Merge pull request #1 from aquasecurity/SAAS-23305

[SAAS-23305]: Onboarding | Terraform for GCP Account

Author: semyonmor

.github/workflows/terraform-docs.yaml

@@ -0,0 +1,20 @@
+name: Generate terraform docs
+on:
+  - pull_request
+jobs:
+  docs:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - name: Render terraform docs and push changes back to PR
+        uses: terraform-docs/[email protected]
+        with:
+          working-dir: .
+          output-file: README.md
+          scan-ref: '.'
+          scan-type: 'repo'
+          output-method: inject
+          git-push: "true"

.github/workflows/trivy-scan.yaml

@@ -0,0 +1,19 @@
+name: Trivy
+on: pull_request
+jobs:
+  aqua:
+    name: Aqua scanner
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Run Aqua scanner
+        uses: docker://aquasec/aqua-scanner
+        with:
+          args: trivy fs --scanners misconfig,secret .
+        env:
+          AQUA_KEY: ${{ secrets.AQUA_KEY }}
+          AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
+          GITHUB_TOKEN: ${{ github.token }}
+          TRIVY_RUN_AS_PLUGIN: 'aqua'

.gitignore

@@ -1,20 +1,22 @@
 # Local .terraform directories
-**/.terraform/*
+**/.terraform*
+
+# generated via "make ci"
+examples/**/.terraform.lock.hcl
 
 # .tfstate files
 *.tfstate
 *.tfstate.*
 
 # Crash log files
 crash.log
-crash.*.log
 
-# Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version 
-# control as they are data points which are potentially sensitive and subject 
-# to change depending on the environment.
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
 *.tfvars
-*.tfvars.json
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
@@ -24,11 +26,20 @@ override.tf.json
 *_override.tf.json
 
 # Include override files you do wish to add to version control using negated pattern
+#
 # !example_override.tf
 
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
 
-# Ignore CLI configuration files
-.terraformrc
-terraform.rc
+# Credentials Files
+**/credentials.json
+**/*.json
+
+# Local testing variables
+
+# vim
+*.swp
+
+/.idea/
+.DS_Store

README.md

@@ -0,0 +1,13 @@
+# data.tf
+
+# Retrieve information about the Google Cloud organization
+data "google_organization" "organization" {
+  domain = var.org_name
+}
+
+# Retrieve information about the root Google Cloud project
+data "google_project" "project" {
+  project_id = var.project_id
+}
+
+

data.tf

@@ -0,0 +1,37 @@
+# GCP Dedicated Project Onboarding Example
+
+---
+
+## Overview
+
+This example demonstrates how to onboard a GCP project by creating a dedicated project to provision all of Aqua’s resources into and apply the required labels for Aqua Security integration.
+
+## Pre-requisites
+
+Before running this example, ensure that you have the following:
+
+1. Terraform installed (version 1.6.4 or later).
+2. `Gcloud` CLI installed and configured.
+3. Aqua Security account API credentials.
+
+## Usage
+
+1. Obtain the Terraform configuration file generated by the Aqua Security UI.
+2. Important: Replace `<aqua_api_key>` and `<aqua_api_secret>` with your generated API credentials.
+3. Run `terraform init` to initialize the Terraform working directory.
+4. Run `terraform apply` to create the dedicated project.
+
+## What's Happening
+
+1. The `aqua_gcp_dedicated_project` module is called to create a dedicated GCP project with the name `aqua-agentless-<tenant_id>-<org_hash>`, where `org_hash` is the first six characters of the SHA1 hash of your organization name.
+2. The `aqua_gcp_onboarding` module is called to provision the necessary resources (service accounts, roles, networking, etc.) in the dedicated GCP project.
+3. The `aqua_gcp_project_attachment` module is called to create the required IAM resources in the existing project and trigger the Aqua API to onboard the project.
+
+
+## Outputs
+
+- `onboarding_status`: The output from the `aqua_gcp_project_attachment` module, displaying the result of the onboarding process.
+
+## Cleanup
+
+To remove the dedicated project created by this example, run `terraform destroy`.

