Merge pull request #5 from aquasecurity/muliple-dedicated-example

Adding `multiple-dedicated-project` example

Author: Noamstrauss

.github/workflows/pr-checks.yaml

@@ -21,6 +21,7 @@ jobs:
           TEST_CASES=(
             examples/dedicated-project
             examples/same-project
+            examples/multiple-dedicated-project
           )
 
           for tcase in ${TEST_CASES[@]}; do

README.md

@@ -19,8 +19,8 @@ to enable seamless integration with Aqua’s platform.
 - [Pre-requisites](#Pre-requisites)
 - [Usage](#usage)
 - [Examples](#examples)
-- [Using Existing Network](#using-existing-network-and-firewall)
 - [Using Dedicated Project](#using-an-existing-dedicated-project)
+- [Using Existing Network](#using-existing-network-and-firewall)
 
 ## Pre-requisites
 
@@ -103,6 +103,7 @@ module "aqua_gcp_onboarding" {
   type                   = local.type
   project_id             = module.aqua_gcp_dedicated_project.project_id # Dedicated project for Aqua resources
   region                 = local.region
+  dedicated_project      = local.dedicated
   org_name               = local.org_name
   aqua_tenant_id         = local.tenant_id
   aqua_aws_account_id    = local.aqua_aws_account_id
@@ -142,47 +143,63 @@ module "aqua_gcp_project_attachment" {
 
 For more examples and use cases, please refer to the examples folder in the repository.
 
+## Using an Existing Dedicated Project
 
-## Using Existing Network and Firewall
+If you have an existing dedicated project that you want to use to host Aqua Security resources, you can import it into the Terraform configuration.
 
+To do so, use the following Terraform import command:
 
-If you prefer to use an existing network and firewall instead of creating new ones,
-you can do so by setting `create_network = false` in the module's input variables.
-In this case, you will need to create,
-prior to onboarding, network and firewall resources with the following naming convention:
+`terraform import module.aqua_gcp_dedicated_project.google_project.project <dedicated_project_id>`
 
 
-* Firewall: `<project_id>-rules-aqua-aas`
-* Network: `<project_id>-network`
+Replace `<dedicated_project_id>` with the ID of your existing dedicated project.
 
-When using a dedicated project, the `<project_id>` should follow the format `"aqua-agentless-${local.tenant_id}-${local.org_hash}"`. 
+It's important to note that the dedicated project ID should follow the naming convention `"aqua-agentless-${local.tenant_id}-${local.org_hash}"`, where local.org_hash is calculated as:
 
+`org_hash = substr(sha1(<org_name>), 0, 6)`
 
-## Using an Existing Dedicated Project
+You can also check for the naming convention using the bash command:
 
-If you have an existing dedicated project that you want to use to host Aqua Security resources, you can import it into the Terraform configuration.
+```bash
+#!/bin/bash
 
-To do so, use the following Terraform import command:
+# Replace with your Aqua tenant ID
+TENANT_ID="<your_tenant_id>"
 
-`terraform import module.aqua_gcp_dedicated_project.google_project.project <dedicated_project_id>`
+# Replace with your organization name
+ORG_NAME="<your_org_name>"
 
+# Calculate the org_hash
+ORG_HASH=$(echo -n "${ORG_NAME}" | shasum -a 1 | awk '{ print $1 }' | cut -c1-6)
 
-Replace `<dedicated_project_id>` with the ID of your existing dedicated project. 
+# Print the dedicated project ID naming convention
+echo "aqua-agentless-${TENANT_ID}-${ORG_HASH}"                                    
+```
 
-It's important to note that the dedicated project ID should follow the naming convention `"aqua-agentless-${local.tenant_id}-${local.org_hash}"`, where local.org_hash is calculated as:
+For example, if your Aqua tenant ID is `12345` and the first six characters of the SHA1 hash of your organization name are `12a456`, the dedicated project ID should be `aqua-agentless-12345-12a456`.
 
-`org_hash = substr(sha1(<org_name>), 0, 6)`
 
+## Using Existing Network and Firewall
 
-For example, if your Aqua tenant ID is `12345` and the first six characters of the SHA1 hash of your organization name are `12a456`, the dedicated project ID should be `aqua-agentless-12345-12a456`.
+
+If you prefer to use an existing network and firewall instead of creating new ones,
+you can do so by setting `create_network = false` in the module's input variables.
+In this case, you will need to create,
+prior to onboarding, network and firewall resources with the following naming convention:
+
+
+* Firewall: `<project_id>-rules-aqua-aas`
+* Network: `<project_id>-network`
+
+When using a dedicated project, the `<project_id>` should follow the format `"aqua-agentless-${local.tenant_id}-${local.org_hash}"` as mentioned above.
 
