Implement Organizational CloudLogs module (#7)

* First implementation draft

* Enable AuditLogs for org case, refactor

* Create organizational template file and refactor

* Remove unnecessary output declaration

* Update documentation for the organizational case

* Remove unused google_project declaration

* Update README files

* Use organization domain instead of organization id as module input

Author: gi-erre

README.md

@@ -8,7 +8,7 @@ Provides unified threat-detection, compliance, forensics and analysis through th
 
 * **[CIEM](https://docs.sysdig.com/en/docs/sysdig-secure/posture/identity-and-access/)**: Permissions and Entitlements management. Managed through `service-principal` module. <br/>
 
-* **CDR (Cloud Detection and Response)**: It send periodically the Audit Logs collected from a GCP project to Sysdig's systems, this by collecting them in a PubSub topic through a Sink and then sending them through a `PUSH` integration. Managed through `webhook-datasource` module. <br/>
+* **CDR (Cloud Detection and Response)**: It sends periodically the Audit Logs collected from a GCP project/organization to Sysdig's systems, this by collecting them in a PubSub topic through a Sink and then sending them through a `PUSH` integration. Managed through `webhook-datasource` module. <br/>
 
 For other Cloud providers check: [AWS](https://github.com/draios/terraform-aws-secure-for-cloud)
 

modules/services/webhook-datasource/README.md

@@ -1,13 +1,13 @@
 # GCP Webhook Datasource Module
 
-This Module creates the resources required to send Project-specific AuditLogs to Sysdig by creating a dedicated Push Subscription tied to a ingestion PubSub topic.
+This Module creates the resources required to send Project or Organization-specific AuditLogs to Sysdig by creating a dedicated Push Subscription tied to a ingestion PubSub topic.
 
 
 The following resources will be created in each instrumented account:
-- A Sink to direct the AuditLogs towards a dedicated PubSub topic
-- A PubSub ingestion topic that will hold all the AuditLogs coming from the specified project
-- A Push Subscription that will POST the AuditLogs collected from the project towards Sysdig's backend
-- All the necessary Service Accounts and Policies to enable the AuditLogs publishing operation
+- A Project/Organization `Sink` to direct the AuditLogs towards a dedicated PubSub topic
+- A `PubSub` ingestion topic that will hold all the AuditLogs coming from the specified project
+- A `Push` Subscription that will POST the AuditLogs collected from the project towards Sysdig's backend
+- All the necessary `Service Accounts` and `Policies` to enable the `AuditLogs` publishing operation
 
 ## Requirements
 
@@ -20,7 +20,7 @@ The following resources will be created in each instrumented account:
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | >= 4.21.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 5.0.0 |
 
