Work in progress

Noamstrauss · Noamstrauss · commit 4f4d12422ead · 2024-04-08T19:06:25.000+03:00
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1 @@
+@Noamstrauss
diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml
@@ -0,0 +1,61 @@
+name: PR Checks
+
+on:
+  pull_request:
+
+jobs:
+  pr-checks:
+    name: Terraform Validation
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ vars.TERRAFORM_VERSION }}
+
+      - name: Run tests for each example folder
+        run: |
+          TEST_CASES=(
+            examples/dedicated-project
+            examples/same-project
+          )
+
+          for tcase in ${TEST_CASES[@]}; do
+            echo "--> Running tests at $tcase"
+            (
+              cd $tcase || exit 1
+              echo "Terraform Format Check"
+              terraform fmt -check
+              echo "Terraform Init"
+              terraform init
+              echo "Terraform Validate"
+              terraform validate
+            ) || exit 1
+          done
+
+      - name: Comment PR with Terraform status
+        uses: actions/github-script@v7
+        env:
+          FORMAT_CHECK: "Terraform Format Check"
+          INIT_CHECK: "Terraform Init"
+          VALIDATE_CHECK: "Terraform Validate"
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const output = `#### Terraform Validation Results:
+
+            ${{ env.FORMAT_CHECK }} ✅
+            ${{ env.INIT_CHECK }} ✅
+            ${{ env.VALIDATE_CHECK }} ✅
+
+            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.tf_actions_working_dir }}\`, Workflow: \`${{ github.workflow }}\`*`;
+
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
diff --git a/.github/workflows/terraform-docs.yaml b/.github/workflows/terraform-docs.yaml
@@ -5,7 +5,7 @@ jobs:
   docs:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.ref }}
 
diff --git a/.github/workflows/trivy-scan.yaml b/.github/workflows/trivy-scan.yaml
@@ -6,7 +6,14 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
 
       - name: Run Aqua scanner
         uses: docker://aquasec/aqua-scanner
diff --git a/README.md b/README.md
@@ -2,7 +2,8 @@
 
 # Terraform-gcp-onboarding
 
-[![Version](https://img.shields.io/badge/version-1.0.0-blue)](https://github.com/aquasecurity/terraform-gcp-onboarding)
+![Trivy](https://github.com/aquasecurity/terraform-gcp-onboarding/actions/workflows/trivy-scan.yaml/badge.svg)
+[![Release](https://img.shields.io/github/v/release/aquasecurity/terraform-gcp-onboarding)](https://github.com/aquasecurity/terraform-gcp-onboarding/releases)
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 
 This Terraform module provides an easy way
@@ -175,8 +176,6 @@ It's important to note that the dedicated project ID should follow the naming co
 
 For example, if your Aqua tenant ID is `12345` and the first six characters of the SHA1 hash of your organization name are `12a456`, the dedicated project ID should be `aqua-agentless-12345-12a456`.
 
-You will also need to ensure that the existing dedicated project has the label `"aqua-agentless-scanner" = "true"` applied.
-
 
