fix(vm-scanning): Fix conditionals for modular

ravinadhruve10 · ravinadhruve10 · commit 1b1836ac6f05 · 2024-11-05T12:22:48.000-08:00
diff --git a/modules/agentless-scan/README.md b/modules/agentless-scan/README.md
@@ -76,7 +76,6 @@ No modules.
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id)                                                   | GCP Project ID                                                                                                                                                                                                                                            | `string`       | n/a                         |   yes    |
 | <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational)                              | Optional. Determines whether module must scope whole organization. Otherwise single project will be scoped                                                                                                                                                | `bool`         | `false`                     |    no    |
 | <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain)                        | Optional. If `is_organizational=true` is set, its mandatory to specify this value, with the GCP Organization domain. e.g. sysdig.com                                                                                                                      | `string`       | `null`                      |    no    |
-| <a name="input_sysdig_account_id"></a> [sysdig\_account\_id](#input\_sysdig\_account\_id)                            | Sysdig provided GCP Account designated for the host scan.<br/>One of `sysdig_backend` or `sysdig_account_id`must be provided                                                                                                                              | `string`       | `null`                      |    no    |
 | <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id)     | ID of the Sysdig Cloud Account to enable Agentless Scanning integration for (in case of organization, ID of the Sysdig management account)                                                                                                                | `string`       | `null`                      |    no    |
 | <a name="input_suffix"></a> [suffix](#input\_suffix)                                                                 | Optional. Suffix word to enable multiple deployments with different naming<br/>(Workload Identity Pool and Providers have a soft deletion on Google Platform that will disallow name re-utilization)<br/>By default a random value will be autogenerated. | `string`       | `null`                      |    no    |
 
diff --git a/modules/agentless-scan/main.tf b/modules/agentless-scan/main.tf
@@ -56,12 +56,12 @@ resource "google_iam_workload_identity_pool" "agentless" {
 }
 
 resource "google_iam_workload_identity_pool_provider" "agentless" {
-  count = data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null ? 1 : 0
+  count = data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_type == "aws" ? 1 : 0
 
   lifecycle {
     precondition {
-      condition     = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null && var.sysdig_account_id == null)
-      error_message = "Cannot provide both sysdig_backend or sysdig_account_id"
+      condition     = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null)
+      error_message = "Cannot provide empty sysdig backend cloud_id"
     }
   }
 
@@ -86,12 +86,12 @@ resource "google_iam_workload_identity_pool_provider" "agentless" {
 }
 
 resource "google_service_account_iam_member" "controller_custom" {
-  count = data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null ? 1 : 0
+  count = data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_type == "aws" ? 1 : 0
 
   lifecycle {
     precondition {
-      condition     = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null && var.sysdig_account_id == null)
-      error_message = "Cannot provide both sysdig_backend or sysdig_account_id"
+      condition     = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null)
+      error_message = "Cannot provide empty sysdig backend cloud_id"
     }
   }
 
@@ -101,12 +101,12 @@ resource "google_service_account_iam_member" "controller_custom" {
 }
 
 resource "google_iam_workload_identity_pool_provider" "agentless_gcp" {
-  count = var.sysdig_account_id != null ? 1 : 0
+  count = data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_type == "gcp" ? 1 : 0
 
   lifecycle {
     precondition {
-      condition     = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id == null && var.sysdig_account_id != null)
-      error_message = "Cannot provide both sysdig_backend or sysdig_account_id"
+      condition     = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null)
+      error_message = "Cannot provide empty sysdig backend cloud_id"
     }
   }
 
@@ -116,7 +116,7 @@ resource "google_iam_workload_identity_pool_provider" "agentless_gcp" {
   description                        = "GCP identity pool provider for Sysdig Secure Agentless Host Scanning"
   disabled                           = false
 
