiglabs/sysdig" - version = ">= 1.23.1" + version = ">= 1.29.2" } random = { source = "hashicorp/random" From 7321bbe38afcd7a061f2ab8f72e8fad3ccc687d8 Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Wed, 4 Sep 2024 22:24:18 -0700 Subject: [PATCH 03/20] adding modular onboarding example --- .../onboarding_with_posture.tf | 25 +++++++++++++++++++ .../onboarding_with_posture.tf | 24 ++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 test/examples/modular_organization/onboarding_with_posture.tf create mode 100644 test/examples/modular_single_project/onboarding_with_posture.tf 
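Review bot: `sysdig_secure_organization.azure_organization` and `var.management_group_ids` use Azure terminology in a GCP module; rename the resource (for example `gcp_organization`) and the variable to match its own description (`organizations/...`, `folders/...`), otherwise readers will assume the wrong module was copied. `management_group_ids` defaults to `[]`, so an organizational install that passes nothing sends an empty `organizational_unit_ids`; confirm the backend treats that as "whole organization" or add a validation requiring it when `is_organizational` is true. The `sysdig` provider floor moves to `>= 1.29.2` in versions.tf, but the README Requirements table still says `>= 1.23.1`.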
diff --git a/test/examples/modular_organization/onboarding_with_posture.tf b/test/examples/modular_organization/onboarding_with_posture.tf new file mode 100644 index 0000000..63b1c09 --- /dev/null +++ b/test/examples/modular_organization/onboarding_with_posture.tf @@ -0,0 +1,25 @@ +provider "google" { + project = "org-child-project-3" + region = "us-west1" +} + +terraform { + required_providers { + sysdig = { + source = "sysdiglabs/sysdig" + version = "~> 1.29.2" + } + } +} + +provider "sysdig" { + sysdig_secure_url = "https://secure-staging.sysdig.com" + sysdig_secure_api_token = "API_TOKEN" +} + +module "onboarding" { + source = "../../../modules/onboarding" + project_id = "org-child-project-3" + external_id = "25ef0d887bc7a2b30089a025618e1c62" + is_organizational = true +} \ No newline at end of file diff --git a/test/examples/modular_single_project/onboarding_with_posture.tf b/test/examples/modular_single_project/onboarding_with_posture.tf new file mode 100644 index 0000000..6372874 --- /dev/null +++ b/test/examples/modular_single_project/onboarding_with_posture.tf @@ -0,0 +1,24 @@ +provider "google" { + project = "org-child-project-3" + region = "us-west1" +} + +terraform { + required_providers { + sysdig = { + source = "sysdiglabs/sysdig" + version = "~> 1.29.2" + } + } +} + +provider "sysdig" { + sysdig_secure_url = "https://secure-staging.sysdig.com" + sysdig_secure_api_token = "API_TOKEN" +} + +module "onboarding" { + source = "../../../modules/onboarding" + project_id = "org-child-project-3" + external_id = "25ef0d887bc7a2b30089a025618e1c62" +} \ No newline at end of file From c40389c600781e66fd81fa55cd7d3950e3070e94 Mon Sep 17 00:00:00 2001 
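Review bot: `sysdig_secure_api_token = "API_TOKEN"` places the credential inline in a committed `.tf` file; example files get copied verbatim, so drop the argument and let the provider read `SYSDIG_SECURE_API_TOKEN` (and `SYSDIG_SECURE_URL`) from the environment, or take it as a `variable` marked `sensitive = true`. The organizational example sets `is_organizational = true` but passes neither `organization_domain` nor `management_group_ids`, so `data.google_organization.org` is queried with `domain = ""` and the plan fails; add both. Both files are named `onboarding_with_posture.tf` yet only call `module "onboarding"`; rename them or add the posture module call they promise.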
From: Haresh Suresh Date: Wed, 4 Sep 2024 23:37:57 -0700 Subject: [PATCH 04/20] adding config posture module for modular onboarding --- modules/config-posture/README.md | 0 modules/config-posture/main.tf | 109 +++++++++++++++++++++++ modules/config-posture/organizational.tf | 23 +++++ modules/config-posture/outputs.tf | 5 ++ modules/config-posture/variables.tf | 38 ++++++++ modules/config-posture/versions.tf | 18 ++++ modules/onboarding/variables.tf | 8 -- modules/onboarding/versions.tf | 2 +- 8 files changed, 194 insertions(+), 9 deletions(-) create mode 100644 modules/config-posture/README.md create mode 100644 modules/config-posture/main.tf create mode 100644 modules/config-posture/organizational.tf create mode 100644 modules/config-posture/outputs.tf create mode 100644 modules/config-posture/variables.tf create mode 100644 modules/config-posture/versions.tf diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md new file mode 100644 index 0000000..e69de29 diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf new file mode 100644 index 0000000..35e105e --- /dev/null +++ b/modules/config-posture/main.tf 
@@ -0,0 +1,109 @@ +#------------------------------------------------------------------# +# Fetch and compute required data for Workload Identity Federation # +#------------------------------------------------------------------# + +data "sysdig_secure_trusted_cloud_identity" "trusted_identity" { + cloud_provider = "gcp" +} + +data "google_project" "project" { + project_id = var.project_id +} + +// suffix to uniquely identify WIF pool and provider during multiple installs. If suffix value is not provided, this will generate a random value. +resource "random_id" "suffix" { + count = var.suffix == null ? 1 : 0 + byte_length = 3 +} + +locals { + suffix = var.suffix == null ? random_id.suffix[0].hex : var.suffix +} + +resource "google_service_account" "posture_auth" { + account_id = "sysdig-posture-${local.suffix}" + display_name = "Sysdig Config Posture Auth Service Account" + project = var.project_id +} + +resource "google_service_account_iam_binding" "posture_auth_binding" { + service_account_id = google_service_account.posture_auth.name + role = "roles/iam.workloadIdentityUser" + + members = [ + "serviceAccount:${google_service_account.posture_auth.email}", + ] +} + +#------------------------------------------------------------# +# Configure Workload Identity Federation for auth # +# See https://cloud.google.com/iam/docs/access-resources-aws # +#------------------------------------------------------------# + +resource "google_iam_workload_identity_pool" "posture_auth_pool" { + project = var.project_id + workload_identity_pool_id = "sysdig-posture-${local.suffix}" +} + +resource "google_iam_workload_identity_pool_provider" "posture_auth_pool_provider" { + project = var.project_id + workload_identity_pool_id = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id + workload_identity_pool_provider_id = "sysdig-posture-${local.suffix}" + display_name = "Sysdigcloud config posture auth" + description = "AWS identity pool provider for Sysdig Secure 
Data Config Posture resources" + disabled = false + + attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}\"" + + attribute_mapping = { + "google.subject" = "assertion.arn", + "attribute.aws_role" = "assertion.arn" + } + + aws { + account_id = data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id + } +} + +#--------------------------------------------------------------------------------------------- +# role permissions for CSPM (GCP Predefined Roles for Sysdig Cloud Secure Posture Management) +#--------------------------------------------------------------------------------------------- +resource "google_project_iam_member" "cspm" { + for_each = var.is_organizational ? [] : toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer"]) + + project = var.project_id + role = each.key + member = "serviceAccount:${google_service_account.posture_auth.email}" +} + +# attaching WIF as a member to the service account for auth +resource "google_service_account_iam_member" "custom_auth" { + service_account_id = google_service_account.posture_auth.name + role = "roles/iam.workloadIdentityUser" + member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}" +} + +#-------------------------------------------------------------------------------------------------------------- +# Call 
Sysdig Backend to add the service-principal integration for Config Posture to the Sysdig Cloud Account +# +# Note (optional): To ensure this gets called after all cloud resources are created, add +# explicit dependency using depends_on +#-------------------------------------------------------------------------------------------------------------- +resource "sysdig_secure_cloud_auth_account_component" "google_service_principal" { + account_id = var.sysdig_secure_account_id + type = "COMPONENT_SERVICE_PRINCIPAL" + instance = "secure-posture" + verion = "v0.1.0" + service_principal_metadata = jsonencode({ + gcp = { + service_principal = { + workload_identity_federation = { + pool_id = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id + pool_provider_id = google_iam_workload_identity_pool_provider.posture_auth_pool_provider.workload_identity_pool_provider_id + project_number = data.google_project.project.number + } + email = google_service_account.posture_auth.email + } + } + }) +} diff --git a/modules/config-posture/organizational.tf b/modules/config-posture/organizational.tf new file mode 100644 index 0000000..77d85b0 --- /dev/null +++ b/modules/config-posture/organizational.tf 
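Review bot: `verion = "v0.1.0"` in `sysdig_secure_cloud_auth_account_component.google_service_principal` is misspelled; Terraform rejects unsupported arguments, so this file fails `terraform validate` until it reads `version`. In `google_project_iam_member.cspm`, `for_each = var.is_organizational ? [] : toset([...])` mixes an empty tuple with a set of strings; write `toset([])` for the empty branch so both arms have one type. The role list also grants the service account `roles/iam.workloadIdentityUser` on the whole project, which federation does not need: the federated `principalSet` is what must hold that role, and `google_service_account_iam_member.custom_auth` already grants it scoped to this one service account, so remove it from the project-level list. The same authoritative `google_service_account_iam_binding.posture_auth_binding` versus non-authoritative `custom_auth` conflict on `roles/iam.workloadIdentityUser` exists here as in the onboarding module; drop the binding.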
@@ -0,0 +1,23 @@ +#--------------# +# Organization # +#--------------# + +data "google_organization" "org" { + count = var.is_organizational ? 1 : 0 + domain = var.organization_domain +} + +################################################### +# Setup Service Account permissions +################################################### + +#--------------------------------------------------------------------------------------------- +# role permissions for CSPM (GCP Predefined Roles for Sysdig Cloud Secure Posture Management) +#--------------------------------------------------------------------------------------------- +resource "google_organization_iam_member" "cspm" { + for_each = var.is_organizational ? toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer"]) : [] + + org_id = data.google_organization.org[0].org_id + role = each.key + member = "serviceAccount:${google_service_account.posture_auth.email}" +} \ No newline at end of file diff --git a/modules/config-posture/outputs.tf b/modules/config-posture/outputs.tf new file mode 100644 index 0000000..20c9f5d --- /dev/null +++ b/modules/config-posture/outputs.tf @@ -0,0 +1,5 @@ +output "service_principal_component_id" { + value = "${sysdig_secure_cloud_auth_account_component.google_service_principal.type}/${sysdig_secure_cloud_auth_account_component.google_service_principal.instance}" + description = "Component identifier of Service Principal created in Sysdig Backend for Config Posture" + depends_on = [sysdig_secure_cloud_auth_account_component.google_service_principal] +} \ No newline at end of file diff --git a/modules/config-posture/variables.tf b/modules/config-posture/variables.tf new file mode 100644 index 0000000..b1d3d9e --- /dev/null +++ b/modules/config-posture/variables.tf 
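Review bot: `google_organization_iam_member.cspm` grants `roles/iam.workloadIdentityUser` to `posture_auth` at the organization level, which is wider again than the project-level grant in `main.tf` and is not required for the WIF binding that `google_service_account_iam_member.custom_auth` already provides on the service account itself; remove that role from the organization list. The role list is now duplicated verbatim between `google_project_iam_member.cspm` and `google_organization_iam_member.cspm`; a single `locals` entry would keep the two in sync. In `outputs.tf`, `depends_on = [sysdig_secure_cloud_auth_account_component.google_service_principal]` is redundant because `value` already references that resource's `type` and `instance`.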
@@ -0,0 +1,38 @@ +variable "project_id" { + type = string + description = "(Required) Target Project identifier provided by the customer" +} + +variable "is_organizational" { + description = "(Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization." + type = bool + default = false +} + +variable "organization_domain" { + type = string + description = "(Optional) Organization domain. e.g. sysdig.com" + default = "" +} + +variable "management_group_ids" { + type = set(string) + description = "(Optional) Management group id to onboard. e.g. [organizations/123456789012], [folders/123456789012]" + default = [] +} + +variable "external_id" { + type = string + description = "(Required) Random string generated unique to a customer" +} + +variable "suffix" { + type = string + description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated" + default = null +} + +variable "sysdig_secure_account_id" { + type = string + description = "ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account)" +} \ No newline at end of file diff --git a/modules/config-posture/versions.tf b/modules/config-posture/versions.tf new file mode 100644 index 0000000..7f82c5f --- /dev/null +++ b/modules/config-posture/versions.tf @@ -0,0 +1,18 @@ +terraform { + required_version = ">= 1.0.0" + + required_providers { + google = { + source = "hashicorp/google" + version = ">= 4.21.0" + } + sysdig = { + source = "sysdiglabs/sysdig" + version = ">= 1.29.2" + } + random = { + source = "hashicorp/random" + version = ">= 3.1" + } + } +} \ No newline at end of file diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf index a90da48..7564fc6 100644 --- a/modules/onboarding/variables.tf +++ b/modules/onboarding/variables.tf 
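Review bot: `management_group_ids` is declared as `set(string)` with default `[]`, but its description reads "Management group id to onboard" (singular) and no resource in `main.tf` or `organizational.tf` reads it; either wire it into the organization-scoped resources or leave the variable out until it is used. `organization_domain` defaults to `""` and `organizational.tf` passes it straight to `data "google_organization" "org"` whenever `is_organizational` is true, so an organizational install with the default value fails only at apply; a `lifecycle { precondition }` on that data source (or a cross-variable `validation`, on Terraform versions that support it) would surface the mistake at plan time.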
@@ -3,14 +3,6 @@ variable "project_id" { description = "(Required) Target Project identifier provided by the customer" } -variable "labels" { - type = map(string) - description = "(Optional) Labels to be associated with Sysdig-originated resources" - default = { - originator = "sysdig" - } -} - variable "is_organizational" { description = "(Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization." type = bool diff --git a/modules/onboarding/versions.tf b/modules/onboarding/versions.tf index 0ef54f7..7f82c5f 100644 --- a/modules/onboarding/versions.tf +++ b/modules/onboarding/versions.tf @@ -12,7 +12,7 @@ terraform { } random = { source = "hashicorp/random" - version = ">= 3.1, < 4.0" + version = ">= 3.1" } } } \ No newline at end of file From 4e8d930c4976a3bf656c222c06e6e4b9b727b131 Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Thu, 5 Sep 2024 13:35:04 -0700 Subject: [PATCH 05/20] updating README --- modules/config-posture/README.md | 87 ++++++++++++++++++++++++++++++++ modules/config-posture/main.tf | 6 +-- modules/onboarding/README.md | 15 +++--- modules/onboarding/main.tf | 6 +-- 4 files changed, 100 insertions(+), 14 deletions(-) diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md index e69de29..9557b9a 100644 --- a/modules/config-posture/README.md +++ b/modules/config-posture/README.md 
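Review bot: dropping the `< 4.0` upper bound on the `random` provider in `modules/onboarding/versions.tf` lets a future major release be selected automatically, and every resource name in these modules embeds `local.suffix`, so any behavioural change in `random_id` would force-replace the service accounts and identity pools; keep `version = ">= 3.1, < 4.0"` here and use the same bound in the new `modules/config-posture/versions.tf`, which ships unbounded as well. Removing the `labels` variable from `modules/onboarding/variables.tf` is only safe if no resource in that module still references `var.labels`; the hunk does not show the corresponding `main.tf` change.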
@@ -0,0 +1,87 @@ +# GCP Config Posture Module + +This module will deploy Config Posture resources in GCP for a single project, or for a GCP Organization. +The Config Posture module serves the following functions: +- retrieving inventory for single project, or for all projects within an Organization. +- retrieving organization metadata in the case of organizational onboarding within GCP Organization. + +If instrumenting a project, the following resources will be created: +- All the necessary `Service Accounts` and `Policies` to enable the Config posture operation at the project level +- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources. +- A cloud account component in the Sysdig Backend, associated with the GCP project and with the required component to serve the config posture functions. + +If instrumenting an Organziation, the following resources will be created: +- All the necessary `Service Accounts` and `Policies` to enable the Config Posture operation at the organization level +- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources. +- A cloud account component in the Sysdig Backend, associated with the GCP project and with the required component to serve the config posture functions. + +Note: +- The outputs from the foundational module, such as `sysdig_secure_project_id` are needed as inputs to the other features/integrations modules for subsequent modular installs. 
+ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [google](#requirement\_google) | >= 4.21.0 | +| [sysdig](#requirement\_sysdig) | >= 1.23.1 | + +## Providers + +| Name | Version | +|------|---------| +| [google](#provider\_google) | 5.0.0 | +| [random](#provider\_random) | >= 3.1 | + +## Modules + +No modules. + +## Resources + +| [google_service_account.posture_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource | +| [google_service_account_iam_binding.posture_auth_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource | +| [google_organization.org](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/organization) | data source | +| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source | +| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source | +| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | +| [google_iam_workload_identity_pool.posture_auth_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool) | resource | +| [google_iam_workload_identity_pool_provider.posture_auth_pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource | +| [google_project_iam_custom_role.custom_posture_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam_custom_role) | resource | +| 
[google_project_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) | resource | +| [google_service_account_iam_member.custom_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member) | resource | +| [google_organization_iam_custom_role.custom_posture_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam_custom_role) | resource | +| [google_organization_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|---------------------------------------------------------------------------------------------------------------------------|------|-----------------------------------------------|:--------:| +| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | +| [labels](#input\_labels) | (Optional) Labels to be associated with Sysdig-originated resources | `map(string)` |
{
"originator": "sysdig"
}
| no | +| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | +| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | +| [role\_name](#input\_role\_name) | (Optional) Role name for custom role binding to the service account, with read permissions for posture resources | `string` | `"SysdigPostureAuthRole-{random_id}"` | no | +| [external\_id](#input\_external\_id) | (Required) Random string generated unique to a customer | `string` | n/a | yes | +| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | + +## Outputs + +| Name | Description | +|------|----------------------------------------------------------------------------------------------------| +| [workload\_identity\_pool\_id](#output\_workload\_identity\_pool\_id) | Id of Workload Identity Pool for authenticating to GCP to access config posture resources | +| [workload\_identity\_pool\_provider\_id](#output\_workload\_identity\_pool\_provider\_id) | Id of Workload Identity Pool Provider for authenticating to GCP to access config posture resources | +| [workload\_identity\_project\_number](#output\_workload\_identity\_project\_number) | GCP project number | +| [service\_account\_email](#output\_service\_account\_email) | email of the Service Account created | +| [sysdig\_secure\_project\_id](#output\_sysdig\_secure\_project\_id) | ID of the Sysdig Cloud Account created | +| [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not | + + +## Authors + +Module is maintained by [Sysdig](https://sysdig.com). + +## License + +Apache 2 Licensed. See LICENSE for full details. \ No newline at end of file 
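Review bot: this README was copied from the onboarding module and disagrees with the `config-posture` code added in this series: the Requirements table lists `sysdig >= 1.23.1` while `versions.tf` requires `>= 1.29.2`; the Providers table pins `google` at `5.0.0` against a `>= 4.21.0` requirement; the Resources table lists `google_project_iam_custom_role.custom_posture_auth_role`, `google_project_iam_member.custom` and `google_organization_iam_custom_role.custom_posture_auth_role`, none of which exist (the module creates `google_project_iam_member.cspm`, `google_organization_iam_member.cspm` and `google_service_account_iam_member.custom_auth`); the Inputs table documents `labels` and `role_name`, which are not in `variables.tf`, and omits `sysdig_secure_account_id` and `management_group_ids`; the Outputs table lists six outputs where `outputs.tf` defines only `service_principal_component_id`; and the closing Note still refers to "the foundational module" and `sysdig_secure_project_id`. Regenerate the tables with terraform-docs rather than editing by hand, and fix "Organziation".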
diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf index 35e105e..a14dc39 100644 --- a/modules/config-posture/main.tf +++ b/modules/config-posture/main.tf @@ -21,7 +21,7 @@ locals { } resource "google_service_account" "posture_auth" { - account_id = "sysdig-posture-${local.suffix}" + account_id = "sysdig-secure-posture-${local.suffix}" display_name = "Sysdig Config Posture Auth Service Account" project = var.project_id } @@ -42,13 +42,13 @@ resource "google_service_account_iam_binding" "posture_auth_binding" { resource "google_iam_workload_identity_pool" "posture_auth_pool" { project = var.project_id - workload_identity_pool_id = "sysdig-posture-${local.suffix}" + workload_identity_pool_id = "sysdig-secure-posture-${local.suffix}" } resource "google_iam_workload_identity_pool_provider" "posture_auth_pool_provider" { project = var.project_id workload_identity_pool_id = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id - workload_identity_pool_provider_id = "sysdig-posture-${local.suffix}" + workload_identity_pool_provider_id = "sysdig-secure-posture-${local.suffix}" display_name = "Sysdigcloud config posture auth" description = "AWS identity pool provider for Sysdig Secure Data Config Posture resources" disabled = false diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md index c59db6d..135f4c0 100644 --- a/modules/onboarding/README.md +++ b/modules/onboarding/README.md @@ -63,19 +63,18 @@ No modules. | [labels](#input\_labels) | (Optional) Labels to be associated with Sysdig-originated resources | `map(string)` |
{
"originator": "sysdig"
}
| no | | [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | | [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | -| [role\_name](#input\_role\_name) | (Optional) Role name for custom role binding to the service account, with read permissions for data onboarding resources | `string` | `"SysdigOnboardingAuthRole-{random_id}"` | no | | [external\_id](#input\_external\_id) | (Required) Random string generated unique to a customer | `string` | n/a | yes | | [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | ## Outputs -| Name | Description | -|------|-------------| -| [workload\_identity\_pool\_id](#output\_workload\_identity\_pool\_id) | Id of Workload Identity Pool for authenticating to GCP to access data ingestion resources | -| [workload\_identity\_pool\_provider\_id](#output\_workload\_identity\_pool\_provider\_id) | Id of Workload Identity Pool Provider for authenticating to GCP to access data ingestion resources | -| [workload\_identity\_project\_number](#output\_workload\_identity\_project\_number) | GCP project number | -| [service\_account\_email](#output\_service\_account\_email) | email of the Service Account created | -| [sysdig\_secure\_project\_id](#output\_sysdig\_secure\_project\_id) | ID of the Sysdig Cloud Account created | +| Name | Description | +|------|------------------------------------------------------------------------------------------------| +| [workload\_identity\_pool\_id](#output\_workload\_identity\_pool\_id) | Id of Workload Identity Pool for authenticating to GCP to access onboarding resources | +| [workload\_identity\_pool\_provider\_id](#output\_workload\_identity\_pool\_provider\_id) | Id of Workload Identity Pool Provider for authenticating to GCP to access onboarding 
resources | +| [workload\_identity\_project\_number](#output\_workload\_identity\_project\_number) | GCP project number | +| [service\_account\_email](#output\_service\_account\_email) | email of the Service Account created | +| [sysdig\_secure\_project\_id](#output\_sysdig\_secure\_project\_id) | ID of the Sysdig Cloud Account created | | [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not | diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf index bc01928..f14db18 100644 --- a/modules/onboarding/main.tf +++ b/modules/onboarding/main.tf @@ -21,7 +21,7 @@ locals { } resource "google_service_account" "onboarding_auth" { - account_id = "sysdig-onboarding-${local.suffix}" + account_id = "sysdig-secure-onboarding-${local.suffix}" display_name = "Sysdig Onboarding Auth Service Account" project = var.project_id } @@ -42,13 +42,13 @@ resource "google_service_account_iam_binding" "onboarding_auth_binding" { resource "google_iam_workload_identity_pool" "onboarding_auth_pool" { project = var.project_id - workload_identity_pool_id = "sysdig-onboarding-${local.suffix}" + workload_identity_pool_id = "sysdig-secure-onboarding-${local.suffix}" } resource "google_iam_workload_identity_pool_provider" "onboarding_auth_pool_provider" { project = var.project_id workload_identity_pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id - workload_identity_pool_provider_id = "sysdig-onboarding-${local.suffix}" + workload_identity_pool_provider_id = "sysdig-secure-onboarding-${local.suffix}" display_name = "Sysdigcloud onboarding auth" description = "AWS identity pool provider for Sysdig Secure Data Onboarding resources" disabled = false From d217b534d7004e63660d77e999742b44fb9555da Mon Sep 17 00:00:00 2001 
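Review bot: the renames to `sysdig-secure-posture-${local.suffix}` and `sysdig-secure-onboarding-${local.suffix}` in both `main.tf` files need a length check before merge: a GCP service account `account_id` is limited to 30 characters, and the new prefixes are 22 and 25 characters respectively, leaving very little room for `local.suffix`; the workload identity pool and provider IDs have their own length limits as well. Either keep the shorter `sysdig-posture-` / `sysdig-onboarding-` prefixes or constrain the suffix length. The onboarding README hunk in this patch still documents `workload_identity_pool_id` and the other WIF outputs; keep that table in step with `outputs.tf` when those outputs change.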
From: Haresh Suresh Date: Thu, 5 Sep 2024 14:30:24 -0700 Subject: [PATCH 06/20] fix role naming & version metadata --- modules/config-posture/main.tf | 25 +++++++++++-------------- modules/onboarding/main.tf | 23 +++++++++++------------ modules/onboarding/outputs.tf | 22 +--------------------- 3 files changed, 23 insertions(+), 47 deletions(-) diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf index a14dc39..bbb8e80 100644 --- a/modules/config-posture/main.tf +++ b/modules/config-posture/main.tf @@ -21,7 +21,8 @@ locals { } resource "google_service_account" "posture_auth" { - account_id = "sysdig-secure-posture-${local.suffix}" + # service account name cannot be longer than 30 characters + account_id = "sysdig-posture-${local.suffix}" display_name = "Sysdig Config Posture Auth Service Account" project = var.project_id } @@ -48,7 +49,7 @@ resource "google_iam_workload_identity_pool" "posture_auth_pool" { resource "google_iam_workload_identity_pool_provider" "posture_auth_pool_provider" { project = var.project_id workload_identity_pool_id = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id - workload_identity_pool_provider_id = "sysdig-secure-posture-${local.suffix}" + workload_identity_pool_provider_id = "sysdig-posture-${local.suffix}" display_name = "Sysdigcloud config posture auth" description = "AWS identity pool provider for Sysdig Secure Data Config Posture resources" disabled = false 
@@ -77,7 +78,7 @@ resource "google_project_iam_member" "cspm" { } # attaching WIF as a member to the service account for auth -resource "google_service_account_iam_member" "custom_auth" { +resource "google_service_account_iam_member" "custom_posture_auth" { service_account_id = google_service_account.posture_auth.name role = "roles/iam.workloadIdentityUser" member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}" 
@@ -85,25 +86,21 @@ resource "google_service_account_iam_member" "custom_auth" { #-------------------------------------------------------------------------------------------------------------- # Call Sysdig Backend to add the service-principal integration for Config Posture to the Sysdig Cloud Account -# -# Note (optional): To ensure this gets called after all cloud resources are created, add -# explicit dependency using depends_on #-------------------------------------------------------------------------------------------------------------- resource "sysdig_secure_cloud_auth_account_component" "google_service_principal" { account_id = var.sysdig_secure_account_id type = "COMPONENT_SERVICE_PRINCIPAL" instance = "secure-posture" - verion = "v0.1.0" + version = "v0.1.0" service_principal_metadata = jsonencode({ gcp = { - service_principal = { - workload_identity_federation = { - pool_id = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id - pool_provider_id = google_iam_workload_identity_pool_provider.posture_auth_pool_provider.workload_identity_pool_provider_id - project_number = data.google_project.project.number - } - email = google_service_account.posture_auth.email + workload_identity_federation = { + pool_id = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id + pool_provider_id = google_iam_workload_identity_pool_provider.posture_auth_pool_provider.workload_identity_pool_provider_id + project_number = data.google_project.project.number } + email = google_service_account.posture_auth.email } }) + depends_on = [google_service_account_iam_member.custom_posture_auth] } diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf index f14db18..0cc8518 100644 --- a/modules/onboarding/main.tf +++ b/modules/onboarding/main.tf 
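Review bot: the `verion` to `version` fix and the new `depends_on = [google_service_account_iam_member.custom_posture_auth]` are the right changes for this resource, and they make the removed "Note (optional)" comment obsolete. Flattening `service_principal_metadata` so that `workload_identity_federation` and `email` sit directly under `gcp` is a wire-format change, so confirm it matches what the `sysdiglabs/sysdig` provider and backend expect for `COMPONENT_SERVICE_PRINCIPAL`; the onboarding module's `sysdig_secure_cloud_auth_account` gets the same shape in this patch, so at least the two modules stay consistent. Renaming `custom_auth` to `custom_posture_auth` changes the resource address; if this module has been applied anywhere, add a `moved` block so the IAM member is not destroyed and recreated.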
@@ -21,7 +21,8 @@ locals { } resource "google_service_account" "onboarding_auth" { - account_id = "sysdig-secure-onboarding-${local.suffix}" + # service account name cannot be longer than 30 characters + account_id = "sysdig-onboarding-${local.suffix}" display_name = "Sysdig Onboarding Auth Service Account" project = var.project_id } @@ -42,13 +43,13 @@ resource "google_service_account_iam_binding" "onboarding_auth_binding" { resource "google_iam_workload_identity_pool" "onboarding_auth_pool" { project = var.project_id - workload_identity_pool_id = "sysdig-secure-onboarding-${local.suffix}" + workload_identity_pool_id = "sysdig-onboarding-${local.suffix}" } resource "google_iam_workload_identity_pool_provider" "onboarding_auth_pool_provider" { project = var.project_id workload_identity_pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id - workload_identity_pool_provider_id = "sysdig-secure-onboarding-${local.suffix}" + workload_identity_pool_provider_id = "sysdig-onboarding-${local.suffix}" display_name = "Sysdigcloud onboarding auth" description = "AWS identity pool provider for Sysdig Secure Data Onboarding resources" disabled = false @@ -77,7 +78,7 @@ resource "google_project_iam_member" "browser" { } # attaching WIF as a member to the service account for auth -resource "google_service_account_iam_member" "custom_auth" { +resource "google_service_account_iam_member" "custom_onboarding_auth" { service_account_id = google_service_account.onboarding_auth.name role = "roles/iam.workloadIdentityUser" member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}" 
@@ -101,19 +102,17 @@ resource "sysdig_secure_cloud_auth_account" "google_account" { version = "v0.1.0" service_principal_metadata = jsonencode({ gcp = { - service_principal = { - workload_identity_federation = { - pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id - pool_provider_id = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id - project_number = data.google_project.project.number - } - email = google_service_account.onboarding_auth.email + workload_identity_federation = { + pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id + pool_provider_id = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id + project_number = data.google_project.project.number } + email = google_service_account.onboarding_auth.email } }) } - depends_on = [google_service_account_iam_member.custom_auth] + depends_on = [google_service_account_iam_member.custom_onboarding_auth] lifecycle { ignore_changes = [ diff --git a/modules/onboarding/outputs.tf b/modules/onboarding/outputs.tf index 75ec94c..6edda10 100644 --- a/modules/onboarding/outputs.tf +++ b/modules/onboarding/outputs.tf 
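Review bot: `depends_on = [google_service_account_iam_member.custom_onboarding_auth]` correctly follows the rename in the earlier hunk. Because the flattened `service_principal_metadata` lives inside the `component` block of `sysdig_secure_cloud_auth_account.google_account`, check that the `lifecycle { ignore_changes = [` list that follows this hunk does not cover `component`; if it does, accounts created with the old nested shape will never receive the updated metadata on apply.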
@@ -1,29 +1,9 @@ -output "workload_identity_pool_id" { - value = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id - description = "Id of Workload Identity Pool for authenticating to GCP to access data onboarding resources" -} - -output "workload_identity_pool_provider_id" { - value = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id - description = "Id of Workload Identity Pool Provider for authenticating to GCP to access data onboarding resources" -} - -output "workload_identity_project_number" { - value = data.google_project.project.number - description = "GCP project number" -} - -output "service_account_email" { - value = google_service_account.onboarding_auth.email - description = "email of the Service Account created" -} - output "project_id" { value = var.project_id description = "Project ID in which secure-for-cloud onboarding resources are created. For organizational installs it is the Management Project ID selected during install" } -output "sysdig_secure_project_id" { +output "sysdig_secure_account_id" { value = sysdig_secure_cloud_auth_account.google_account.id description = "ID of the Sysdig Cloud Account created" } From 9ddecae46d5341795dd0ed1cf72b597c4f5f9778 Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Thu, 5 Sep 2024 15:08:44 -0700 Subject: [PATCH 07/20] updating examples for onboarding & cspm org --- modules/onboarding/organizational.tf | 2 +- modules/onboarding/outputs.tf | 5 ++++ .../onboarding_with_posture.tf | 26 ++++++++++++++++--- .../onboarding_with_posture.tf | 15 +++++++++++ 4 files changed, 43 insertions(+), 5 deletions(-) diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf index 4ff434a..09554ea 100644 --- a/modules/onboarding/organizational.tf +++ b/modules/onboarding/organizational.tf 
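Review bot: renaming the `sysdig_secure_project_id` output to `sysdig_secure_account_id` and removing `workload_identity_pool_id`, `workload_identity_pool_provider_id`, `workload_identity_project_number` and `service_account_email` is a breaking change to the module interface, and the documentation is not updated with it: the onboarding README edited in the previous patch still lists all four removed outputs and `sysdig_secure_project_id`, and the config-posture README's closing note still tells users to pass `sysdig_secure_project_id` into feature modules. Update both READMEs in the same patch. The new name itself is right, since `config-posture` already declares `sysdig_secure_account_id` as its input.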
@@ -26,7 +26,7 @@ resource "google_organization_iam_member" "browser" { # Call Sysdig Backend to create organization with foundational onboarding # (ensure it is called after all above cloud resources are created) #--------------------------------------------------------------------------------------------- -resource "sysdig_secure_organization" "azure_organization" { +resource "sysdig_secure_organization" "google_organization" { count = var.is_organizational ? 1 : 0 management_account_id = sysdig_secure_cloud_auth_account.google_account.id diff --git a/modules/onboarding/outputs.tf b/modules/onboarding/outputs.tf index 6edda10..7db7f22 100644 --- a/modules/onboarding/outputs.tf +++ b/modules/onboarding/outputs.tf @@ -12,3 +12,8 @@ output "is_organizational" { value = var.is_organizational description = "Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not" } + +output "organization_domain" { + value = var.organization_domain + description = "Organization domain. e.g. sysdig.com" +} diff --git a/test/examples/modular_organization/onboarding_with_posture.tf b/test/examples/modular_organization/onboarding_with_posture.tf index 63b1c09..ca933bd 100644 --- a/test/examples/modular_organization/onboarding_with_posture.tf +++ b/test/examples/modular_organization/onboarding_with_posture.tf 
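Review bot: renaming `sysdig_secure_organization.azure_organization` to `sysdig_secure_organization.google_organization` changes the resource address, so any state created with the earlier name will plan a destroy and recreate of the Sysdig organization; if the onboarding module has been applied anywhere, add `moved { from = sysdig_secure_organization.azure_organization  to = sysdig_secure_organization.google_organization }` to `organizational.tf`. The new `organization_domain` output is a plain pass-through of the input, which is fine for chaining into the `config-posture` module.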
@@ -18,8 +18,26 @@ provider "sysdig" { } module "onboarding" { - source = "../../../modules/onboarding" - project_id = "org-child-project-3" - external_id = "25ef0d887bc7a2b30089a025618e1c62" - is_organizational = true + source = "../../../modules/onboarding" + project_id = "org-child-project-3" + external_id = "25ef0d887bc7a2b30089a025618e1c62" + is_organizational = true + organization_domain = "draios.com" +} + +module "config-posture" { + source = "../../../modules/config-posture" + project_id = module.onboarding.project_id + external_id = "25ef0d887bc7a2b30089a025618e1c62" + is_organizational = module.onboarding.is_organizational + organization_domain = module.onboarding.organization_domain + sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id +} + +resource "sysdig_secure_cloud_auth_account_feature" "config_posture" { + account_id = module.onboarding.sysdig_secure_account_id + type = "FEATURE_SECURE_CONFIG_POSTURE" + enabled = true + components = [module.config-posture.service_principal_component_id] + depends_on = [module.config-posture] } \ No newline at end of file diff --git a/test/examples/modular_single_project/onboarding_with_posture.tf b/test/examples/modular_single_project/onboarding_with_posture.tf index 6372874..c2db178 100644 --- a/test/examples/modular_single_project/onboarding_with_posture.tf +++ b/test/examples/modular_single_project/onboarding_with_posture.tf 
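Review bot: the example repeats the literal `external_id = "25ef0d887bc7a2b30089a025618e1c62"` in both module calls; the WIF `attribute_condition` in `config-posture` and the pool binding in `onboarding` must carry the same value, so hold it in one `variable` or `local` and reference it from both calls to rule out drift. `management_group_ids` is not passed, so the example only exercises the whole-organization path. On `sysdig_secure_cloud_auth_account_feature.config_posture`, `depends_on = [module.config-posture]` is redundant with the `components = [module.config-posture.service_principal_component_id]` reference, and a module-level `depends_on` defers the feature on every change inside the module; keep the reference and drop the explicit dependency.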
@@ -21,4 +21,19 @@ module "onboarding" { source = "../../../modules/onboarding" project_id = "org-child-project-3" external_id = "25ef0d887bc7a2b30089a025618e1c62" +} + +module "config-posture" { + source = "../../../modules/config-posture" + project_id = "org-child-project-3" + external_id = "25ef0d887bc7a2b30089a025618e1c62" + sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id +} + +resource "sysdig_secure_cloud_auth_account_feature" "config_posture" { + account_id = module.onboarding.sysdig_secure_account_id + type = "FEATURE_SECURE_CONFIG_POSTURE" + enabled = true + components = [module.config-posture.service_principal_component_id] + depends_on = [module.config-posture] } \ No newline at end of file From 3f53ac9883168c44ce97deb017530a9bbd2b8136 Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Thu, 5 Sep 2024 15:24:07 -0700 Subject: [PATCH 08/20] cleanup foundational READMEs --- modules/config-posture/README.md | 29 ++++++++++++----------------- modules/onboarding/README.md | 15 ++++++--------- 2 files changed, 18 insertions(+), 26 deletions(-) diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md index 9557b9a..42ba8d6 100644 --- a/modules/config-posture/README.md +++ b/modules/config-posture/README.md @@ -56,26 +56,21 @@ No modules. ## Inputs -| Name | Description | Type | Default | Required | -|------|---------------------------------------------------------------------------------------------------------------------------|------|-----------------------------------------------|:--------:| -| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | -| [labels](#input\_labels) | (Optional) Labels to be associated with Sysdig-originated resources | `map(string)` |
{
"originator": "sysdig"
}
| no | -| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | -| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | -| [role\_name](#input\_role\_name) | (Optional) Role name for custom role binding to the service account, with read permissions for posture resources | `string` | `"SysdigPostureAuthRole-{random_id}"` | no | -| [external\_id](#input\_external\_id) | (Required) Random string generated unique to a customer | `string` | n/a | yes | -| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | +| Name | Description | Type | Default | Required | +|------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|------|-----------------------------------------------|:--------:| +| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | +| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | +| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | +| [external\_id](#input\_external\_id) | (Required) Random string generated unique to a customer | `string` | n/a | yes | +| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. 
If not provided, random value is autogenerated | `string` | `null` | no | +| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) The GUID of the management project or single project per sysdig representation | `string` | n/a | yes | +| [management\_group\_ids](#input\_management\_group\_ids) | (Optional) Management group ids to onboard sub ogs or folders like 'organizations/sysdig.com' or 'folders/test-1' | `string` | n/a | yes | ## Outputs -| Name | Description | -|------|----------------------------------------------------------------------------------------------------| -| [workload\_identity\_pool\_id](#output\_workload\_identity\_pool\_id) | Id of Workload Identity Pool for authenticating to GCP to access config posture resources | -| [workload\_identity\_pool\_provider\_id](#output\_workload\_identity\_pool\_provider\_id) | Id of Workload Identity Pool Provider for authenticating to GCP to access config posture resources | -| [workload\_identity\_project\_number](#output\_workload\_identity\_project\_number) | GCP project number | -| [service\_account\_email](#output\_service\_account\_email) | email of the Service Account created | -| [sysdig\_secure\_project\_id](#output\_sysdig\_secure\_project\_id) | ID of the Sysdig Cloud Account created | -| [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not | +| Name | Description | +|--------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------| +| [service\_principal\_component\_id](#output\_service\_principal\_component\_id) | The component id of the config posture service principal with its WIF metadata | ## Authors diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md index 135f4c0..de459c5 100644 
--- a/modules/onboarding/README.md +++ b/modules/onboarding/README.md @@ -60,7 +60,6 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | -| [labels](#input\_labels) | (Optional) Labels to be associated with Sysdig-originated resources | `map(string)` |
{
"originator": "sysdig"
}
| no | | [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | | [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | | [external\_id](#input\_external\_id) | (Required) Random string generated unique to a customer | `string` | n/a | yes | 
@@ -68,14 +67,12 @@ No modules. ## Outputs -| Name | Description | -|------|------------------------------------------------------------------------------------------------| -| [workload\_identity\_pool\_id](#output\_workload\_identity\_pool\_id) | Id of Workload Identity Pool for authenticating to GCP to access onboarding resources | -| [workload\_identity\_pool\_provider\_id](#output\_workload\_identity\_pool\_provider\_id) | Id of Workload Identity Pool Provider for authenticating to GCP to access onboarding resources | -| [workload\_identity\_project\_number](#output\_workload\_identity\_project\_number) | GCP project number | -| [service\_account\_email](#output\_service\_account\_email) | email of the Service Account created | -| [sysdig\_secure\_project\_id](#output\_sysdig\_secure\_project\_id) | ID of the Sysdig Cloud Account created | -| [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not | +| Name | Description | +|--------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------| +| [sysdig\_secure\_project\_id](#output\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account created | +| [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not | +| [organization\_domain](#output\_organization\_domain) | Organization domain of the GCP org being onboarded | +| [project\_id](#output\_project\_id) | The management project id chosen during install, where global resources are deployed | ## Authors From c9106640a4115357f085ba7da6c51583a09773b8 Mon Sep 17 00:00:00 2001 
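Review bot: the onboarding Outputs table added in this hunk names the row `sysdig_secure_project_id` but links it to `#output_sysdig_secure_account_id`, and both example files in this series consume `module.onboarding.sysdig_secure_account_id`; rename the row so the documented output name matches the real one. In the config-posture Inputs table earlier in this patch, `management_group_ids` is described as `(Optional)` yet marked Required `yes`; the variable has `default = []` (visible where PATCH 11 deletes it), so the column should read `no`.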
From: Haresh Suresh Date: Fri, 6 Sep 2024 10:01:12 -0700 Subject: [PATCH 09/20] use external_id datasource --- modules/config-posture/main.tf | 6 ++++-- modules/onboarding/main.tf | 6 ++++-- .../modular_organization/onboarding_with_posture.tf | 2 -- .../modular_single_project/onboarding_with_posture.tf | 2 -- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf index bbb8e80..6b27a79 100644 --- a/modules/config-posture/main.tf +++ b/modules/config-posture/main.tf @@ -6,6 +6,8 @@ data "sysdig_secure_trusted_cloud_identity" "trusted_identity" { cloud_provider = "gcp" } +data "sysdig_secure_tenant_external_id" "external_id" {} + data "google_project" "project" { project_id = var.project_id } @@ -54,7 +56,7 @@ resource "google_iam_workload_identity_pool_provider" "posture_auth_pool_provide description = "AWS identity pool provider for Sysdig Secure Data Config Posture resources" disabled = false - attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}\"" + attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\"" attribute_mapping = { "google.subject" = "assertion.arn", 
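Review bot: sourcing the external ID from `data.sysdig_secure_tenant_external_id` instead of a hard-coded variable removes the copy-pasted literal from the examples, which is the right direction. Worth stating in the README, though, what the `attribute_condition` actually enforces: `assertion.arn` is the STS assumed-role ARN, whose last segment is a session name chosen by whoever assumes the role, so the condition narrows trust to Sysdig's AWS account and role name plus a tenant discriminator; the external ID is not a secret and its disclosure is not a compromise. The provider description `AWS identity pool provider for Sysdig Secure Data Config Posture resources` is fine, but the `aws { account_id = ... }` block is the real trust anchor and deserves a comment saying so.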
@@ -81,7 +83,7 @@ resource "google_project_iam_member" "cspm" { resource "google_service_account_iam_member" "custom_posture_auth" { service_account_id = google_service_account.posture_auth.name role = "roles/iam.workloadIdentityUser" - member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}" + member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}" } #-------------------------------------------------------------------------------------------------------------- diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf index 0cc8518..5ed3c49 100644 --- a/modules/onboarding/main.tf +++ b/modules/onboarding/main.tf @@ -6,6 +6,8 @@ data "sysdig_secure_trusted_cloud_identity" "trusted_identity" { cloud_provider = "gcp" } +data "sysdig_secure_tenant_external_id" "external_id" {} + data "google_project" "project" { project_id = var.project_id } 
@@ -54,7 +56,7 @@ resource "google_iam_workload_identity_pool_provider" "onboarding_auth_pool_prov description = "AWS identity pool provider for Sysdig Secure Data Onboarding resources" disabled = false - attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}\"" + attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\"" attribute_mapping = { "google.subject" = "assertion.arn", 
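Review bot: this `attribute_condition` change is character for character the same as the config-posture one, and the `arn:aws:sts::...:assumed-role/.../<external_id>` string is built by hand in four places across the two modules (two provider conditions, two `principalSet://` members). A single local per module that holds that ARN, or a shared submodule for the pool/provider/member trio, would stop the copies drifting; as written, a fix to one module can be silently missed in the other.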
@@ -81,7 +83,7 @@ resource "google_project_iam_member" "browser" { resource "google_service_account_iam_member" "custom_onboarding_auth" { service_account_id = google_service_account.onboarding_auth.name role = "roles/iam.workloadIdentityUser" - member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}" + member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}" } #--------------------------------------------------------------------------------------------- diff --git a/test/examples/modular_organization/onboarding_with_posture.tf b/test/examples/modular_organization/onboarding_with_posture.tf index ca933bd..29c2e38 100644 --- a/test/examples/modular_organization/onboarding_with_posture.tf +++ b/test/examples/modular_organization/onboarding_with_posture.tf @@ -20,7 +20,6 @@ provider "sysdig" { module "onboarding" { source = "../../../modules/onboarding" project_id = "org-child-project-3" - external_id = "25ef0d887bc7a2b30089a025618e1c62" is_organizational = true organization_domain = "draios.com" } 
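Review bot: dropping `external_id` from the example is good, but the modules now depend on the `sysdig_secure_tenant_external_id` data source while their versions.tf still constrains the provider to `>= 1.29.2` until PATCH 12 (whose message says the bump is needed for the latest data sources). Bump the constraint in this commit so an old provider fails at `terraform init` with a clear message instead of failing at plan with an unknown data source.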
@@ -28,7 +27,6 @@ module "onboarding" { module "config-posture" { source = "../../../modules/config-posture" project_id = module.onboarding.project_id - external_id = "25ef0d887bc7a2b30089a025618e1c62" is_organizational = module.onboarding.is_organizational organization_domain = module.onboarding.organization_domain sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id diff --git a/test/examples/modular_single_project/onboarding_with_posture.tf b/test/examples/modular_single_project/onboarding_with_posture.tf index c2db178..7325f9d 100644 --- a/test/examples/modular_single_project/onboarding_with_posture.tf +++ b/test/examples/modular_single_project/onboarding_with_posture.tf @@ -20,13 +20,11 @@ provider "sysdig" { module "onboarding" { source = "../../../modules/onboarding" project_id = "org-child-project-3" - external_id = "25ef0d887bc7a2b30089a025618e1c62" } module "config-posture" { source = "../../../modules/config-posture" project_id = "org-child-project-3" - external_id = "25ef0d887bc7a2b30089a025618e1c62" sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id } From a0cb3121f1e41bf0b86ee4745a8070bcd880b22f Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Fri, 6 Sep 2024 10:06:19 -0700 Subject: [PATCH 10/20] update README --- modules/config-posture/README.md | 13 ++++++------- modules/config-posture/variables.tf | 5 ----- modules/onboarding/README.md | 1 - modules/onboarding/variables.tf | 5 ----- 4 files changed, 6 insertions(+), 18 deletions(-) diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md index 42ba8d6..7e6c42b 100644 --- a/modules/config-posture/README.md +++ b/modules/config-posture/README.md 
@@ -58,13 +58,12 @@ No modules. | Name | Description | Type | Default | Required | |------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|------|-----------------------------------------------|:--------:| -| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | -| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | -| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | -| [external\_id](#input\_external\_id) | (Required) Random string generated unique to a customer | `string` | n/a | yes | -| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | -| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) The GUID of the management project or single project per sysdig representation | `string` | n/a | yes | -| [management\_group\_ids](#input\_management\_group\_ids) | (Optional) Management group ids to onboard sub ogs or folders like 'organizations/sysdig.com' or 'folders/test-1' | `string` | n/a | yes | +| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | +| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. 
sysdig.com | `string` | `""` | no | +| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | +| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | +| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) The GUID of the management project or single project per sysdig representation | `string` | n/a | yes | +| [management\_group\_ids](#input\_management\_group\_ids) | (Optional) Management group ids to onboard sub ogs or folders like 'organizations/sysdig.com' or 'folders/test-1' | `string` | n/a | no | ## Outputs diff --git a/modules/config-posture/variables.tf b/modules/config-posture/variables.tf index b1d3d9e..c6630bd 100644 --- a/modules/config-posture/variables.tf +++ b/modules/config-posture/variables.tf @@ -21,11 +21,6 @@ variable "management_group_ids" { default = [] } -variable "external_id" { - type = string - description = "(Required) Random string generated unique to a customer" -} - variable "suffix" { type = string description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated" diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md index de459c5..1fbd585 100644 --- a/modules/onboarding/README.md +++ b/modules/onboarding/README.md 
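Review bot: the `management_group_ids` row is now correctly `no` in the Required column, but it still says type `string` and gives `organizations/sysdig.com` as an example, whereas the variable definition (visible where PATCH 11 deletes it) is `set(string)` with the example `[organizations/123456789012]`; GCP organization resource names use the numeric ID, not the domain. Since PATCH 11 removes the variable from this module anyway, drop the row here instead of correcting it. `sub ogs` is a typo for `sub orgs`.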
@@ -62,7 +62,6 @@ No modules. | [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | | [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | | [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | -| [external\_id](#input\_external\_id) | (Required) Random string generated unique to a customer | `string` | n/a | yes | | [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | ## Outputs diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf index 7564fc6..9571e7e 100644 --- a/modules/onboarding/variables.tf +++ b/modules/onboarding/variables.tf @@ -21,11 +21,6 @@ variable "management_group_ids" { default = [] } -variable "external_id" { - type = string - description = "(Required) Random string generated unique to a customer" -} - variable "suffix" { type = string description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated" From 8a0eea2c81b6b752f805bb012b6ea0885e4a4c0a Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Fri, 6 Sep 2024 10:40:38 -0700 Subject: [PATCH 11/20] remove mgmt_group_ids in cspm module --- modules/config-posture/variables.tf | 6 ------ 1 file changed, 6 deletions(-) diff --git a/modules/config-posture/variables.tf b/modules/config-posture/variables.tf index c6630bd..b975bc2 100644 --- a/modules/config-posture/variables.tf +++ b/modules/config-posture/variables.tf 
@@ -15,12 +15,6 @@ variable "organization_domain" { default = "" } -variable "management_group_ids" { - type = set(string) - description = "(Optional) Management group id to onboard. e.g. [organizations/123456789012], [folders/123456789012]" - default = [] -} - variable "suffix" { type = string description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated" From 7d9e1d7b46e63b502afaad252f1c2dc9c1738d56 Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Mon, 9 Sep 2024 20:47:46 -0700 Subject: [PATCH 12/20] bump sysdig provider version to be consistent & have latest datasources --- modules/config-posture/versions.tf | 2 +- modules/onboarding/versions.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/config-posture/versions.tf b/modules/config-posture/versions.tf index 7f82c5f..adb6e1a 100644 --- a/modules/config-posture/versions.tf +++ b/modules/config-posture/versions.tf @@ -8,7 +8,7 @@ terraform { } sysdig = { source = "sysdiglabs/sysdig" - version = ">= 1.29.2" + version = ">= 1.34.0" } random = { source = "hashicorp/random" diff --git a/modules/onboarding/versions.tf b/modules/onboarding/versions.tf index 7f82c5f..adb6e1a 100644 --- a/modules/onboarding/versions.tf +++ b/modules/onboarding/versions.tf @@ -8,7 +8,7 @@ terraform { } sysdig = { source = "sysdiglabs/sysdig" - version = ">= 1.29.2" + version = ">= 1.34.0" } random = { source = "hashicorp/random" From d18b821225996366969ee70d4fa34442f27ba343 Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Mon, 9 Sep 2024 20:49:56 -0700 Subject: [PATCH 13/20] updating examples --- test/examples/modular_organization/onboarding_with_posture.tf | 2 +- test/examples/modular_single_project/onboarding_with_posture.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
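Review bot: removing `management_group_ids` from config-posture/variables.tf leaves the Inputs row added in PATCH 10 documenting a variable that no longer exists; delete the row in the same commit rather than in a later README sweep. On the versions.tf hunks, `>= 1.34.0` sets only a floor while the examples pin `~> 1.34.0`; a `~> 1.34` constraint in the modules would keep a future major release of the sysdig provider from being picked up by `terraform init -upgrade` without review.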
diff --git a/test/examples/modular_organization/onboarding_with_posture.tf b/test/examples/modular_organization/onboarding_with_posture.tf index 29c2e38..c902e5e 100644 --- a/test/examples/modular_organization/onboarding_with_posture.tf +++ b/test/examples/modular_organization/onboarding_with_posture.tf @@ -7,7 +7,7 @@ terraform { required_providers { sysdig = { source = "sysdiglabs/sysdig" - version = "~> 1.29.2" + version = "~> 1.34.0" } } } diff --git a/test/examples/modular_single_project/onboarding_with_posture.tf b/test/examples/modular_single_project/onboarding_with_posture.tf index 7325f9d..7222a68 100644 --- a/test/examples/modular_single_project/onboarding_with_posture.tf +++ b/test/examples/modular_single_project/onboarding_with_posture.tf @@ -7,7 +7,7 @@ terraform { required_providers { sysdig = { source = "sysdiglabs/sysdig" - version = "~> 1.29.2" + version = "~> 1.34.0" } } } From 299dacf06f8f6d31324774cdaca212e2c080a6bf Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Tue, 10 Sep 2024 13:42:10 -0700 Subject: [PATCH 14/20] update example --- test/examples/modular_single_project/onboarding_with_posture.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/examples/modular_single_project/onboarding_with_posture.tf b/test/examples/modular_single_project/onboarding_with_posture.tf index 7222a68..01c0705 100644 --- a/test/examples/modular_single_project/onboarding_with_posture.tf +++ b/test/examples/modular_single_project/onboarding_with_posture.tf @@ -24,7 +24,7 @@ module "onboarding" { module "config-posture" { source = "../../../modules/config-posture" - project_id = "org-child-project-3" + project_id = module.onboarding.project_id sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id } From 657ad414fe81e29d5e93cc66217c7bf3916d5de8 Mon Sep 17 00:00:00 2001 
From: Haresh Suresh Date: Tue, 10 Sep 2024 21:28:15 -0700 Subject: [PATCH 15/20] add explicit dependency --- modules/onboarding/main.tf | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf index 5ed3c49..499712d 100644 --- a/modules/onboarding/main.tf +++ b/modules/onboarding/main.tf @@ -114,7 +114,14 @@ resource "sysdig_secure_cloud_auth_account" "google_account" { }) } - depends_on = [google_service_account_iam_member.custom_onboarding_auth] + depends_on = [ + google_service_account.onboarding_auth, + google_service_account_iam_binding.onboarding_auth_binding, + google_iam_workload_identity_pool.onboarding_auth_pool, + google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider, + google_project_iam_member.browser, + google_service_account_iam_member.custom_onboarding_auth + ] lifecycle { ignore_changes = [ From 1189524d792cb12fe5543f0130beba39c343261e Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Thu, 12 Sep 2024 22:09:32 -0700 Subject: [PATCH 16/20] switch to svc principal key for onboarding --- modules/config-posture/main.tf | 9 ++++- modules/onboarding/README.md | 4 +- modules/onboarding/main.tf | 70 +++++----------------------------- 3 files changed, 19 insertions(+), 64 deletions(-) diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf index 6b27a79..c4ac937 100644 --- a/modules/config-posture/main.tf +++ b/modules/config-posture/main.tf 
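Review bot: most of the entries added to `depends_on` on `sysdig_secure_cloud_auth_account.google_account` are already transitive dependencies of `google_service_account_iam_member.custom_onboarding_auth` (it references the pool, the provider and the service account), so the only new ordering edge is `google_project_iam_member.browser`. If the motivation is that the Sysdig backend validates the WIF binding before GCP IAM has propagated it, `depends_on` does not help: Terraform treats the IAM member as complete as soon as the API returns. A `time_sleep` resource between the IAM bindings and the account, or a retry in the backend validation, addresses that. The commit message `add explicit dependency` should say which of the two problems this is meant to fix.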
@@ -104,5 +104,12 @@ resource "sysdig_secure_cloud_auth_account_component" "google_service_principal" email = google_service_account.posture_auth.email } }) - depends_on = [google_service_account_iam_member.custom_posture_auth] + depends_on = [ + google_service_account.posture_auth, + google_service_account_iam_binding.posture_auth_binding, + google_iam_workload_identity_pool.posture_auth_pool, + google_iam_workload_identity_pool_provider.posture_auth_pool_provider, + google_project_iam_member.cspm, + google_service_account_iam_member.custom_posture_auth + ] } diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md index 1fbd585..59c293e 100644 --- a/modules/onboarding/README.md +++ b/modules/onboarding/README.md 
@@ -7,12 +7,12 @@ The Foundational Onboarding module serves the following functions: If instrumenting a project, the following resources will be created: - All the necessary `Service Accounts` and `Policies` to enable the Onboarding operation at the project level -- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources. +- A `Service Account key` and added role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources. - A cloud account in the Sysdig Backend, associated with the GCP project and with the required component to serve the foundational functions. If instrumenting an Organziation, the following resources will be created: - All the necessary `Service Accounts` and `Policies` to enable the Onboarding operation at the organization level -- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources. +- A `Service Account key` and added role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources. - A cloud account in the Sysdig Backend, associated with the management project and with the required component to serve the foundational functions. - A cloud organization in the Sysdig Backend, associated with the GCP Organization to fetch the organization structure to install Sysdig Secure for Cloud on. diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf index 499712d..50b2e15 100644 --- a/modules/onboarding/main.tf +++ b/modules/onboarding/main.tf 
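Review bot: the README bullets now say a `Service Account key` is created but not what that implies for the customer: the private half is generated by Google, returned to Terraform, written to state, and sent to the Sysdig backend inside `service_principal_metadata` (see the main.tf hunk later in this patch). Document that state must be stored encrypted with restricted access, that the key is long-lived until rotated through the Terraform resource, and that `constraints/iam.disableServiceAccountKeyCreation` will make this module fail in organizations that enforce it. The bullet being removed described the no-secret WIF design; say why onboarding needs a key when config-posture keeps WIF. The `Organziation` typo in the unchanged context line could be fixed while here.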
@@ -1,18 +1,12 @@ #------------------------------------------------------------------# -# Fetch and compute required data for Workload Identity Federation # +# Fetch and compute required data for Service Account Key # #------------------------------------------------------------------# -data "sysdig_secure_trusted_cloud_identity" "trusted_identity" { - cloud_provider = "gcp" -} - -data "sysdig_secure_tenant_external_id" "external_id" {} - data "google_project" "project" { project_id = var.project_id } -// suffix to uniquely identify WIF pool and provider during multiple installs. If suffix value is not provided, this will generate a random value. +// suffix to uniquely identify onboarding service account during multiple installs. If suffix value is not provided, this will generate a random value. resource "random_id" "suffix" { count = var.suffix == null ? 1 : 0 byte_length = 3 
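Review bot: with the two Sysdig data sources gone, `data "google_project" "project"` is kept at the top of the file, but the only consumers visible in this patch (`project_number` in the account metadata and the `principalSet://` member string) are deleted further down. If nothing else in main.tf reads `data.google_project.project`, remove it too; otherwise the new banner `Fetch and compute required data for Service Account Key` describes a data source that feeds nothing.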
@@ -29,45 +23,6 @@ resource "google_service_account" "onboarding_auth" { project = var.project_id } -resource "google_service_account_iam_binding" "onboarding_auth_binding" { - service_account_id = google_service_account.onboarding_auth.name - role = "roles/iam.workloadIdentityUser" - - members = [ - "serviceAccount:${google_service_account.onboarding_auth.email}", - ] -} - -#------------------------------------------------------------# -# Configure Workload Identity Federation for auth # -# See https://cloud.google.com/iam/docs/access-resources-aws # -#------------------------------------------------------------# - -resource "google_iam_workload_identity_pool" "onboarding_auth_pool" { - project = var.project_id - workload_identity_pool_id = "sysdig-onboarding-${local.suffix}" -} - -resource "google_iam_workload_identity_pool_provider" "onboarding_auth_pool_provider" { - project = var.project_id - workload_identity_pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id - workload_identity_pool_provider_id = "sysdig-onboarding-${local.suffix}" - display_name = "Sysdigcloud onboarding auth" - description = "AWS identity pool provider for Sysdig Secure Data Onboarding resources" - disabled = false - - attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\"" - - attribute_mapping = { - "google.subject" = "assertion.arn", - "attribute.aws_role" = "assertion.arn" - } - - aws { - account_id = data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id - } -} - #--------------------------------- # role permissions for onboarding #--------------------------------- 
@@ -79,11 +34,12 @@ resource "google_project_iam_member" "browser" { member = "serviceAccount:${google_service_account.onboarding_auth.email}" } -# attaching WIF as a member to the service account for auth -resource "google_service_account_iam_member" "custom_onboarding_auth" { +#-------------------------------- +# service account private key + +#-------------------------------- +resource "google_service_account_key" "onboarding_service_account_key" { service_account_id = google_service_account.onboarding_auth.name - role = "roles/iam.workloadIdentityUser" - member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}" } #--------------------------------------------------------------------------------------------- 
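Review bot: `google_service_account_key.onboarding_service_account_key` is declared with only `service_account_id`, so the key never rotates unless someone taints the resource; add a `keepers` map (for example keyed on a rotation-date variable) so a planned rotation is an ordinary `terraform apply`. The comment banner above it has a stray blank line between `# service account private key` and the closing `#---` rule. The `custom_onboarding_auth` member being deleted here was the only path that let an external identity impersonate this service account; after this change the key is the sole credential, so the handling in the next hunk is the security-critical part of the module.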
@@ -104,23 +60,15 @@ resource "sysdig_secure_cloud_auth_account" "google_account" { version = "v0.1.0" service_principal_metadata = jsonencode({ gcp = { - workload_identity_federation = { - pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id - pool_provider_id = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id - project_number = data.google_project.project.number - } - email = google_service_account.onboarding_auth.email + key = google_service_account_key.onboarding_service_account_key.private_key } }) } depends_on = [ google_service_account.onboarding_auth, - google_service_account_iam_binding.onboarding_auth_binding, - google_iam_workload_identity_pool.onboarding_auth_pool, - google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider, google_project_iam_member.browser, - google_service_account_iam_member.custom_onboarding_auth + google_service_account_key.onboarding_service_account_key ] lifecycle { From 420bf8b9c4c5012fcdabde2ecc83062c57e0d024 Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Sun, 15 Sep 2024 20:55:04 -0700 Subject: [PATCH 17/20] rm unnecessary binding in config posture --- modules/config-posture/main.tf | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf index c4ac937..75302fa 100644 --- a/modules/config-posture/main.tf +++ b/modules/config-posture/main.tf 
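Review bot: `key = google_service_account_key.onboarding_service_account_key.private_key` puts the base64-encoded JSON credential into the `service_principal_metadata` string of `sysdig_secure_cloud_auth_account`, so it is stored twice in state (on the key resource and in the account resource's arguments) and will appear in plan output unless the sysdig provider marks that attribute sensitive; confirm that it does, or wrap the value with `sensitive()`. Also confirm the backend expects the base64 form that `private_key` returns rather than the decoded JSON document. The `lifecycle { ignore_changes = [` block is cut off in this hunk; if it covers `component` or `service_principal_metadata`, a rotated key will never reach the backend and the old key stays active there.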
@@ -29,15 +29,6 @@ resource "google_service_account" "posture_auth" { project = var.project_id } -resource "google_service_account_iam_binding" "posture_auth_binding" { - service_account_id = google_service_account.posture_auth.name - role = "roles/iam.workloadIdentityUser" - - members = [ - "serviceAccount:${google_service_account.posture_auth.email}", - ] -} - #------------------------------------------------------------# # Configure Workload Identity Federation for auth # # See https://cloud.google.com/iam/docs/access-resources-aws # @@ -106,7 +97,6 @@ resource "sysdig_secure_cloud_auth_account_component" "google_service_principal" }) depends_on = [ google_service_account.posture_auth, - google_service_account_iam_binding.posture_auth_binding, google_iam_workload_identity_pool.posture_auth_pool, google_iam_workload_identity_pool_provider.posture_auth_pool_provider, google_project_iam_member.cspm, From 22a885a45573c3617445e0c6da8768d7b8d9ab0c Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Mon, 16 Sep 2024 10:52:41 -0700 Subject: [PATCH 18/20] update READMEs and var defns --- modules/config-posture/README.md | 13 ++++---- modules/config-posture/main.tf | 2 +- modules/config-posture/variables.tf | 6 ++++ modules/onboarding/README.md | 33 +++++++++---------- .../onboarding_with_posture.tf | 11 ++++--- .../onboarding_with_posture.tf | 10 +++--- 6 files changed, 40 insertions(+), 35 deletions(-) diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md index 7e6c42b..e87c8cd 100644 --- a/modules/config-posture/README.md +++ b/modules/config-posture/README.md 
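Review bot: agreed on removing `posture_auth_binding`: granting `roles/iam.workloadIdentityUser` to the service account on itself is a no-op for the WIF flow, and `google_service_account_iam_member.custom_posture_auth` on the `principalSet://` identity is the binding that actually matters. The matching `onboarding_auth_binding` disappeared in PATCH 16 only as a side effect of dropping WIF there, so this closes out both. The config-posture README Resources table still lists `google_service_account_iam_binding.posture_auth_binding` until PATCH 18; this commit would be the natural place for that edit.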
@@ -16,7 +16,7 @@ If instrumenting an Organziation, the following resources will be created: - A cloud account component in the Sysdig Backend, associated with the GCP project and with the required component to serve the config posture functions. Note: -- The outputs from the foundational module, such as `sysdig_secure_project_id` are needed as inputs to the other features/integrations modules for subsequent modular installs. +- The outputs from the foundational module, such as `sysdig_secure_account_id` are needed as inputs to the other features/integrations modules for subsequent modular installs. ## Requirements 
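Review bot: renaming the note from `sysdig_secure_project_id` to `sysdig_secure_account_id` matches what the examples consume, but the onboarding README Outputs table introduced in PATCH 08 still titles its row `sysdig_secure_project_id` while linking to `#output_sysdig_secure_account_id`; make sure the modules/onboarding/README.md diff in this patch (33 lines changed, not shown here) renames that row as well.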
@@ -41,18 +41,17 @@ No modules. ## Resources | [google_service_account.posture_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource | -| [google_service_account_iam_binding.posture_auth_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource | | [google_organization.org](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/organization) | data source | | [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source | | [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source | +| [sysdig_secure_tenant_external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source | | [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | | [google_iam_workload_identity_pool.posture_auth_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool) | resource | | [google_iam_workload_identity_pool_provider.posture_auth_pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource | -| [google_project_iam_custom_role.custom_posture_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam_custom_role) | resource | -| [google_project_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) | resource | -| 
[google_service_account_iam_member.custom_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member) | resource | -| [google_organization_iam_custom_role.custom_posture_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam_custom_role) | resource | -| [google_organization_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource | +| [google_project_iam_member.cspm](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) | resource | +| [google_service_account_iam_member.custom_posture_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member) | resource | +| [google_organization_iam_member.cspm](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource | +| [sysdig_secure_cloud_auth_account_component.google_service_principal](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource | ## Inputs diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf index 75302fa..87e5a90 100644 --- a/modules/config-posture/main.tf +++ b/modules/config-posture/main.tf 
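Review bot: the new Resources row `[sysdig_secure_tenant_external_id](...)` omits the instance name, unlike every other row in the table; `main.tf` addresses it as `data.sysdig_secure_tenant_external_id.external_id`, so the row should read `sysdig_secure_tenant_external_id.external_id`. If this table is produced by terraform-docs, regenerate it instead of hand-editing so the `google_project_iam_member.cspm` and `google_organization_iam_member.cspm` rows stay in step with the code as well.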
@@ -44,7 +44,7 @@ resource "google_iam_workload_identity_pool_provider" "posture_auth_pool_provide workload_identity_pool_id = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id workload_identity_pool_provider_id = "sysdig-posture-${local.suffix}" display_name = "Sysdigcloud config posture auth" - description = "AWS identity pool provider for Sysdig Secure Data Config Posture resources" + description = "AWS based pool provider for Sysdig Secure Data Config Posture resources" disabled = false attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\"" diff --git a/modules/config-posture/variables.tf b/modules/config-posture/variables.tf index b975bc2..9c071fa 100644 --- a/modules/config-posture/variables.tf +++ b/modules/config-posture/variables.tf @@ -21,6 +21,12 @@ variable "suffix" { default = null } +variable "management_group_ids" { + type = set(string) + description = "(Optional) Management group id to onboard. e.g. [organizations/123456789012], [folders/123456789012]" + default = [] +} + variable "sysdig_secure_account_id" { type = string description = "ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account)" diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md index 59c293e..0177242 100644 --- a/modules/onboarding/README.md +++ b/modules/onboarding/README.md 
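Review bot: `variable "management_group_ids"` is typed `set(string)` with default `[]`, but its description is singular ("Management group id to onboard") and the example values `[organizations/123456789012], [folders/123456789012]` read as two separate lists; write one set, e.g. `["organizations/123456789012", "folders/123456789012"]`, and make the README Inputs row agree on the type. The `description` change on the pool provider is cosmetic; the `attribute_condition` in the surrounding context, which pins the caller to Sysdig's `aws_account_id`, `aws_role_name` and tenant `external_id`, is the actual trust-boundary control and deserves a sentence in the README so reviewers know which line not to loosen.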
@@ -17,7 +17,7 @@ If instrumenting an Organziation, the following resources will be created: - A cloud organization in the Sysdig Backend, associated with the GCP Organization to fetch the organization structure to install Sysdig Secure for Cloud on. Note: -- The outputs from the foundational module, such as `sysdig_secure_project_id` are needed as inputs to the other features/integrations modules for subsequent modular installs. +- The outputs from the foundational module, such as `sysdig_secure_account_id` are needed as inputs to the other features/integrations modules for subsequent modular installs. ## Requirements 
@@ -42,33 +42,32 @@ No modules. ## Resources | [google_service_account.onboarding_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource | -| [google_service_account_iam_binding.onboarding_auth_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource | | [google_organization.org](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/organization) | data source | -| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source | | [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source | | [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | -| [google_iam_workload_identity_pool.onboarding_auth_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool) | resource | -| [google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource | -| [google_project_iam_custom_role.custom_onboarding_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam_custom_role) | resource | -| [google_project_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) | resource | -| [google_service_account_iam_member.custom_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member) | resource | -| 
[google_organization_iam_custom_role.custom_onboarding_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam_custom_role) | resource | -| [google_organization_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource | +| [google_project_iam_member.browser](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) | resource | +| [google_organization_iam_member.browser](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource | +| [google_service_account_key.onboarding_service_account_key](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) | resource | +| [sysdig_secure_cloud_auth_account.google_account](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account) | resource | +| [sysdig_secure_organization.google_organization](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_organization) | resource | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | -| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | -| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | -| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. 
If not provided, random value is autogenerated | `string` | `null` | no | +| Name | Description | Type | Default | Required | +|-----------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|------|---------|:--------:| +| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no | +| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no | +| [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | +| [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | +| [suffix](#input\_management\_group\_ids) | (Optional) List of management group ids w.r.t an org install. 
If not provided, set to empty by default | `string` | `null` | no | + + ## Outputs | Name | Description | |--------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------| -| [sysdig\_secure\_project\_id](#output\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account created | +| [sysdig\_secure\_account\_id](#output\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account created | | [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not | | [organization\_domain](#output\_organization\_domain) | Organization domain of the GCP org being onboarded | | [project\_id](#output\_project\_id) | The management project id chosen during install, where global resources are deployed | diff --git a/test/examples/modular_organization/onboarding_with_posture.tf b/test/examples/modular_organization/onboarding_with_posture.tf index c902e5e..1319305 100644 --- a/test/examples/modular_organization/onboarding_with_posture.tf +++ b/test/examples/modular_organization/onboarding_with_posture.tf @@ -1,8 +1,3 @@ -provider "google" { - project = "org-child-project-3" - region = "us-west1" -} - terraform { required_providers { sysdig = { @@ -17,6 +12,11 @@ provider "sysdig" { sysdig_secure_api_token = "API_TOKEN" } +provider "google" { + project = "org-child-project-3" + region = "us-west1" +} + module "onboarding" { source = "../../../modules/onboarding" project_id = "org-child-project-3" @@ -29,6 +29,7 @@ module "config-posture" { project_id = module.onboarding.project_id is_organizational = module.onboarding.is_organizational organization_domain = module.onboarding.organization_domain + management_group_ids = module.onboarding.management_group_ids sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id } 
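Review bot: the added Inputs row is mislabelled: it anchors to `#input\_management\_group\_ids` but its link text is `[suffix]`, its type is `string` and its default `null`, while its own description says "List of management group ids ... set to empty by default". Rename the link text to `management_group_ids`, type it `set(string)` to match the variable declared in config-posture, and default it to `[]`. Two further points on this README: the Resources table now lists `google_service_account_key.onboarding_service_account_key` and drops the workload identity pool and provider rows, so onboarding now authenticates with a long-lived service account key instead of federation; that resource writes the private key into Terraform state, and the README should say so and recommend an encrypted backend. Also, the organization example sets `management_group_ids = module.onboarding.management_group_ids`, but the Outputs rows visible in this hunk do not include `management_group_ids`; either the module exports it and it must be documented, or the example will not plan.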
diff --git a/test/examples/modular_single_project/onboarding_with_posture.tf b/test/examples/modular_single_project/onboarding_with_posture.tf index 01c0705..b46b41d 100644 --- a/test/examples/modular_single_project/onboarding_with_posture.tf +++ b/test/examples/modular_single_project/onboarding_with_posture.tf @@ -1,8 +1,3 @@ -provider "google" { - project = "org-child-project-3" - region = "us-west1" -} - terraform { required_providers { sysdig = { @@ -17,6 +12,11 @@ provider "sysdig" { sysdig_secure_api_token = "API_TOKEN" } +provider "google" { + project = "org-child-project-3" + region = "us-west1" +} + module "onboarding" { source = "../../../modules/onboarding" project_id = "org-child-project-3" From 59e13be782f9b24fae079bbdc6f5471990daa8d3 Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Mon, 16 Sep 2024 11:05:15 -0700 Subject: [PATCH 19/20] rm management group ids in config posture --- modules/config-posture/README.md | 1 - modules/config-posture/variables.tf | 6 ------ .../modular_organization/onboarding_with_posture.tf | 1 - 3 files changed, 8 deletions(-) diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md index e87c8cd..6f9d26f 100644 --- a/modules/config-posture/README.md +++ b/modules/config-posture/README.md 
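Review bot: both examples keep `sysdig_secure_api_token = "API_TOKEN"` as a literal in the provider block; since these files serve as copy-paste templates, drop the attribute and let the provider read `SYSDIG_SECURE_API_TOKEN` from the environment, or take it from a `sensitive = true` variable, so a real token is never committed. Moving `provider "google"` below `provider "sysdig"` is cosmetic, but the single-project example still names its project `org-child-project-3`, the same id as the organization example; a neutral name avoids implying the single-project path needs an org child.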
@@ -62,7 +62,6 @@ No modules. | [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes | | [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no | | [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) The GUID of the management project or single project per sysdig representation | `string` | n/a | yes | -| [management\_group\_ids](#input\_management\_group\_ids) | (Optional) Management group ids to onboard sub ogs or folders like 'organizations/sysdig.com' or 'folders/test-1' | `string` | n/a | no | ## Outputs diff --git a/modules/config-posture/variables.tf b/modules/config-posture/variables.tf index 9c071fa..b975bc2 100644 --- a/modules/config-posture/variables.tf +++ b/modules/config-posture/variables.tf @@ -21,12 +21,6 @@ variable "suffix" { default = null } -variable "management_group_ids" { - type = set(string) - description = "(Optional) Management group id to onboard. e.g. [organizations/123456789012], [folders/123456789012]" - default = [] -} - variable "sysdig_secure_account_id" { type = string description = "ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account)" diff --git a/test/examples/modular_organization/onboarding_with_posture.tf b/test/examples/modular_organization/onboarding_with_posture.tf index 1319305..214c779 100644 --- a/test/examples/modular_organization/onboarding_with_posture.tf +++ b/test/examples/modular_organization/onboarding_with_posture.tf 
@@ -29,7 +29,6 @@ module "config-posture" { project_id = module.onboarding.project_id is_organizational = module.onboarding.is_organizational organization_domain = module.onboarding.organization_domain - management_group_ids = module.onboarding.management_group_ids sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id } From 16ed16318f27cb5f3bd7331184df5e620a8ae5ca Mon Sep 17 00:00:00 2001 From: Haresh Suresh Date: Mon, 16 Sep 2024 16:14:32 -0700 Subject: [PATCH 20/20] set right sysdig versions --- modules/config-posture/README.md | 8 ++++---- modules/onboarding/README.md | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md index 6f9d26f..8ad48fc 100644 --- a/modules/config-posture/README.md +++ b/modules/config-posture/README.md @@ -21,11 +21,11 @@ Note: ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | +| Name | Version | +|------|-----------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | | [google](#requirement\_google) | >= 4.21.0 | -| [sysdig](#requirement\_sysdig) | >= 1.23.1 | +| [sysdig](#requirement\_sysdig) | >= 1.34.0 | ## Providers diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md index 0177242..d865008 100644 --- a/modules/onboarding/README.md +++ b/modules/onboarding/README.md @@ -22,11 +22,11 @@ Note: ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | +| Name | Version | +|------|-----------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | | [google](#requirement\_google) | >= 4.21.0 | -| [sysdig](#requirement\_sysdig) | >= 1.23.1 | +| [sysdig](#requirement\_sysdig) | >= 1.34.0 | ## Providers
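Review bot: PATCH 19 only undoes the config-posture `management_group_ids` variable and example wiring that PATCH 18 introduced (the README row it removes predates this patch and had the wrong type, `string` for a `set(string)`); squash the two so the series never carries a variable that was reverted two commits later. The mislabelled `management_group_ids` row in `modules/onboarding/README.md` is not touched here and still needs fixing. On PATCH 20, raising the documented `sysdig` requirement to `>= 1.34.0` changes only the two READMEs; the constraint Terraform enforces lives in the modules' own `required_providers`, and the `test/examples` files also pin `sysdig` in their `required_providers`, so bump those in the same commit or the README will drift from what the code requires.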