examples/dedicated-project/README.md

@@ -0,0 +1,100 @@
+
+# Defining local variables
+locals {
+  region                 = "us-central1"
+  dedicated              = true
+  type                   = "single"
+  org_name               = "<org_name>"
+  aqua_tenant_id         = "<tenant_id>"
+  project_id             = "<project_id>"
+  aqua_aws_account_id    = "123456789101"
+  aqua_bucket_name       = "<aqua_bucket_name>"
+  aqua_configuration_id  = "<aqua_configuration_id>"
+  aqua_cspm_group_id     = 123456
+  aqua_custom_labels     = {}
+  aqua_api_key           = "<aqua_api_key>"
+  aqua_api_secret        = "<aqua_api_secret>"
+  aqua_autoconnect_url   = "https://<aqua_autoconnect_url>.com"
+  aqua_volscan_api_token = "<aqua_volscan_api_token>"
+  aqua_volscan_api_url   = "https://<aqua_volscan_api_url>.com"
+  dedicated_project_id   = "aqua-agentless-${local.aqua_tenant_id}-${local.org_hash}"
+  labels                 = merge(local.aqua_custom_labels, { "aqua-agentless-scanner" = "true" })
+  org_hash               = substr(sha1(local.org_name), 0, 6)
+}
+
+################################
+
+# Defining the root google provider
+provider "google" {
+  project        = local.project_id
+  region         = local.region
+  default_labels = local.labels
+}
+
+# Creating a dedicated project
+module "aqua_gcp_dedicated_project" {
+  source          = "../../modules/dedicated_project"
+  org_name        = local.org_name
+  project_id      = local.dedicated_project_id
+  root_project_id = local.project_id
+  labels          = local.labels
+}
+
+################################
+
+# Defining the dedicated google provider
+provider "google" {
+  alias          = "dedicated"
+  project        = module.aqua_gcp_dedicated_project.project_id
+  region         = local.region
+  default_labels = local.labels
+}
+
+# Creating discovery and scanning resources on the project
+module "aqua_gcp_onboarding" {
+  source = "../../"
+  providers = {
+    google.onboarding = google.dedicated
+  }
+  type                   = local.type
+  project_id             = module.aqua_gcp_dedicated_project.project_id
+  region                 = local.region
+  org_name               = local.org_name
+  aqua_tenant_id         = local.aqua_tenant_id
+  aqua_aws_account_id    = local.aqua_aws_account_id
+  aqua_bucket_name       = local.aqua_bucket_name
+  aqua_custom_labels     = local.aqua_custom_labels
+  aqua_volscan_api_token = local.aqua_volscan_api_token
+  aqua_volscan_api_url   = local.aqua_volscan_api_url
+  depends_on             = [module.aqua_gcp_dedicated_project]
+}
+
+################################
+
+## Onboarding a project and attaching it to the dedicated project
+module "aqua_gcp_project_attachment" {
+  source = "../../modules/project_attachment"
+  providers = {
+    google = google
+  }
+  aqua_api_key                                  = local.aqua_api_key
+  aqua_api_secret                               = local.aqua_api_secret
+  aqua_autoconnect_url                          = local.aqua_autoconnect_url
+  aqua_bucket_name                              = local.aqua_bucket_name
+  aqua_configuration_id                         = local.aqua_configuration_id
+  aqua_cspm_group_id                            = local.aqua_cspm_group_id
+  org_name                                      = local.org_name
+  project_id                                    = local.project_id
+  dedicated_project                             = local.dedicated
+  labels                                        = local.aqua_custom_labels
+  create_role_id                                = module.aqua_gcp_onboarding.create_role_id
+  onboarding_service_account_email              = module.aqua_gcp_onboarding.service_account_email
+  onboarding_workload_identity_pool_id          = module.aqua_gcp_onboarding.workload_identity_pool_id
+  onboarding_workload_identity_pool_provider_id = module.aqua_gcp_onboarding.workload_identity_pool_provider_id
+  onboarding_project_number                     = module.aqua_gcp_onboarding.project_number
+  depends_on                                    = [module.aqua_gcp_onboarding]
+}
+
+output "onboarding_status" {
+  value = module.aqua_gcp_project_attachment.onboarding_status
+}

examples/dedicated-project/main.tf

@@ -0,0 +1,35 @@
+# GCP Same Project Onboarding Example
+
+---
+
+## Overview
+
+This example demonstrates how to onboard an existing Google Cloud Platform (GCP) project to Aqua Security by provisioning all the necessary resources directly into the existing project, without creating a dedicated project.
+
+## Prerequisites
+
+Before running this example, ensure that you have the following:
+
+1. Terraform installed (version 1.6.4 or later).
+2. `gcloud` CLI installed and configured.
+3. Aqua Security account and API credentials.
+
+## Usage
+
+1. Obtain the Terraform configuration file generated by the Aqua Security UI.
+2. Replace the placeholders `<aqua_api_key>` and `<aqua_api_secret>` with your actual Aqua Security API key and secret.
+3. Run `terraform init` to initialize the Terraform working directory.
+4. Run `terraform apply` to create the resources.
+
+## What's Happening
+
+1. The `aqua_gcp_onboarding` module is called to provision the necessary resources (service accounts, roles, networking, etc.) directly in the existing GCP project.
+2. The `aqua_gcp_project_attachment` module is called to create the required IAM resources in the existing project and trigger the Aqua API to onboard the project.
+
+## Outputs
+
+- `onboarding_status`: The output from the `aqua_gcp_project_attachment` module, displaying the result of the onboarding process.
+
+## Cleanup
+
+To remove the resources created by this example, run `terraform destroy`.

