adding config posture module for modular onboarding

Author: haresh-suresh

modules/config-posture/README.md

@@ -0,0 +1,109 @@
+#------------------------------------------------------------------#
+# Fetch and compute required data for Workload Identity Federation #
+#------------------------------------------------------------------#
+
+data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
+  cloud_provider = "gcp"
+}
+
+data "google_project" "project" {
+  project_id = var.project_id
+}
+
+// suffix to uniquely identify WIF pool and provider during multiple installs. If suffix value is not provided, this will generate a random value.
+resource "random_id" "suffix" {
+  count       = var.suffix == null ? 1 : 0
+  byte_length = 3
+}
+
+locals {
+  suffix = var.suffix == null ? random_id.suffix[0].hex : var.suffix
+}
+
+resource "google_service_account" "posture_auth" {
+  account_id   = "sysdig-posture-${local.suffix}"
+  display_name = "Sysdig Config Posture Auth Service Account"
+  project      = var.project_id
+}
+
+resource "google_service_account_iam_binding" "posture_auth_binding" {
+  service_account_id = google_service_account.posture_auth.name
+  role               = "roles/iam.workloadIdentityUser"
+
+  members = [
+    "serviceAccount:${google_service_account.posture_auth.email}",
+  ]
+}
+
+#------------------------------------------------------------#
+# Configure Workload Identity Federation for auth            #
+# See https://cloud.google.com/iam/docs/access-resources-aws #
+#------------------------------------------------------------#
+
+resource "google_iam_workload_identity_pool" "posture_auth_pool" {
+  project                   = var.project_id
+  workload_identity_pool_id = "sysdig-posture-${local.suffix}"
+}
+
+resource "google_iam_workload_identity_pool_provider" "posture_auth_pool_provider" {
+  project                            = var.project_id
+  workload_identity_pool_id          = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id
+  workload_identity_pool_provider_id = "sysdig-posture-${local.suffix}"
+  display_name                       = "Sysdigcloud config posture auth"
+  description                        = "AWS identity pool provider for Sysdig Secure Data Config Posture resources"
+  disabled                           = false
+
+  attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}\""
+
+  attribute_mapping = {
+    "google.subject"     = "assertion.arn",
+    "attribute.aws_role" = "assertion.arn"
+  }
+
+  aws {
+    account_id = data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id
+  }
+}
+
+#---------------------------------------------------------------------------------------------
+# role permissions for CSPM (GCP Predefined Roles for Sysdig Cloud Secure Posture Management)
+#---------------------------------------------------------------------------------------------
+resource "google_project_iam_member" "cspm" {
+  for_each = var.is_organizational ? [] : toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer"])
+
+  project = var.project_id
+  role    = each.key
+  member  = "serviceAccount:${google_service_account.posture_auth.email}"
+}
+
+# attaching WIF as a member to the service account for auth
+resource "google_service_account_iam_member" "custom_auth" {
+  service_account_id = google_service_account.posture_auth.name
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}"
+}
+
+#--------------------------------------------------------------------------------------------------------------
+# Call Sysdig Backend to add the service-principal integration for Config Posture to the Sysdig Cloud Account
+#
+# Note (optional): To ensure this gets called after all cloud resources are created, add
+# explicit dependency using depends_on
+#--------------------------------------------------------------------------------------------------------------
+resource "sysdig_secure_cloud_auth_account_component" "google_service_principal" {
+  account_id = var.sysdig_secure_account_id
+  type       = "COMPONENT_SERVICE_PRINCIPAL"
+  instance   = "secure-posture"
+  verion     = "v0.1.0"
+  service_principal_metadata = jsonencode({
+    gcp = {
+      service_principal = {
+        workload_identity_federation = {
+          pool_id          = google_iam_workload_identity_pool.posture_auth_pool.workload_identity_pool_id
+          pool_provider_id = google_iam_workload_identity_pool_provider.posture_auth_pool_provider.workload_identity_pool_provider_id
+          project_number   = data.google_project.project.number
+        }
+        email = google_service_account.posture_auth.email
+      }
+    }
+  })
+}

modules/config-posture/main.tf

@@ -0,0 +1,23 @@
+#--------------#
+# Organization #
+#--------------#
+
+data "google_organization" "org" {
+  count  = var.is_organizational ? 1 : 0
+  domain = var.organization_domain
+}
+
+###################################################
+# Setup Service Account permissions
+###################################################
+
+#---------------------------------------------------------------------------------------------
+# role permissions for CSPM (GCP Predefined Roles for Sysdig Cloud Secure Posture Management)
+#---------------------------------------------------------------------------------------------
+resource "google_organization_iam_member" "cspm" {
+  for_each = var.is_organizational ? toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer"]) : []
+
+  org_id = data.google_organization.org[0].org_id
+  role   = each.key
+  member = "serviceAccount:${google_service_account.posture_auth.email}"
+}

modules/config-posture/organizational.tf

@@ -0,0 +1,5 @@
+output "service_principal_component_id" {
+  value       = "${sysdig_secure_cloud_auth_account_component.google_service_principal.type}/${sysdig_secure_cloud_auth_account_component.google_service_principal.instance}"
+  description = "Component identifier of Service Principal created in Sysdig Backend for Config Posture"
+  depends_on  = [sysdig_secure_cloud_auth_account_component.google_service_principal]
+}

modules/config-posture/outputs.tf

@@ -0,0 +1,38 @@
+variable "project_id" {
+  type        = string
+  description = "(Required) Target Project identifier provided by the customer"
+}
+
+variable "is_organizational" {
+  description = "(Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization."
+  type        = bool
+  default     = false
+}
+
+variable "organization_domain" {
+  type        = string
+  description = "(Optional) Organization domain. e.g. sysdig.com"
+  default     = ""
+}
+
+variable "management_group_ids" {
+  type        = set(string)
+  description = "(Optional) Management group id to onboard. e.g. [organizations/123456789012], [folders/123456789012]"
+  default     = []
+}
+
+variable "external_id" {
+  type        = string
+  description = "(Required) Random string generated unique to a customer"
+}
+
+variable "suffix" {
+  type        = string
+  description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated"
+  default     = null
+}
+
+variable "sysdig_secure_account_id" {
+  type        = string
+  description = "ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account)"
+}

modules/config-posture/variables.tf

@@ -0,0 +1,18 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 4.21.0"
+    }
+    sysdig = {
+      source  = "sysdiglabs/sysdig"
+      version = ">= 1.29.2"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.1"
+    }
+  }
+}

modules/config-posture/versions.tf

@@ -3,14 +3,6 @@ variable "project_id" {
   description = "(Required) Target Project identifier provided by the customer"
 }
 
-variable "labels" {
-  type        = map(string)
-  description = "(Optional) Labels to be associated with Sysdig-originated resources"
-  default = {
-    originator = "sysdig"
-  }
-}
-
 variable "is_organizational" {
   description = "(Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization."
   type        = bool

modules/onboarding/variables.tf

@@ -12,7 +12,7 @@ terraform {
     }
     random = {
       source  = "hashicorp/random"
-      version = ">= 3.1, < 4.0"
+      version = ">= 3.1"
     }
   }
 }