
Commit 5d45861

committed
Corrections
1 parent e91b2d8 commit 5d45861


1 file changed

+4
-2
lines changed


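--- a/modules/vm-workload-scanning/controller.tf
+++ b/modules/vm-workload-scanning/controller.tf
@@ -2,6 +2,7 @@ data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
 cloud_provider = "gcp"
 }
 
+data "sysdig_secure_tenant_external_id" "external_id" {}
 
 resource "google_service_account" "controller" {
 project = var.project_id
@@ -43,13 +44,14 @@ resource "google_iam_workload_identity_pool" "agentless" {
 }
 
 resource "google_iam_workload_identity_pool_provider" "agentless" {
+project = var.project_id
 workload_identity_pool_id = google_iam_workload_identity_pool.agentless.workload_identity_pool_id
 workload_identity_pool_provider_id = "sysdig-wl-${local.suffix}"
 display_name = "Sysdig Workload Controller"
 description = "AWS identity pool provider for Sysdig Secure Agentless Workload Scanning"
 disabled = false
 
-attribute_condition = "attribute.aws_account==\"${data.sysdig_secure_trusted_cloud_identity.trusted_identity}\""
+attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\""
 
 attribute_mapping = {
 "google.subject" = "assertion.arn"
@@ -66,7 +68,7 @@ resource "google_iam_workload_identity_pool_provider" "agentless" {
 resource "google_service_account_iam_member" "controller_custom" {
 service_account_id = google_service_account.controller.name
 role = "roles/iam.workloadIdentityUser"
-member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.aws_account/${data.sysdig_secure_trusted_cloud_identity.trusted_identity}"
+member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.agentless.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}"
 }
 
 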
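Review bot: The new `attribute_condition` in the second hunk and the new `member` in the third hunk each hand-build the same assumed-role ARN from three data-source attributes, so the two strings can drift apart on a later edit and the service-account binding would then silently never match; build the ARN once in a local (next to the existing `local.suffix`, or in a new `locals` block) and reference it from both places. The condition now keys on `attribute.aws_role`, but the only mapping visible in the hunk is `"google.subject" = "assertion.arn"`, and the new `member` line also references `data.google_project.project`; both the `attribute.aws_role` mapping and that data source must exist in the parts of the file outside these hunks, otherwise the condition can never evaluate true. An exact match on `assumed-role/<role>/<session>` is tighter than the old account-level condition, but the session-name segment is chosen by whoever calls AssumeRole, so the external ID only scopes this binding to Sysdig's tenant as far as the AWS role's trust policy enforces it — that is worth saying in a comment on the local. The `attribute_mapping` block of the provider resource continues past the end of the second hunk.
```hcl
locals {
  # Exact STS assumed-role ARN that Sysdig presents to the pool. The session-name segment
  # carries the tenant external ID; it is only as trustworthy as the AWS role's trust policy,
  # which is what restricts who can assume the role with that external ID.
  sysdig_aws_role_arn = "arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}"
}

# … unchanged: google_iam_workload_identity_pool_provider "agentless" attributes …
attribute_condition = "attribute.aws_role==\"${local.sysdig_aws_role_arn}\""

# … unchanged: google_service_account_iam_member "controller_custom" attributes …
member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.agentless.workload_identity_pool_id}/attribute.aws_role/${local.sysdig_aws_role_arn}"
```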