examples/same-project/README.md

@@ -0,0 +1,83 @@
+
+# Defining local variables
+locals {
+  region                 = "us-central1"
+  dedicated              = false
+  type                   = "single"
+  org_name               = "<org_name>"
+  aqua_tenant_id         = "<tenant_id>"
+  project_id             = "<project_id>"
+  aqua_aws_account_id    = "123456789101"
+  aqua_bucket_name       = "<aqua_bucket_name>"
+  aqua_configuration_id  = "<aqua_configuration_id>"
+  aqua_cspm_group_id     = 123456
+  aqua_custom_labels     = { label = "true" }
+  aqua_api_key           = "<aqua_api_key>"
+  aqua_api_secret        = "<aqua_api_secret>"
+  aqua_autoconnect_url   = "https://<aqua_autoconnect_url>.com"
+  aqua_volscan_api_token = "<aqua_volscan_api_token>"
+  aqua_volscan_api_url   = "https://<aqua_volscan_api_url>.com"
+  dedicated_project_id   = "aqua-agentless-${local.aqua_tenant_id}-${local.org_hash}"
+  labels                 = merge(local.aqua_custom_labels, { "aqua-agentless-scanner" = "true" })
+  org_hash               = substr(sha1(local.org_name), 0, 6)
+}
+
+################################
+
+# Defining the root google provider
+provider "google" {
+  project        = local.project_id # Existing project to be onboarded
+  region         = local.region
+  default_labels = local.labels
+}
+
+################################
+
+# Creating discovery and scanning resources on the project
+module "aqua_gcp_onboarding" {
+  source = "../.."
+  providers = {
+    google.onboarding = google # Using the root project provider
+  }
+  type                   = local.type
+  project_id             = local.project_id
+  region                 = local.region
+  org_name               = local.org_name
+  aqua_tenant_id         = local.aqua_tenant_id
+  aqua_aws_account_id    = local.aqua_aws_account_id
+  aqua_bucket_name       = local.aqua_bucket_name
+  aqua_custom_labels     = local.aqua_custom_labels
+  aqua_volscan_api_token = local.aqua_volscan_api_token
+  aqua_volscan_api_url   = local.aqua_volscan_api_url
+}
+
+################################
+
+## Attaching the existing project to the onboarding resources
+module "aqua_gcp_project_attachment" {
+  source = "../../modules/project_attachment"
+  providers = {
+    google = google # Using the root project provider
+  }
+  aqua_api_key                                  = local.aqua_api_key
+  aqua_api_secret                               = local.aqua_api_secret
+  aqua_autoconnect_url                          = local.aqua_autoconnect_url
+  aqua_bucket_name                              = local.aqua_bucket_name
+  aqua_configuration_id                         = local.aqua_configuration_id
+  aqua_cspm_group_id                            = local.aqua_cspm_group_id
+  org_name                                      = local.org_name
+  project_id                                    = local.project_id
+  dedicated_project                             = local.dedicated
+  labels                                        = local.aqua_custom_labels
+  create_role_id                                = module.aqua_gcp_onboarding.create_role_id                     # Referencing outputs from the onboarding module
+  onboarding_service_account_email              = module.aqua_gcp_onboarding.service_account_email              # Referencing outputs from the onboarding module
+  onboarding_workload_identity_pool_id          = module.aqua_gcp_onboarding.workload_identity_pool_id          # Referencing outputs from the onboarding module
+  onboarding_workload_identity_pool_provider_id = module.aqua_gcp_onboarding.workload_identity_pool_provider_id # Referencing outputs from the onboarding module
+  onboarding_project_number                     = module.aqua_gcp_onboarding.project_number                     # Referencing outputs from the onboarding module
+  depends_on                                    = [module.aqua_gcp_onboarding]
+}
+
+
+output "onboarding_status" {
+  value = module.aqua_gcp_project_attachment.onboarding_status
+}