use external_id datasource

haresh-suresh · jose-pablo-camacho · commit 2885cccf7c0c · 2024-09-10T17:51:33.000-06:00
diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf
@@ -6,6 +6,8 @@ data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
   cloud_provider = "gcp"
 }
 
+data "sysdig_secure_tenant_external_id" "external_id" {}
+
 data "google_project" "project" {
   project_id = var.project_id
 }
@@ -54,7 +56,7 @@ resource "google_iam_workload_identity_pool_provider" "posture_auth_pool_provide
   description                        = "AWS identity pool provider for Sysdig Secure Data Config Posture resources"
   disabled                           = false
 
-  attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}\""
+  attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\""
 
   attribute_mapping = {
     "google.subject"     = "assertion.arn",
@@ -81,7 +83,7 @@ resource "google_project_iam_member" "cspm" {
 resource "google_service_account_iam_member" "custom_posture_auth" {
   service_account_id = google_service_account.posture_auth.name
   role               = "roles/iam.workloadIdentityUser"
-  member             = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}"
+  member             = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}"
 }
 
 #--------------------------------------------------------------------------------------------------------------
diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf
@@ -6,6 +6,8 @@ data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
   cloud_provider = "gcp"
 }
 
+data "sysdig_secure_tenant_external_id" "external_id" {}
+
 data "google_project" "project" {
   project_id = var.project_id
 }
@@ -54,7 +56,7 @@ resource "google_iam_workload_identity_pool_provider" "onboarding_auth_pool_prov
   description                        = "AWS identity pool provider for Sysdig Secure Data Onboarding resources"
   disabled                           = false
 
-  attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}\""
+  attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\""
 
   attribute_mapping = {
     "google.subject"     = "assertion.arn",
@@ -81,7 +83,7 @@ resource "google_project_iam_member" "browser" {
 resource "google_service_account_iam_member" "custom_onboarding_auth" {
   service_account_id = google_service_account.onboarding_auth.name
   role               = "roles/iam.workloadIdentityUser"
-  member             = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}"
+  member             = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}"
 }
 
 #---------------------------------------------------------------------------------------------
diff --git a/test/examples/modular_organization/onboarding_with_posture.tf b/test/examples/modular_organization/onboarding_with_posture.tf
@@ -20,15 +20,13 @@ provider "sysdig" {
 module "onboarding" {
   source              = "../../../modules/onboarding"
   project_id          = "org-child-project-3"
-  external_id         = "25ef0d887bc7a2b30089a025618e1c62"
   is_organizational   = true
   organization_domain = "draios.com"
 }
 
 module "config-posture" {
   source                   = "../../../modules/config-posture"
   project_id               = module.onboarding.project_id
-  external_id              = "25ef0d887bc7a2b30089a025618e1c62"
   is_organizational        = module.onboarding.is_organizational
   organization_domain      = module.onboarding.organization_domain
   sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
diff --git a/test/examples/modular_single_project/onboarding_with_posture.tf b/test/examples/modular_single_project/onboarding_with_posture.tf
@@ -20,13 +20,11 @@ provider "sysdig" {
 module "onboarding" {
   source      = "../../../modules/onboarding"
   project_id  = "org-child-project-3"
-  external_id = "25ef0d887bc7a2b30089a025618e1c62"
 }
 
 module "config-posture" {
   source                   = "../../../modules/config-posture"
   project_id               = "org-child-project-3"
-  external_id              = "25ef0d887bc7a2b30089a025618e1c62"
   sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
 }
 

Original file line number	Diff line number	Diff line change
`@@ -20,13 +20,11 @@ provider "sysdig" {`
`20`	`20`	`module "onboarding" {`
`21`	`21`	`source = "../../../modules/onboarding"`
`22`	`22`	`project_id = "org-child-project-3"`
`23`		`- external_id = "25ef0d887bc7a2b30089a025618e1c62"`
`24`	`23`	`}`
`25`	`24`
`26`	`25`	`module "config-posture" {`
`27`	`26`	`source = "../../../modules/config-posture"`
`28`	`27`	`project_id = "org-child-project-3"`
`29`		`- external_id = "25ef0d887bc7a2b30089a025618e1c62"`
`30`	`28`	`sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id`
`31`	`29`	`}`
`32`	`30`