 ## Modules
 
@@ -30,32 +30,35 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [google_logging_organization_sink.ingestion_sink](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/logging_organization_sink) | resource |
 | [google_logging_project_sink.ingestion_sink](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/logging_project_sink) | resource |
+| [google_organization_iam_audit_config.audit_config](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_audit_config) | resource |
 | [google_project_iam_audit_config.audit_config](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_audit_config) | resource |
 | [google_pubsub_subscription.ingestion_topic_push_subscription](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription) | resource |
 | [google_pubsub_topic.deadletter_topic](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic) | resource |
 | [google_pubsub_topic.ingestion_topic](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic) | resource |
 | [google_pubsub_topic_iam_member.publisher_iam_member](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic_iam_member) | resource |
 | [google_service_account.push_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
 | [google_service_account_iam_binding.push_auth_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource |
+| [google_organization.org](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/organization) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_ack_deadline_seconds"></a> [ack\_deadline\_seconds](#input\_ack\_deadline\_seconds) | (Optional) Maximum time in seconds after Sysdig's subscriber receives a message before the subscriber should acknowledge the message | `number` | `60` | no |
-| <a name="input_labels"></a> [labels](#input\_labels) | (Optional) Labels to be associated with Sysdig-originated resources | `map(string)` | <pre>{<br>  "originator": "Sysdig"<br>}</pre> | no |
+| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization. | `bool` | `false` | no |
+| <a name="input_labels"></a> [labels](#input\_labels) | (Optional) Labels to be associated with Sysdig-originated resources | `map(string)` | <pre>{<br>  "originator": "sysdig"<br>}</pre> | no |
 | <a name="input_max_delivery_attempts"></a> [max\_delivery\_attempts](#input\_max\_delivery\_attempts) | (Optional) Number of attempts redelivering missed messages from the deadletter topic to the main one | `number` | `5` | no |
 | <a name="input_maximum_backoff"></a> [maximum\_backoff](#input\_maximum\_backoff) | (Optional) Maximum backoff time for exponential backoff of the push subscription retry policy | `string` | `"600s"` | no |
 | <a name="input_message_retention_duration"></a> [message\_retention\_duration](#input\_message\_retention\_duration) | (Optional) How long unacknowledged messages are retained in Sysdig's subscription backlog, from the moment a message is published | `string` | `"604800s"` | no |
 | <a name="input_minimum_backoff"></a> [minimum\_backoff](#input\_minimum\_backoff) | (Optional) Minimum backoff time for exponential backoff of the push subscription retry policy | `string` | `"10s"` | no |
+| <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no |
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes |
 | <a name="input_push_endpoint"></a> [push\_endpoint](#input\_push\_endpoint) | (Required) Final endpoint towards which audit logs POST calls will be directed | `string` | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| <a name="output_project_id"></a> [project\_id](#output\_project\_id) | GCP Project Identifier |
 | <a name="output_push_endpoint"></a> [push\_endpoint](#output\_push\_endpoint) | Push endpoint towards which the POST request will be directed |
-| <a name="output_push_subscription_service_account"></a> [push\_subscription\_service\_account](#output\_push\_subscription\_service\_account) | Service Account used to send POST messages, a KMS key needs to be manually added in order to properly authenticate the requests at Sysdig's side |

modules/services/webhook-datasource/main.tf

@@ -16,21 +16,20 @@
 # Subscription that will send the data to Sysdig's backend. This module takes also care
 # of creating the necessary service accounts along with the necessary policies to enable
 # pushing logs to Sysdig's system.
+#
+# Note: The alternative definitions for the organizational variant of this module are contained
+# in organizational.tf. The only differences w.r.t. the standalone template is in using an
+# organizational sink instead of a project-specific one, as well as enabling AuditLogs for
+# all the projects that fall within the organization.
 ########################################################################################
 
-#-------------#
-# GCP Project #
-#-------------#
-
-data "google_project" "target_project" {
-  project_id = var.project_id
-}
-
 #------------#
 # Audit Logs #
 #------------#
 
 resource "google_project_iam_audit_config" "audit_config" {
+  count = var.is_organizational ? 0 : 1
+
   project = var.project_id
   service = "allServices"
 
@@ -47,11 +46,31 @@ resource "google_project_iam_audit_config" "audit_config" {
   }
 }
 
+#-----------------#
+# Ingestion topic #
+#-----------------#
+
+resource "google_pubsub_topic" "ingestion_topic" {
+  name                       = "ingestion_topic"
+  labels                     = var.labels
+  project                    = var.project_id
+  message_retention_duration = var.message_retention_duration
+}
+
+resource "google_pubsub_topic" "deadletter_topic" {
+  name = "dl-${google_pubsub_topic.ingestion_topic.name}"
+
+  project                    = var.project_id
+  message_retention_duration = var.message_retention_duration
+}
+
 #------#
 # Sink #
 #------#
 
 resource "google_logging_project_sink" "ingestion_sink" {
+  count = var.is_organizational ? 0 : 1
+
   name        = "${google_pubsub_topic.ingestion_topic.name}_sink"
   description = "Sysdig sink to direct the AuditLogs to the PubSub topic used for data gathering"
 
