adding modular onboarding module

Author: haresh-suresh

modules/onboarding/README.md

@@ -0,0 +1,88 @@
+# GCP Onboarding Module
+
+This module will deploy Foundational Onboarding resources in GCP for a single project, or for a GCP Organization.
+The Foundational Onboarding module serves the following functions:
+- retrieving inventory for single project, or for all projects within an Organization.
+- running organization scraping in the case of organizational onboarding within GCP Organization.
+
+If instrumenting a project, the following resources will be created:
+- All the necessary `Service Accounts` and `Policies` to enable the Onboarding operation at the project level
+- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources.
+- A cloud account in the Sysdig Backend, associated with the GCP project and with the required component to serve the foundational functions.
+
+If instrumenting an Organziation, the following resources will be created:
+- All the necessary `Service Accounts` and `Policies` to enable the Onboarding operation at the organization level
+- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources.
+- A cloud account in the Sysdig Backend, associated with the management project and with the required component to serve the foundational functions.
+- A cloud organization in the Sysdig Backend, associated with the GCP Organization to fetch the organization structure to install Sysdig Secure for Cloud on.
+
+Note:
+- The outputs from the foundational module, such as `sysdig_secure_project_id` are needed as inputs to the other features/integrations modules for subsequent modular installs.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | >= 4.21.0 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 1.23.1 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | 5.0.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3.1 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| [google_service_account.onboarding_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_service_account_iam_binding.onboarding_auth_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource |
+| [google_organization.org](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/organization) | data source |
+| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
+| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
+| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [google_iam_workload_identity_pool.onboarding_auth_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool) | resource |
+| [google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource |
+| [google_project_iam_custom_role.custom_onboarding_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam_custom_role) | resource |
+| [google_project_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) | resource |
+| [google_service_account_iam_member.custom_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member) | resource |
+| [google_organization_iam_custom_role.custom_onboarding_auth_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam_custom_role) | resource |
+| [google_organization_iam_member.custom](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no |
+| <a name="input_labels"></a> [labels](#input\_labels) | (Optional) Labels to be associated with Sysdig-originated resources | `map(string)` | <pre>{<br>  "originator": "sysdig"<br>}</pre> | no |
+| <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes |
+| <a name="input_role_name"></a> [role\_name](#input\_role\_name) | (Optional) Role name for custom role binding to the service account, with read permissions for data onboarding resources | `string` | `"SysdigOnboardingAuthRole-{random_id}"` | no |
+| <a name="input_external_id"></a> [external\_id](#input\_external\_id) | (Required) Random string generated unique to a customer | `string` | n/a | yes |
+| <a name="input_suffix"></a> [suffix](#input\_suffix) | (Optional) Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_workload_identity_pool_id"></a> [workload\_identity\_pool\_id](#output\_workload\_identity\_pool\_id) | Id of Workload Identity Pool for authenticating to GCP to access data ingestion resources |
+| <a name="output_workload_identity_pool_provider_id"></a> [workload\_identity\_pool\_provider\_id](#output\_workload\_identity\_pool\_provider\_id) | Id of Workload Identity Pool Provider for authenticating to GCP to access data ingestion resources |
+| <a name="output_workload_identity_project_number"></a> [workload\_identity\_project\_number](#output\_workload\_identity\_project\_number) | GCP project number |
+| <a name="output_service_account_email"></a> [service\_account\_email](#output\_service\_account\_email) | email of the Service Account created |
+| <a name="output_sysdig_secure_project_id"></a> [sysdig\_secure\_project\_id](#output\_sysdig\_secure\_project\_id) | ID of the Sysdig Cloud Account created |
+| <a name="output_is_organizational"></a> [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Authors
+
+Module is maintained by [Sysdig](https://sysdig.com).
+
+## License
+
+Apache 2 Licensed. See LICENSE for full details.

