fix role naming & version metadata

haresh-suresh · jose-pablo-camacho · commit 4abc7b2ccc3f · 2024-09-10T17:51:33.000-06:00
diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf
@@ -21,7 +21,8 @@ locals {
 }
 
 resource "google_service_account" "posture_auth" {
-  account_id   = "sysdig-secure-posture-${local.suffix}"
+  # service account name cannot be longer than 30 characters
+  account_id   = "sysdig-posture-${local.suffix}"
   display_name = "Sysdig Config Posture Auth Service Account"
   project      = var.project_id
 }
@@ -48,7 +49,7 @@ resource "google_iam_workload_identity_pool" "posture_auth_pool" {
 resource "google_iam_workload_identity_pool_provider" "posture_auth_pool_provider" {
   project                            = var.project_id
   workload_identity_pool_id          = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id
-  workload_identity_pool_provider_id = "sysdig-secure-posture-${local.suffix}"
+  workload_identity_pool_provider_id = "sysdig-posture-${local.suffix}"
   display_name                       = "Sysdigcloud config posture auth"
   description                        = "AWS identity pool provider for Sysdig Secure Data Config Posture resources"
   disabled                           = false
@@ -77,33 +78,29 @@ resource "google_project_iam_member" "cspm" {
 }
 
 # attaching WIF as a member to the service account for auth
-resource "google_service_account_iam_member" "custom_auth" {
+resource "google_service_account_iam_member" "custom_posture_auth" {
   service_account_id = google_service_account.posture_auth.name
   role               = "roles/iam.workloadIdentityUser"
   member             = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}"
 }
 
 #--------------------------------------------------------------------------------------------------------------
 # Call Sysdig Backend to add the service-principal integration for Config Posture to the Sysdig Cloud Account
-#
-# Note (optional): To ensure this gets called after all cloud resources are created, add
-# explicit dependency using depends_on
 #--------------------------------------------------------------------------------------------------------------
 resource "sysdig_secure_cloud_auth_account_component" "google_service_principal" {
   account_id = var.sysdig_secure_account_id
   type       = "COMPONENT_SERVICE_PRINCIPAL"
   instance   = "secure-posture"
-  verion     = "v0.1.0"
+  version    = "v0.1.0"
   service_principal_metadata = jsonencode({
     gcp = {
-      service_principal = {
-        workload_identity_federation = {
-          pool_id          = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id
-          pool_provider_id = google_iam_workload_identity_pool_provider.posture_auth_pool_provider.workload_identity_pool_provider_id
-          project_number   = data.google_project.project.number
-        }
-        email = google_service_account.posture_auth.email
+      workload_identity_federation = {
+        pool_id          = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id
+        pool_provider_id = google_iam_workload_identity_pool_provider.posture_auth_pool_provider.workload_identity_pool_provider_id
+        project_number   = data.google_project.project.number
       }
+      email = google_service_account.posture_auth.email
     }
   })
+  depends_on = [google_service_account_iam_member.custom_posture_auth]
 }
diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf
@@ -21,7 +21,8 @@ locals {
 }
 
 resource "google_service_account" "onboarding_auth" {
-  account_id   = "sysdig-secure-onboarding-${local.suffix}"
+  # service account name cannot be longer than 30 characters
+  account_id   = "sysdig-onboarding-${local.suffix}"
   display_name = "Sysdig Onboarding Auth Service Account"
   project      = var.project_id
 }
@@ -42,13 +43,13 @@ resource "google_service_account_iam_binding" "onboarding_auth_binding" {
 
 resource "google_iam_workload_identity_pool" "onboarding_auth_pool" {
   project                   = var.project_id
-  workload_identity_pool_id = "sysdig-secure-onboarding-${local.suffix}"
+  workload_identity_pool_id = "sysdig-onboarding-${local.suffix}"
 }
 
 resource "google_iam_workload_identity_pool_provider" "onboarding_auth_pool_provider" {
   project                            = var.project_id
   workload_identity_pool_id          = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id
-  workload_identity_pool_provider_id = "sysdig-secure-onboarding-${local.suffix}"
+  workload_identity_pool_provider_id = "sysdig-onboarding-${local.suffix}"
   display_name                       = "Sysdigcloud onboarding auth"
   description                        = "AWS identity pool provider for Sysdig Secure Data Onboarding resources"
   disabled                           = false
@@ -77,7 +78,7 @@ resource "google_project_iam_member" "browser" {
 }
 
 # attaching WIF as a member to the service account for auth
-resource "google_service_account_iam_member" "custom_auth" {
+resource "google_service_account_iam_member" "custom_onboarding_auth" {
   service_account_id = google_service_account.onboarding_auth.name
   role               = "roles/iam.workloadIdentityUser"
   member             = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}"
@@ -101,19 +102,17 @@ resource "sysdig_secure_cloud_auth_account" "google_account" {
     version  = "v0.1.0"
     service_principal_metadata = jsonencode({
       gcp = {
-        service_principal = {
-          workload_identity_federation = {
-            pool_id          = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id
-            pool_provider_id = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id
-            project_number   = data.google_project.project.number
-          }
-          email = google_service_account.onboarding_auth.email
+        workload_identity_federation = {
+          pool_id          = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id
+          pool_provider_id = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id
+          project_number   = data.google_project.project.number
         }
+        email = google_service_account.onboarding_auth.email
       }
     })
   }
 
-  depends_on = [google_service_account_iam_member.custom_auth]
+  depends_on = [google_service_account_iam_member.custom_onboarding_auth]
 
   lifecycle {
     ignore_changes = [
diff --git a/modules/onboarding/outputs.tf b/modules/onboarding/outputs.tf
@@ -1,29 +1,9 @@
-output "workload_identity_pool_id" {
-  value       = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id
-  description = "Id of Workload Identity Pool for authenticating to GCP to access data onboarding resources"
-}
-
-output "workload_identity_pool_provider_id" {
-  value       = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id
-  description = "Id of Workload Identity Pool Provider for authenticating to GCP to access data onboarding resources"
-}
-
-output "workload_identity_project_number" {
-  value       = data.google_project.project.number
-  description = "GCP project number"
-}
-
-output "service_account_email" {
-  value       = google_service_account.onboarding_auth.email
-  description = "email of the Service Account created"
-}
-
 output "project_id" {
   value       = var.project_id
   description = "Project ID in which secure-for-cloud onboarding resources are created. For organizational installs it is the Management Project ID selected during install"
 }
 
-output "sysdig_secure_project_id" {
+output "sysdig_secure_account_id" {
   value       = sysdig_secure_cloud_auth_account.google_account.id
   description = "ID of the Sysdig Cloud Account created"
 }
