
Commit bcae630

committed
Fixing to gcp workload onboarding
1 parent a7ab5bb commit bcae630

1 file changed

+7
-5
lines changed
  • modules/vm-workload-scanning

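--- a/modules/vm-workload-scanning/main.tf
+++ b/modules/vm-workload-scanning/main.tf
@@ -63,11 +63,13 @@ resource "google_iam_workload_identity_pool_provider" "agentless" {
 description = "AWS identity pool provider for Sysdig Secure Agentless Workload Scanning"
 disabled = false
 
-attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\""
+attribute_condition = "attribute.aws_account==\"${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}\""
 
 attribute_mapping = {
-"google.subject" = "assertion.arn",
-"attribute.aws_role" = "assertion.arn"
+"google.subject" = "assertion.arn"
+"attribute.aws_account" = "assertion.account"
+"attribute.role" = "assertion.arn.extract(\"/assumed-role/{role}/\")"
+"attribute.session" = "assertion.arn.extract(\"/assumed-role/{role_and_session}/\").extract(\"/{session}\")"
 }
 
 aws {
@@ -78,7 +80,7 @@ resource "google_iam_workload_identity_pool_provider" "agentless" {
 resource "google_service_account_iam_member" "controller_binding" {
 service_account_id = google_service_account.controller.name
 role = "roles/iam.workloadIdentityUser"
-member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.agentless.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}"
+member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.aws_account/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}"
 }
 
 
@@ -107,4 +109,4 @@ resource "sysdig_secure_cloud_auth_account_component" "google_service_principal"
 google_iam_workload_identity_pool.agentless,
 google_organization_iam_member.controller,
 ]
-}
+}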
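Review bot: The new `attribute_condition` on line 66 trusts every principal in the Sysdig AWS account, where the old one was pinned to one assumed-role ARN that also carried the tenant external ID; `attribute.role` is mapped on line 71 but never checked, so any role in that account can now impersonate the `controller` service account through the `principalSet` binding on line 83. If account-wide trust is intended it deserves a comment saying so; otherwise tighten the condition to `attribute.aws_account==\"${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}\" && attribute.role==\"${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}\"` and key the `controller_binding` member on `attribute.role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}` instead of `attribute.aws_account`. The `attribute.session` template on line 72 ends with a trailing `/` (`/assumed-role/{role_and_session}/`), which an STS ARN of the form `...:assumed-role/<role>/<session>` does not have, so confirm `extract()` yields the session name rather than an empty string. Since the external ID no longer appears in the trust path, check whether `data.sysdig_secure_tenant_external_id.external_id` is still referenced anywhere in the file. The `agentless` provider block begins before the first hunk.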
