aquasecurity
diff --git a/‎.github/workflows/pr-checks.yaml‎
Lines changed: 6 additions & 3 deletions b/‎.github/workflows/pr-checks.yaml‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎README.md‎
Lines changed: 200 additions & 29 deletions b/‎README.md‎
Lines changed: 200 additions & 29 deletions
diff --git a/‎examples/organization-dedicated-project/README.md‎
Lines changed: 52 additions & 0 deletions b/‎examples/organization-dedicated-project/README.md‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎examples/organization-dedicated-project/main.tf‎
Lines changed: 129 additions & 0 deletions b/‎examples/organization-dedicated-project/main.tf‎
Lines changed: 129 additions & 0 deletions
diff --git a/‎examples/organization-same-project-list/README.md‎
Lines changed: 37 additions & 0 deletions b/‎examples/organization-same-project-list/README.md‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎examples/organization-same-project-list/main.tf‎
Lines changed: 106 additions & 0 deletions b/‎examples/organization-same-project-list/main.tf‎
Lines changed: 106 additions & 0 deletions
diff --git a/‎examples/organization-same-project/README.md‎
Lines changed: 36 additions & 0 deletions b/‎examples/organization-same-project/README.md‎
Lines changed: 36 additions & 0 deletions
@@ -19,9 +19,12 @@ jobs:
       - name: Run tests for each example folder
         run: |
           TEST_CASES=(
-            examples/dedicated-project
-            examples/same-project
-            examples/multiple-dedicated-project
+            examples/single-dedicated-project
+            examples/single-same-project
+            examples/single-dedicated-project-addition
+            examples/organization-same-project
+            examples/organization-same-project-list
+            examples/organization-dedicated-project
           )
 
           for tcase in ${TEST_CASES[@]}; do
 
@@ -0,0 +1,52 @@
+# Onboarding an Organization with Infrastructure on a Dedicated Project Example
+
+---
+
+## Overview
+
+This example demonstrates how to onboard a Google Cloud Platform (GCP) organization for Aqua Security integration by creating a dedicated project and provisioning all Aqua's resources within it.
+
+## Pre-requisites
+
+Before running this example, ensure that you have the following:
+
+1. Terraform installed (version 1.6.4 or later).
+2. `gcloud` CLI installed and configured.
+3. Aqua Security account API credentials.
+4. Appropriate permissions to manage resources at the organization level and within the specified projects.
+
+## Usage
+
+1. Obtain the Terraform configuration file generated by the Aqua platform.
+2. Important: Replace `<aqua_api_key>` and `<aqua_api_secret>` with your generated API credentials.
+3. Run `terraform init` to initialize the Terraform working directory.
+4. Run `terraform apply` to create the resources.
+
+## Providing Project ID List
+
+You can provide your own list of project IDs by populating the `projects_list` local. To accommodate this, ensure to remove the `data "google_projects"` and then replace the local `projects_list` with your list.
+
+```hcl
+locals {
+  projects_list = [
+    "my-project-id-1",
+    "my-project-id-2",
+    // Add more project IDs as needed
+  ]
+}
+```
+
+## What's Happening
+
+1. The `aqua_gcp_dedicated_project` module is called to create a dedicated GCP project with the name `aqua-agentless-<tenant_id>-<org_hash>`, where `org_hash` is the first six characters of the SHA1 hash of your organization name.
+2. The `aqua_gcp_onboarding` module is called to provision the necessary resources (service accounts, roles, networking, etc.) in the dedicated GCP project.
+3. The `aqua_gcp_project_attachment` module is called for each GCP project in the organization to create the required IAM resources and trigger the Aqua API to onboard the project.
+
+## Outputs
+
+- `onboarding_status`: This output displays the result of the onboarding process for each project, indicating whether it was successful or encountered any errors.
+
+## Cleanup
+
+To remove the resources created by this example, including the organization-level resources, dedicated project, and attached projects, run `terraform destroy`.
