feat(modular): address feedback for modular support for cdr/ciem, rebase and cleanup

jose-pablo-camacho · jose-pablo-camacho · commit 30d4786782a9 · 2024-09-17T09:27:24.000-06:00
diff --git a/modules/integrations/pub-sub/README.md b/modules/integrations/pub-sub/README.md
@@ -61,7 +61,7 @@ No modules.
 | [google_project_iam_member.identity_mgmt](https://registry.terraform.io/providers/hashicorp/google/3.22.0/docs/resources/google_project_iam#google_project_iam_member)                               | resource    |
 | [google_service_account_iam_member.custom_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member)         | resource    |
 | [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity)                            | data source |
-| [sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component)             | resource    |
+| [sysdig_secure_cloud_auth_account_component.gcp_pubsub_datasource](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component)              | resource    |
 | [sysdig_secure_tenant_external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id)                                                     | data source |
 | [sysdig_secure_cloud_ingestion_assets](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_cloud_ingestion_assets)                                             | data source |
 | [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project)                                                                                  | data source |
@@ -85,7 +85,6 @@ No modules.
 | <a name="input_minimum_backoff"></a> [minimum\_backoff](#input\_minimum\_backoff)                                    | (Optional) Minimum backoff time for exponential backoff of the push subscription retry policy                                        | `string`                                                                                                                                                                                       | `"10s"`                                                                                                                                                                                                                                                                         |    no    |
 | <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain)                        | Organization domain. e.g. sysdig.com                                                                                                 | `string`                                                                                                                                                                                       | `""`                                                                                                                                                                                                                                                                            |    no    |
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id)                                                   | (Required) Target Project identifier provided by the customer                                                                        | `string`                                                                                                                                                                                       | n/a                                                                                                                                                                                                                                                                             |   yes    |
-| <a name="input_role_name"></a> [role\_name](#input\_role\_name)                                                      | (Optional) Role name for custom role binding to the service account, with read permissions for data ingestion resources              | `string`                                                                                                                                                                                       | `"SysdigIngestionAuthRole"`                                                                                                                                                                                                                                                     |    no    |
 | <a name="input_suffix"></a> [suffix](#input\_suffix)                                                                 | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated            | `string`                                                                                                                                                                                       | `null`                                                                                                                                                                                                                                                                          |    no    |
 | <a name="input_audit_log_config"></a> [audit\_log\_config](#input\_audit\_log\_config)                               | List of services and their audit log configurations to be ingested. Default is to ingest all logs.                                   | <pre>list(object({<br>    service = string,<br>    log_config = list(object({<br>      log_type         = string,<br>      exempted_members = optional(list(string))<br>    }))<br>  }))</pre> | <pre>[<br>  {<br>    "log_config": [<br>      {<br>        "log_type": "ADMIN_READ"<br>      },<br>      {<br>        "log_type": "DATA_READ"<br>      },<br>      {<br>        "log_type": "DATA_WRITE"<br>      }<br>    ],<br>    "service": "allServices"<br>  }<br>]</pre> |    no    |
 | <a name="ingestion_sink_filter"></a> [ingestion\_sink\_filter](#input\_ingestion\_sink\_filter)                      | Filter the Sink is set up with. Ingests AuditLogs by default.                                                                        | `string`                                                                                                                                                                                       | `protoPayload.@type = "type.googleapis.com/google.cloud.audit.AuditLog"`                                                                                                                                                                                                        |    no    |
@@ -94,9 +93,9 @@ No modules.
 
