SSPROD-26919: Add TF module for GCP CSPM only (single and org) (#1)

* SSPROD-26919: Add TF module for GCP CSPM only (single and org)

- Adding CSPM (trust-relationship) TF module for GCP
- Adding the module for both single-project and org (following same structure as terraform aws repo for consistency)
- The module exports sa_email and sa_key as outputs

Note:
- Using and adding sysdig provider will be a separate PR (phase-2)

Testing done:
- Validated using terraform plan so far, with the following sample TF snippets

* SSPROD-26919: Fix role permissions and default sa name variable

* SSPROD-26919: Make service_account_key output sensitive

* Bump up go version and go deps in ci-pull-request actions

* Fix ginkgo version in go install

* Remove ci-master.yaml and comment go build step in github action

Change summary:
-----------------
1. Removing ci-master.yaml as it is not required.
2. Commenting out go build step since we don't have any *.go files
   in the terraform repo to build.
Note: Both above can be added back after getting details on whether
      they are needed. For now they don't seem to be required.

* Add Makefile and misc fixes to linting and formatting

* Fix role_id used in testing

* SSPROD-26919: Adding only required predefined GCP roles

Change summary:
-----------------
- Updated the CSPM roles to include latest set of roles required.
- Updated the CIEM roles to be only required predefined GCP roles for now.
  Removing the custom role since all those permissions are already available
  in the predefined/built-in roles in GCP. After confirming with the CIEM
  team, if we do require custom roles with custom narrowed-down permissions,
  will push a subsequent PR.

* SSPROD-26919: Update service account roles

Change summary:
---------------
1. Updated the roles and removed the redundant ones since some of
   the roles have a subset of permissions already present in other
   roles.
2. Updated both single-project and org case.
Note: Confirmed with CIEM team. No custom roles required.

Author: ravinadhruve10

.github/workflows/ci-master.yaml

@@ -4,49 +4,54 @@ on:
   pull_request:
     branches:
     - master
+env:
+  GO_VERSION: "^1.20"
 
 jobs:
-  build-and-test:
-    name: Build and Test
+  format:
+    name: Format
     runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - uses: hashicorp/setup-terraform@v2
+      - run: make fmt
 
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
     steps:
     - name: Set up Go
       uses: actions/setup-go@v2
       with:
-        go-version: ^1.14
-
+        go-version: ${{ env.GO_VERSION }}
     - name: Check out code
       uses: actions/checkout@v2
+    - name: Lint
+      run: make lint
 
+  build-and-test:
+    name: Build and Test
+    runs-on: ubuntu-latest
+    steps:
+    - name: Set up Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: ${{ env.GO_VERSION }}
+    - name: Check out code
+      uses: actions/checkout@v2
     - name: Cache modules
       uses: actions/cache@v1
       with:
         path: ~/go/pkg/mod
         key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
         restore-keys: |
           ${{ runner.os }}-go-
-
     - name: Get dependencies
       run: |
-        go get github.com/onsi/ginkgo/ginkgo
-
-    - name: Build
-      run: go build ./...
-
+        go install github.com/onsi/ginkgo/ginkgo@latest
+    # Check if we need to build any go packages in this repo. If not, remove below.
+    # - name: Build
+    #   run: go build ./...
     - name: Test
       run: make test
-
-  lint:
-    name: Lint
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Check out code
-      uses: actions/checkout@v2
-
-    - name: Lint
-      continue-on-error: true
-      uses: golangci/golangci-lint-action@v1
-      with:
-        version: v1.27

.github/workflows/ci-pull-request.yaml

@@ -0,0 +1,30 @@
+PROJECT := terraform-google-secure
+GO_BIN := $(shell go env GOPATH)/bin
+TFLINT := $(GO_BIN)/tflint
+DOCKER ?= docker
+
+SHELL := /bin/bash
+
+$(TFLINT): export TMPDIR = $(shell mktemp -d)
+$(TFLINT):
+	curl -sL https://github.com/terraform-linters/tflint/releases/latest/download/tflint_$(shell go env GOHOSTOS)_$(shell go env GOHOSTARCH).zip -o $${TMPDIR}/tflint.zip
+	unzip $${TMPDIR}/tflint.zip -d $(GO_BIN) tflint
+	rm -rf $${TMPDIR}
+
+deps: $(TFLINT)
+	go install github.com/terraform-docs/[email protected]
+	go install github.com/hashicorp/terraform-config-inspect@latest
+
+lint: $(TFLINT)
+	$(MAKE) -C modules lint
+
+fmt:
+	terraform fmt -check -recursive modules
+
+clean:
+	find -name ".terraform" -type d | xargs rm -rf
+	find -name ".terraform.lock.hcl" -type f | xargs rm -f
+
+.PHONY: test
+test:
+	$(MAKE) -C test test