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
@@ -220,6 +219,7 @@ You will also need to ensure that the existing dedicated project has the label `
 | <a name="input_aqua_volscan_api_url"></a> [aqua\_volscan\_api\_url](#input\_aqua\_volscan\_api\_url) | Aqua volume scanning API URL | `string` | n/a | yes |
 | <a name="input_create_network"></a> [create\_network](#input\_create\_network) | Toggle to create network resources | `bool` | `true` | no |
 | <a name="input_create_role_name"></a> [create\_role\_name](#input\_create\_role\_name) | The name of the role to be created for Aqua | `string` | `"AquaAutoConnectAgentlessRole"` | no |
+| <a name="input_dedicated_project"></a> [dedicated\_project](#input\_dedicated\_project) | Indicates whether dedicated project is enabled | `bool` | `true` | no |
 | <a name="input_delete_role_name"></a> [delete\_role\_name](#input\_delete\_role\_name) | The name of the role used for deleting Aqua resources | `string` | `"AutoConnectDeleteRole"` | no |
 | <a name="input_identity_pool_name"></a> [identity\_pool\_name](#input\_identity\_pool\_name) | Name of the identity pool. If not provided, the default value is set to 'aqua-agentless-pool-<aqua\_tenant\_id>' in the 'identity\_pool\_name' local | `string` | `null` | no |
 | <a name="input_identity_pool_provider_name"></a> [identity\_pool\_provider\_name](#input\_identity\_pool\_provider\_name) | Name of the identity pool provider. If not provided, the default value is set to 'agentless-provider-<aqua\_tenant\_id>' in the 'identity\_pool\_provider\_name' local | `string` | `null` | no |
diff --git a/data.tf b/data.tf
@@ -2,6 +2,7 @@
 
 # Retrieve information about the Google Cloud organization
 data "google_organization" "organization" {
+  count  = var.dedicated_project ? 1 : 0
   domain = var.org_name
 }
 
diff --git a/examples/dedicated-project/main.tf b/examples/dedicated-project/main.tf
@@ -58,6 +58,7 @@ module "aqua_gcp_onboarding" {
   }
   type                   = local.type
   project_id             = module.aqua_gcp_dedicated_project.project_id
+  dedicated_project      = local.dedicated
   region                 = local.region
   org_name               = local.org_name
   aqua_tenant_id         = local.aqua_tenant_id
diff --git a/examples/same-project/main.tf b/examples/same-project/main.tf
@@ -41,6 +41,7 @@ module "aqua_gcp_onboarding" {
   }
   type                   = local.type
   project_id             = local.project_id
+  dedicated_project      = local.dedicated
   region                 = local.region
   org_name               = local.org_name
   aqua_tenant_id         = local.aqua_tenant_id
diff --git a/locals.tf b/locals.tf
@@ -2,7 +2,7 @@
 
 locals {
   # Organization-related locals
-  org_id = data.google_organization.organization.org_id
+  org_id = var.dedicated_project ? data.google_organization.organization[0].org_id : null # Using null because same-project does not use org_id
 
   # Project-related locals
   project_number = data.google_project.project.number
diff --git a/main.tf b/main.tf
@@ -7,6 +7,7 @@ module "onboarding" {
     google.onboarding = google.onboarding
   }
   enabled                     = var.type == "single" ? true : false # Currently only single onboarding type is supported
+  dedicated_project           = var.dedicated_project
   aqua_volscan_api_url        = var.aqua_volscan_api_url
   aqua_aws_account_id         = var.aqua_aws_account_id
   org_id                      = local.org_id
diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf
@@ -26,6 +26,7 @@ module "iam" {
   delete_role_name            = var.delete_role_name
   aqua_aws_account_id         = var.aqua_aws_account_id
   aqua_bucket_name            = var.aqua_bucket_name
+  dedicated_project           = var.dedicated_project
   depends_on                  = [module.services]
 }
 
diff --git a/modules/onboarding/modules/iam/locals.tf b/modules/onboarding/modules/iam/locals.tf
@@ -4,4 +4,6 @@ locals {
   # Parsing Roles permissions
   create_role_permissions = yamldecode(data.http.autoconnect_create_role_yaml.response_body).includedPermissions
   delete_role_permissions = yamldecode(data.http.autoconnect_delete_role_yaml.response_body).includedPermissions
+  create_role_id          = var.dedicated_project ? google_organization_iam_custom_role.iam_role_create[0].name : google_project_iam_custom_role.iam_role_create[0].name
+  delete_role_id          = var.dedicated_project ? google_organization_iam_custom_role.iam_role_delete[0].name : google_project_iam_custom_role.iam_role_delete[0].name
 }
diff --git a/modules/onboarding/modules/iam/main.tf b/modules/onboarding/modules/iam/main.tf
@@ -24,8 +24,29 @@ resource "google_iam_workload_identity_pool_provider" "workload_identity_pool_pr
   workload_identity_pool_provider_id = var.identity_pool_provider_name
 }
 