 ## Outputs
 
-| Name                                                                                                                            | Description                                                                                        |
-|---------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|
-| <a name="output_webhook_datasource_component_id"></a> [webhook\_datasource\_component\_id](#webhook\_datasource\_component\_id) | Component identifier of Webhook Datasource integration created in Sysdig Backend for Log Ingestion |
+| Name                                                                                                                         | Description                                                                             |
+|------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|
+| <a name="output_pubsub_datasource_component_id"></a> [pubsub\_datasource\_component\_id](#pubsub\_datasource\_component\_id) | Component identifier of Pub Sub integration created in Sysdig Backend for Log Ingestion |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
diff --git a/modules/integrations/pub-sub/main.tf b/modules/integrations/pub-sub/main.tf
@@ -29,12 +29,13 @@ data "sysdig_secure_cloud_ingestion_assets" "assets" {}
 #-----------------------------------------------------------------------------------------
 locals {
   suffix = var.suffix == null ? random_id.suffix[0].hex : var.suffix
+  role_name = "SysdigIngestionAuthRole"
 }
 
 
 #-----------------------------------------------------------------------------------------------------------------------
-# A random resource is used to generate unique Webhook Datasource name suffix for resources.
-# This prevents conflicts when recreating an Webhook Datasource resources with the same name.
+# A random resource is used to generate unique Pub Sub name suffix for resources.
+# This prevents conflicts when recreating a Pub Sub resources with the same name.
 #-----------------------------------------------------------------------------------------------------------------------
 resource "random_id" "suffix" {
   count       = var.suffix == null ? 1 : 0
@@ -201,7 +202,7 @@ resource "google_project_iam_custom_role" "custom_ingestion_auth_role" {
   count = var.is_organizational ? 0 : 1
 
   project     = var.project_id
-  role_id     = "${var.role_name}${local.suffix}"
+  role_id     = "${local.role_name}${local.suffix}"
   title       = "Sysdigcloud Ingestion Auth Role"
   description = "A Role providing the required permissions for Sysdig Backend to read cloud resources created for data ingestion"
   permissions = [
@@ -246,7 +247,7 @@ resource "google_project_iam_member" "identity_mgmt" {
 # explicit dependency using depends_on
 #-----------------------------------------------------------------------------------------------------------------------------------------
 
-resource "sysdig_secure_cloud_auth_account_component" "gcp_webhook_datasource" {
+resource "sysdig_secure_cloud_auth_account_component" "gcp_pubsub_datasource" {
   account_id = var.sysdig_secure_account_id
   type       = "COMPONENT_WEBHOOK_DATASOURCE"
   instance   = "secure-runtime"
@@ -258,7 +259,7 @@ resource "sysdig_secure_cloud_auth_account_component" "gcp_webhook_datasource" {
         sink_name              = var.is_organizational ? google_logging_organization_sink.ingestion_sink[0].name : google_logging_project_sink.ingestion_sink[0].name
         push_subscription_name = google_pubsub_subscription.ingestion_topic_push_subscription.name
         push_endpoint          = google_pubsub_subscription.ingestion_topic_push_subscription.push_config[0].push_endpoint
-        routing_key            = "1f6d4677-84ec-4356-bd73-c79c8a96f96a"
+        routing_key            = data.sysdig_secure_cloud_ingestion_assets.assets.gcp_routing_key
       }
       service_principal = {
         workload_identity_federation = {
diff --git a/modules/integrations/pub-sub/organizational.tf b/modules/integrations/pub-sub/organizational.tf
@@ -63,8 +63,8 @@ resource "google_organization_iam_custom_role" "custom_ingestion_auth_role" {
   count = var.is_organizational ? 1 : 0
 
