switch to svc principal key for onboarding

Author: haresh-suresh

modules/config-posture/main.tf

@@ -104,5 +104,12 @@ resource "sysdig_secure_cloud_auth_account_component" "google_service_principal"
       email = google_service_account.posture_auth.email
     }
   })
-  depends_on = [google_service_account_iam_member.custom_posture_auth]
+  depends_on = [
+    google_service_account.posture_auth,
+    google_service_account_iam_binding.posture_auth_binding,
+    google_iam_workload_identity_pool.posture_auth_pool,
+    google_iam_workload_identity_pool_provider.posture_auth_pool_provider,
+    google_project_iam_member.cspm,
+    google_service_account_iam_member.custom_posture_auth
+  ]
 }

modules/onboarding/README.md

@@ -7,12 +7,12 @@ The Foundational Onboarding module serves the following functions:
 
 If instrumenting a project, the following resources will be created:
 - All the necessary `Service Accounts` and `Policies` to enable the Onboarding operation at the project level
-- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources.
+- A `Service Account key` and added role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources.
 - A cloud account in the Sysdig Backend, associated with the GCP project and with the required component to serve the foundational functions.
 
 If instrumenting an Organziation, the following resources will be created:
 - All the necessary `Service Accounts` and `Policies` to enable the Onboarding operation at the organization level
-- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources.
+- A `Service Account key` and added role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources.
 - A cloud account in the Sysdig Backend, associated with the management project and with the required component to serve the foundational functions.
 - A cloud organization in the Sysdig Backend, associated with the GCP Organization to fetch the organization structure to install Sysdig Secure for Cloud on.
 

modules/onboarding/main.tf

@@ -1,18 +1,12 @@
 #------------------------------------------------------------------#
-# Fetch and compute required data for Workload Identity Federation #
+# Fetch and compute required data for Service Account Key #
 #------------------------------------------------------------------#
 
-data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
-  cloud_provider = "gcp"
-}
-
-data "sysdig_secure_tenant_external_id" "external_id" {}
-
 data "google_project" "project" {
   project_id = var.project_id
 }
 
-// suffix to uniquely identify WIF pool and provider during multiple installs. If suffix value is not provided, this will generate a random value.
+// suffix to uniquely identify onboarding service account during multiple installs. If suffix value is not provided, this will generate a random value.
 resource "random_id" "suffix" {
   count       = var.suffix == null ? 1 : 0
   byte_length = 3
@@ -29,45 +23,6 @@ resource "google_service_account" "onboarding_auth" {
   project      = var.project_id
 }
 
-resource "google_service_account_iam_binding" "onboarding_auth_binding" {
-  service_account_id = google_service_account.onboarding_auth.name
-  role               = "roles/iam.workloadIdentityUser"
-
-  members = [
-    "serviceAccount:${google_service_account.onboarding_auth.email}",
-  ]
-}
-
-#------------------------------------------------------------#
-# Configure Workload Identity Federation for auth            #
-# See https://cloud.google.com/iam/docs/access-resources-aws #
-#------------------------------------------------------------#
-
-resource "google_iam_workload_identity_pool" "onboarding_auth_pool" {
-  project                   = var.project_id
-  workload_identity_pool_id = "sysdig-onboarding-${local.suffix}"
-}
-
-resource "google_iam_workload_identity_pool_provider" "onboarding_auth_pool_provider" {
-  project                            = var.project_id
-  workload_identity_pool_id          = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id
-  workload_identity_pool_provider_id = "sysdig-onboarding-${local.suffix}"
-  display_name                       = "Sysdigcloud onboarding auth"
-  description                        = "AWS identity pool provider for Sysdig Secure Data Onboarding resources"
-  disabled                           = false
-
-  attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\""
-
-  attribute_mapping = {
-    "google.subject"     = "assertion.arn",
-    "attribute.aws_role" = "assertion.arn"
-  }
-
-  aws {
-    account_id = data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id
-  }
-}
-
 #---------------------------------
 # role permissions for onboarding
 #---------------------------------
@@ -79,11 +34,12 @@ resource "google_project_iam_member" "browser" {
   member  = "serviceAccount:${google_service_account.onboarding_auth.email}"
 }
 
-# attaching WIF as a member to the service account for auth
-resource "google_service_account_iam_member" "custom_onboarding_auth" {
+#--------------------------------
+# service account private key
+
+#--------------------------------
+resource "google_service_account_key" "onboarding_service_account_key" {
   service_account_id = google_service_account.onboarding_auth.name
-  role               = "roles/iam.workloadIdentityUser"
-  member             = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}"
 }
 
 #---------------------------------------------------------------------------------------------
@@ -104,23 +60,15 @@ resource "sysdig_secure_cloud_auth_account" "google_account" {
     version  = "v0.1.0"
     service_principal_metadata = jsonencode({
       gcp = {
-        workload_identity_federation = {
-          pool_id          = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id
-          pool_provider_id = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id
-          project_number   = data.google_project.project.number
-        }
-        email = google_service_account.onboarding_auth.email
+        key = google_service_account_key.onboarding_service_account_key.private_key
       }
     })
   }
 
   depends_on = [
     google_service_account.onboarding_auth,
-    google_service_account_iam_binding.onboarding_auth_binding,
-    google_iam_workload_identity_pool.onboarding_auth_pool,
-    google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider,
     google_project_iam_member.browser,
-    google_service_account_iam_member.custom_onboarding_auth
+    google_service_account_key.onboarding_service_account_key
   ]
 
   lifecycle {