feat(vm): modular vm feedback

jose-pablo-camacho · jose-pablo-camacho · commit 332370f9120e · 2024-09-17T14:16:55.000-06:00
diff --git a/modules/agentless-scan/README.md b/modules/agentless-scan/README.md
@@ -76,7 +76,6 @@ No modules.
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id)                                                   | GCP Project ID                                                                                                                                                                                                                                            | `string`       | n/a                         |   yes    |
 | <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational)                              | Optional. Determines whether module must scope whole organization. Otherwise single project will be scoped                                                                                                                                                | `bool`         | `false`                     |    no    |
 | <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain)                        | Optional. If `is_organizational=true` is set, its mandatory to specify this value, with the GCP Organization domain. e.g. sysdig.com                                                                                                                      | `string`       | `null`                      |    no    |
-| <a name="input_role_name"></a> [role\_name](#input\_role\_name)                                                      | Optional. Name for the Worker Role on the Customer infrastructure                                                                                                                                                                                         | `string`       | `"SysdigAgentlessHostRole"` |    no    |
 | <a name="input_sysdig_account_id"></a> [sysdig\_account\_id](#input\_sysdig\_account\_id)                            | Sysdig provided GCP Account designated for the host scan.<br/>One of `sysdig_backend` or `sysdig_account_id`must be provided                                                                                                                              | `string`       | `null`                      |    no    |
 | <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id)     | ID of the Sysdig Cloud Account to enable Agentless Scanning integration for (in case of organization, ID of the Sysdig management account)                                                                                                                | `string`       | `null`                      |    no    |
 | <a name="input_suffix"></a> [suffix](#input\_suffix)                                                                 | Optional. Suffix word to enable multiple deployments with different naming<br/>(Workload Identity Pool and Providers have a soft deletion on Google Platform that will disallow name re-utilization)<br/>By default a random value will be autogenerated. | `string`       | `null`                      |    no    |
diff --git a/modules/agentless-scan/main.tf b/modules/agentless-scan/main.tf
@@ -147,20 +147,20 @@ resource "google_service_account_iam_member" "controller_custom_gcp" {
 # Custom IAM roles and bindings
 #-----------------------------------------------------------------------------------------
 
-resource "google_project_iam_custom_role" "controller" {
+resource "google_project_iam_custom_role" "controller_role" {
   count = var.is_organizational ? 0 : 1
 
   project     = var.project_id
-  role_id     = "${var.role_name}Discovery${local.suffix}"
-  title       = "${var.role_name}, for Host Discovery"
+  role_id     = "SysdigCloudVMDiscovery${local.suffix}"
+  title       = "SysdigCloudVM, for Host Discovery"
   permissions = local.host_discovery_permissions
 }
 
-resource "google_project_iam_binding" "controller_custom" {
+resource "google_project_iam_binding" "controller_binding" {
   count = var.is_organizational ? 0 : 1
 
   project = var.project_id
-  role    = google_project_iam_custom_role.controller[0].id
+  role    = google_project_iam_custom_role.controller_role[0].id
   members = [
     "serviceAccount:${google_service_account.controller.email}",
   ]
@@ -170,8 +170,8 @@ resource "google_project_iam_custom_role" "worker_role" {
   count = var.is_organizational ? 0 : 1
 
   project     = var.project_id
-  role_id     = "${var.role_name}Scan${local.suffix}"
-  title       = "${var.role_name}, for Host Scan"
+  role_id     = "SysdigCloudVMScan${local.suffix}"
+  title       = "SysdigCloudVM, for Host Scan"
   permissions = local.host_scan_permissions
 }
 
diff --git a/modules/agentless-scan/organizational.tf b/modules/agentless-scan/organizational.tf
@@ -11,20 +11,20 @@ data "google_organization" "org" {
 # Custom IAM roles and bindings
 #-----------------------------------------------------------------------------------------
 
-resource "google_organization_iam_custom_role" "controller" {
+resource "google_organization_iam_custom_role" "controller_role" {
   count = var.is_organizational ? 1 : 0
 
   org_id      = data.google_organization.org[0].org_id
-  role_id     = "${var.role_name}Discovery${title(local.suffix)}"
-  title       = "${var.role_name}, for Host Discovery"
+  role_id     = "SysdigCloudVMDiscovery${local.suffix}"
+  title       = "SysdigCloudVM, for Host Discovery"
   permissions = local.host_discovery_permissions
 }
 
 resource "google_organization_iam_binding" "controller_custom" {
   count = var.is_organizational ? 1 : 0
 
   org_id = data.google_organization.org[0].org_id
-  role   = google_organization_iam_custom_role.controller[0].id
+  role   = google_organization_iam_custom_role.controller_role[0].id
   members = [
     "serviceAccount:${google_service_account.controller.email}",
   ]
@@ -34,8 +34,8 @@ resource "google_organization_iam_custom_role" "worker_role" {
   count = var.is_organizational ? 1 : 0
 
   org_id      = data.google_organization.org[0].org_id
-  role_id     = "${var.role_name}Scan${title(local.suffix)}"
-  title       = "${var.role_name}, for Host Scan"
+  role_id     = "SysdigCloudVMScan${local.suffix}"
+  title       = "SysdigCloudVM, for Host Scan"
   permissions = local.host_scan_permissions
 }
 
diff --git a/modules/agentless-scan/variables.tf b/modules/agentless-scan/variables.tf
@@ -15,12 +15,6 @@ variable "organization_domain" {
   default     = ""
 }
 
-variable "role_name" {
-  type        = string
-  description = "Name for Sysdig operations on discovery and scan role"
-  default     = "SysdigCloudVM"
-}
-
 variable "sysdig_account_id" {
   type        = string
   description = "Sysdig provided GCP Account designated for the host scan. One of sysdig_backend or sysdig_account_id must be provided"
