[SSPROD-48725] Fixing gcp onboarding on gcp regions (#53)

miguelpais · web-flow · commit 981ea224b464 · 2024-12-17T17:40:35.000+01:00
* Fixing gcp onboarding on gcp regions

* Fixing bugs

* Keeping names as were
diff --git a/modules/vm-workload-scanning/main.tf b/modules/vm-workload-scanning/main.tf
@@ -1,3 +1,8 @@
+#-----------------------------------------------------------------------------------------
+# Fetch the data sources
+#-----------------------------------------------------------------------------------------
+data "sysdig_secure_agentless_scanning_assets" "assets" {}
+
 locals {
   suffix = random_id.suffix.hex
 }
@@ -54,6 +59,8 @@ resource "google_iam_workload_identity_pool" "agentless" {
 }
 
 resource "google_iam_workload_identity_pool_provider" "agentless" {
+  count = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "aws" ? 1 : 0
+
   project                            = var.project_id
   workload_identity_pool_id          = google_iam_workload_identity_pool.agentless.workload_identity_pool_id
   workload_identity_pool_provider_id = "sysdig-wl-${local.suffix}"
@@ -76,11 +83,41 @@ resource "google_iam_workload_identity_pool_provider" "agentless" {
 }
 
 resource "google_service_account_iam_member" "controller_binding" {
+  count = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "aws" ? 1 : 0
+
   service_account_id = google_service_account.controller.name
   role               = "roles/iam.workloadIdentityUser"
   member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.aws_account/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}"
 }
 
+resource "google_iam_workload_identity_pool_provider" "agentless_gcp" {
+  count = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "gcp" ? 1 : 0
+
+  workload_identity_pool_id          = google_iam_workload_identity_pool.agentless.workload_identity_pool_id
+  workload_identity_pool_provider_id = "sysdig-wl-${local.suffix}"
+  display_name                       = "Sysdig Agentless Workload"
+  description                        = "GCP identity pool provider for Sysdig Secure Agentless Workload Scanning"
+  disabled                           = false
+
+  attribute_condition = "google.subject == \"${data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id}\""
+
+  attribute_mapping = {
+    "google.subject"  = "assertion.sub"
+    "attribute.sa_id" = "assertion.sub"
+  }
+
+  oidc {
+    issuer_uri = "https://accounts.google.com"
+  }
+}
+
+resource "google_service_account_iam_member" "controller_binding_gcp" {
+  count = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "gcp" ? 1 : 0
+
+  service_account_id = google_service_account.controller.name
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.sa_id/${data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id}"
+}
 
 #--------------------------------------------------------------------------------------------------------------
 # Call Sysdig Backend to add the service-principal integration for VM Workload Scanning to the Sysdig Cloud Account
@@ -94,7 +131,7 @@ resource "sysdig_secure_cloud_auth_account_component" "google_service_principal"
     gcp = {
       workload_identity_federation = {
         pool_id          = google_iam_workload_identity_pool.agentless.workload_identity_pool_id
-        pool_provider_id = google_iam_workload_identity_pool_provider.agentless.workload_identity_pool_provider_id
+        pool_provider_id = data.sysdig_secure_agentless_scanning_assets.assets.backend == "aws" ? google_iam_workload_identity_pool_provider.agentless[0].workload_identity_pool_provider_id : google_iam_workload_identity_pool_provider.agentless_gcp[0].workload_identity_pool_provider_id
         project_number   = data.google_project.project.number
       }
       email = google_service_account.controller.email
@@ -105,6 +142,10 @@ resource "sysdig_secure_cloud_auth_account_component" "google_service_principal"
     google_project_iam_custom_role.controller,
     google_project_iam_binding.controller_binding,
     google_iam_workload_identity_pool.agentless,
+    google_iam_workload_identity_pool_provider.agentless,
+    google_iam_workload_identity_pool_provider.agentless_gcp,
+    google_service_account_iam_member.controller_binding,
+    google_service_account_iam_member.controller_binding_gcp,
     google_organization_iam_member.controller,
   ]
 }