-# Create a custom IAM role for creating resources
+# Create a custom IAM role for creating resources for same project onboarding
+resource "google_project_iam_custom_role" "iam_role_create" {
+  count       = var.dedicated_project ? 0 : 1
+  role_id     = var.create_role_name
+  title       = var.create_role_name
+  description = var.create_role_name
+  permissions = tolist(local.create_role_permissions)
+  depends_on  = [google_iam_workload_identity_pool_provider.workload_identity_pool_provider]
+}
+
+# Create a custom IAM role for deleting resources for same project onboarding
+resource "google_project_iam_custom_role" "iam_role_delete" {
+  count       = var.dedicated_project ? 0 : 1
+  role_id     = var.delete_role_name
+  title       = var.delete_role_name
+  description = var.delete_role_name
+  permissions = tolist(local.delete_role_permissions)
+  depends_on  = [google_organization_iam_custom_role.iam_role_create]
+}
+
+# Create a custom IAM role for creating resources for dedicated project onboarding
 resource "google_organization_iam_custom_role" "iam_role_create" {
+  count       = var.dedicated_project ? 1 : 0
   role_id     = var.create_role_name
   org_id      = var.org_id
   title       = var.create_role_name
@@ -34,8 +55,9 @@ resource "google_organization_iam_custom_role" "iam_role_create" {
   depends_on  = [google_iam_workload_identity_pool_provider.workload_identity_pool_provider]
 }
 
-# Create a custom IAM role for deleting resources
+# Create a custom IAM role for deleting resources for dedicated project onboarding
 resource "google_organization_iam_custom_role" "iam_role_delete" {
+  count       = var.dedicated_project ? 1 : 0
   role_id     = var.delete_role_name
   org_id      = var.org_id
   title       = var.delete_role_name
@@ -114,8 +136,7 @@ resource "google_service_account_iam_binding" "service_account_iam_binding_princ
 # Bind the service account to the custom create role
 resource "google_project_iam_binding" "project_iam_binding_create_role" {
   project = var.project_id
-  role    = "organizations/${var.org_id}/roles/${google_organization_iam_custom_role.iam_role_create.role_id}"
-
+  role    = local.create_role_id
   members = [
     "serviceAccount:${google_service_account.service_account.email}",
   ]
@@ -124,7 +145,7 @@ resource "google_project_iam_binding" "project_iam_binding_create_role" {
 # Bind the service account to the custom delete role with a condition
 resource "google_project_iam_binding" "project_iam_binding_delete_role" {
   project = var.project_id
-  role    = "organizations/${var.org_id}/roles/${google_organization_iam_custom_role.iam_role_delete.role_id}"
+  role    = local.delete_role_id
   members = [
     "serviceAccount:${google_service_account.service_account.email}",
   ]
diff --git a/modules/onboarding/modules/iam/outputs.tf b/modules/onboarding/modules/iam/outputs.tf
@@ -31,31 +31,31 @@ output "workload_identity_pool_provider_id_aws_account_id" {
 }
 
 output "create_role_name" {
-  value       = google_organization_iam_custom_role.iam_role_create.name
+  value       = var.dedicated_project ? google_organization_iam_custom_role.iam_role_create[0].name : google_project_iam_custom_role.iam_role_create[0].name
   description = "The name of the custom IAM role created for the 'create' operation"
 }
 
 output "create_role_id" {
-  value       = google_organization_iam_custom_role.iam_role_create.role_id
+  value       = var.dedicated_project ? google_organization_iam_custom_role.iam_role_create[0].role_id : google_project_iam_custom_role.iam_role_create[0].role_id
   description = "The ID of the custom IAM role created for the 'create' operation"
 }
 