 
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.6.4 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6.4 |
 | <a name="requirement_external"></a> [external](#requirement\_external) | ~> 2.3.3 |
 | <a name="requirement_google"></a> [google](#requirement\_google) | ~> 5.20.0 |
 | <a name="requirement_http"></a> [http](#requirement\_http) | ~> 3.4.2 |

examples/dedicated-project/README.md

@@ -11,15 +11,15 @@ This example demonstrates how to onboard a GCP project by creating a dedicated p
 Before running this example, ensure that you have the following:
 
 1. Terraform installed (version 1.6.4 or later).
-2. `Gcloud` CLI installed and configured.
+2. `gcloud` CLI installed and configured.
 3. Aqua Security account API credentials.
 
 ## Usage
 
 1. Obtain the Terraform configuration file generated by the Aqua platform.
 2. Important: Replace `<aqua_api_key>` and `<aqua_api_secret>` with your generated API credentials.
 3. Run `terraform init` to initialize the Terraform working directory.
-4. Run `terraform apply` to create the dedicated project.
+4. Run `terraform apply` to create the resources.
 
 ## What's Happening
 

examples/dedicated-project/main.tf

@@ -4,19 +4,19 @@ locals {
   region                 = "us-central1"
   dedicated              = true
   type                   = "single"
-  org_name               = "<org_name>"
-  aqua_tenant_id         = "<tenant_id>"
-  project_id             = "<project_id>"
+  org_name               = "my-org-name"
+  aqua_tenant_id         = "12345"
+  project_id             = "my-project-id"
   aqua_aws_account_id    = "123456789101"
-  aqua_bucket_name       = "<aqua_bucket_name>"
-  aqua_configuration_id  = "<aqua_configuration_id>"
+  aqua_bucket_name       = "generic-bucket-name"
+  aqua_configuration_id  = "234e3cea-d84a-4b9e-bb36-92518e6a5772"
   aqua_cspm_group_id     = 123456
-  aqua_custom_labels     = {}
-  aqua_api_key           = "<aqua_api_key>"
-  aqua_api_secret        = "<aqua_api_secret>"
-  aqua_autoconnect_url   = "https://<aqua_autoconnect_url>.com"
-  aqua_volscan_api_token = "<aqua_volscan_api_token>"
-  aqua_volscan_api_url   = "https://<aqua_volscan_api_url>.com"
+  aqua_custom_labels     = { custom = "label" }
+  aqua_api_key           = "<REPLACE_ME>"
+  aqua_api_secret        = "<REPLACE_ME>"
+  aqua_autoconnect_url   = "https://example-aqua-autoconnect-url.com"
+  aqua_volscan_api_token = "<REPLACE_ME>"
+  aqua_volscan_api_url   = "https://example-aqua-volscan-api-url.com"
   dedicated_project_id   = "aqua-agentless-${local.aqua_tenant_id}-${local.org_hash}"
   labels                 = merge(local.aqua_custom_labels, { "aqua-agentless-scanner" = "true" })
   org_hash               = substr(sha1(local.org_name), 0, 6)

examples/multiple-dedicated-project/README.md

@@ -0,0 +1,38 @@
+# GCP Multi-Project Onboarding Example
+
+---
+
+## Overview
+
+This example demonstrates how to onboard multiple existing Google Cloud Platform (GCP) projects to Aqua Security. It creates a dedicated project for provisioning Aqua resources and then attaches the existing projects to the dedicated project for Aqua Security integration.
+
+## Pre-requisites
+
+Before running this example, ensure that you have the following:
+
+1. Terraform installed (version 1.6.4 or later).
+2. `gcloud` CLI installed and configured.
+3. Aqua Security account API credentials.
+
+## Usage
+
+1. Obtain the Terraform configuration file generated by the Aqua Security UI. This file will have most of the required values pre-filled, except for the API key and secret.
+2. Important: Replace `<aqua_api_key>` and `<aqua_api_secret>` with your generated API credentials.
+3. Run `terraform init` to initialize the Terraform working directory.
+4. Run `terraform apply` to create the resources.
+
+## What's Happening
+
+1. The `aqua_gcp_dedicated_project` module is called to create a dedicated GCP project with the name `aqua-agentless-<tenant_id>-<org_hash>`, where `org_hash` is the first six characters of the SHA1 hash of your organization name.
+2. The `aqua_gcp_onboarding` module is called to provision the necessary resources (service accounts, roles, networking, etc.) in the dedicated GCP project.
+3. The `aqua_gcp_project_attachment` module is called to create the required IAM resources in the existing project and trigger the Aqua API to onboard the project.
+5. The `aqua_gcp_additional_project_attachment` module is called to create the required IAM resources in the additional project (`my-additional-project-id`) and trigger the Aqua API to onboard the project.
+
+## Outputs
+
+- `onboarding_status`: The output from the `aqua_gcp_project_attachment` module, displaying the result of the onboarding process for the project `<project_id>`.
+- `additional_project_onboarding_status`: The output from the `aqua_gcp_additional_project_attachment` module, displaying the result of the onboarding process for the project `my-additional-project-id`.
+
+## Cleanup
+
+To remove the dedicated project and all associated resources created by this example, run `terraform destroy`.

