update READMEs and var defns

haresh-suresh · haresh-suresh · commit 22a885a45573 · 2024-09-16T10:52:41.000-07:00
diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md
@@ -16,7 +16,7 @@ If instrumenting an Organziation, the following resources will be created:
 - A cloud account component in the Sysdig Backend, associated with the GCP project and with the required component to serve the config posture functions.
 
 Note:
-- The outputs from the foundational module, such as `sysdig_secure_project_id` are needed as inputs to the other features/integrations modules for subsequent modular installs.
+- The outputs from the foundational module, such as `sysdig_secure_account_id` are needed as inputs to the other features/integrations modules for subsequent modular installs.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
@@ -41,18 +41,17 @@ No modules.
 ## Resources
 
 | [google_service_account.posture_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
-| [google_service_account_iam_binding.posture_auth_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource |
 | [google_organization.org](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/organization) | data source |
 | [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
 | [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
+| [sysdig_secure_tenant_external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source |
 | [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
 | [google_iam_workload_identity_pool.posture_auth_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool) | resource |
 | [google_iam_workload_identity_pool_provider.posture_auth_pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource |
-| [google_project_iam_custom_role.custom_posture_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam_custom_role) | resource |
-| [google_project_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) | resource |
-| [google_service_account_iam_member.custom_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member) | resource |
-| [google_organization_iam_custom_role.custom_posture_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam_custom_role) | resource |
-| [google_organization_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource |
+| [google_project_iam_member.cspm](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) | resource |
+| [google_service_account_iam_member.custom_posture_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member) | resource |
+| [google_organization_iam_member.cspm](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource |
+| [sysdig_secure_cloud_auth_account_component.google_service_principal](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource |
 
 ## Inputs
 
diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf
@@ -44,7 +44,7 @@ resource "google_iam_workload_identity_pool_provider" "posture_auth_pool_provide
   workload_identity_pool_id          = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id
   workload_identity_pool_provider_id = "sysdig-posture-${local.suffix}"
   display_name                       = "Sysdigcloud config posture auth"
-  description                        = "AWS identity pool provider for Sysdig Secure Data Config Posture resources"
+  description                        = "AWS based pool provider for Sysdig Secure Data Config Posture resources"
   disabled                           = false
 
   attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\""
diff --git a/modules/config-posture/variables.tf b/modules/config-posture/variables.tf
@@ -21,6 +21,12 @@ variable "suffix" {
   default     = null
 }
 
+variable "management_group_ids" {
+  type        = set(string)
+  description = "(Optional) Management group id to onboard. e.g. [organizations/123456789012], [folders/123456789012]"
+  default     = []
+}
+
 variable "sysdig_secure_account_id" {
   type        = string
   description = "ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account)"
diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md
@@ -17,7 +17,7 @@ If instrumenting an Organziation, the following resources will be created:
 - A cloud organization in the Sysdig Backend, associated with the GCP Organization to fetch the organization structure to install Sysdig Secure for Cloud on.
 
 Note:
-- The outputs from the foundational module, such as `sysdig_secure_project_id` are needed as inputs to the other features/integrations modules for subsequent modular installs.
+- The outputs from the foundational module, such as `sysdig_secure_account_id` are needed as inputs to the other features/integrations modules for subsequent modular installs.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
@@ -42,33 +42,32 @@ No modules.
 ## Resources
 
 | [google_service_account.onboarding_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
-| [google_service_account_iam_binding.onboarding_auth_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource |
 | [google_organization.org](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/organization) | data source |
-| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
 | [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
 | [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
-| [google_iam_workload_identity_pool.onboarding_auth_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool) | resource |
-| [google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource |
-| [google_project_iam_custom_role.custom_onboarding_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam_custom_role) | resource |
-| [google_project_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) | resource |
-| [google_service_account_iam_member.custom_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member) | resource |
-| [google_organization_iam_custom_role.custom_onboarding_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam_custom_role) | resource |
-| [google_organization_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource |
+| [google_project_iam_member.browser](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) | resource |
+| [google_organization_iam_member.browser](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource |
+| [google_service_account_key.onboarding_service_account_key](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) | resource |
+| [sysdig_secure_cloud_auth_account.google_account](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account) | resource |
+| [sysdig_secure_organization.google_organization](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_organization) | resource |
 
 ## Inputs
 
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no |
-| <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no |
-| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes |
-| <a name="input_suffix"></a> [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no |
+| Name                                                                                          | Description                                                                                                               | Type | Default | Required |
+|-----------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|------|---------|:--------:|
+| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational)       | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization.                                     | `bool` | `false` | no |
+| <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com                                                                                      | `string` | `""` | no |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id)                            | (Required) Target Project identifier provided by the customer                                                             | `string` | n/a | yes |
+| <a name="input_suffix"></a> [suffix](#input\_suffix)                                          | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no |
+| <a name="input_management_group_ids"></a> [suffix](#input\_management\_group\_ids)            | (Optional) List of management group ids w.r.t an org install. If not provided, set to empty by default                    | `string` | `null` | no |
+
+
 
 ## Outputs
 
 | Name                                                                                                               | Description                                                                                    |
 |--------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------|
-| <a name="output_sysdig_secure_account_id"></a> [sysdig\_secure\_project\_id](#output\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account created                                                         |
+| <a name="output_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#output\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account created                                                         |
 | <a name="output_is_organizational"></a> [is\_organizational](#output\_is\_organizational)                          | Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not |
 | <a name="output_organization_domain"></a> [organization\_domain](#output\_organization\_domain)                    | Organization domain of the GCP org being onboarded                                             |
 | <a name="output_project_id"></a> [project\_id](#output\_project\_id)                                               | The management project id chosen during install, where global resources are deployed           |
diff --git a/test/examples/modular_organization/onboarding_with_posture.tf b/test/examples/modular_organization/onboarding_with_posture.tf
@@ -1,8 +1,3 @@
-provider "google" {
-  project = "org-child-project-3"
-  region  = "us-west1"
-}
-
 terraform {
   required_providers {
     sysdig = {
@@ -17,6 +12,11 @@ provider "sysdig" {
   sysdig_secure_api_token = "API_TOKEN"
 }
 
+provider "google" {
+  project = "org-child-project-3"
+  region  = "us-west1"
+}
+
 module "onboarding" {
   source              = "../../../modules/onboarding"
   project_id          = "org-child-project-3"
@@ -29,6 +29,7 @@ module "config-posture" {
   project_id               = module.onboarding.project_id
   is_organizational        = module.onboarding.is_organizational
   organization_domain      = module.onboarding.organization_domain
+  management_group_ids     = module.onboarding.management_group_ids
   sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
 }
 
diff --git a/test/examples/modular_single_project/onboarding_with_posture.tf b/test/examples/modular_single_project/onboarding_with_posture.tf
@@ -1,8 +1,3 @@
-provider "google" {
-  project = "org-child-project-3"
-  region  = "us-west1"
-}
-
 terraform {
   required_providers {
     sysdig = {
@@ -17,6 +12,11 @@ provider "sysdig" {
   sysdig_secure_api_token = "API_TOKEN"
 }
 
+provider "google" {
+  project = "org-child-project-3"
+  region  = "us-west1"
+}
+
 module "onboarding" {
   source      = "../../../modules/onboarding"
   project_id  = "org-child-project-3"
