updating README

haresh-suresh · jose-pablo-camacho · commit 5581c6a39807 · 2024-09-10T17:51:33.000-06:00
diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md
@@ -0,0 +1,87 @@
+# GCP Config Posture Module
+
+This module will deploy Config Posture resources in GCP for a single project, or for a GCP Organization.
+The Config Posture module serves the following functions:
+- retrieving inventory for single project, or for all projects within an Organization.
+- retrieving organization metadata in the case of organizational onboarding within GCP Organization.
+
+If instrumenting a project, the following resources will be created:
+- All the necessary `Service Accounts` and `Policies` to enable the Config posture operation at the project level
+- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources.
+- A cloud account component in the Sysdig Backend, associated with the GCP project and with the required component to serve the config posture functions.
+
+If instrumenting an Organziation, the following resources will be created:
+- All the necessary `Service Accounts` and `Policies` to enable the Config Posture operation at the organization level
+- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources.
+- A cloud account component in the Sysdig Backend, associated with the GCP project and with the required component to serve the config posture functions.
+
+Note:
+- The outputs from the foundational module, such as `sysdig_secure_project_id` are needed as inputs to the other features/integrations modules for subsequent modular installs.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | >= 4.21.0 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 1.23.1 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | 5.0.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3.1 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| [google_service_account.posture_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_service_account_iam_binding.posture_auth_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource |
+| [google_organization.org](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/organization) | data source |
+| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
+| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
+| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [google_iam_workload_identity_pool.posture_auth_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool) | resource |
+| [google_iam_workload_identity_pool_provider.posture_auth_pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource |
+| [google_project_iam_custom_role.custom_posture_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam_custom_role) | resource |
+| [google_project_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) | resource |
+| [google_service_account_iam_member.custom_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member) | resource |
+| [google_organization_iam_custom_role.custom_posture_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam_custom_role) | resource |
+| [google_organization_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource |
+
+## Inputs
+
+| Name | Description                                                                                                               | Type | Default                                       | Required |
+|------|---------------------------------------------------------------------------------------------------------------------------|------|-----------------------------------------------|:--------:|
+| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization.                                     | `bool` | `false`                                       | no |
+| <a name="input_labels"></a> [labels](#input\_labels) | (Optional) Labels to be associated with Sysdig-originated resources                                                       | `map(string)` | <pre>{<br>  "originator": "sysdig"<br>}</pre> | no |
+| <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com                                                                                      | `string` | `""`                                          | no |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer                                                             | `string` | n/a                                           | yes |
+| <a name="input_role_name"></a> [role\_name](#input\_role\_name) | (Optional) Role name for custom role binding to the service account, with read permissions for posture resources          | `string` | `"SysdigPostureAuthRole-{random_id}"`         | no |
+| <a name="input_external_id"></a> [external\_id](#input\_external\_id) | (Required) Random string generated unique to a customer                                                                   | `string` | n/a                                           | yes |
+| <a name="input_suffix"></a> [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null`                                        | no |
+
+## Outputs
+
+| Name | Description                                                                                        |
+|------|----------------------------------------------------------------------------------------------------|
+| <a name="output_workload_identity_pool_id"></a> [workload\_identity\_pool\_id](#output\_workload\_identity\_pool\_id) | Id of Workload Identity Pool for authenticating to GCP to access config posture resources          |
+| <a name="output_workload_identity_pool_provider_id"></a> [workload\_identity\_pool\_provider\_id](#output\_workload\_identity\_pool\_provider\_id) | Id of Workload Identity Pool Provider for authenticating to GCP to access config posture resources |
+| <a name="output_workload_identity_project_number"></a> [workload\_identity\_project\_number](#output\_workload\_identity\_project\_number) | GCP project number                                                                                 |
+| <a name="output_service_account_email"></a> [service\_account\_email](#output\_service\_account\_email) | email of the Service Account created                                                               |
+| <a name="output_sysdig_secure_project_id"></a> [sysdig\_secure\_project\_id](#output\_sysdig\_secure\_project\_id) | ID of the Sysdig Cloud Account created                                                             |
+| <a name="output_is_organizational"></a> [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not     |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Authors
+
+Module is maintained by [Sysdig](https://sysdig.com).
+
+## License
+
+Apache 2 Licensed. See LICENSE for full details.
diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf
@@ -21,7 +21,7 @@ locals {
 }
 
 resource "google_service_account" "posture_auth" {
-  account_id   = "sysdig-posture-${local.suffix}"
+  account_id   = "sysdig-secure-posture-${local.suffix}"
   display_name = "Sysdig Config Posture Auth Service Account"
   project      = var.project_id
 }
@@ -42,13 +42,13 @@ resource "google_service_account_iam_binding" "posture_auth_binding" {
 