Makefile

@@ -0,0 +1,2 @@
+lint:
+	tflint --recursive --module

modules/Makefile

@@ -0,0 +1,49 @@
+###################################################
+# Create Service Account and setup permissions
+###################################################
+
+resource "google_service_account" "sa" {
+  project      = var.project_id
+  account_id   = var.service_account_name
+  display_name = "Service account for trust-relationship"
+}
+
+#---------------------------------
+# role permissions for onboarding
+#---------------------------------
+resource "google_project_iam_member" "onboarding_role" {
+  count = var.is_organizational ? 0 : 1
+
+  project = var.project_id
+  role    = "roles/browser"
+  member  = "serviceAccount:${google_service_account.sa.email}"
+}
+
+#--------------------------------------------------------------------------------------
+# role permissions for CSPM (GCP Predefined Roles for Sysdig Cloud Trust Relationship)
+#--------------------------------------------------------------------------------------
+resource "google_project_iam_member" "trust_relationship_role" {
+  for_each = var.is_organizational ? [] : toset(["roles/cloudasset.viewer"])
+
+  project = var.project_id
+  role    = each.key
+  member  = "serviceAccount:${google_service_account.sa.email}"
+}
+
+#---------------------------------------------------------------------------------------
+# role permissions for CIEM (GCP Predefined Roles for Sysdig Cloud Identity Management)
+#---------------------------------------------------------------------------------------
+resource "google_project_iam_member" "identity_mgmt_role" {
+  for_each = var.is_organizational ? [] : toset(["roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.roleViewer"])
+
+  project = var.project_id
+  role    = each.key
+  member  = "serviceAccount:${google_service_account.sa.email}"
+}
+
+#--------------------------------
+# service account private key
+#--------------------------------
+resource "google_service_account_key" "secure_service_account_key" {
+  service_account_id = google_service_account.sa.name
+}

modules/services/trust-relationship/main.tf

@@ -0,0 +1,45 @@
+###################################################
+# Fetch & compute required data
+###################################################
+
+data "google_organization" "org" {
+  count  = var.is_organizational ? 1 : 0
+  domain = var.organization_domain
+}
+
+###################################################
+# Setup Service Account permissions
+###################################################
+
+#---------------------------------
+# role permissions for onboarding
+#---------------------------------
+resource "google_organization_iam_member" "onboarding_role" {
+  count = var.is_organizational ? 1 : 0
+
+  org_id = data.google_organization.org[0].org_id
+  role   = "roles/browser"
+  member = "serviceAccount:${google_service_account.sa.email}"
+}
+
+#--------------------------------------------------------------------------------------
+# role permissions for CSPM (GCP Predefined Roles for Sysdig Cloud Trust Relationship)
+#--------------------------------------------------------------------------------------
+resource "google_organization_iam_member" "trust_relationship_role" {
+  for_each = var.is_organizational ? toset(["roles/cloudasset.viewer"]) : []
+
+  org_id = data.google_organization.org[0].org_id
+  role   = each.key
+  member = "serviceAccount:${google_service_account.sa.email}"
+}
+
+#---------------------------------------------------------------------------------------
+# role permissions for CIEM (GCP Predefined Roles for Sysdig Cloud Identity Management)
+#---------------------------------------------------------------------------------------
+resource "google_organization_iam_member" "identity_mgmt_role" {
+  for_each = var.is_organizational ? toset(["roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.organizationRoleViewer"]) : []
+
+  org_id = data.google_organization.org[0].org_id
+  role   = each.key
+  member = "serviceAccount:${google_service_account.sa.email}"
+}

modules/services/trust-relationship/organizational.tf

@@ -0,0 +1,10 @@
+output "service_account_email" {
+  value       = google_service_account.sa.email
+  description = "email address of the Service Account created (used to allow Sysdig Secure access)"
+}
+
+output "service_account_key" {
+  value       = google_service_account_key.secure_service_account_key.private_key
+  description = "Private Key of the Service Account created"
+  sensitive   = true
+}

modules/services/trust-relationship/outputs.tf

@@ -0,0 +1,22 @@
+variable "project_id" {
+  type        = string
+  description = "The ID of the target Google cloud project to create resources in."
+}
+
+variable "service_account_name" {
+  type        = string
+  description = "The name of the Service Account that will be created."
+  default     = "sysdig-secure"
+}
+
+variable "is_organizational" {
+  description = "(Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization."
+  type        = bool
+  default     = false
+}
+
+variable "organization_domain" {
+  type        = string
+  description = "Organization domain. e.g. sysdig.com"
+  default     = ""
+}

modules/services/trust-relationship/variables.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 4.21.0"
+    }
+  }
+}

modules/services/trust-relationship/versions.tf

@@ -0,0 +1,2 @@
+test:
+	@echo "Functional Tests to be added here."