-  attribute_condition = "google.subject == \"${var.sysdig_account_id}\""
+  attribute_condition = "google.subject == \"${data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id}\""
 
   attribute_mapping = {
     "google.subject"  = "assertion.sub"
@@ -129,18 +129,18 @@ resource "google_iam_workload_identity_pool_provider" "agentless_gcp" {
 }
 
 resource "google_service_account_iam_member" "controller_custom_gcp" {
-  count = var.sysdig_account_id != null ? 1 : 0
+  count = data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_type == "gcp" ? 1 : 0
 
   lifecycle {
     precondition {
-      condition     = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id == null && var.sysdig_account_id != null)
-      error_message = "Cannot provide both sysdig_backend or sysdig_account_id"
+      condition     = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null)
+      error_message = "Cannot provide empty sysdig backend cloud_id"
     }
   }
 
   service_account_id = google_service_account.controller.name
   role               = "roles/iam.workloadIdentityUser"
-  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.sa_id/${var.sysdig_account_id}"
+  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.sa_id/${data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id}"
 }
 
 #-----------------------------------------------------------------------------------------
@@ -200,7 +200,7 @@ resource "sysdig_secure_cloud_auth_account_component" "gcp_agentless_scan" {
   service_principal_metadata = jsonencode({
     gcp = {
       workload_identity_federation = {
-        pool_provider_id = data.sysdig_secure_agentless_scanning_assets.assets.gcp.worker_identity != null ? google_iam_workload_identity_pool_provider.agentless[0].name : var.sysdig_account_id != null ? google_iam_workload_identity_pool_provider.agentless_gcp[0].name : null
+        pool_provider_id = data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_type == "aws" ? google_iam_workload_identity_pool_provider.agentless[0].name : data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_type == "gcp" ? google_iam_workload_identity_pool_provider.agentless_gcp[0].name : null
       }
       email = google_service_account.controller.email
     }
diff --git a/modules/agentless-scan/variables.tf b/modules/agentless-scan/variables.tf
@@ -15,12 +15,6 @@ variable "organization_domain" {
   default     = ""
 }
 
-variable "sysdig_account_id" {
-  type        = string
-  description = "Sysdig provided GCP Account designated for the host scan. One of sysdig_backend or sysdig_account_id must be provided"
-  default     = null
-}
-
 variable "sysdig_secure_account_id" {
   type        = string
   description = "ID of the Sysdig Cloud Account to enable Agentless Scanning integration for (in case of organization, ID of the Sysdig management account)"