@@ -68,25 +87,7 @@ resource "google_pubsub_topic_iam_member" "publisher_iam_member" {
   project = google_pubsub_topic.ingestion_topic.project
   topic   = google_pubsub_topic.ingestion_topic.name
   role    = "roles/pubsub.publisher"
-  member  = google_logging_project_sink.ingestion_sink.writer_identity
-}
-
-#-----------------#
-# Ingestion topic #
-#-----------------#
-
-resource "google_pubsub_topic" "ingestion_topic" {
-  name                       = "ingestion_topic"
-  labels                     = var.labels
-  project                    = var.project_id
-  message_retention_duration = var.message_retention_duration
-}
-
-resource "google_pubsub_topic" "deadletter_topic" {
-  name = "dl-${google_pubsub_topic.ingestion_topic.name}"
-
-  project                    = var.project_id
-  message_retention_duration = var.message_retention_duration
+  member  = var.is_organizational ? google_logging_organization_sink.ingestion_sink[0].writer_identity : google_logging_project_sink.ingestion_sink[0].writer_identity
 }
 
 #-------------------#
@@ -96,6 +97,7 @@ resource "google_pubsub_topic" "deadletter_topic" {
 resource "google_service_account" "push_auth" {
   account_id   = "ingestion-topic-push-auth"
   display_name = "Push Auth Service Account"
+  project      = var.project_id
 }
 
 resource "google_service_account_iam_binding" "push_auth_binding" {
@@ -113,6 +115,7 @@ resource "google_pubsub_subscription" "ingestion_topic_push_subscription" {
   labels                     = var.labels
   ack_deadline_seconds       = var.ack_deadline_seconds
   message_retention_duration = var.message_retention_duration
+  project                    = var.project_id
 
   push_config {
     push_endpoint = var.push_endpoint

modules/services/webhook-datasource/organizational.tf

@@ -0,0 +1,50 @@
+#--------------#
+# Organization #
+#--------------#
+
+data "google_organization" "org" {
+  count  = var.is_organizational ? 1 : 0
+  domain = var.organization_domain
+}
+
+#------------#
+# Audit Logs #
+#------------#
+resource "google_organization_iam_audit_config" "audit_config" {
+  count = var.is_organizational ? 1 : 0
+
+  org_id  = data.google_organization.org[0].org_id
+  service = "allServices"
+
+  audit_log_config {
+    log_type = "ADMIN_READ"
+  }
+
+  audit_log_config {
+    log_type = "DATA_READ"
+  }
+
+  audit_log_config {
+    log_type = "DATA_WRITE"
+  }
+}
+
+#------#
+# Sink #
+#------#
+
+resource "google_logging_organization_sink" "ingestion_sink" {
+  count = var.is_organizational ? 1 : 0
+
+  name        = "${google_pubsub_topic.ingestion_topic.name}_sink"
+  description = "Sysdig sink to direct the AuditLogs to the PubSub topic used for data gathering"
+  org_id      = data.google_organization.org[0].org_id
+
+  # NOTE: The target destination is a PubSub topic
+  destination = "pubsub.googleapis.com/projects/${var.project_id}/topics/${google_pubsub_topic.ingestion_topic.name}"
+  filter      = "protoPayload.@type = \"type.googleapis.com/google.cloud.audit.AuditLog\""
+
+  # NOTE: The include_children attribute is set to true in order to ingest data
+  # even from potential sub-organizations
+  include_children = true
+}

modules/services/webhook-datasource/outputs.tf

@@ -1,13 +1,3 @@
-output "project_id" {
-  value       = data.google_project.target_project.id
-  description = "GCP Project Identifier"
-}
-
-output "push_subscription_service_account" {
-  value       = google_service_account.push_auth.name
-  description = "Service Account used to send POST messages, a KMS key needs to be manually added in order to properly authenticate the requests at Sysdig's side"
-}
-
 output "push_endpoint" {
   value       = google_pubsub_subscription.ingestion_topic_push_subscription.push_config[0].push_endpoint
   description = "Push endpoint towards which the POST request will be directed"

modules/services/webhook-datasource/variables.tf

@@ -45,3 +45,15 @@ variable "maximum_backoff" {
   description = "(Optional) Maximum backoff time for exponential backoff of the push subscription retry policy"
   default     = "600s"
 }
+
+variable "is_organizational" {
+  description = "(Optional) Set this field to 'true' to deploy secure-for-cloud to a GCP Organization."
+  type        = bool
+  default     = false
+}
+
+variable "organization_domain" {
+  type        = string
+  description = "(Optional) Organization domain. e.g. sysdig.com"
+  default     = ""
+}