modules/onboarding/main.tf

@@ -0,0 +1,100 @@
+#------------------------------------------------------------------#
+# Fetch and compute required data for Workload Identity Federation #
+#------------------------------------------------------------------#
+
+data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
+  cloud_provider = "gcp"
+}
+
+data "google_project" "project" {
+  project_id = var.project_id
+}
+
+// suffix to uniquely identify WIF pool and provider during multiple installs. If suffix value is not provided, this will generate a random value.
+resource "random_id" "suffix" {
+  count       = var.suffix == null ? 1 : 0
+  byte_length = 3
+}
+
+locals {
+  suffix = var.suffix == null ? random_id.suffix[0].hex : var.suffix
+}
+
+resource "google_service_account" "onboarding_auth" {
+  account_id   = "sysdig-onboarding-${local.suffix}"
+  display_name = "Sysdig Onboarding Auth Service Account"
+  project      = var.project_id
+}
+
+resource "google_service_account_iam_binding" "onboarding_auth_binding" {
+  service_account_id = google_service_account.push_auth.name
+  role               = "roles/iam.workloadIdentityUser"
+
+  members = [
+    "serviceAccount:${google_service_account.onboarding_auth.email}",
+  ]
+}
+
+#------------------------------------------------------------#
+# Configure Workload Identity Federation for auth            #
+# See https://cloud.google.com/iam/docs/access-resources-aws #
+#------------------------------------------------------------#
+
+resource "google_iam_workload_identity_pool" "onboarding_auth_pool" {
+  project                   = var.project_id
+  workload_identity_pool_id = "sysdig-onboarding-${local.suffix}"
+}
+
+resource "google_iam_workload_identity_pool_provider" "onboarding_auth_pool_provider" {
+  project                            = var.project_id
+  workload_identity_pool_id          = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id
+  workload_identity_pool_provider_id = "sysdig-onboarding-${local.suffix}"
+  display_name                       = "Sysdigcloud onboarding auth"
+  description                        = "AWS identity pool provider for Sysdig Secure Data Onboarding resources"
+  disabled                           = false
+
+  attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}\""
+
+  attribute_mapping = {
+    "google.subject"     = "assertion.arn",
+    "attribute.aws_role" = "assertion.arn"
+  }
+
+  aws {
+    account_id = data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id
+  }
+}
+
+# creating custom role with project-level permissions to access onboarding resources
+resource "google_project_iam_custom_role" "custom_onboarding_auth_role" {
+  count = var.is_organizational ? 0 : 1
+
+  project     = var.project_id
+  role_id     = var.role_name
+  title       = "Sysdigcloud Onboarding Auth Role"
+  description = "A Role providing the required permissions for Sysdig Backend to read cloud resources created for onboarding"
+  permissions = [
+    "pubsub.topics.get",
+    "pubsub.topics.list",
+    "pubsub.subscriptions.get",
+    "pubsub.subscriptions.list",
+    "logging.sinks.get",
+    "logging.sinks.list",
+  ]
+}
+
+# adding custom role with project-level permissions to the service account for auth
+resource "google_project_iam_member" "custom" {
+  count = var.is_organizational ? 0 : 1
+
+  project = var.project_id
+  role    = google_project_iam_custom_role.custom_onboarding_auth_role[0].id
+  member  = "serviceAccount:${google_service_account.onboarding_auth.email}"
+}
+
+# attaching WIF as a member to the service account for auth
+resource "google_service_account_iam_member" "custom_auth" {
+  service_account_id = google_service_account.onboarding_auth.name
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${var.external_id}"
+}

modules/onboarding/organizational.tf

@@ -0,0 +1,35 @@
+#--------------#
+# Organization #
+#--------------#
+
+data "google_organization" "org" {
+  count  = var.is_organizational ? 1 : 0
+  domain = var.organization_domain
+}
+
+# creating custom role with organization-level permissions to access onboarding resources
+resource "google_organization_iam_custom_role" "custom_onboarding_auth_role" {
+  count = var.is_organizational ? 1 : 0
+
+  org_id      = data.google_organization.org[0].org_id
+  role_id     = var.role_name
+  title       = "Sysdigcloud Onboarding Auth Role"
+  description = "A Role providing the required permissions for Sysdig Backend to read cloud resources created for onboarding"
+  permissions = [
+    "pubsub.topics.get",
+    "pubsub.topics.list",
+    "pubsub.subscriptions.get",
+    "pubsub.subscriptions.list",
+    "logging.sinks.get",
+    "logging.sinks.list",
+  ]
+}
+
+# adding custom role with organization-level permissions to the service account for auth
+resource "google_organization_iam_member" "custom" {
+  count = var.is_organizational ? 1 : 0
+
+  org_id = data.google_organization.org[0].org_id
+  role   = google_organization_iam_custom_role.custom_onboarding_auth_role[0].id
+  member = "serviceAccount:${google_service_account.onboarding_auth.email}"
+}

modules/onboarding/outputs.tf

@@ -0,0 +1,34 @@
+output "workload_identity_pool_id" {
+  value       = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id
+  description = "Id of Workload Identity Pool for authenticating to GCP to access data onboarding resources"
+}
+
+output "workload_identity_pool_provider_id" {
+  value       = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id
+  description = "Id of Workload Identity Pool Provider for authenticating to GCP to access data onboarding resources"
+}
+
+output "workload_identity_project_number" {
+  value       = data.google_project.project.number
+  description = "GCP project number"
+}
+
+output "service_account_email" {
+  value       = google_service_account.onboarding_auth.email
+  description = "email of the Service Account created"
+}
+
+output "project_id" {
+  value       = var.project_id
+  description = "Project ID in which secure-for-cloud onboarding resources are created. For organizational installs it is the Management Project ID selected during install"
+}
+
+output "sysdig_secure_project_id" {
+  value       = sysdig_secure_cloud_auth_account.google_account.id
+  description = "ID of the Sysdig Cloud Account created"
+}
+
+output "is_organizational" {
+  value       = var.is_organizational
+  description = "Boolean value to indicate if secure-for-cloud is deployed to an entire GCP organization or not"
+}

modules/onboarding/variables.tf

@@ -0,0 +1,35 @@
+variable "project_id" {
+  type        = string
+  description = "(Required) Target Project identifier provided by the customer"
+}
+
+variable "labels" {
+  type        = map(string)
+  description = "(Optional) Labels to be associated with Sysdig-originated resources"
+  default = {
+    originator = "sysdig"
+  }
+}
+
+variable "is_organizational" {
+  description = "(Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization."
+  type        = bool
+  default     = false
+}
+
+variable "organization_domain" {
+  type        = string
+  description = "(Optional) Organization domain. e.g. sysdig.com"
+  default     = ""
+}
+
+variable "external_id" {
+  type        = string
+  description = "(Required) Random string generated unique to a customer"
+}
+
+variable "suffix" {
+  type        = string
+  description = "Suffix to uniquely identify resources during multiple installs. If not provided, random value is autogenerated"
+  default     = null
+}

modules/onboarding/versions.tf

@@ -0,0 +1,18 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 4.21.0"
+    }
+    sysdig = {
+      source  = "sysdiglabs/sysdig"
+      version = ">= 1.23.1"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.1, < 4.0"
+    }
+  }
+}