SSPROD-54737 - enhance: support WIF onboarding (#70)

* SSPROD-54737 - enhance: support WIF onboarding

* SSPROD-54737 - enhance: support WIF onboarding

* SSPROD-54737 - wif support

* SSPROD-54737 - wif support

* SSPROD-54737 - wif support

* SSPROD-54737 - wif support

Author: jose-pablo-camacho

modules/onboarding/README.md

@@ -9,16 +9,14 @@ The Foundational Onboarding module serves the following functions:
 If instrumenting a project, the following resources will be created:
 
 - All the necessary `Service Accounts` and `Policies` to enable the Onboarding operation at the project level
-- A `Service Account key` and added role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on
-  your behalf to validate resources.
+- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources.
 - A cloud account in the Sysdig Backend, associated with the GCP project and with the required component to serve the
   foundational functions.
 
-If instrumenting an Organziation, the following resources will be created:
+If instrumenting an Organization, the following resources will be created:
 
 - All the necessary `Service Accounts` and `Policies` to enable the Onboarding operation at the organization level
-- A `Service Account key` and added role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on
-  your behalf to validate resources.
+- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources.
 - A cloud account in the Sysdig Backend, associated with the management project and with the required component to serve
   the foundational functions.
 - A cloud organization in the Sysdig Backend, associated with the GCP Organization to fetch the organization structure
@@ -27,7 +25,7 @@ If instrumenting an Organziation, the following resources will be created:
 Note:
 
 - The outputs from the foundational module, such as `sysdig_secure_account_id` are needed as inputs to the other
-  features/integrations modules for subsequent modular installs.
+  features/integrations modules for subsequent modular installations.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
@@ -45,6 +43,8 @@ Note:
 |------------------------------------------------------------|---------|
 | <a name="provider_google"></a> [google](#provider\_google) | 5.0.0   |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.1  |
+| <a name="provider_time"></a> [time](#provider\_time)       | 0.13.1  |
+
 
 ## Modules
 
@@ -56,15 +56,18 @@ No modules.
 resource |
 | [google_organization.org](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/organization) |
 data source |
+| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
+| [sysdig_secure_tenant_external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source |
 | [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) |
 data source |
 | [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [google_iam_workload_identity_pool.onboarding_auth_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool) | resource |
+| [google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource |
 | [google_project_iam_member.browser](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) |
 resource |
 | [google_organization_iam_member.browser](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) |
 resource |
-| [google_service_account_key.onboarding_service_account_key](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) |
-resource |
+| [google_service_account_iam_member.custom_onboarding_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member) | resource |
 | [sysdig_secure_cloud_auth_account.google_account](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account) |
 resource |
 | [sysdig_secure_organization.google_organization](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_organization) |

modules/onboarding/main.tf

@@ -1,7 +1,13 @@
 #------------------------------------------------------------------#
-# Fetch and compute required data for Service Account Key #
+# Fetch and compute required data for Workload Identity Federation #
 #------------------------------------------------------------------#
 
+data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
+  cloud_provider = "gcp"
+}
+
+data "sysdig_secure_tenant_external_id" "external_id" {}
+
 data "google_project" "project" {
   project_id = var.project_id
 }
@@ -23,9 +29,39 @@ resource "google_service_account" "onboarding_auth" {
   project      = var.project_id
 }
 
-#---------------------------------
-# role permissions for onboarding
-#---------------------------------
+#------------------------------------------------------------#
+# Configure Workload Identity Federation for auth            #
+# See https://cloud.google.com/iam/docs/access-resources-aws #
+#------------------------------------------------------------#
+
+resource "google_iam_workload_identity_pool" "onboarding_auth_pool" {
+  project                   = var.project_id
+  workload_identity_pool_id = "sysdig-secure-onboarding-${local.suffix}"
+}
+
+resource "google_iam_workload_identity_pool_provider" "onboarding_auth_pool_provider" {
+  project                            = var.project_id
+  workload_identity_pool_id          = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id
+  workload_identity_pool_provider_id = "sysdig-onboarding-${local.suffix}"
+  display_name                       = "Sysdigcloud onboarding auth"
+  description                        = "AWS based pool provider for Sysdig Secure Data Onboarding resources"
+  disabled                           = false
+
+  attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\""
+
+  attribute_mapping = {
+    "google.subject"     = "assertion.arn",
+    "attribute.aws_role" = "assertion.arn"
+  }
+
+  aws {
+    account_id = data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id
+  }
+}
+
+#---------------------------------------------------------------------------------------------
+# role permissions for Onboarding (GCP Predefined Roles for Sysdig Cloud Onboarding)
+#---------------------------------------------------------------------------------------------
 resource "google_project_iam_member" "browser" {
   count = var.is_organizational ? 0 : 1
 
