Add GCP Ingestion onboarding module (#4)

Author: gi-erre

README.md

@@ -6,5 +6,7 @@ Provides unified threat-detection, compliance, forensics and analysis through th
 
 * **[CSPM](https://docs.sysdig.com/en/docs/sysdig-secure/benchmarks/)**: It evaluates periodically your cloud configuration, using Cloud Custodian, against some benchmarks and returns the results and remediation you need to fix. Managed through `trust-relationship` module. <br/>
 
+* **CDR (Cloud Detection and Response)**: It send periodically the Audit Logs collected from a GCP project to Sysdig's systems, this by collecting them in a PubSub topic through a Sink and then sending them through a `PUSH` integration. Managed through `webhook-datasource` module. <br/>
+
 For other Cloud providers check: [AWS](https://github.com/draios/terraform-aws-secure-for-cloud)
 

modules/services/webhook-datasource/README.md

@@ -0,0 +1,61 @@
+# GCP Webhook Datasource Module
+
+This Module creates the resources required to send Project-specific AuditLogs to Sysdig by creating a dedicated Push Subscription tied to a ingestion PubSub topic.
+
+
+The following resources will be created in each instrumented account:
+- A Sink to direct the AuditLogs towards a dedicated PubSub topic
+- A PubSub ingestion topic that will hold all the AuditLogs coming from the specified project
+- A Push Subscription that will POST the AuditLogs collected from the project towards Sysdig's backend
+- All the necessary Service Accounts and Policies to enable the AuditLogs publishing operation
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | >= 4.21.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | >= 4.21.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [google_logging_project_sink.ingestion_sink](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/logging_project_sink) | resource |
+| [google_project_iam_audit_config.audit_config](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_audit_config) | resource |
+| [google_pubsub_subscription.ingestion_topic_push_subscription](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription) | resource |
+| [google_pubsub_topic.deadletter_topic](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic) | resource |
+| [google_pubsub_topic.ingestion_topic](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic) | resource |
+| [google_pubsub_topic_iam_member.publisher_iam_member](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic_iam_member) | resource |
+| [google_service_account.push_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_service_account_iam_binding.push_auth_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_ack_deadline_seconds"></a> [ack\_deadline\_seconds](#input\_ack\_deadline\_seconds) | (Optional) Maximum time in seconds after Sysdig's subscriber receives a message before the subscriber should acknowledge the message | `number` | `60` | no |
+| <a name="input_labels"></a> [labels](#input\_labels) | (Optional) Labels to be associated with Sysdig-originated resources | `map(string)` | <pre>{<br>  "originator": "Sysdig"<br>}</pre> | no |
+| <a name="input_max_delivery_attempts"></a> [max\_delivery\_attempts](#input\_max\_delivery\_attempts) | (Optional) Number of attempts redelivering missed messages from the deadletter topic to the main one | `number` | `5` | no |
+| <a name="input_maximum_backoff"></a> [maximum\_backoff](#input\_maximum\_backoff) | (Optional) Maximum backoff time for exponential backoff of the push subscription retry policy | `string` | `"600s"` | no |
+| <a name="input_message_retention_duration"></a> [message\_retention\_duration](#input\_message\_retention\_duration) | (Optional) How long unacknowledged messages are retained in Sysdig's subscription backlog, from the moment a message is published | `string` | `"604800s"` | no |
+| <a name="input_minimum_backoff"></a> [minimum\_backoff](#input\_minimum\_backoff) | (Optional) Minimum backoff time for exponential backoff of the push subscription retry policy | `string` | `"10s"` | no |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | (Required) Target Project identifier provided by the customer | `string` | n/a | yes |
+| <a name="input_push_endpoint"></a> [push\_endpoint](#input\_push\_endpoint) | (Required) Final endpoint towards which audit logs POST calls will be directed | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_project_id"></a> [project\_id](#output\_project\_id) | GCP Project Identifier |
+| <a name="output_push_endpoint"></a> [push\_endpoint](#output\_push\_endpoint) | Push endpoint towards which the POST request will be directed |
+| <a name="output_push_subscription_service_account"></a> [push\_subscription\_service\_account](#output\_push\_subscription\_service\_account) | Service Account used to send POST messages, a KMS key needs to be manually added in order to properly authenticate the requests at Sysdig's side |

