test(vm, cloud-scan): single-project use-case (#18)

Author: iru

.github/workflows/ci-pull-request.yaml

@@ -40,6 +40,7 @@ jobs:
           - "secure_config_posture_identity_access/organization/main.tf"
           - "secure_threat_detection/single/main.tf"
           - "secure_threat_detection/organization/main.tf"
+          - "agentless-scan/single/main.tf"
           - "agentless-scan/organization/main.tf"
     steps:
     - name: Set up Go

.pre-commit-config.yaml

@@ -0,0 +1,32 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+      - id: check-merge-conflict
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+
+
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.86.0
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_docs
+        args:
+          - '--args=--sort-by required'
+      - id: terraform_tflint
+        args:
+          - '--args=--only=terraform_deprecated_interpolation'
+          - '--args=--only=terraform_deprecated_index'
+          - '--args=--only=terraform_unused_declarations'
+          - '--args=--only=terraform_comment_syntax'
+          - '--args=--only=terraform_documented_outputs'
+          - '--args=--only=terraform_documented_variables'
+          - '--args=--only=terraform_typed_variables'
+          - '--args=--only=terraform_module_pinned_source'
+          - '--args=--only=terraform_naming_convention'
+          - '--args=--only=terraform_required_version'
+          - '--args=--only=terraform_required_providers'
+          - '--args=--only=terraform_standard_module_structure'
+          - '--args=--only=terraform_workspace_remote'
+      - id: terrascan

modules/services/agentless-scan/README.md

@@ -7,9 +7,9 @@ This module will deploy required resources for Sysdig to be able to scan hosts o
 
 
 The following resources will be created on each instrumented project:
-- For the **Resource Discovery**: Enable Sysdig to authenticate through a Workload Identity Pool (requires provider, 
+- For the **Resource Discovery**: Enable Sysdig to authenticate through a Workload Identity Pool (requires provider,
   service account, role, and related bindings)  in order to be able to discover the VPC/Instance/Volumes
-- For the **Host Data Extraction**: Enable Sysdig to create a disk copy on our SaaS platform, to be able to extract 
+- For the **Host Data Extraction**: Enable Sysdig to create a disk copy on our SaaS platform, to be able to extract
   the data required for security assessment.
 
 
@@ -103,4 +103,4 @@ Module is maintained by [Sysdig](https://sysdig.com).
 
 ## License
 
-Apache 2 Licensed. See LICENSE for full details.
+Apache 2 Licensed. See LICENSE for full details.

modules/services/agentless-scan/controller_org.tf

@@ -15,4 +15,4 @@ resource "google_organization_iam_binding" "controller_custom" {
   members = [
     "serviceAccount:${google_service_account.controller.email}",
   ]
-}
+}

modules/services/agentless-scan/controller_single.tf

@@ -15,4 +15,4 @@ resource "google_project_iam_binding" "controller_custom" {
   members = [
     "serviceAccount:${google_service_account.controller.email}",
   ]
-}
+}

modules/services/agentless-scan/data.tf

@@ -5,4 +5,4 @@ data "google_project" "project" {
 data "google_organization" "org" {
   count  = local.is_organizational ? 1 : 0
   domain = var.organization_domain
-}
+}

modules/services/agentless-scan/locals.tf

@@ -30,4 +30,4 @@ locals {
 resource "random_id" "suffix" {
   count       = var.suffix == null ? 1 : 0
   byte_length = 3
-}
+}

modules/services/agentless-scan/outputs.tf

@@ -1,13 +1,17 @@
 output "project_id" {
-  value = var.project_id
+  value       = var.project_id
+  description = "Target project_id"
 }
 
 output "project_number" {
-  value = data.google_project.project.number
+  value       = data.google_project.project.number
+  description = "Target project_number"
 }
 
 output "controller_service_account" {
   value = google_service_account.controller.email
+
+  description = "Service Account (email) for Sysdig host Discovery to use"
 }
 
 output "workload_identity_pool_provider" {
@@ -16,6 +20,8 @@ output "workload_identity_pool_provider" {
     condition     = (var.sysdig_backend != null && var.sysdig_account_id == null) || (var.sysdig_backend == null && var.sysdig_account_id != null)
     error_message = "Cannot provide both sysdig_backend or sysdig_account_id"
   }
+
+  description = "Workload Identity Pool Provider URL for Sysdig host Discovery to use"
 }
 
 output "json_payload" {
@@ -29,4 +35,6 @@ output "json_payload" {
     condition     = (var.sysdig_backend != null && var.sysdig_account_id == null) || (var.sysdig_backend == null && var.sysdig_account_id != null)
     error_message = "Cannot provide both sysdig_backend or sysdig_account_id"
   }
+
+  description = "Deprecated. JSON Payload to internally provision customer on Sysdig VM Host scan on Sysdig"
 }

modules/services/agentless-scan/provider.tf

@@ -11,4 +11,4 @@ terraform {
       version = ">= 3.1, < 4.0"
     }
   }
-}
+}

modules/services/agentless-scan/variables.tf

@@ -9,6 +9,7 @@ variable "worker_identity" {
   description = "Sysdig provided Identity for the Service Account in charge of performing the host disk analysis"
 }
 
+# mandatory; one of  `sysdig_backend` or `sysdig_account_id`
 variable "sysdig_backend" {
   type        = string
   description = "Sysdig provided AWS Account designated for the host scan.<br/>One of `sysdig_backend` or `sysdig_account_id`must be provided"
@@ -29,6 +30,7 @@ variable "role_name" {
 }
 
 
+
 variable "suffix" {
   type        = string
   description = "Optional. Suffix word to enable multiple deployments with different naming<br/>(Workload Identity Pool and Providers have a soft deletion on Google Platform that will disallow name re-utilization)<br/>By default a random value will be autogenerated."