 output "create_role_permissions" {
-  value       = google_organization_iam_custom_role.iam_role_create.permissions
+  value       = var.dedicated_project ? google_organization_iam_custom_role.iam_role_create[0].permissions : google_project_iam_custom_role.iam_role_create[0].permissions
   description = "The permissions associated with the custom IAM role created for the 'create' operation"
 }
 
 output "delete_role_name" {
-  value       = google_organization_iam_custom_role.iam_role_delete.name
+  value       = var.dedicated_project ? google_organization_iam_custom_role.iam_role_delete[0].name : google_project_iam_custom_role.iam_role_delete[0].name
   description = "The name of the custom IAM role created for the 'delete' operation"
 }
 
 output "delete_role_id" {
-  value       = google_organization_iam_custom_role.iam_role_delete.role_id
+  value       = var.dedicated_project ? google_organization_iam_custom_role.iam_role_delete[0].role_id : google_project_iam_custom_role.iam_role_delete[0].role_id
   description = "The ID of the custom IAM role created for the 'delete' operation"
 }
 
 output "delete_role_permissions" {
-  value       = google_organization_iam_custom_role.iam_role_delete.permissions
+  value       = var.dedicated_project ? google_organization_iam_custom_role.iam_role_delete[0].permissions : google_project_iam_custom_role.iam_role_delete[0].permissions
   description = "The permissions associated with the custom IAM role created for the 'delete' operation"
 }
diff --git a/modules/onboarding/modules/iam/variables.tf b/modules/onboarding/modules/iam/variables.tf
@@ -5,6 +5,11 @@ variable "service_account_name" {
   type        = string
 }
 
+variable "dedicated_project" {
+  description = "Indicates whether dedicated project is enabled"
+  type        = bool
+}
+
 variable "project_id" {
   description = "Google Cloud Project ID"
   type        = string
diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf
@@ -16,6 +16,11 @@ variable "project_number" {
   type        = number
 }
 
+variable "dedicated_project" {
+  description = "Indicates whether dedicated project is enabled"
+  type        = bool
+}
+
 variable "region" {
   description = "Google Cloud Region"
   type        = string
diff --git a/modules/project_attachment/README.md b/modules/project_attachment/README.md
@@ -3,7 +3,7 @@
 
 ---
 
-This Terraform module integrates an existing Google Cloud Platform (GCP) project with Aqua Security
+This Terraform module integrates an existing Google Cloud Platform (GCP) project with Aqua Security.
 
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
diff --git a/modules/project_attachment/data.tf b/modules/project_attachment/data.tf
@@ -7,5 +7,6 @@ data "http" "autoconnect_cspm_role_yaml" {
 
 # Retrieve information about the Google Cloud organization
 data "google_organization" "organization" {
+  count  = var.dedicated_project ? 1 : 0
   domain = var.org_name
 }
diff --git a/modules/project_attachment/iam.tf b/modules/project_attachment/iam.tf
@@ -2,6 +2,7 @@
 
 # Bind the Aqua service account to the custom create role
 resource "google_project_iam_binding" "project_iam_binding_create_role" {
+  count   = var.dedicated_project ? 1 : 0
   project = var.project_id
   role    = "organizations/${local.org_id}/roles/${var.create_role_id}"
   members = [
diff --git a/modules/project_attachment/locals.tf b/modules/project_attachment/locals.tf
@@ -2,7 +2,7 @@
 
 locals {
   cspm_role_permissions  = yamldecode(data.http.autoconnect_cspm_role_yaml.response_body).includedPermissions
-  org_id                 = data.google_organization.organization.org_id
+  org_id                 = var.dedicated_project ? data.google_organization.organization[0].org_id : null # Using null because same-project does not use org_id
   service_account_key    = base64decode(google_service_account_key.aqua_service_account_key.private_key)
   client_config_rendered = replace(jsonencode(local.client_config), "/\\\\u0026/", "&")
   api_services           = ["cloudresourcemanager.googleapis.com", "iam.googleapis.com", "compute.googleapis.com"]
diff --git a/modules/project_attachment/services.tf b/modules/project_attachment/services.tf
@@ -2,7 +2,7 @@
 