+
@@ -0,0 +1,129 @@
+
+# Defining local variables
+locals {
+  region                 = "us-central1"
+  dedicated              = true
+  type                   = "organization"
+  org_name               = "my-org-name"
+  aqua_tenant_id         = "12345"
+  billing_account_id     = "012A3B-4567CD-8EFGH9"
+  aqua_aws_account_id    = "123456789101"
+  aqua_bucket_name       = "generic-bucket-name"
+  aqua_configuration_id  = "234e3cea-d84a-4b9e-bb36-92518e6a5772"
+  aqua_cspm_group_id     = 123456
+  aqua_custom_labels     = { label = "true" }
+  aqua_api_key           = "<REPLACE_ME>"
+  aqua_api_secret        = "<REPLACE_ME>"
+  aqua_autoconnect_url   = "https://example-aqua-autoconnect-url.com"
+  aqua_volscan_api_token = "<REPLACE_ME>"
+  aqua_volscan_api_url   = "https://example-aqua-volscan-api-url.com"
+  dedicated_project_id   = "aqua-agentless-${local.aqua_tenant_id}-${local.org_hash}"
+  labels                 = merge(local.aqua_custom_labels, { "aqua-agentless-scanner" = "true" })
+  org_hash               = substr(sha1(local.org_name), 0, 6)
+}
+
+################################
+
+# Defining the root google provider
+provider "google" {
+  region         = local.region
+  default_labels = local.labels
+}
+
+# Getting google organization ID
+data "google_organization" "org" {
+  domain = local.org_name
+}
+
+################################
+
+# Getting all projects ID's that are active under the organization ID
+data "google_projects" "projects" {
+  filter = "parent.id=${data.google_organization.org.org_id} AND parent.type=organization AND lifecycleState:ACTIVE"
+}
+
+# Filter out projects containing "aqua-agentless" in their names
+locals {
+  projects_list = [
+    for project in data.google_projects.projects.projects :
+    project.project_id
+    if !can(regex("^.*aqua-agentless.*$", project.project_id))
+  ]
+}
+
+################################
+
+# Creating a dedicated project
+module "aqua_gcp_dedicated_project" {
+  source             = "../../modules/dedicated_project"
+  org_name           = local.org_name
+  project_id         = local.dedicated_project_id
+  type               = local.type
+  billing_account_id = local.billing_account_id
+  labels             = local.labels
+}
+
+################################
+
+# Defining the dedicated google provider
+provider "google" {
+  alias          = "dedicated"
+  project        = module.aqua_gcp_dedicated_project.project_id
+  region         = local.region
+  default_labels = local.labels
+}
+
+# Creating discovery and scanning resources on the dedicated project
+module "aqua_gcp_onboarding" {
+  source = "../../"
+  providers = {
+    google.onboarding = google.dedicated
+  }
+  type                   = local.type
+  project_id             = module.aqua_gcp_dedicated_project.project_id
+  dedicated_project      = local.dedicated
+  region                 = local.region
+  org_name               = local.org_name
+  aqua_tenant_id         = local.aqua_tenant_id
+  aqua_aws_account_id    = local.aqua_aws_account_id
+  aqua_bucket_name       = local.aqua_bucket_name
+  aqua_volscan_api_token = local.aqua_volscan_api_token
+  aqua_volscan_api_url   = local.aqua_volscan_api_url
+  depends_on             = [module.aqua_gcp_dedicated_project]
+}
+
+################################
+
+## Iterating over all project and attaching them to the dedicated project
+module "aqua_gcp_projects_attachment" {
+  source = "../../modules/project_attachment"
+  providers = {
+    google = google
+  }
+  for_each                                      = toset(local.projects_list)
+  aqua_api_key                                  = local.aqua_api_key
+  type                                          = local.type
+  aqua_api_secret                               = local.aqua_api_secret
+  aqua_autoconnect_url                          = local.aqua_autoconnect_url
+  aqua_bucket_name                              = local.aqua_bucket_name
+  aqua_configuration_id                         = local.aqua_configuration_id
+  aqua_cspm_group_id                            = local.aqua_cspm_group_id
+  org_name                                      = local.org_name
+  project_id                                    = each.value
+  dedicated_project                             = local.dedicated
+  labels                                        = local.aqua_custom_labels
+  onboarding_create_role_id                     = module.aqua_gcp_onboarding.create_role_id                     # Referencing outputs from the onboarding module
+  onboarding_cspm_service_account_key           = module.aqua_gcp_onboarding.cspm_service_account_key           # Referencing outputs from the onboarding module
+  onboarding_service_account_email              = module.aqua_gcp_onboarding.service_account_email              # Referencing outputs from the onboarding module
+  onboarding_workload_identity_pool_id          = module.aqua_gcp_onboarding.workload_identity_pool_id          # Referencing outputs from the onboarding module
+  onboarding_workload_identity_pool_provider_id = module.aqua_gcp_onboarding.workload_identity_pool_provider_id # Referencing outputs from the onboarding module
+  onboarding_project_number                     = module.aqua_gcp_onboarding.project_number                     # Referencing outputs from the onboarding module
+  depends_on                                    = [module.aqua_gcp_onboarding]
+}
+
+output "onboarding_status" {
+  value = {
+    for project_id, attachment_instance in module.aqua_gcp_projects_attachment :
+    project_id => attachment_instance.onboarding_status
+  }
+}
@@ -0,0 +1,37 @@
+# Onboarding an Organization with Infrastructure in Each Project Using a Project List Example
+
+---
+
+## Overview
+
+This example demonstrates how to onboard a Google Cloud Platform (GCP) organization for Aqua Security integration. It creates necessary infrastructure resources within each specified GCP project (`projects_list` local), and it creates the necessary infrastructure resources.