examples/multiple-dedicated-project/main.tf

@@ -0,0 +1,140 @@
+
+# Defining local variables
+locals {
+  region                 = "us-central1"
+  dedicated              = true
+  type                   = "single"
+  org_name               = "my-org-name"
+  aqua_tenant_id         = "12345"
+  project_id             = "my-project-id"
+  aqua_aws_account_id    = "123456789101"
+  aqua_bucket_name       = "generic-bucket-name"
+  aqua_configuration_id  = "234e3cea-d84a-4b9e-bb36-92518e6a5772"
+  aqua_cspm_group_id     = 123456
+  aqua_custom_labels     = {}
+  aqua_api_key           = "<REPLACE_ME>"
+  aqua_api_secret        = "<REPLACE_ME>"
+  aqua_autoconnect_url   = "https://example-aqua-autoconnect-url.com"
+  aqua_volscan_api_token = "<REPLACE_ME>"
+  aqua_volscan_api_url   = "https://example-aqua-volscan-api-url.com"
+  dedicated_project_id   = "aqua-agentless-${local.aqua_tenant_id}-${local.org_hash}"
+  labels                 = merge(local.aqua_custom_labels, { "aqua-agentless-scanner" = "true" })
+  org_hash               = substr(sha1(local.org_name), 0, 6)
+}
+
+################################
+
+# Defining the root google provider
+provider "google" {
+  project        = local.project_id
+  region         = local.region
+  default_labels = local.labels
+}
+
+# Creating a dedicated project
+module "aqua_gcp_dedicated_project" {
+  source          = "../../modules/dedicated_project"
+  org_name        = local.org_name
+  project_id      = local.dedicated_project_id
+  root_project_id = local.project_id
+  labels          = local.labels
+}
+
+################################
+
+# Defining the dedicated google provider
+provider "google" {
+  alias          = "dedicated"
+  project        = module.aqua_gcp_dedicated_project.project_id
+  region         = local.region
+  default_labels = local.labels
+}
+
+# Creating discovery and scanning resources on the project
+module "aqua_gcp_onboarding" {
+  source = "../../"
+  providers = {
+    google.onboarding = google.dedicated
+  }
+  type                   = local.type
+  project_id             = module.aqua_gcp_dedicated_project.project_id
+  dedicated_project      = local.dedicated
+  region                 = local.region
+  org_name               = local.org_name
+  aqua_tenant_id         = local.aqua_tenant_id
+  aqua_aws_account_id    = local.aqua_aws_account_id
+  aqua_bucket_name       = local.aqua_bucket_name
+  aqua_custom_labels     = local.aqua_custom_labels
+  aqua_volscan_api_token = local.aqua_volscan_api_token
+  aqua_volscan_api_url   = local.aqua_volscan_api_url
+  depends_on             = [module.aqua_gcp_dedicated_project]
+}
+
+################################
+
+# Onboarding a project and attaching it to the dedicated project
+module "aqua_gcp_project_attachment" {
+  source = "../../modules/project_attachment"
+  providers = {
+    google = google
+  }
+  aqua_api_key                                  = local.aqua_api_key
+  aqua_api_secret                               = local.aqua_api_secret
+  aqua_autoconnect_url                          = local.aqua_autoconnect_url
+  aqua_bucket_name                              = local.aqua_bucket_name
+  aqua_configuration_id                         = local.aqua_configuration_id
+  aqua_cspm_group_id                            = local.aqua_cspm_group_id
+  org_name                                      = local.org_name
+  project_id                                    = local.project_id
+  dedicated_project                             = local.dedicated
+  labels                                        = local.aqua_custom_labels
+  create_role_id                                = module.aqua_gcp_onboarding.create_role_id
+  onboarding_service_account_email              = module.aqua_gcp_onboarding.service_account_email
+  onboarding_workload_identity_pool_id          = module.aqua_gcp_onboarding.workload_identity_pool_id
+  onboarding_workload_identity_pool_provider_id = module.aqua_gcp_onboarding.workload_identity_pool_provider_id
+  onboarding_project_number                     = module.aqua_gcp_onboarding.project_number
+  depends_on                                    = [module.aqua_gcp_onboarding]
+}
+
+output "onboarding_status" {
+  value = module.aqua_gcp_project_attachment.onboarding_status
+}
+
+#################################
+
+# Defining the additional google provider
+provider "google" {
+  alias          = "additional"
+  project        = "my-additional-project-id"
+  region         = local.region
+  default_labels = local.labels
+}
+
+## Onboarding an additional project and attaching it to the dedicated project
+module "aqua_gcp_additional_project_attachment" {
+  source = "../../modules/project_attachment"
+  providers = {
+    google = google.additional # Referencing the additional Google provider
+  }
+  aqua_api_key                                  = local.aqua_api_key
+  aqua_api_secret                               = local.aqua_api_secret
+  aqua_autoconnect_url                          = local.aqua_autoconnect_url
+  aqua_bucket_name                              = local.aqua_bucket_name
+  aqua_configuration_id                         = local.aqua_configuration_id
+  aqua_cspm_group_id                            = local.aqua_cspm_group_id
+  org_name                                      = local.org_name
+  project_id                                    = local.project_id
+  dedicated_project                             = local.dedicated
+  labels                                        = local.aqua_custom_labels
+  create_role_id                                = module.aqua_gcp_onboarding.create_role_id
+  onboarding_service_account_email              = module.aqua_gcp_onboarding.service_account_email
+  onboarding_workload_identity_pool_id          = module.aqua_gcp_onboarding.workload_identity_pool_id
+  onboarding_workload_identity_pool_provider_id = module.aqua_gcp_onboarding.workload_identity_pool_provider_id
+  onboarding_project_number                     = module.aqua_gcp_onboarding.project_number
+  depends_on                                    = [module.aqua_gcp_onboarding]
+}
+
+output "additional_project_onboarding_status" {
+  value = module.aqua_gcp_additional_project_attachment.onboarding_status
+}
+