@@ -34,12 +70,18 @@ resource "google_project_iam_member" "browser" {
   member  = "serviceAccount:${google_service_account.onboarding_auth.email}"
 }
 
-#--------------------------------
-# service account private key
-
-#--------------------------------
-resource "google_service_account_key" "onboarding_service_account_key" {
+# attaching WIF as a member to the service account for auth
+resource "google_service_account_iam_member" "custom_onboarding_auth" {
   service_account_id = google_service_account.onboarding_auth.name
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}"
+}
+
+# add some timing for SA and permissions to be completely ready before calling Sysdig Backend, ensure that onboarding will pass first time
+resource "time_sleep" "wait_for_apply_google_permissions" {
+  depends_on = [google_organization_iam_member.browser, google_project_iam_member.browser]
+
+  create_duration = "30s"
 }
 
 #---------------------------------------------------------------------------------------------
@@ -53,22 +95,13 @@ resource "sysdig_secure_cloud_auth_account" "google_account" {
   provider_type      = "PROVIDER_GCP"
   provider_alias     = data.google_project.project.name
   provider_tenant_id = var.organization_domain
-
-  component {
-    type     = "COMPONENT_SERVICE_PRINCIPAL"
-    instance = "secure-onboarding"
-    version  = "v0.1.0"
-    service_principal_metadata = jsonencode({
-      gcp = {
-        key = google_service_account_key.onboarding_service_account_key.private_key
-      }
-    })
-  }
-
   depends_on = [
     google_service_account.onboarding_auth,
+    google_iam_workload_identity_pool.onboarding_auth_pool,
+    google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider,
     google_project_iam_member.browser,
-    google_service_account_key.onboarding_service_account_key
+    google_service_account_iam_member.custom_onboarding_auth,
+    time_sleep.wait_for_apply_google_permissions
   ]
 
   lifecycle {
@@ -77,4 +110,33 @@ resource "sysdig_secure_cloud_auth_account" "google_account" {
       feature
     ]
   }
+}
+
+#--------------------------------------------------------------------------------------------------------------
+# Call Sysdig Backend to add the service-principal integration for Onboarding to the Sysdig Cloud Account
+#--------------------------------------------------------------------------------------------------------------
+resource "sysdig_secure_cloud_auth_account_component" "onboarding_service_principal" {
+  account_id = sysdig_secure_cloud_auth_account.google_account.id
+  type       = "COMPONENT_SERVICE_PRINCIPAL"
+  instance   = "secure-onboarding"
+  version    = "v0.1.0"
+  service_principal_metadata = jsonencode({
+    gcp = {
+      workload_identity_federation = {
+        pool_id          = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id
+        pool_provider_id = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id
+        project_number   = data.google_project.project.number
+      }
+      email = google_service_account.onboarding_auth.email
+    }
+  })
+  depends_on = [
+    sysdig_secure_cloud_auth_account.google_account,
+    google_service_account.onboarding_auth,
+    google_iam_workload_identity_pool.onboarding_auth_pool,
+    google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider,
+    google_project_iam_member.browser,
+    google_service_account_iam_member.custom_onboarding_auth,
+    time_sleep.wait_for_apply_google_permissions
+  ]
 }

modules/onboarding/organizational.tf

@@ -39,7 +39,8 @@ resource "sysdig_secure_organization" "google_organization" {
   automatic_onboarding           = var.enable_automatic_onboarding
   depends_on = [
     google_organization_iam_member.browser,
-    sysdig_secure_cloud_auth_account.google_account
+    sysdig_secure_cloud_auth_account.google_account,
+    sysdig_secure_cloud_auth_account_component.onboarding_service_principal,
   ]
   lifecycle {
     ignore_changes = [automatic_onboarding]

modules/onboarding/versions.tf

@@ -14,5 +14,9 @@ terraform {
       source  = "hashicorp/random"
       version = ">= 3.1"
     }
+    time = {
+      source  = "hashicorp/time"
+      version = "0.13.1"
+    }
   }
 }