
Commit 76e9fe9

authored
[SSPROD-48725] Fixing to gcp workload onboarding (#52)
* Fixing to gcp workload onboarding * Removing unused variable * Adding codeowners
1 parent 433ad7f commit 76e9fe9


2 files changed

+8
-7
lines changed


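--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1,3 +1,4 @@
 * @sysdiglabs/team-secure-onboarding
 /modules/services/agentless-scan/* @sysdiglabs/team-agentless
 /modules/services/workload-scan/* @sysdiglabs/team-agentless
+/modules/vm-workload-scanning/* @sysdiglabs/team-agentless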

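--- a/modules/vm-workload-scanning/main.tf
+++ b/modules/vm-workload-scanning/main.tf
@@ -14,8 +14,6 @@ data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
 cloud_provider = "gcp"
 }
 
-data "sysdig_secure_tenant_external_id" "external_id" {}
-
 resource "google_service_account" "controller" {
 project = var.project_id
 account_id = "sysdig-ws-${local.suffix}"
@@ -63,11 +61,13 @@ resource "google_iam_workload_identity_pool_provider" "agentless" {
 description = "AWS identity pool provider for Sysdig Secure Agentless Workload Scanning"
 disabled = false
 
-attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\""
+attribute_condition = "attribute.aws_account==\"${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}\""
 
 attribute_mapping = {
-"google.subject" = "assertion.arn",
-"attribute.aws_role" = "assertion.arn"
+"google.subject" = "assertion.arn"
+"attribute.aws_account" = "assertion.account"
+"attribute.role" = "assertion.arn.extract(\"/assumed-role/{role}/\")"
+"attribute.session" = "assertion.arn.extract(\"/assumed-role/{role_and_session}/\").extract(\"/{session}\")"
 }
 
 aws {
@@ -78,7 +78,7 @@ resource "google_iam_workload_identity_pool_provider" "agentless" {
 resource "google_service_account_iam_member" "controller_binding" {
 service_account_id = google_service_account.controller.name
 role = "roles/iam.workloadIdentityUser"
-member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.agentless.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}"
+member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.aws_account/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}"
 }
 
 
@@ -107,4 +107,4 @@ resource "sysdig_secure_cloud_auth_account_component" "google_service_principal"
 google_iam_workload_identity_pool.agentless,
 google_organization_iam_member.controller,
 ]
-}
+}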
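Review bot: The new `attribute_condition` in the `@@ -63,11 +61,13 @@` hunk gates the token exchange on `attribute.aws_account` only, so any principal in that AWS account — not just the one assumed role the old condition named — can now obtain the `controller` service account via the pool, and the `controller_binding` member in the `@@ -78,7 +78,7 @@` hunk widens in the same way. The mapping now exposes `attribute.role` but nothing consumes it; if the intent is still to trust a single role, the condition should use it, e.g. `attribute_condition = "attribute.aws_account==\"${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}\" && attribute.role==\"${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}\""`. If the account-level trust is deliberate (the external-id data source was dropped, so the per-tenant scoping it provided is gone), a comment above `attribute_condition` saying so and naming who can assume roles in that account would help the next reviewer; the `"/assumed-role/{role}/"` extraction presumably relies on the caller always presenting an STS assumed-role ARN, which is worth confirming against the provider's documentation.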