examples/same-project/main.tf

@@ -4,22 +4,20 @@ locals {
   region                 = "us-central1"
   dedicated              = false
   type                   = "single"
-  org_name               = "<org_name>"
-  aqua_tenant_id         = "<tenant_id>"
-  project_id             = "<project_id>"
+  org_name               = "" # Leave empty for same-project onboarding
+  aqua_tenant_id         = "12345"
+  project_id             = "my-project-id"
   aqua_aws_account_id    = "123456789101"
-  aqua_bucket_name       = "<aqua_bucket_name>"
-  aqua_configuration_id  = "<aqua_configuration_id>"
+  aqua_bucket_name       = "generic-bucket-name"
+  aqua_configuration_id  = "234e3cea-d84a-4b9e-bb36-92518e6a5772"
   aqua_cspm_group_id     = 123456
   aqua_custom_labels     = { label = "true" }
-  aqua_api_key           = "<aqua_api_key>"
-  aqua_api_secret        = "<aqua_api_secret>"
-  aqua_autoconnect_url   = "https://<aqua_autoconnect_url>.com"
-  aqua_volscan_api_token = "<aqua_volscan_api_token>"
-  aqua_volscan_api_url   = "https://<aqua_volscan_api_url>.com"
-  dedicated_project_id   = "aqua-agentless-${local.aqua_tenant_id}-${local.org_hash}"
+  aqua_api_key           = "<REPLACE_ME>"
+  aqua_api_secret        = "<REPLACE_ME>"
+  aqua_autoconnect_url   = "https://example-aqua-autoconnect-url.com"
+  aqua_volscan_api_token = "<REPLACE_ME>"
+  aqua_volscan_api_url   = "https://example-aqua-volscan-api-url.com"
   labels                 = merge(local.aqua_custom_labels, { "aqua-agentless-scanner" = "true" })
-  org_hash               = substr(sha1(local.org_name), 0, 6)
 }
 
 ################################

modules/project_attachment/versions.tf

@@ -1,7 +1,7 @@
 # modules/project_attachment/versions.tf
 
 terraform {
-  required_version = "~> 1.6.4"
+  required_version = ">= 1.6.4"
   required_providers {
     google = {
       source                = "hashicorp/google"

versions.tf

@@ -1,7 +1,7 @@
 # versions.tf
 
 terraform {
-  required_version = "~> 1.6.4"
+  required_version = ">= 1.6.4"
   required_providers {
     google = {
       source                = "hashicorp/google"