 resource "google_iam_workload_identity_pool" "posture_auth_pool" {
   project                   = var.project_id
-  workload_identity_pool_id = "sysdig-posture-${local.suffix}"
+  workload_identity_pool_id = "sysdig-secure-posture-${local.suffix}"
 }
 
 resource "google_iam_workload_identity_pool_provider" "posture_auth_pool_provider" {
   project                            = var.project_id
   workload_identity_pool_id          = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id
-  workload_identity_pool_provider_id = "sysdig-posture-${local.suffix}"
+  workload_identity_pool_provider_id = "sysdig-secure-posture-${local.suffix}"
   display_name                       = "Sysdigcloud config posture auth"
   description                        = "AWS identity pool provider for Sysdig Secure Data Config Posture resources"
   disabled                           = false
diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md
@@ -63,19 +63,18 @@ No modules.
 | <a name="input_labels"></a> [labels](#input\_labels) | (Optional) Labels to be associated with Sysdig-originated resources | `map(string)` | <pre>{<br>  "originator": "sysdig"<br>}</pre> | no |
 | <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no |
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes |
-| <a name="input_role_name"></a> [role\_name](#input\_role\_name) | (Optional) Role name for custom role binding to the service account, with read permissions for data onboarding resources | `string` | `"SysdigOnboardingAuthRole-{random_id}"` | no |
 | <a name="input_external_id"></a> [external\_id](#input\_external\_id) | (Required) Random string generated unique to a customer | `string` | n/a | yes |
 | <a name="input_suffix"></a> [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no |
 
 ## Outputs
 
-| Name | Description |
-|------|-------------|
-| <a name="output_workload_identity_pool_id"></a> [workload\_identity\_pool\_id](#output\_workload\_identity\_pool\_id) | Id of Workload Identity Pool for authenticating to GCP to access data ingestion resources |
-| <a name="output_workload_identity_pool_provider_id"></a> [workload\_identity\_pool\_provider\_id](#output\_workload\_identity\_pool\_provider\_id) | Id of Workload Identity Pool Provider for authenticating to GCP to access data ingestion resources |
-| <a name="output_workload_identity_project_number"></a> [workload\_identity\_project\_number](#output\_workload\_identity\_project\_number) | GCP project number |
-| <a name="output_service_account_email"></a> [service\_account\_email](#output\_service\_account\_email) | email of the Service Account created |
-| <a name="output_sysdig_secure_project_id"></a> [sysdig\_secure\_project\_id](#output\_sysdig\_secure\_project\_id) | ID of the Sysdig Cloud Account created |
+| Name | Description                                                                                    |
+|------|------------------------------------------------------------------------------------------------|
+| <a name="output_workload_identity_pool_id"></a> [workload\_identity\_pool\_id](#output\_workload\_identity\_pool\_id) | Id of Workload Identity Pool for authenticating to GCP to access onboarding resources          |
+| <a name="output_workload_identity_pool_provider_id"></a> [workload\_identity\_pool\_provider\_id](#output\_workload\_identity\_pool\_provider\_id) | Id of Workload Identity Pool Provider for authenticating to GCP to access onboarding resources |
+| <a name="output_workload_identity_project_number"></a> [workload\_identity\_project\_number](#output\_workload\_identity\_project\_number) | GCP project number                                                                             |
+| <a name="output_service_account_email"></a> [service\_account\_email](#output\_service\_account\_email) | email of the Service Account created                                                           |
+| <a name="output_sysdig_secure_project_id"></a> [sysdig\_secure\_project\_id](#output\_sysdig\_secure\_project\_id) | ID of the Sysdig Cloud Account created                                                         |
 | <a name="output_is_organizational"></a> [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf
@@ -21,7 +21,7 @@ locals {
 }
 
 resource "google_service_account" "onboarding_auth" {
-  account_id   = "sysdig-onboarding-${local.suffix}"
+  account_id   = "sysdig-secure-onboarding-${local.suffix}"
   display_name = "Sysdig Onboarding Auth Service Account"
   project      = var.project_id
 }
@@ -42,13 +42,13 @@ resource "google_service_account_iam_binding" "onboarding_auth_binding" {
 
 resource "google_iam_workload_identity_pool" "onboarding_auth_pool" {
   project                   = var.project_id
-  workload_identity_pool_id = "sysdig-onboarding-${local.suffix}"
+  workload_identity_pool_id = "sysdig-secure-onboarding-${local.suffix}"
 }
 
 resource "google_iam_workload_identity_pool_provider" "onboarding_auth_pool_provider" {
   project                            = var.project_id
   workload_identity_pool_id          = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id
-  workload_identity_pool_provider_id = "sysdig-onboarding-${local.suffix}"
+  workload_identity_pool_provider_id = "sysdig-secure-onboarding-${local.suffix}"
   display_name                       = "Sysdigcloud onboarding auth"
   description                        = "AWS identity pool provider for Sysdig Secure Data Onboarding resources"
   disabled                           = false