Original file line number	Diff line number	Diff line change
`@@ -56,12 +56,12 @@ resource "google_iam_workload_identity_pool" "agentless" {`
`56`	`56`	`}`
`57`	`57`
`58`	`58`	`resource "google_iam_workload_identity_pool_provider" "agentless" {`
`59`		`- count = data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null ? 1 : 0`
	`59`	`+ count = data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_type == "aws" ? 1 : 0`
`60`	`60`
`61`	`61`	`lifecycle {`
`62`	`62`	`precondition {`
`63`		`- condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null && var.sysdig_account_id == null)`
`64`		`- error_message = "Cannot provide both sysdig_backend or sysdig_account_id"`
	`63`	`+ condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null)`
	`64`	`+ error_message = "Cannot provide empty sysdig backend cloud_id"`
`65`	`65`	`}`
`66`	`66`	`}`
`67`	`67`
`@@ -86,12 +86,12 @@ resource "google_iam_workload_identity_pool_provider" "agentless" {`
`86`	`86`	`}`
`87`	`87`
`88`	`88`	`resource "google_service_account_iam_member" "controller_custom" {`
`89`		`- count = data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null ? 1 : 0`
	`89`	`+ count = data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_type == "aws" ? 1 : 0`
`90`	`90`
`91`	`91`	`lifecycle {`
`92`	`92`	`precondition {`
`93`		`- condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null && var.sysdig_account_id == null)`
`94`		`- error_message = "Cannot provide both sysdig_backend or sysdig_account_id"`
	`93`	`+ condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null)`
	`94`	`+ error_message = "Cannot provide empty sysdig backend cloud_id"`
`95`	`95`	`}`
`96`	`96`	`}`
`97`	`97`
`@@ -101,12 +101,12 @@ resource "google_service_account_iam_member" "controller_custom" {`
`101`	`101`	`}`
`102`	`102`
`103`	`103`	`resource "google_iam_workload_identity_pool_provider" "agentless_gcp" {`
`104`		`- count = var.sysdig_account_id != null ? 1 : 0`
	`104`	`+ count = data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_type == "gcp" ? 1 : 0`
`105`	`105`
`106`	`106`	`lifecycle {`
`107`	`107`	`precondition {`
`108`		`- condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id == null && var.sysdig_account_id != null)`
`109`		`- error_message = "Cannot provide both sysdig_backend or sysdig_account_id"`
	`108`	`+ condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null)`
	`109`	`+ error_message = "Cannot provide empty sysdig backend cloud_id"`
`110`	`110`	`}`
`111`	`111`	`}`
`112`	`112`
`@@ -116,7 +116,7 @@ resource "google_iam_workload_identity_pool_provider" "agentless_gcp" {`
`116`	`116`	`description = "GCP identity pool provider for Sysdig Secure Agentless Host Scanning"`
`117`	`117`	`disabled = false`
`118`	`118`
`119`		`- attribute_condition = "google.subject == \"${var.sysdig_account_id}\""`
	`119`	`+ attribute_condition = "google.subject == \"${data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id}\""`
`120`	`120`
`121`	`121`	`attribute_mapping = {`
`122`	`122`	`"google.subject" = "assertion.sub"`
`@@ -129,18 +129,18 @@ resource "google_iam_workload_identity_pool_provider" "agentless_gcp" {`
`129`	`129`	`}`
`130`	`130`
`131`	`131`	`resource "google_service_account_iam_member" "controller_custom_gcp" {`
`132`		`- count = var.sysdig_account_id != null ? 1 : 0`
	`132`	`+ count = data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_type == "gcp" ? 1 : 0`
`133`	`133`
`134`	`134`	`lifecycle {`
`135`	`135`	`precondition {`
`136`		`- condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id == null && var.sysdig_account_id != null)`
`137`		`- error_message = "Cannot provide both sysdig_backend or sysdig_account_id"`
	`136`	`+ condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null)`
	`137`	`+ error_message = "Cannot provide empty sysdig backend cloud_id"`
`138`	`138`	`}`
`139`	`139`	`}`
`140`	`140`
`141`	`141`	`service_account_id = google_service_account.controller.name`
`142`	`142`	`role = "roles/iam.workloadIdentityUser"`
`143`		`- member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.sa_id/${var.sysdig_account_id}"`
	`143`	`+ member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.sa_id/${data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id}"`
`144`	`144`	`}`
`145`	`145`
`146`	`146`	`#-----------------------------------------------------------------------------------------`
`@@ -200,7 +200,7 @@ resource "sysdig_secure_cloud_auth_account_component" "gcp_agentless_scan" {`
`200`	`200`	`service_principal_metadata = jsonencode({`
`201`	`201`	`gcp = {`
`202`	`202`	`workload_identity_federation = {`
`203`		`- pool_provider_id = data.sysdig_secure_agentless_scanning_assets.assets.gcp.worker_identity != null ? google_iam_workload_identity_pool_provider.agentless[0].name : var.sysdig_account_id != null ? google_iam_workload_identity_pool_provider.agentless_gcp[0].name : null`
	`203`	`+ pool_provider_id = data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_type == "aws" ? google_iam_workload_identity_pool_provider.agentless[0].name : data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_type == "gcp" ? google_iam_workload_identity_pool_provider.agentless_gcp[0].name : null`
`204`	`204`	`}`
`205`	`205`	`email = google_service_account.controller.email`
`206`	`206`	`}`