From 40ba20673e3e87e0852ad9c9e3c6725af17443c6 Mon Sep 17 00:00:00 2001
From: Miguel Pais
Date: Fri, 1 Nov 2024 09:05:05 +0100
Subject: [PATCH 1/9] Gcp modular onboarding for workload scanning
---
 modules/vm-workload-scanning/README.md | 66 +++++++++++++
 modules/vm-workload-scanning/controller.tf | 98 +++++++++++++++++++
 modules/vm-workload-scanning/data.tf | 3 +
 modules/vm-workload-scanning/locals.tf | 7 ++
 .../vm-workload-scanning/organizational.tf | 35 +++++++
 modules/vm-workload-scanning/outputs.tf | 5 +
 modules/vm-workload-scanning/provider.tf | 14 +++
 modules/vm-workload-scanning/variables.tf | 28 ++++++
 .../vm-workload-scanning-cloud-run.tf | 17 ++++
 .../vm-workload-scanning-functions.tf | 17 ++++
 .../vm-workload-scanning-gke.tf | 17 ++++
 .../vm-workload-scanning-cloud-run.tf | 15 +++
 .../vm-workload-scanning-functions.tf | 15 +++
 .../vm-workload-scanning-gke.tf | 15 +++
 14 files changed, 352 insertions(+)
 create mode 100644 modules/vm-workload-scanning/README.md
 create mode 100644 modules/vm-workload-scanning/controller.tf
 create mode 100644 modules/vm-workload-scanning/data.tf
 create mode 100644 modules/vm-workload-scanning/locals.tf
 create mode 100644 modules/vm-workload-scanning/organizational.tf
 create mode 100644 modules/vm-workload-scanning/outputs.tf
 create mode 100644 modules/vm-workload-scanning/provider.tf
 create mode 100644 modules/vm-workload-scanning/variables.tf
 create mode 100644 test/examples/modular_organization/vm-workload-scanning-cloud-run.tf
 create mode 100644 test/examples/modular_organization/vm-workload-scanning-functions.tf
 create mode 100644 test/examples/modular_organization/vm-workload-scanning-gke.tf
 create mode 100644 test/examples/modular_single_project/vm-workload-scanning-cloud-run.tf
 create mode 100644 test/examples/modular_single_project/vm-workload-scanning-functions.tf
 create mode 100644 test/examples/modular_single_project/vm-workload-scanning-gke.tf
diff --git a/modules/vm-workload-scanning/README.md b/modules/vm-workload-scanning/README.md
new file mode 100644
index 0000000..0b44e84
--- /dev/null
+++ b/modules/vm-workload-scanning/README.md
@@ -0,0 +1,66 @@
+# GCP VM Workload Scanning Module
+
+This Module creates the resources required to perform agentless workload scanning operations in Google Cloud Platform (GCP). It sets up the necessary roles, service accounts, and workload identity providers to enable Sysdig to scan workloads running in GCP projects.
+
+By default, it will create a service account with permissions necessary to access and access GAR and GCR repositories and pull their images.
+
+The following resources will be created in each instrumented project:
+- A Service Account and associated roles that allow Sysdig to perform tasks necessary for VM agentless workload scanning, i.e., access GAR/GCR repositories and pull its images.
+- A Workload Identity Provider to facilitate secure authentication between GCP and Sysdig.
+
+### Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | ~> 1.7 |
+| google | >= 4.50.0 |
+| sysdig | ~> 1.37 |
+
+### Providers
+
+| Name | Version |
+|------|---------|
+| google | >= 4.50.0 |
+| sysdig | ~> 1.37 |
+
+### Modules
+
+No modules.
+
+### Resources
+
+| Name | Type |
+|------|------|
+| google_service_account.controller | resource |
+| google_project_iam_member.controller | resource |
+| google_iam_workload_identity_pool.agentless | resource |
+| google_iam_workload_identity_pool_provider.agentless | resource |
+| google_iam_workload_identity_pool.agentless_gcp | resource |
+| google_iam_workload_identity_pool_provider.agentless_gcp | resource |
+| google_project.project | data source |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| project_id | GCP Project ID | string | n/a | yes |
+| is_organizational | Set this field to 'true' to deploy workload scanning to a GCP Organization. | bool | false | no |
+| organization_domain | (Optional) Organization domain. e.g. sysdig.com | string | "" | no |
+| role_name | Name for the Worker Role on the Customer infrastructure | string | "SysdigAgentlessWorkloadRole" | no |
+| sysdig_secure_account_id | ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account) | string | n/a | yes |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| vm_workload_scanning_component_id | Component identifier of service principal created in Sysdig Backend for VM Workload Scanning |
+
+
+
+## Authors
+
+Module is maintained by [Sysdig](https://sysdig.com).
+
+## License
+
+Apache 2 Licensed. See LICENSE for full details.
diff --git a/modules/vm-workload-scanning/controller.tf b/modules/vm-workload-scanning/controller.tf
new file mode 100644
index 0000000..bfb32e1
--- /dev/null
+++ b/modules/vm-workload-scanning/controller.tf
@@ -0,0 +1,98 @@
+data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
+ cloud_provider = "gcp"
+}
+
+
+resource "google_service_account" "controller" {
+ project = var.project_id
+ account_id = "sysdig-ws-${local.suffix}"
+ display_name = "Sysdig Agentless Workload Scanning"
+}
+
+resource "google_project_iam_custom_role" "controller" {
+ project = var.project_id
+ role_id = "${var.role_name}WorkloadController${title(local.suffix)}"
+ title = "Role for Sysdig Agentless Workload Controller"
+ permissions = [
+ # artifact registry reader permissions
+ "artifactregistry.repositories.downloadArtifacts",
+ "artifactregistry.repositories.get",
+ "artifactregistry.repositories.list",
+ "artifactregistry.dockerimages.get",
+ "artifactregistry.dockerimages.list",
+ "storage.objects.get",
+ "storage.buckets.list",
+ "storage.objects.list",
+
+ # workload identity federation
+ "iam.serviceAccounts.getAccessToken",
+ ]
+}
+
+resource "google_project_iam_binding" "controller_custom" {
+ project = var.project_id
+ role = google_project_iam_custom_role.controller.id
+
+ members = [
+ "serviceAccount:${google_service_account.controller.email}",
+ ]
+}
+
+resource "google_iam_workload_identity_pool" "agentless" {
+ workload_identity_pool_id = "sysdig-wl-${local.suffix}"
+}
+
+resource "google_iam_workload_identity_pool_provider" "agentless" {
+ workload_identity_pool_id = google_iam_workload_identity_pool.agentless.workload_identity_pool_id
+ workload_identity_pool_provider_id = "sysdig-wl-${local.suffix}"
+ display_name = "Sysdig Workload Controller"
+ description = "AWS identity pool provider for Sysdig Secure Agentless Workload Scanning"
+ disabled = false
+
+ attribute_condition = "attribute.aws_account==\"${data.sysdig_secure_trusted_cloud_identity.trusted_identity}\""
+
+ attribute_mapping = {
+ "google.subject" = "assertion.arn"
+ "attribute.aws_account" = "assertion.account"
+ "attribute.role" = "assertion.arn.extract(\"/assumed-role/{role}/\")"
+ "attribute.session" = "assertion.arn.extract(\"/assumed-role/{role_and_session}/\").extract(\"/{session}\")"
+ }
+
+ aws {
+ account_id = data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id
+ }
+}
+
+resource "google_service_account_iam_member" "controller_custom" {
+ service_account_id = google_service_account.controller.name
+ role = "roles/iam.workloadIdentityUser"
+ member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.aws_account/${data.sysdig_secure_trusted_cloud_identity.trusted_identity}"
+}
+
+
+#--------------------------------------------------------------------------------------------------------------
+# Call Sysdig Backend to add the service-principal integration for Config Posture to the Sysdig Cloud Account
+#--------------------------------------------------------------------------------------------------------------
+resource "sysdig_secure_cloud_auth_account_component" "google_service_principal" {
+ account_id = var.sysdig_secure_account_id
+ type = "COMPONENT_SERVICE_PRINCIPAL"
+ instance = "secure-posture"
+ version = "v0.1.0"
+ service_principal_metadata = jsonencode({
+ gcp = {
+ workload_identity_federation = {
+ pool_id = google_iam_workload_identity_pool.agentless.workload_identity_pool_id
+ pool_provider_id = google_iam_workload_identity_pool_provider.agentless.workload_identity_pool_provider_id
+ project_number = data.google_project.project.number
+ }
+ email = google_service_account.controller.email
+ }
+ })
+ depends_on = [
+ google_service_account.controller,
+ google_project_iam_custom_role.controller,
+ google_project_iam_binding.controller_custom,
+ google_iam_workload_identity_pool.agentless,
+ google_organization_iam_member.controller,
+ ]
+}
\ No newline at end of file
diff --git a/modules/vm-workload-scanning/data.tf b/modules/vm-workload-scanning/data.tf
new file mode 100644
index 0000000..10117db
--- /dev/null
+++ b/modules/vm-workload-scanning/data.tf
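Review bot: The custom role in `google_project_iam_custom_role.controller` grants `iam.serviceAccounts.getAccessToken` at project scope, which lets the controller service account mint access tokens for every service account in the project rather than only its own. The federation path the `# workload identity federation` comment refers to is already handled by the `roles/iam.workloadIdentityUser` binding in `google_service_account_iam_member.controller_custom`, which is scoped to that single service account, so the project-wide permission looks unnecessary for the stated purpose of pulling images from GAR/GCR. I would drop that entry from `permissions`, or if a token-minting permission is genuinely required, bind it on the controller service account resource rather than on the project. The three `storage.*` entries are likewise project-wide read on every bucket; a comment stating why GCR-backed buckets need them would let a reviewer confirm that scope is intended.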
@@ -0,0 +1,3 @@
+data "google_project" "project" {
+ project_id = var.project_id
+}
diff --git a/modules/vm-workload-scanning/locals.tf b/modules/vm-workload-scanning/locals.tf
new file mode 100644
index 0000000..0e7ae91
--- /dev/null
+++ b/modules/vm-workload-scanning/locals.tf
@@ -0,0 +1,7 @@
+locals {
+ suffix = random_id.suffix[0].hex
+}
+
+resource "random_id" "suffix" {
+ byte_length = 3
+}
diff --git a/modules/vm-workload-scanning/organizational.tf b/modules/vm-workload-scanning/organizational.tf
new file mode 100644
index 0000000..62f01ed
--- /dev/null
+++ b/modules/vm-workload-scanning/organizational.tf
@@ -0,0 +1,35 @@
+#--------------#
+# Organization #
+#--------------#
+
+data "google_organization" "org" {
+ count = var.is_organizational ? 1 : 0
+ domain = var.organization_domain
+}
+
+###################################################
+# Setup Service Account permissions
+###################################################
+
+#---------------------------------------------------------------------------------------------
+# role permissions for CSPM (GCP Predefined Roles for Sysdig Cloud Secure Posture Management)
+#---------------------------------------------------------------------------------------------
+resource "google_organization_iam_member" "controller" {
+ # adding ciem role with permissions to the service account alongside cspm roles
+ for_each = var.is_organizational ? toset([
+ "artifactregistry.repositories.downloadArtifacts",
+ "artifactregistry.repositories.get",
+ "artifactregistry.repositories.list",
+ "artifactregistry.dockerimages.get",
+ "artifactregistry.dockerimages.list",
+ "storage.objects.get",
+ "storage.buckets.list",
+ "storage.objects.list",
+
+ # workload identity federation
+ "iam.serviceAccounts.getAccessToken"]) : []
+
+ org_id = data.google_organization.org[0].org_id
+ role = each.key
+ member = "serviceAccount:${google_service_account.controller.email}"
+}
\ No newline at end of file
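Review bot: `google_organization_iam_member.controller` iterates over IAM permission names (`artifactregistry.repositories.get`, `storage.objects.get`, and so on) and passes each one as `role = each.key`, but that argument expects a role (`roles/...` or a custom role id), so the organizational path would fail at apply time; the single-project path never exercises it because `for_each` is empty when `is_organizational` is false. The intent appears to be the organization-level counterpart of `google_project_iam_custom_role.controller`, which would be one `google_organization_iam_custom_role` carrying this permission list plus a single `google_organization_iam_member` binding that role to the service account. The header comments (`role permissions for CSPM ...`, `adding ciem role ...`) describe a different module; I would replace them with `# organization-level binding so the controller can read GAR/GCR images in every project`.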
diff --git a/modules/vm-workload-scanning/outputs.tf b/modules/vm-workload-scanning/outputs.tf
new file mode 100644
index 0000000..fa9f16b
--- /dev/null
+++ b/modules/vm-workload-scanning/outputs.tf
@@ -0,0 +1,5 @@
+output "vm_workload_scanning_component_id" {
+ value = "${sysdig_secure_cloud_auth_account_component.google_service_principal.type}/${sysdig_secure_cloud_auth_account_component.google_service_principal.instance}"
+ description = "Component identifier of service principal created in Sysdig Backend for VM Workload Scanning"
+ depends_on = [sysdig_secure_cloud_auth_account_component.google_service_principal]
+}
diff --git a/modules/vm-workload-scanning/provider.tf b/modules/vm-workload-scanning/provider.tf
new file mode 100644
index 0000000..fba49cf
--- /dev/null
+++ b/modules/vm-workload-scanning/provider.tf
@@ -0,0 +1,14 @@
+terraform {
+ required_version = ">=1.0"
+
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = ">= 4.1, < 5.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 3.1, < 4.0"
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/vm-workload-scanning/variables.tf b/modules/vm-workload-scanning/variables.tf
new file mode 100644
index 0000000..1cfb955
--- /dev/null
+++ b/modules/vm-workload-scanning/variables.tf
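Review bot: In `output "vm_workload_scanning_component_id"` the `depends_on` line is redundant: `value` already references `sysdig_secure_cloud_auth_account_component.google_service_principal`, so Terraform orders the output after that resource without it. Dropping `depends_on = [sysdig_secure_cloud_auth_account_component.google_service_principal]` leaves behaviour unchanged and avoids suggesting a hidden dependency to the next reader.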
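Review bot: `provider.tf` declares `required_version = ">=1.0"` and `google` at `>= 4.1, < 5.0`, while the README added in this same patch documents `terraform ~> 1.7` and `google >= 4.50.0`; one of the two should be corrected so users get the floor the module was actually tested against. If the README values are the tested ones, the lines to change are `required_version = "~> 1.7"` and `version = ">= 4.50.0, < 5.0"`.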
@@ -0,0 +1,28 @@
+variable "project_id" {
+ type = string
+ description = "GCP Project ID"
+}
+
+variable "is_organizational" {
+ type = bool
+ description = "Set this field to 'true' to deploy workload scanning to a GCP Organization."
+ default = false
+}
+
+variable "organization_domain" {
+ type = string
+ description = "(Optional) Organization domain. e.g. sysdig.com"
+ default = ""
+}
+
+# optionals
+variable "role_name" {
+ type = string
+ description = "Name for the Worker Role on the Customer infrastructure"
+ default = "SysdigAgentlessWorkloadRole"
+}
+
+variable "sysdig_secure_account_id" {
+ type = string
+ description = "ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account)"
+}
diff --git a/test/examples/modular_organization/vm-workload-scanning-cloud-run.tf b/test/examples/modular_organization/vm-workload-scanning-cloud-run.tf
new file mode 100644
index 0000000..71554b0
--- /dev/null
+++ b/test/examples/modular_organization/vm-workload-scanning-cloud-run.tf
@@ -0,0 +1,17 @@
+module "vm_workload_scanning" {
+ source = "sysdiglabs/secure/google//modules/vm-workload-scanning"
+
+ project_id = module.onboarding.project_id
+ is_organizational = module.onboarding.is_organizational
+ organization_domain = module.onboarding.organization_domain
+ sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+}
+
+
+resource "sysdig_secure_cloud_auth_account_feature" "config_cloud_run" {
+ account_id = module.onboarding.sysdig_secure_account_id
+ type = "FEATURE_SECURE_WORKLOAD_SCANNING_CONTAINERS"
+ enabled = true
+ components = [module.vm_workload_scanning.vm_workload_scanning_component_id]
+ depends_on = [module.vm_workload_scanning]
+}
\ No newline at end of file
diff --git a/test/examples/modular_organization/vm-workload-scanning-functions.tf b/test/examples/modular_organization/vm-workload-scanning-functions.tf
new file mode 100644
index 0000000..fbd4d7c
--- /dev/null
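Review bot: `test/examples/modular_organization/vm-workload-scanning-cloud-run.tf` declares `module "vm_workload_scanning"`, and the functions and gke files created next to it in the same directory declare a module with the same label, so Terraform will reject the directory with a duplicate module call unless the harness copies one file at a time; the three `modular_single_project` files have the same problem. Either give each example a distinct label (e.g. `module "vm_workload_scanning_cloud_run"`) and reference it from `components`, or keep one shared module file and let each feature file add only its `sysdig_secure_cloud_auth_account_feature` resource. In every one of these files `depends_on = [module.vm_workload_scanning]` is redundant with the `components` reference and can go.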
+++ b/test/examples/modular_organization/vm-workload-scanning-functions.tf
@@ -0,0 +1,17 @@
+module "vm_workload_scanning" {
+ source = "sysdiglabs/secure/google//modules/vm-workload-scanning"
+
+ project_id = module.onboarding.project_id
+ is_organizational = module.onboarding.is_organizational
+ organization_domain = module.onboarding.organization_domain
+ sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+}
+
+
+resource "sysdig_secure_cloud_auth_account_feature" "config_functions" {
+ account_id = module.onboarding.sysdig_secure_account_id
+ type = "FEATURE_SECURE_WORKLOAD_SCANNING_FUNCTIONS"
+ enabled = true
+ components = [module.vm_workload_scanning.vm_workload_scanning_component_id]
+ depends_on = [module.vm_workload_scanning]
+}
\ No newline at end of file
diff --git a/test/examples/modular_organization/vm-workload-scanning-gke.tf b/test/examples/modular_organization/vm-workload-scanning-gke.tf
new file mode 100644
index 0000000..4d1b03a
--- /dev/null
+++ b/test/examples/modular_organization/vm-workload-scanning-gke.tf
@@ -0,0 +1,17 @@
+module "vm_workload_scanning" {
+ source = "sysdiglabs/secure/google//modules/vm-workload-scanning"
+
+ project_id = module.onboarding.project_id
+ is_organizational = module.onboarding.is_organizational
+ organization_domain = module.onboarding.organization_domain
+ sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+}
+
+
+resource "sysdig_secure_cloud_auth_account_feature" "config_gke" {
+ account_id = module.onboarding.sysdig_secure_account_id
+ type = "FEATURE_SECURE_WORKLOAD_SCANNING_KUBERNETES"
+ enabled = true
+ components = [module.vm_workload_scanning.vm_workload_scanning_component_id]
+ depends_on = [module.vm_workload_scanning]
+}
\ No newline at end of file
diff --git a/test/examples/modular_single_project/vm-workload-scanning-cloud-run.tf b/test/examples/modular_single_project/vm-workload-scanning-cloud-run.tf
new file mode 100644
index 0000000..2a94e09
--- /dev/null
+++ b/test/examples/modular_single_project/vm-workload-scanning-cloud-run.tf
@@ -0,0 +1,15 @@
+module "vm_workload_scanning" {
+ source = "sysdiglabs/secure/google//modules/vm-workload-scanning"
+
+ project_id = module.onboarding.project_id
+ sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+}
+
+
+resource "sysdig_secure_cloud_auth_account_feature" "config_cloud_run" {
+ account_id = module.onboarding.sysdig_secure_account_id
+ type = "FEATURE_SECURE_WORKLOAD_SCANNING_CONTAINERS"
+ enabled = true
+ components = [module.vm_workload_scanning.vm_workload_scanning_component_id]
+ depends_on = [module.vm_workload_scanning]
+}
\ No newline at end of file
diff --git a/test/examples/modular_single_project/vm-workload-scanning-functions.tf b/test/examples/modular_single_project/vm-workload-scanning-functions.tf
new file mode 100644
index 0000000..c257762
--- /dev/null
+++ b/test/examples/modular_single_project/vm-workload-scanning-functions.tf
@@ -0,0 +1,15 @@
+module "vm_workload_scanning" {
+ source = "sysdiglabs/secure/google//modules/vm-workload-scanning"
+
+ project_id = module.onboarding.project_id
+ sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+}
+
+
+resource "sysdig_secure_cloud_auth_account_feature" "config_functions" {
+ account_id = module.onboarding.sysdig_secure_account_id
+ type = "FEATURE_SECURE_WORKLOAD_SCANNING_FUNCTIONS"
+ enabled = true
+ components = [module.vm_workload_scanning.vm_workload_scanning_component_id]
+ depends_on = [module.vm_workload_scanning]
+}
\ No newline at end of file
diff --git a/test/examples/modular_single_project/vm-workload-scanning-gke.tf b/test/examples/modular_single_project/vm-workload-scanning-gke.tf
new file mode 100644
index 0000000..d016c4a
--- /dev/null
+++ b/test/examples/modular_single_project/vm-workload-scanning-gke.tf
@@ -0,0 +1,15 @@
+module "vm_workload_scanning" {
+ source = "sysdiglabs/secure/google//modules/vm-workload-scanning"
+
+ project_id = module.onboarding.project_id
+ sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+}
+
+
+resource "sysdig_secure_cloud_auth_account_feature" "config_gke" {
+ account_id = module.onboarding.sysdig_secure_account_id
+ type = "FEATURE_SECURE_WORKLOAD_SCANNING_KUBERNETES"
+ enabled = true
+ components = [module.vm_workload_scanning.vm_workload_scanning_component_id]
+ depends_on = [module.vm_workload_scanning]
+}
\ No newline at end of file
From 5d9681adbbf42eb74442870584cc7a10de0804b0 Mon Sep 17 00:00:00 2001
From: Miguel Pais
Date: Fri, 1 Nov 2024 09:20:57 +0100
Subject: [PATCH 2/9] Fmt-fix
---
 modules/vm-workload-scanning/organizational.tf | 2 +-
 modules/vm-workload-scanning/variables.tf | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/modules/vm-workload-scanning/organizational.tf b/modules/vm-workload-scanning/organizational.tf
index 62f01ed..8ecb725 100644
--- a/modules/vm-workload-scanning/organizational.tf
+++ b/modules/vm-workload-scanning/organizational.tf
@@ -27,7 +27,7 @@ resource "google_organization_iam_member" "controller" {
 "storage.objects.list",
 
 # workload identity federation
- "iam.serviceAccounts.getAccessToken"]) : []
+ "iam.serviceAccounts.getAccessToken"]) : []
 
 org_id = data.google_organization.org[0].org_id
 role = each.key
diff --git a/modules/vm-workload-scanning/variables.tf b/modules/vm-workload-scanning/variables.tf
index 1cfb955..c904eec 100644
--- a/modules/vm-workload-scanning/variables.tf
+++ b/modules/vm-workload-scanning/variables.tf
@@ -4,15 +4,15 @@ variable "project_id" {
 }
 
 variable "is_organizational" {
- type = bool
- description = "Set this field to 'true' to deploy workload scanning to a GCP Organization."
- default = false
+ type = bool
+ description = "Set this field to 'true' to deploy workload scanning to a GCP Organization."
+ default = false
 }
 
 variable "organization_domain" {
 type = string
 description = "(Optional) Organization domain. e.g. sysdig.com"
- default = ""
+ default = false
 }
 
 # optionals
From e91b2d8ac4558f2ae51c9f0eac15913496257beb Mon Sep 17 00:00:00 2001
From: Miguel Pais
Date: Fri, 1 Nov 2024 09:25:43 +0100
Subject: [PATCH 3/9] Adding constraint for sysdig
---
 modules/services/workload-scan/provider.tf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/modules/services/workload-scan/provider.tf b/modules/services/workload-scan/provider.tf
index fba49cf..13561b5 100644
--- a/modules/services/workload-scan/provider.tf
+++ b/modules/services/workload-scan/provider.tf
@@ -10,5 +10,9 @@ terraform {
 source = "hashicorp/random"
 version = ">= 3.1, < 4.0"
 }
+ sysdig = {
+ source = "sysdiglabs/sysdig"
+ version = "~> 1.37"
+ }
 }
 }
\ No newline at end of file
From 5d45861814a1c9de9654bd2d8aaaab894cd469e5 Mon Sep 17 00:00:00 2001
From: Miguel Pais
Date: Fri, 1 Nov 2024 09:32:48 +0100
Subject: [PATCH 4/9] Corrections
---
 modules/vm-workload-scanning/controller.tf | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/modules/vm-workload-scanning/controller.tf b/modules/vm-workload-scanning/controller.tf
index bfb32e1..bf5c22c 100644
--- a/modules/vm-workload-scanning/controller.tf
+++ b/modules/vm-workload-scanning/controller.tf
@@ -2,6 +2,7 @@ data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
 cloud_provider = "gcp"
 }
 
+data "sysdig_secure_tenant_external_id" "external_id" {}
 
 resource "google_service_account" "controller" {
 project = var.project_id
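Review bot: `variable "organization_domain"` is `type = string`, but this commit changes its default from `""` to `false`; Terraform converts that to the string `"false"`, which is what `data "google_organization" "org"` then receives as `domain` whenever the caller omits the variable, and the README (also after its later update) still documents `""`. That looks unintended for a commit titled Fmt-fix; restore `default = ""` and let fmt touch only the alignment.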
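Review bot: This patch edits `modules/services/workload-scan/provider.tf`, a path that no other patch in this series creates or touches, while patch 5 applies the byte-identical hunk (same blob ids `fba49cf..13561b5`) to `modules/vm-workload-scanning/provider.tf`. One of the two is probably a stray from another branch; if `modules/services/workload-scan` is not part of this module set, this patch should be dropped before merge so the `sysdig` constraint is not added to an unrelated file.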
@@ -43,13 +44,14 @@ resource "google_iam_workload_identity_pool" "agentless" {
 }
 
 resource "google_iam_workload_identity_pool_provider" "agentless" {
+ project = var.project_id
 workload_identity_pool_id = google_iam_workload_identity_pool.agentless.workload_identity_pool_id
 workload_identity_pool_provider_id = "sysdig-wl-${local.suffix}"
 display_name = "Sysdig Workload Controller"
 description = "AWS identity pool provider for Sysdig Secure Agentless Workload Scanning"
 disabled = false
 
- attribute_condition = "attribute.aws_account==\"${data.sysdig_secure_trusted_cloud_identity.trusted_identity}\""
+ attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\""
 
 attribute_mapping = {
 "google.subject" = "assertion.arn"
@@ -66,7 +68,7 @@ resource "google_service_account_iam_member" "controller_custom" {
 service_account_id = google_service_account.controller.name
 role = "roles/iam.workloadIdentityUser"
- member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.aws_account/${data.sysdig_secure_trusted_cloud_identity.trusted_identity}"
+ member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.agentless.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}"
 }
 
 
From bfac26bab382ba95c7d0dd75a416db26f5952252 Mon Sep 17 00:00:00 2001
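Review bot: `google_iam_workload_identity_pool_provider.agentless` now pins `project = var.project_id`, but `google_iam_workload_identity_pool.agentless`, which it references through `workload_identity_pool_id`, still has no `project` argument and therefore lands in the google provider's default project, while the rewritten `member` string in the second hunk builds the pool path from `data.google_project.project.number`, i.e. from `var.project_id`. If the provider block is configured with a different default project, the pool and its provider end up in different projects and the `principalSet://` path will not resolve. Add `project = var.project_id` to the pool resource as well; its definition starts outside this hunk.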
From: Miguel Pais
Date: Fri, 1 Nov 2024 09:34:24 +0100
Subject: [PATCH 5/9] Adding required version
---
 modules/vm-workload-scanning/provider.tf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/modules/vm-workload-scanning/provider.tf b/modules/vm-workload-scanning/provider.tf
index fba49cf..13561b5 100644
--- a/modules/vm-workload-scanning/provider.tf
+++ b/modules/vm-workload-scanning/provider.tf
@@ -10,5 +10,9 @@ terraform {
 source = "hashicorp/random"
 version = ">= 3.1, < 4.0"
 }
+ sysdig = {
+ source = "sysdiglabs/sysdig"
+ version = "~> 1.37"
+ }
 }
 }
\ No newline at end of file
From cdcf2fef636411f33a600f35e6494dfec1d2611b Mon Sep 17 00:00:00 2001
From: Miguel Pais
Date: Thu, 7 Nov 2024 09:24:34 +0100
Subject: [PATCH 6/9] comments from jose's code review
---
 modules/vm-workload-scanning/README.md | 14 ++++++-------
 modules/vm-workload-scanning/data.tf | 3 ---
 modules/vm-workload-scanning/locals.tf | 7 -------
 .../{controller.tf => main.tf} | 20 +++++++++++++++----
 .../{provider.tf => versions.tf} | 0
 .../vm-workload-scanning-cloud-run.tf | 2 +-
 .../vm-workload-scanning-functions.tf | 2 +-
 .../vm-workload-scanning-gke.tf | 2 +-
 .../vm-workload-scanning-cloud-run.tf | 2 +-
 .../vm-workload-scanning-functions.tf | 2 +-
 .../vm-workload-scanning-gke.tf | 2 +-
 11 files changed, 29 insertions(+), 27 deletions(-)
 delete mode 100644 modules/vm-workload-scanning/data.tf
 delete mode 100644 modules/vm-workload-scanning/locals.tf
 rename modules/vm-workload-scanning/{controller.tf => main.tf} (91%)
 rename modules/vm-workload-scanning/{provider.tf => versions.tf} (100%)
diff --git a/modules/vm-workload-scanning/README.md b/modules/vm-workload-scanning/README.md
index 0b44e84..d1ac2e1 100644
--- a/modules/vm-workload-scanning/README.md
+++ b/modules/vm-workload-scanning/README.md
@@ -41,13 +41,13 @@ No modules.
 
 ### Inputs
 
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| project_id | GCP Project ID | string | n/a | yes |
-| is_organizational | Set this field to 'true' to deploy workload scanning to a GCP Organization. | bool | false | no |
-| organization_domain | (Optional) Organization domain. e.g. sysdig.com | string | "" | no |
-| role_name | Name for the Worker Role on the Customer infrastructure | string | "SysdigAgentlessWorkloadRole" | no |
-| sysdig_secure_account_id | ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account) | string | n/a | yes |
+| Name | Description | Type | Default | Required |
+|------|----------------------------------------------------------------------------------------------------------------------------------|------|---------|:--------:|
+| project_id | GCP Project ID | string | n/a | yes |
+| is_organizational | Set this field to 'true' to deploy workload scanning to a GCP Organization. | bool | false | no |
+| organization_domain | (Optional) Organization domain. e.g. sysdig.com | string | "" | no |
+| role_name | Name for the Worker Role on the Customer infrastructure | string | "SysdigAgentlessWorkloadRole" | no |
+| sysdig_secure_account_id | ID of the Sysdig Cloud Account to enable VM Workload Scanning for (in case of organization, ID of the Sysdig management account) | string | n/a | yes |
 
 ### Outputs
 
diff --git a/modules/vm-workload-scanning/data.tf b/modules/vm-workload-scanning/data.tf
deleted file mode 100644
index 10117db..0000000
--- a/modules/vm-workload-scanning/data.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-data "google_project" "project" {
- project_id = var.project_id
-}
diff --git a/modules/vm-workload-scanning/locals.tf b/modules/vm-workload-scanning/locals.tf
deleted file mode 100644
index 0e7ae91..0000000
--- a/modules/vm-workload-scanning/locals.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-locals {
- suffix = random_id.suffix[0].hex
-}
-
-resource "random_id" "suffix" {
- byte_length = 3
-}
diff --git a/modules/vm-workload-scanning/controller.tf b/modules/vm-workload-scanning/main.tf
similarity index 91%
rename from modules/vm-workload-scanning/controller.tf
rename to modules/vm-workload-scanning/main.tf
index bf5c22c..55437b0 100644
--- a/modules/vm-workload-scanning/controller.tf
+++ b/modules/vm-workload-scanning/main.tf
@@ -1,3 +1,15 @@
+locals {
+ suffix = random_id.suffix[0].hex
+}
+
+resource "random_id" "suffix" {
+ byte_length = 3
+}
+
+data "google_project" "project" {
+ project_id = var.project_id
+}
+
 data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
 cloud_provider = "gcp"
 }
@@ -30,7 +42,7 @@ resource "google_project_iam_custom_role" "controller" {
 ]
 }
 
-resource "google_project_iam_binding" "controller_custom" {
+resource "google_project_iam_binding" "controller_binding" {
 project = var.project_id
 role = google_project_iam_custom_role.controller.id
 
@@ -65,7 +77,7 @@ resource "google_iam_workload_identity_pool_provider" "agentless" {
 }
 }
 
-resource "google_service_account_iam_member" "controller_custom" {
+resource "google_service_account_iam_member" "controller_binding" {
 service_account_id = google_service_account.controller.name
 role = "roles/iam.workloadIdentityUser"
 member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.agentless.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}"
@@ -73,7 +85,7 @@ resource "google_service_account_iam_member" "controller_custom" {
 
 
 #--------------------------------------------------------------------------------------------------------------
-# Call Sysdig Backend to add the service-principal integration for Config Posture to the Sysdig Cloud Account
+# Call Sysdig Backend to add the service-principal integration for VM Workload Scanning to the Sysdig Cloud Account
 #--------------------------------------------------------------------------------------------------------------
 resource "sysdig_secure_cloud_auth_account_component" "google_service_principal" {
 account_id = var.sysdig_secure_account_id
@@ -93,7 +105,7 @@ resource "sysdig_secure_cloud_auth_account_component" "google_service_principal"
 depends_on = [
 google_service_account.controller,
 google_project_iam_custom_role.controller,
- google_project_iam_binding.controller_custom,
+ google_project_iam_binding.controller_binding,
 google_iam_workload_identity_pool.agentless,
 google_organization_iam_member.controller,
 ]
diff --git a/modules/vm-workload-scanning/provider.tf b/modules/vm-workload-scanning/versions.tf
similarity index 100%
rename from modules/vm-workload-scanning/provider.tf
rename to modules/vm-workload-scanning/versions.tf
diff --git a/test/examples/modular_organization/vm-workload-scanning-cloud-run.tf b/test/examples/modular_organization/vm-workload-scanning-cloud-run.tf
index 71554b0..9506c3b 100644
--- a/test/examples/modular_organization/vm-workload-scanning-cloud-run.tf
+++ b/test/examples/modular_organization/vm-workload-scanning-cloud-run.tf
@@ -1,5 +1,5 @@
 module "vm_workload_scanning" {
- source = "sysdiglabs/secure/google//modules/vm-workload-scanning"
+ source = "../../../modules/vm-workload-scanning"
 
 project_id = module.onboarding.project_id
 is_organizational = module.onboarding.is_organizational
diff --git a/test/examples/modular_organization/vm-workload-scanning-functions.tf b/test/examples/modular_organization/vm-workload-scanning-functions.tf
index fbd4d7c..f8a3489 100644
--- a/test/examples/modular_organization/vm-workload-scanning-functions.tf
+++ b/test/examples/modular_organization/vm-workload-scanning-functions.tf
@@ -1,5 +1,5 @@
 module "vm_workload_scanning" {
- source = "sysdiglabs/secure/google//modules/vm-workload-scanning"
+ source = "../../../modules/vm-workload-scanning"
 
 project_id = module.onboarding.project_id
 is_organizational = module.onboarding.is_organizational
diff --git a/test/examples/modular_organization/vm-workload-scanning-gke.tf b/test/examples/modular_organization/vm-workload-scanning-gke.tf
index 4d1b03a..5ace0bb 100644
--- a/test/examples/modular_organization/vm-workload-scanning-gke.tf
+++ b/test/examples/modular_organization/vm-workload-scanning-gke.tf
@@ -1,5 +1,5 @@
 module "vm_workload_scanning" {
- source = "sysdiglabs/secure/google//modules/vm-workload-scanning"
+ source = "../../../modules/vm-workload-scanning"
 
 project_id = module.onboarding.project_id
 is_organizational = module.onboarding.is_organizational
diff --git a/test/examples/modular_single_project/vm-workload-scanning-cloud-run.tf b/test/examples/modular_single_project/vm-workload-scanning-cloud-run.tf
index 2a94e09..7763f4c 100644
--- a/test/examples/modular_single_project/vm-workload-scanning-cloud-run.tf
+++ b/test/examples/modular_single_project/vm-workload-scanning-cloud-run.tf
@@ -1,5 +1,5 @@
 module "vm_workload_scanning" {
- source = "sysdiglabs/secure/google//modules/vm-workload-scanning"
+ source = "../../../modules/vm-workload-scanning"
 
 project_id = module.onboarding.project_id
 sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
diff --git a/test/examples/modular_single_project/vm-workload-scanning-functions.tf b/test/examples/modular_single_project/vm-workload-scanning-functions.tf
index c257762..3191eeb 100644
--- a/test/examples/modular_single_project/vm-workload-scanning-functions.tf
+++ b/test/examples/modular_single_project/vm-workload-scanning-functions.tf
@@ -1,5 +1,5 @@
 module "vm_workload_scanning" {
- source = "sysdiglabs/secure/google//modules/vm-workload-scanning"
+ source = "../../../modules/vm-workload-scanning"
 
 project_id = module.onboarding.project_id
 sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
diff --git a/test/examples/modular_single_project/vm-workload-scanning-gke.tf b/test/examples/modular_single_project/vm-workload-scanning-gke.tf
index d016c4a..fea16c4 100644
--- a/test/examples/modular_single_project/vm-workload-scanning-gke.tf
+++ b/test/examples/modular_single_project/vm-workload-scanning-gke.tf
@@ -1,5 +1,5 @@
 module "vm_workload_scanning" {
- source = "sysdiglabs/secure/google//modules/vm-workload-scanning"
+ source = "../../../modules/vm-workload-scanning"
 
 project_id = module.onboarding.project_id
 sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
From 503fb198b9241151e8d9d716721f53702e389707 Mon Sep 17 00:00:00 2001
From: Miguel Pais
Date: Fri, 8 Nov 2024 09:36:03 +0100
Subject: [PATCH 7/9] Fixes found during testing
---
 modules/vm-workload-scanning/main.tf | 2 +-
 modules/vm-workload-scanning/versions.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/vm-workload-scanning/main.tf b/modules/vm-workload-scanning/main.tf
index 55437b0..2488421 100644
--- a/modules/vm-workload-scanning/main.tf
+++ b/modules/vm-workload-scanning/main.tf
@@ -1,5 +1,5 @@
 locals {
- suffix = random_id.suffix[0].hex
+ suffix = random_id.suffix.hex
 }
 
 resource "random_id" "suffix" {
diff --git a/modules/vm-workload-scanning/versions.tf b/modules/vm-workload-scanning/versions.tf
index 13561b5..c16110f 100644
--- a/modules/vm-workload-scanning/versions.tf
+++ b/modules/vm-workload-scanning/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.1, < 5.0"
+ version = ">= 4.21.0"
 }
 random = {
 source = "hashicorp/random"
From 50231d8d3ef1085134bbbf402319fead4b223126 Mon Sep 17 00:00:00 2001
From: Miguel Pais
Date: Fri, 8 Nov 2024 09:37:30 +0100
Subject: [PATCH 8/9] Correcting service principal instance name
---
 modules/vm-workload-scanning/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/vm-workload-scanning/main.tf b/modules/vm-workload-scanning/main.tf
index 2488421..537f450 100644
--- a/modules/vm-workload-scanning/main.tf
+++ b/modules/vm-workload-scanning/main.tf
@@ -90,7 +90,7 @@ resource "google_service_account_iam_member" "controller_binding" {
 resource "sysdig_secure_cloud_auth_account_component" "google_service_principal" {
 account_id = var.sysdig_secure_account_id
 type = "COMPONENT_SERVICE_PRINCIPAL"
- instance = "secure-posture"
+ instance = "secure-vm-workload-scanning"
 version = "v0.1.0"
 service_principal_metadata = jsonencode({
 gcp = {
From decbe90c0687107f125a8a8658cebb20ff5d79da Mon Sep 17 00:00:00 2001
From: Miguel Pais
Date: Fri, 8 Nov 2024 18:19:17 +0100
Subject: [PATCH 9/9] Last fix
---
 modules/vm-workload-scanning/main.tf | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/modules/vm-workload-scanning/main.tf b/modules/vm-workload-scanning/main.tf
index 537f450..fafefbb 100644
--- a/modules/vm-workload-scanning/main.tf
+++ b/modules/vm-workload-scanning/main.tf
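Review bot: Replacing `">= 4.1, < 5.0"` with `">= 4.21.0"` in versions.tf removes the upper bound entirely, so a fresh `terraform init` without a committed `.terraform.lock.hcl` may resolve any future major of `hashicorp/google`, and major releases of that provider have changed defaults and schemas of IAM and workload-identity resources like the ones this module manages. If the intent is to allow 5.x and 6.x because 4.21 is only the floor, keep an explicit ceiling at the first untested major, e.g. `version = ">= 4.21.0, < 7.0"`, and make sure the example directories commit their lockfile so CI pins what was actually tested. The `random` provider entry and the rest of the `terraform` block continue past the end of this hunk.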
@@ -66,10 +66,8 @@ resource "google_iam_workload_identity_pool_provider" "agentless" {
 attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\""
 attribute_mapping = {
- "google.subject" = "assertion.arn"
- "attribute.aws_account" = "assertion.account"
- "attribute.role" = "assertion.arn.extract(\"/assumed-role/{role}/\")"
- "attribute.session" = "assertion.arn.extract(\"/assumed-role/{role_and_session}/\").extract(\"/{session}\")"
+ "google.subject" = "assertion.arn",
+ "attribute.aws_role" = "assertion.arn"
 }
 aws {
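Review bot: The new `attribute_mapping` drops `attribute.aws_account`, `attribute.role` and `attribute.session`, so any IAM member elsewhere in the module that selects principals by those attributes (a `principalSet://iam.googleapis.com/.../attribute.role/...` style member) would silently stop matching rather than fail at plan time; `controller_binding` in this file is outside the hunk and is the binding to check. The trust decision now rests entirely on `attribute_condition` comparing the full STS ARN verbatim, which pins the AWS account, role name and session name together — that is sound, but it only works if the Sysdig side always assumes the role with `RoleSessionName` equal to the tenant external ID, and the condition fails closed otherwise, so record that above `attribute_condition` with a comment such as `# Full assumed-role ARN must match exactly: AWS account, role name and session name (tenant external ID).`. Worth confirming too that the resulting `google.subject` stays within Workload Identity Federation's 127-byte subject limit for the role name plus external ID this produces. `resource "google_iam_workload_identity_pool_provider" "agentless"` starts before this hunk.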