   org_id      = data.google_organization.org[0].org_id
-  role_id     = "${var.role_name}Org${local.suffix}"
-  title       = "Sysdigcloud Ingestion Auth Role"
+  role_id     = "${local.role_name}Org${local.suffix}"
+  title       = "Sysdigcloud Ingestion Org Auth Role"
   description = "A Role providing the required permissions for Sysdig Backend to read cloud resources created for data ingestion"
   permissions = [
     "pubsub.topics.get",
diff --git a/modules/integrations/pub-sub/outputs.tf b/modules/integrations/pub-sub/outputs.tf
@@ -1,5 +1,5 @@
-output "webhook_datasource_component_id" {
-  value       = "${sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource.type}/${sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource.instance}"
+output "pubsub_datasource_component_id" {
+  value       = "${sysdig_secure_cloud_auth_account_component.gcp_pubsub_datasource.type}/${sysdig_secure_cloud_auth_account_component.gcp_pubsub_datasource.instance}"
   description = "Component identifier of Webhook Datasource integration created in Sysdig Backend for Log Ingestion"
-  depends_on  = [sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource]
+  depends_on  = [sysdig_secure_cloud_auth_account_component.gcp_pubsub_datasource]
 }
diff --git a/modules/integrations/pub-sub/variables.tf b/modules/integrations/pub-sub/variables.tf
@@ -53,12 +53,6 @@ variable "organization_domain" {
   default     = ""
 }
 
-variable "role_name" {
-  type        = string
-  description = "Name for the Ingestion auth Role on the Customer infrastructure"
-  default     = "SysdigIngestionAuthRole"
-}
-
 variable "suffix" {
   type        = string
   description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated"
@@ -105,5 +99,5 @@ variable "ingestion_sink_filter" {
 
 variable "sysdig_secure_account_id" {
   type        = string
-  description = "ID of the Sysdig Cloud Account to enable to enable Webhook Datasource integration for (incase of organization, ID of the Sysdig management account)"
+  description = "ID of the Sysdig Cloud Account to enable to enable Pub Sub integration for (incase of organization, ID of the Sysdig management account)"
 }
diff --git a/test/examples/modular_organization/pub-sub.tf b/test/examples/modular_organization/pub-sub.tf
@@ -15,14 +15,14 @@ resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
   account_id = module.onboarding.sysdig_secure_account_id
   type       = "FEATURE_SECURE_THREAT_DETECTION"
   enabled    = true
-  components = [ module.pub-sub.webhook_datasource_component_id ]
+  components = [ module.pub-sub.pubsub_datasource_component_id ]
   depends_on = [ module.pub-sub ]
 }
 
 resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
   account_id = module.onboarding.sysdig_secure_account_id
   type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
   enabled    = true
-  components = [module.pub-sub.webhook_datasource_component_id]
+  components = [module.pub-sub.pubsub_datasource_component_id]
   depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub]
 }
diff --git a/test/examples/modular_single_project/pub-sub.tf b/test/examples/modular_single_project/pub-sub.tf
@@ -13,14 +13,14 @@ resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
   account_id = module.onboarding.sysdig_secure_account_id
   type       = "FEATURE_SECURE_THREAT_DETECTION"
   enabled    = true
-  components = [ module.pub-sub.webhook_datasource_component_id ]
+  components = [ module.pub-sub.pubsub_datasource_component_id ]
   depends_on = [ module.pub-sub ]
 }
 
 resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
   account_id = module.onboarding.sysdig_secure_account_id
   type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
   enabled    = true
-  components = [module.pub-sub.webhook_datasource_component_id]
+  components = [module.pub-sub.pubsub_datasource_component_id]
   depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub]
 }

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`		`-output "webhook_datasource_component_id" {`
`2`		`- value = "${sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource.type}/${sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource.instance}"`
	`1`	`+output "pubsub_datasource_component_id" {`
	`2`	`+ value = "${sysdig_secure_cloud_auth_account_component.gcp_pubsub_datasource.type}/${sysdig_secure_cloud_auth_account_component.gcp_pubsub_datasource.instance}"`
`3`	`3`	`description = "Component identifier of Webhook Datasource integration created in Sysdig Backend for Log Ingestion"`
`4`		`- depends_on = [sysdig_secure_cloud_auth_account_component.gcp_webhook_datasource]`
	`4`	`+ depends_on = [sysdig_secure_cloud_auth_account_component.gcp_pubsub_datasource]`
`5`	`5`	`}`