modules/services/webhook-datasource/main.tf

@@ -0,0 +1,140 @@
+########################################################################################
+# The webhook-datasource module takes care of provisioning the necessary resources to make Sysdig's
+# backend able to ingest data from a single GCP project.
+#
+# Before applying the changes defined in this module, the following operations need to
+# be performed on the target GCP environment:
+#   - Creating a GCP project
+#   - Enabling the following APIs in the target environment (https://support.google.com/googleapi/answer/6158841?hl=en)
+#     - Cloud Pub/Sub API
+#     - Identity and Access Management (IAM) API
+#     - IAM Service Account Credentials API
+#     - Cloud Resource Manager API
+#
+# Given that, this module will take care of enabling the AuditLogs for the selected
+# project, direct them to a dedicated PubSub through a Sink and finally creating a Push
+# Subscription that will send the data to Sysdig's backend. This module takes also care
+# of creating the necessary service accounts along with the necessary policies to enable
+# pushing logs to Sysdig's system.
+########################################################################################
+
+#-------------#
+# GCP Project #
+#-------------#
+
+data "google_project" "target_project" {
+  project_id = var.project_id
+}
+
+#------------#
+# Audit Logs #
+#------------#
+
+resource "google_project_iam_audit_config" "audit_config" {
+  project = var.project_id
+  service = "allServices"
+
+  audit_log_config {
+    log_type = "ADMIN_READ"
+  }
+
+  audit_log_config {
+    log_type = "DATA_READ"
+  }
+
+  audit_log_config {
+    log_type = "DATA_WRITE"
+  }
+}
+
+#------#
+# Sink #
+#------#
+
+resource "google_logging_project_sink" "ingestion_sink" {
+  name        = "${google_pubsub_topic.ingestion_topic.name}_sink"
+  description = "Sysdig sink to direct the AuditLogs to the PubSub topic used for data gathering"
+
+  # NOTE: The target destination is a PubSub topic
+  destination = "pubsub.googleapis.com/projects/${var.project_id}/topics/${google_pubsub_topic.ingestion_topic.name}"
+
+  filter = "protoPayload.@type = \"type.googleapis.com/google.cloud.audit.AuditLog\""
+
+  # NOTE: Used to create a dedicated writer identity and not using the default one
+  unique_writer_identity = true
+}
+
+resource "google_pubsub_topic_iam_member" "publisher_iam_member" {
+  project = google_pubsub_topic.ingestion_topic.project
+  topic   = google_pubsub_topic.ingestion_topic.name
+  role    = "roles/pubsub.publisher"
+  member  = google_logging_project_sink.ingestion_sink.writer_identity
+}
+
+#-----------------#
+# Ingestion topic #
+#-----------------#
+
+resource "google_pubsub_topic" "ingestion_topic" {
+  name                       = "ingestion_topic"
+  labels                     = var.labels
+  project                    = var.project_id
+  message_retention_duration = var.message_retention_duration
+}
+
+resource "google_pubsub_topic" "deadletter_topic" {
+  name = "dl-${google_pubsub_topic.ingestion_topic.name}"
+
+  project                    = var.project_id
+  message_retention_duration = var.message_retention_duration
+}
+
+#-------------------#
+# Push Subscription #
+#-------------------#
+
+resource "google_service_account" "push_auth" {
+  account_id   = "ingestion-topic-push-auth"
+  display_name = "Push Auth Service Account"
+}
+
+resource "google_service_account_iam_binding" "push_auth_binding" {
+  service_account_id = google_service_account.push_auth.name
+  role               = "roles/iam.serviceAccountTokenCreator"
+
+  members = [
+    "serviceAccount:${google_service_account.push_auth.email}",
+  ]
+}
+
+resource "google_pubsub_subscription" "ingestion_topic_push_subscription" {
+  name                       = "${google_pubsub_topic.ingestion_topic.name}_push_subscription"
+  topic                      = google_pubsub_topic.ingestion_topic.name
+  labels                     = var.labels
+  ack_deadline_seconds       = var.ack_deadline_seconds
+  message_retention_duration = var.message_retention_duration
+
+  push_config {
+    push_endpoint = var.push_endpoint
+
+    attributes = {
+      x-goog-version = "v1"
+    }
+
+    oidc_token {
+      service_account_email = google_service_account.push_auth.email
+      audience              = "sysdig_secure"
+    }
+  }
+
+  retry_policy {
+    minimum_backoff = var.minimum_backoff
+    maximum_backoff = var.maximum_backoff
+  }
+
+  dead_letter_policy {
+    dead_letter_topic     = google_pubsub_topic.deadletter_topic.id
+    max_delivery_attempts = var.max_delivery_attempts
+  }
+}
+

modules/services/webhook-datasource/outputs.tf

@@ -0,0 +1,14 @@
+output "project_id" {
+  value       = data.google_project.target_project.id
+  description = "GCP Project Identifier"
+}
+
+output "push_subscription_service_account" {
+  value       = google_service_account.push_auth.name
+  description = "Service Account used to send POST messages, a KMS key needs to be manually added in order to properly authenticate the requests at Sysdig's side"
+}
+
+output "push_endpoint" {
+  value       = google_pubsub_subscription.ingestion_topic_push_subscription.push_config[0].push_endpoint
+  description = "Push endpoint towards which the POST request will be directed"
+}

modules/services/webhook-datasource/variables.tf

@@ -0,0 +1,47 @@
+variable "project_id" {
+  type        = string
+  description = "(Required) Target Project identifier provided by the customer"
+}
+
+variable "push_endpoint" {
+  type        = string
+  description = "(Required) Final endpoint towards which audit logs POST calls will be directed"
+}
+
+variable "labels" {
+  type        = map(string)
+  description = "(Optional) Labels to be associated with Sysdig-originated resources"
+  default = {
+    originator = "sysdig"
+  }
+}
+
+variable "ack_deadline_seconds" {
+  type        = number
+  description = "(Optional) Maximum time in seconds after Sysdig's subscriber receives a message before the subscriber should acknowledge the message"
+  default     = 60
+}
+
+variable "message_retention_duration" {
+  type        = string
+  description = "(Optional) How long unacknowledged messages are retained in Sysdig's subscription backlog, from the moment a message is published"
+  default     = "604800s"
+}
+
+variable "max_delivery_attempts" {
+  type        = number
+  description = "(Optional) Number of attempts redelivering missed messages from the deadletter topic to the main one"
+  default     = 5
+}
+
+variable "minimum_backoff" {
+  type        = string
+  description = "(Optional) Minimum backoff time for exponential backoff of the push subscription retry policy"
+  default     = "10s"
+}
+
+variable "maximum_backoff" {
+  type        = string
+  description = "(Optional) Maximum backoff time for exponential backoff of the push subscription retry policy"
+  default     = "600s"
+}

modules/services/webhook-datasource/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 4.21.0"
+    }
+  }
+}