+
+## Pre-requisites
+
+Before running this example, ensure that you have the following:
+
+1. Terraform installed (version 1.6.4 or later).
+2. `gcloud` CLI installed and configured.
+3. Aqua Security account API credentials.
+4. Appropriate permissions to manage resources at the organization level and within the specified projects.
+
+## Usage
+
+1. Obtain the Terraform configuration file generated by the Aqua platform.
+2. Important: Replace `<aqua_api_key>` and `<aqua_api_secret>` with your generated API credentials.
+3. Modify the `projects_list` local in the Terraform configuration to include the list of GCP project IDs you want to onboard, e.g.: `projects_list = ["my-project-id-1", "my-project-id-2"]`.
+4. Run `terraform init` to initialize the Terraform working directory.
+5. Run `terraform apply` to create the resources.
+
+## What's Happening
+
+1. The `aqua_gcp_onboarding` module is called for each GCP project specified in the `projects_list` variable to provision the necessary resources (service accounts, roles, networking, etc.).
+2. The `aqua_gcp_project_attachment` module is called for each specified GCP project to create the required IAM resources and trigger the Aqua API to onboard the project.
+
+## Outputs
+
+- `onboarding_status`: The output from the `aqua_gcp_project_attachment` module, displaying the result of the onboarding process for each project.
+
+## Cleanup
+
+To remove the resources created by this example, including the organization-level resources and project-specific resources, run `terraform destroy`.
@@ -0,0 +1,106 @@
+
+# Defining local variables
+locals {
+  region                 = "us-central1"
+  dedicated              = false
+  type                   = "organization"
+  org_name               = "my-org-name"
+  aqua_tenant_id         = "12345"
+  aqua_aws_account_id    = "123456789101"
+  aqua_bucket_name       = "generic-bucket-name"
+  aqua_configuration_id  = "234e3cea-d84a-4b9e-bb36-92518e6a5772"
+  aqua_cspm_group_id     = 123456
+  aqua_custom_labels     = { label = "true" }
+  aqua_api_key           = "<REPLACE_ME>"
+  aqua_api_secret        = "<REPLACE_ME>"
+  aqua_autoconnect_url   = "https://example-aqua-autoconnect-url.com"
+  aqua_volscan_api_token = "<REPLACE_ME>"
+  aqua_volscan_api_url   = "https://example-aqua-volscan-api-url.com"
+  cspm_project_id        = "" # project id where CSPM iam resources will be provisioned. If not set, it will be set by default to the first project in the organization
+  labels                 = merge(local.aqua_custom_labels, { "aqua-agentless-scanner" = "true" })
+  projects_list          = ["my-project-id-1", "my-project-id-2"]
+}
+
+################################
+
+# Defining the root google provider
+provider "google" {
+  region         = local.region
+  default_labels = local.labels
+}
+
+# Getting google organization ID
+data "google_organization" "org" {
+  domain = local.org_name
+}
+
+################################
+
+# Creating CSPM IAM resources
+module "aqua_gcp_cspm_iam" {
+  source = "../../modules/cspm_iam"
+  providers = {
+    google = google
+  }
+  project_id       = local.cspm_project_id == "" ? local.projects_list[0] : local.cspm_project_id
+  aqua_bucket_name = local.aqua_bucket_name
+  aqua_tenant_id   = local.aqua_tenant_id
+  org_id           = data.google_organization.org.org_id
+}
+
+################################
+
+# Iterating over all project and creating discovery and scanning resources each project
+module "aqua_gcp_onboarding" {
+  source = "../../"
+  providers = {
+    google.onboarding = google
+  }
+  for_each               = toset(local.projects_list)
+  type                   = local.type
+  project_id             = each.value
+  dedicated_project      = local.dedicated
+  region                 = local.region
+  org_name               = local.org_name
+  aqua_tenant_id         = local.aqua_tenant_id
+  aqua_aws_account_id    = local.aqua_aws_account_id
+  aqua_bucket_name       = local.aqua_bucket_name
+  aqua_volscan_api_token = local.aqua_volscan_api_token
