Commit 5061fe4

Merge branch 'master' into feat/modular/vm
2 parents 332370f + e35f083 commit 5061fe4

16 files changed

+131
-151
lines changed

modules/config-posture/README.md

Lines changed: 9 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -21,11 +21,11 @@ Note:
2121
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
2222
## Requirements
2323

24-
| Name | Version |
25-
|------|---------|
26-
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
24+
| Name | Version |
25+
|------|-----------|
26+
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
2727
| <a name="requirement_google"></a> [google](#requirement\_google) | >= 4.21.0 |
28-
| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 1.23.1 |
28+
| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 1.34.0 |
2929

3030
## Providers
3131

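Review bot: the `sysdig` floor moves from `>= 1.23.1` to `>= 1.34.0` in the requirements table, which is a breaking change for consumers who pin an older provider; call that out in the commit or changelog, and confirm the module's own `required_providers` constraint was bumped in lockstep, since this block sits between the PRE-COMMIT-TERRAFORM DOCS HOOK markers and is meant to be generated from the code rather than hand-edited.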
@@ -41,18 +41,17 @@ No modules.
4141
## Resources
4242

4343
| [google_service_account.posture_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
44-
| [google_service_account_iam_binding.posture_auth_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource |
4544
| [google_organization.org](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/organization) | data source |
4645
| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
4746
| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
47+
| [sysdig_secure_tenant_external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source |
4848
| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
4949
| [google_iam_workload_identity_pool.posture_auth_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool) | resource |
5050
| [google_iam_workload_identity_pool_provider.posture_auth_pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource |
51-
| [google_project_iam_custom_role.custom_posture_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam_custom_role) | resource |
52-
| [google_project_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) | resource |
53-
| [google_service_account_iam_member.custom_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member) | resource |
54-
| [google_organization_iam_custom_role.custom_posture_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam_custom_role) | resource |
55-
| [google_organization_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource |
51+
| [google_project_iam_member.cspm](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) | resource |
52+
| [google_service_account_iam_member.custom_posture_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member) | resource |
53+
| [google_organization_iam_member.cspm](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource |
54+
| [sysdig_secure_cloud_auth_account_component.google_service_principal](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource |
5655

5756
## Inputs
5857

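Review bot: the resources table drops `google_project_iam_custom_role.custom_posture_auth_role` and `google_organization_iam_custom_role.custom_posture_auth_role` and replaces the bindings with `google_project_iam_member.cspm` / `google_organization_iam_member.cspm`, but nothing in the document now says which role those members grant; if a predefined role replaced the narrowly scoped custom role, name it in the README so reviewers can judge the permission delta. Also, the new `sysdig_secure_tenant_external_id` row is missing the resource label (`.external_id`, as used in main.tf) that every other row carries.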
@@ -63,7 +62,6 @@ No modules.
6362
| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes |
6463
| <a name="input_suffix"></a> [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no |
6564
| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) The GUID of the management project or single project per sysdig representation | `string` | n/a | yes |
66-
| <a name="input_management_group_ids"></a> [management\_group\_ids](#input\_management\_group\_ids) | (Optional) Management group ids to onboard sub ogs or folders like 'organizations/sysdig.com' or 'folders/test-1' | `string` | n/a | no |
6765

6866
## Outputs
6967

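Review bot: removing the `management_group_ids` input row is a breaking interface change for callers that pass it; if the variable was also deleted from variables.tf, those callers will fail with an unsupported-argument error, so list the removal alongside the provider bump in the commit or changelog.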
modules/config-posture/main.tf

Lines changed: 8 additions & 11 deletions
@@ -29,15 +29,6 @@ resource "google_service_account" "posture_auth" {
2929
project = var.project_id
3030
}
3131

32-
resource "google_service_account_iam_binding" "posture_auth_binding" {
33-
service_account_id = google_service_account.posture_auth.name
34-
role = "roles/iam.workloadIdentityUser"
35-
36-
members = [
37-
"serviceAccount:${google_service_account.posture_auth.email}",
38-
]
39-
}
40-
4132
#------------------------------------------------------------#
4233
# Configure Workload Identity Federation for auth #
4334
# See https://cloud.google.com/iam/docs/access-resources-aws #
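Review bot: the deleted `google_service_account_iam_binding.posture_auth_binding` granted `roles/iam.workloadIdentityUser` on the service account to the service account's own email, which does nothing for federation (the grantee has to be the pool principal, for example a `principalSet://iam.googleapis.com/...` member), and as an `_iam_binding` it was authoritative for that role on the account, so it could clobber other grants. Removing it is correct; confirm that `google_service_account_iam_member.custom_posture_auth` (still listed in the `depends_on` below) is what grants `workloadIdentityUser` to the pool principal, otherwise the federated AWS role can no longer impersonate `posture_auth`.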
@@ -53,7 +44,7 @@ resource "google_iam_workload_identity_pool_provider" "posture_auth_pool_provide
5344
workload_identity_pool_id = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id
5445
workload_identity_pool_provider_id = "sysdig-posture-${local.suffix}"
5546
display_name = "Sysdigcloud config posture auth"
56-
description = "AWS identity pool provider for Sysdig Secure Data Config Posture resources"
47+
description = "AWS based pool provider for Sysdig Secure Data Config Posture resources"
5748
disabled = false
5849

5950
attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\""
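Review bot: the description edit is cosmetic; the control that matters is the unchanged `attribute_condition` in the trailing context, which pins `attribute.aws_role` to `arn:aws:sts::<trusted account>:assumed-role/<trusted role>/<external_id>`. The last path segment of an assumed-role ARN is the caller-chosen session name, so this condition relies on the Sysdig side always assuming the role with the tenant external id as the session name; add a comment next to the condition stating that contract, so a future change to the session naming is not mistaken for a harmless tweak.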
@@ -104,5 +95,11 @@ resource "sysdig_secure_cloud_auth_account_component" "google_service_principal"
10495
email = google_service_account.posture_auth.email
10596
}
10697
})
107-
depends_on = [google_service_account_iam_member.custom_posture_auth]
98+
depends_on = [
99+
google_service_account.posture_auth,
100+
google_iam_workload_identity_pool.posture_auth_pool,
101+
google_iam_workload_identity_pool_provider.posture_auth_pool_provider,
102+
google_project_iam_member.cspm,
103+
google_service_account_iam_member.custom_posture_auth
104+
]
108105
}
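Review bot: in the expanded `depends_on`, `google_service_account.posture_auth` is redundant because the component already references `google_service_account.posture_auth.email` a few lines above, so Terraform infers that edge; the entries that carry value are the IAM ones (`google_project_iam_member.cspm`, `google_service_account_iam_member.custom_posture_auth`) and the pool/provider pair, since nothing in the component body references them. Note that `depends_on` only orders the API calls: GCP IAM grants are eventually consistent, so if the Sysdig backend validates the service principal immediately after creation, a retry on first failure is still needed.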

modules/integrations/pub-sub/README.md

Lines changed: 14 additions & 4 deletions
@@ -58,9 +58,19 @@ No modules.
5858
| [google_iam_workload_identity_pool_provider.ingestion_auth_pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource |
5959
| [google_project_iam_custom_role.custom_ingestion_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam_custom_role) | resource |
6060
| [google_project_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/3.22.0/docs/resources/google_project_iam#google_project_iam_member) | resource |
61+
| [google_project_iam_member.identity_mgmt](https://registry.terraform.io/providers/hashicorp/google/3.22.0/docs/resources/google_project_iam#google_project_iam_member) | resource |
6162
| [google_service_account_iam_member.custom_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member) | resource |
6263
| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
64+
| [sysdig_secure_cloud_auth_account_component.gcp_pubsub_datasource](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource |
65+
| [sysdig_secure_tenant_external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source |
66+
| [sysdig_secure_cloud_ingestion_assets](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_cloud_ingestion_assets) | data source |
6367
| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
68+
| [google_organization.org](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/organization) | data source |
69+
| [google_organization_iam_audit_config.audit_config](https://registry.terraform.io/providers/hashicorp/google/3.24.0/docs/resources/google_organization_iam_audit_config) | resource |
70+
| [google_logging_organization_sink.ingestion_sink](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/logging_organization_sink) | resoruce |
71+
| [google_organization_iam_custom_role.custom_ingestion_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam_custom_role) | resource |
72+
| [google_organization_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource |
73+
| [google_organization_iam_member.identity_mgmt](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource |
6474

6575
## Inputs
6676

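Review bot: `resoruce` on the `google_logging_organization_sink.ingestion_sink` row is a typo for `resource`, and since this table lives inside the terraform-docs hook markers the hand-added rows will be overwritten on the next `pre-commit` run; regenerate the block instead of editing it. More importantly, `google_organization_iam_audit_config.audit_config` is authoritative for the service it targets, so applying it at organization scope replaces any existing audit config (exemptions included) for that service; that behaviour deserves a sentence in the README.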
@@ -75,17 +85,17 @@ No modules.
7585
| <a name="input_minimum_backoff"></a> [minimum\_backoff](#input\_minimum\_backoff) | (Optional) Minimum backoff time for exponential backoff of the push subscription retry policy | `string` | `"10s"` | no |
7686
| <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no |
7787
| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes |
78-
| <a name="input_role_name"></a> [role\_name](#input\_role\_name) | (Optional) Role name for custom role binding to the service account, with read permissions for data ingestion resources | `string` | `"SysdigIngestionAuthRole"` | no |
7988
| <a name="input_suffix"></a> [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no |
8089
| <a name="input_audit_log_config"></a> [audit\_log\_config](#input\_audit\_log\_config) | List of services and their audit log configurations to be ingested. Default is to ingest all logs. | <pre>list(object({<br> service = string,<br> log_config = list(object({<br> log_type = string,<br> exempted_members = optional(list(string))<br> }))<br> }))</pre> | <pre>[<br> {<br> "log_config": [<br> {<br> "log_type": "ADMIN_READ"<br> },<br> {<br> "log_type": "DATA_READ"<br> },<br> {<br> "log_type": "DATA_WRITE"<br> }<br> ],<br> "service": "allServices"<br> }<br>]</pre> | no |
8190
| <a name="ingestion_sink_filter"></a> [ingestion\_sink\_filter](#input\_ingestion\_sink\_filter) | Filter the Sink is set up with. Ingests AuditLogs by default. | `string` | `protoPayload.@type = "type.googleapis.com/google.cloud.audit.AuditLog"` | no |
8291
| <a name="input_exclude_logs_filter"></a> [exclude\_logs\_filter](#input\_exclude\_logs\_filter) | Filter to exclude logs from ingestion. Default is to ingest all google.cloud.audit.AuditLog logs. with no exclusions. | <pre>list(object({<br> name = string,<br> description = optional(string),<br> filter = string,<br> disabled = optional(bool)<br> }))</pre> | `[]` | no |
92+
| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Event Bridge integration for (incase of organization, ID of the Sysdig management account) | `string` | `""` | no |
8393

8494
## Outputs
8595

86-
| Name | Description |
87-
|---------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|
88-
| <a name="output_webhook_datasource_component_id"></a> [webhook\_datasource\_component\_id](#webhook\_datasource\_component\_id) | Component identifier of Webhook Datasource integration created in Sysdig Backend for Log Ingestion |
96+
| Name | Description |
97+
|------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|
98+
| <a name="output_pubsub_datasource_component_id"></a> [pubsub\_datasource\_component\_id](#pubsub\_datasource\_component\_id) | Component identifier of Pub Sub integration created in Sysdig Backend for Log Ingestion |
8999

90100
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
91101

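Review bot: the output rename from `webhook_datasource_component_id` to `pubsub_datasource_component_id` and the removal of the `role_name` input are both breaking for existing callers and should be listed as such. The new `sysdig_secure_account_id` description says `Event Bridge integration` and `incase`, which is AWS wording carried into a GCP module; reword it to refer to the Pub/Sub integration. In the unchanged context, the `audit_log_config` default enables `ADMIN_READ`, `DATA_READ` and `DATA_WRITE` for `allServices`, which can produce very large log volume and cost at org scope, and the `ingestion_sink_filter` anchor is `ingestion_sink_filter` while its link targets `#input_ingestion_sink_filter`, so the in-page link is broken.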