 # Enable Google Cloud Services
 resource "google_project_service" "project_api_services" {
-  for_each                   = { for service in local.api_services : service => service }
+  for_each                   = var.dedicated_project ? { for service in local.api_services : service => service } : {}
   service                    = each.value
   project                    = var.project_id
   disable_on_destroy         = false
diff --git a/modules/project_attachment/variables.tf b/modules/project_attachment/variables.tf
@@ -70,7 +70,7 @@ variable "aqua_configuration_id" {
 }
 
 variable "dedicated_project" {
-  description = "Whether to create a dedicated project for Aqua resources"
+  description = "Indicates whether dedicated project is enabled"
   type        = bool
   default     = true
   validation {
@@ -82,10 +82,6 @@ variable "dedicated_project" {
 variable "org_name" {
   description = "Google Cloud Organization name"
   type        = string
-  validation {
-    condition     = length(var.org_name) > 0
-    error_message = "Org name must not be empty"
-  }
 }
 
 variable "labels" {
diff --git a/variables.tf b/variables.tf
@@ -18,6 +18,16 @@ variable "region" {
   }
 }
 
+variable "dedicated_project" {
+  description = "Indicates whether dedicated project is enabled"
+  type        = bool
+  default     = true
+  validation {
+    condition     = can(regex("^([t][r][u][e]|[f][a][l][s][e])$", var.dedicated_project))
+    error_message = "Dedicated project toggle must be either true or false."
+  }
+}
+
 variable "aqua_custom_labels" {
   description = "Additional labels to be applied to resources"
   type        = map(string)
@@ -27,10 +37,6 @@ variable "aqua_custom_labels" {
 variable "org_name" {
   description = "Google Cloud Organization name"
   type        = string
-  validation {
-    condition     = length(var.org_name) > 0
-    error_message = "Org name must not be empty"
-  }
 }
 
 variable "type" {

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@`
`2`	`2`
`3`	`3`	`# Retrieve information about the Google Cloud organization`
`4`	`4`	`data "google_organization" "organization" {`
	`5`	`+ count = var.dedicated_project ? 1 : 0`
`5`	`6`	`domain = var.org_name`
`6`	`7`	`}`
`7`	`8`
Original file line number	Diff line number	Diff line change
`@@ -58,6 +58,7 @@ module "aqua_gcp_onboarding" {`
`58`	`58`	`}`
`59`	`59`	`type = local.type`
`60`	`60`	`project_id = module.aqua_gcp_dedicated_project.project_id`
	`61`	`+ dedicated_project = local.dedicated`
`61`	`62`	`region = local.region`
`62`	`63`	`org_name = local.org_name`
`63`	`64`	`aqua_tenant_id = local.aqua_tenant_id`
Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,7 @@ module "aqua_gcp_onboarding" {`
`41`	`41`	`}`
`42`	`42`	`type = local.type`
`43`	`43`	`project_id = local.project_id`
	`44`	`+ dedicated_project = local.dedicated`
`44`	`45`	`region = local.region`
`45`	`46`	`org_name = local.org_name`
`46`	`47`	`aqua_tenant_id = local.aqua_tenant_id`
Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ module "onboarding" {`
`7`	`7`	`google.onboarding = google.onboarding`
`8`	`8`	`}`
`9`	`9`	`enabled = var.type == "single" ? true : false # Currently only single onboarding type is supported`
	`10`	`+ dedicated_project = var.dedicated_project`
`10`	`11`	`aqua_volscan_api_url = var.aqua_volscan_api_url`
`11`	`12`	`aqua_aws_account_id = var.aqua_aws_account_id`
`12`	`13`	`org_id = local.org_id`