+  aqua_volscan_api_url   = local.aqua_volscan_api_url
+}
+
+################################
+
+## Iterating over all project and creating attachment resources
+module "aqua_gcp_projects_attachment" {
+  source = "../../modules/project_attachment"
+  providers = {
+    google = google
+  }
+  for_each                                      = toset(local.projects_list)
+  aqua_api_key                                  = local.aqua_api_key
+  type                                          = local.type
+  aqua_api_secret                               = local.aqua_api_secret
+  aqua_autoconnect_url                          = local.aqua_autoconnect_url
+  aqua_bucket_name                              = local.aqua_bucket_name
+  aqua_configuration_id                         = local.aqua_configuration_id
+  aqua_cspm_group_id                            = local.aqua_cspm_group_id
+  org_name                                      = local.org_name
+  project_id                                    = each.value
+  dedicated_project                             = local.dedicated
+  labels                                        = local.aqua_custom_labels
+  onboarding_create_role_id                     = module.aqua_gcp_onboarding[each.value].create_role_id                     # Referencing outputs from the onboarding module
+  onboarding_service_account_email              = module.aqua_gcp_onboarding[each.value].service_account_email              # Referencing outputs from the onboarding module
+  onboarding_cspm_service_account_key           = module.aqua_gcp_cspm_iam.cspm_service_account_key                         # Referencing outputs from the cspm_iam module
+  onboarding_workload_identity_pool_id          = module.aqua_gcp_onboarding[each.value].workload_identity_pool_id          # Referencing outputs from the onboarding module
+  onboarding_workload_identity_pool_provider_id = module.aqua_gcp_onboarding[each.value].workload_identity_pool_provider_id # Referencing outputs from the onboarding module
+  onboarding_project_number                     = module.aqua_gcp_onboarding[each.value].project_number                     # Referencing outputs from the onboarding module
+  depends_on                                    = [module.aqua_gcp_onboarding]
+}
+
+output "onboarding_status" {
+  value = {
+    for project_id, attachment_instance in module.aqua_gcp_projects_attachment :
+    project_id => attachment_instance.onboarding_status
+  }
+}
@@ -0,0 +1,36 @@
+# Onboarding an Organization with Infrastructure on Each Project Example
+
+---
+
+## Overview
+
+This example demonstrates how to onboard a Google Cloud Platform (GCP) organization for Aqua Security integration. It creates necessary infrastructure resources within each GCP project.
+
+## Pre-requisites
+
+Before running this example, ensure that you have the following:
+
+1. Terraform installed (version 1.6.4 or later).
+2. `gcloud` CLI installed and configured.
+3. Aqua Security account API credentials.
+4. Appropriate permissions to manage resources at the organization level and within the specified projects.
+
+## Usage
+
+1. Obtain the Terraform configuration file generated by the Aqua platform.
+2. Important: Replace `<aqua_api_key>` and `<aqua_api_secret>` with your generated API credentials.
+3. Run `terraform init` to initialize the Terraform working directory.
+4. Run `terraform apply` to create the resources.
+
+## What's Happening
+
+1. The `aqua_gcp_onboarding` module is called for each GCP project to provision the necessary resources (service accounts, roles, networking, etc.).
+2. The `aqua_gcp_project_attachment` module is called for each GCP project to create the required IAM resources and trigger the Aqua API to onboard the project.
+
+## Outputs
+
+- `onboarding_status`: The output from the `aqua_gcp_project_attachment` module, displaying the result of the onboarding process for each project.
+
+## Cleanup
+
+To remove the resources created by this example, including the organization-level resources and project-specific resources, run `terraform destroy`.