fix(cdr) - support empty audit logs block

legobrick · legobrick · commit c3682418a9dc · 2024-12-18T10:54:30.000+01:00
diff --git a/modules/integrations/pub-sub/main.tf b/modules/integrations/pub-sub/main.tf
@@ -54,10 +54,12 @@ resource "random_uuid" "routing_key" {}
 #-----------------------------------------------------------------------------------------
 locals {
   # Data structure will be a map for each service, that can have multiple audit_log_config
-  audit_log_config = { for audit in var.audit_log_config :
+  audit_log_config = {
+    for audit in var.audit_log_config :
     audit["service"] => {
       log_config = audit["log_config"]
     }
+    if length(audit["log_config"]) > 0 # Include only if log_config is not empty
   }
 }
 
@@ -266,4 +268,4 @@ resource "sysdig_secure_cloud_auth_account_component" "gcp_pubsub_datasource" {
       }
     }
   })
-}
+}
diff --git a/test/examples/modular_organization/pub-sub-admin-write-only1.tf b/test/examples/modular_organization/pub-sub-admin-write-only1.tf
@@ -0,0 +1,36 @@
+#---------------------------------------------------------------------------------------------
+# Ensure installation flow for foundational onboarding has been completed before
+# installing additional Sysdig features.
+#---------------------------------------------------------------------------------------------
+
+module "pub-sub" {
+  source              = "../../../modules/integrations/pub-sub"
+  project_id          = module.onboarding.project_id
+  is_organizational   = module.onboarding.is_organizational
+  organization_domain = module.onboarding.organization_domain
+  sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+  ingestion_sink_filter = ""
+  audit_log_config = [
+    {
+      service = "allServices"
+      log_config = []
+    }
+  ]
+  exclude_logs_filter = []
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_THREAT_DETECTION"
+  enabled    = true
+  components = [ module.pub-sub.pubsub_datasource_component_id ]
+  depends_on = [ module.pub-sub ]
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
+  enabled    = true
+  components = [module.pub-sub.pubsub_datasource_component_id]
+  depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub]
+}
diff --git a/test/examples/modular_organization/pub-sub-admin-write-only2.tf b/test/examples/modular_organization/pub-sub-admin-write-only2.tf
@@ -0,0 +1,31 @@
+#---------------------------------------------------------------------------------------------
+# Ensure installation flow for foundational onboarding has been completed before
+# installing additional Sysdig features.
+#---------------------------------------------------------------------------------------------
+
+module "pub-sub" {
+  source              = "../../../modules/integrations/pub-sub"
+  project_id          = module.onboarding.project_id
+  is_organizational   = module.onboarding.is_organizational
+  organization_domain = module.onboarding.organization_domain
+  sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+  ingestion_sink_filter = ""
+  audit_log_config = []
+  exclude_logs_filter = []
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_THREAT_DETECTION"
+  enabled    = true
+  components = [ module.pub-sub.pubsub_datasource_component_id ]
+  depends_on = [ module.pub-sub ]
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
+  enabled    = true
+  components = [module.pub-sub.pubsub_datasource_component_id]
+  depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub]
+}
diff --git a/test/examples/modular_organization/pub-sub.tf b/test/examples/modular_organization/pub-sub.tf
@@ -9,6 +9,40 @@ module "pub-sub" {
   is_organizational   = module.onboarding.is_organizational
   organization_domain = module.onboarding.organization_domain
   sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+  ingestion_sink_filter = "protoPayload.@type = \"type.googleapis.com/google.cloud.audit.AuditLog\" (protoPayload.methodName!~ \"\\.(get|list)$\" OR protoPayload.serviceName != (\"k8s.io\" and \"storage.googleapis.com\"))"
+  audit_log_config = [
+    {
+      service = "cloudsql.googleapis.com"
+      log_config = [{ log_type = "DATA_READ",
+        exempted_members = [
+          "serviceAccount:my-sa@my-project.iam.gserviceaccount.com",
+        ]
+        },
+        { log_type = "DATA_WRITE" }
+      ]
+    },
+    {
+      service = "storage.googleapis.com"
+      log_config = [{ log_type = "DATA_WRITE"
+      }]
+    },
+    {
+      service    = "container.googleapis.com"
+      log_config = [{ log_type = "DATA_READ" }]
+    }
+  ]
+  exclude_logs_filter = [
+    {
+      name        = "nsexcllusion2"
+      description = "Exclude logs from namespace-2 in k8s"
+      filter      = "resource.type = k8s_container resource.labels.namespace_name=\"namespace-2\" "
+    },
+    {
+      name        = "nsexcllusion1"
+      description = "Exclude logs from namespace-1 in k8s"
+      filter      = "resource.type = k8s_container resource.labels.namespace_name=\"namespace-1\" "
+    }
+  ]
 }
 
 resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
@@ -25,4 +59,4 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
   enabled    = true
   components = [module.pub-sub.pubsub_datasource_component_id]
   depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub]
-}
+}
diff --git a/test/examples/modular_single_project/pub-sub-admin-write-only1.tf b/test/examples/modular_single_project/pub-sub-admin-write-only1.tf
@@ -0,0 +1,34 @@
+#---------------------------------------------------------------------------------------------
+# Ensure installation flow for foundational onboarding has been completed before
+# installing additional Sysdig features.
+#---------------------------------------------------------------------------------------------
+
+module "pub-sub" {
+  source        = "../../../modules/integrations/pub-sub"
+  project_id    = module.onboarding.project_id
+  sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+  ingestion_sink_filter = ""
+  audit_log_config = [
+    {
+      service = "allServices"
+      log_config = []
+    }
+  ]
+  exclude_logs_filter = []
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_THREAT_DETECTION"
+  enabled    = true
+  components = [ module.pub-sub.pubsub_datasource_component_id ]
+  depends_on = [ module.pub-sub ]
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
+  enabled    = true
+  components = [module.pub-sub.pubsub_datasource_component_id]
+  depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub]
+}
diff --git a/test/examples/modular_single_project/pub-sub-admin-write-only2.tf b/test/examples/modular_single_project/pub-sub-admin-write-only2.tf
@@ -0,0 +1,29 @@
+#---------------------------------------------------------------------------------------------
+# Ensure installation flow for foundational onboarding has been completed before
+# installing additional Sysdig features.
+#---------------------------------------------------------------------------------------------
+
+module "pub-sub" {
+  source        = "../../../modules/integrations/pub-sub"
+  project_id    = module.onboarding.project_id
+  sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+  ingestion_sink_filter = ""
+  audit_log_config = []
+  exclude_logs_filter = []
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_THREAT_DETECTION"
+  enabled    = true
+  components = [ module.pub-sub.pubsub_datasource_component_id ]
+  depends_on = [ module.pub-sub ]
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
+  enabled    = true
+  components = [module.pub-sub.pubsub_datasource_component_id]
+  depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub]
+}
diff --git a/test/examples/modular_single_project/pub-sub.tf b/test/examples/modular_single_project/pub-sub.tf
@@ -7,6 +7,40 @@ module "pub-sub" {
   source        = "../../../modules/integrations/pub-sub"
   project_id    = module.onboarding.project_id
   sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+  ingestion_sink_filter = "protoPayload.@type = \"type.googleapis.com/google.cloud.audit.AuditLog\" (protoPayload.methodName!~ \"\\.(get|list)$\" OR protoPayload.serviceName != (\"k8s.io\" and \"storage.googleapis.com\"))"
+  audit_log_config = [
+    {
+      service = "cloudsql.googleapis.com"
+      log_config = [{ log_type = "DATA_READ",
+        exempted_members = [
+          "serviceAccount:my-sa@my-project.iam.gserviceaccount.com",
+        ]
+        },
+        { log_type = "DATA_WRITE" }
+      ]
+    },
+    {
+      service = "storage.googleapis.com"
+      log_config = [{ log_type = "DATA_WRITE"
+      }]
+    },
+    {
+      service    = "container.googleapis.com"
+      log_config = [{ log_type = "DATA_READ" }]
+    }
+  ]
+  exclude_logs_filter = [
+    {
+      name        = "nsexcllusion2"
+      description = "Exclude logs from namespace-2 in k8s"
+      filter      = "resource.type = k8s_container resource.labels.namespace_name=\"namespace-2\" "
+    },
+    {
+      name        = "nsexcllusion1"
+      description = "Exclude logs from namespace-1 in k8s"
+      filter      = "resource.type = k8s_container resource.labels.namespace_name=\"namespace-1\" "
+    }
+  ]
 }
 
 resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
@@ -23,4 +57,4 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
   enabled    = true
   components = [module.pub-sub.pubsub_datasource_component_id]
   depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub]
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -54,10 +54,12 @@ resource "random_uuid" "routing_key" {}`
`54`	`54`	`#-----------------------------------------------------------------------------------------`
`55`	`55`	`locals {`
`56`	`56`	`# Data structure will be a map for each service, that can have multiple audit_log_config`
`57`		`- audit_log_config = { for audit in var.audit_log_config :`
	`57`	`+ audit_log_config = {`
	`58`	`+ for audit in var.audit_log_config :`
`58`	`59`	`audit["service"] => {`
`59`	`60`	`log_config = audit["log_config"]`
`60`	`61`	`}`
	`62`	`+ if length(audit["log_config"]) > 0 # Include only if log_config is not empty`
`61`	`63`	`}`
`62`	`64`	`}`
`63`	`65`
`@@ -266,4 +268,4 @@ resource "sysdig_secure_cloud_auth_account_component" "gcp_pubsub_datasource" {`
`266`	`268`	`}`
`267`	`269`	`}`
`268`	`270`	`})`
`269`		`-}`
	`271`	`+}`