From f26768d6270294b28b850554d827f4976d75b7ac Mon Sep 17 00:00:00 2001
From: Miguel Pais
Date: Tue, 17 Dec 2024 11:37:29 +0100
Subject: [PATCH 1/3] Fixing gcp onboarding on gcp regions

---
 modules/vm-workload-scanning/main.tf | 42 ++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/modules/vm-workload-scanning/main.tf b/modules/vm-workload-scanning/main.tf
index 7862df2..cbf738e 100644
--- a/modules/vm-workload-scanning/main.tf
+++ b/modules/vm-workload-scanning/main.tf
@@ -1,3 +1,8 @@
+#-----------------------------------------------------------------------------------------
+# Fetch the data sources
+#-----------------------------------------------------------------------------------------
+data "sysdig_secure_agentless_scanning_assets" "assets" {}
+
 locals {
   suffix = random_id.suffix.hex
 }
@@ -54,6 +59,8 @@ resource "google_iam_workload_identity_pool" "agentless" {
 }
 
 resource "google_iam_workload_identity_pool_provider" "agentless" {
+  count = data.sysdig_secure_agentless_scanning_assets.assets.backend == "aws" ? 1 : 0
+
   project = var.project_id
   workload_identity_pool_id = google_iam_workload_identity_pool.agentless.workload_identity_pool_id
   workload_identity_pool_provider_id = "sysdig-wl-${local.suffix}"
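Review bot: The header comment added above `data "sysdig_secure_agentless_scanning_assets" "assets" {}` only says `# Fetch the data sources`, although this lookup is what the rest of the module keys its trust on: its backend fields select which workload identity pool provider is created and which single external identity is granted `roles/iam.workloadIdentityUser` on the controller service account. A reader auditing the federation setup currently has to reconstruct that from the `count` and `attribute_condition` expressions further down the file. Suggest replacing the placeholder text with `# Sysdig backend that will impersonate the controller SA: its backend type selects the WIF provider below and its identity is pinned in that provider's attribute condition`.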
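Review bot: Adding `count` to the existing `google_iam_workload_identity_pool_provider.agentless` changes its state address from `...agentless` to `...agentless[0]`, so every deployment already onboarded with the AWS backend will plan a destroy and recreate of the provider, and the Sysdig side loses the ability to impersonate the controller until the new one exists. A `moved` block with `from = google_iam_workload_identity_pool_provider.agentless` and `to = google_iam_workload_identity_pool_provider.agentless[0]` (Terraform 1.1+) keeps the existing object in place; `google_service_account_iam_member.controller_binding` in the next hunk needs the same treatment. If I recall correctly, GCP also keeps deleted pool providers in a soft-deleted state for a while during which the same provider id cannot be reused, so the forced recreate under the unchanged `sysdig-wl-${local.suffix}` id may fail outright rather than just interrupt scanning. The resource block continues past the end of the hunk.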
@@ -76,11 +83,42 @@ resource "google_iam_workload_identity_pool_provider" "agentless" {
 }
 
 resource "google_service_account_iam_member" "controller_binding" {
+  count = data.sysdig_secure_agentless_scanning_assets.assets.backend == "aws" ? 1 : 0
+
   service_account_id = google_service_account.controller.name
   role = "roles/iam.workloadIdentityUser"
   member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.aws_account/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}"
 }
 
+resource "google_iam_workload_identity_pool_provider" "agentless_gcp" {
+  count = data.sysdig_secure_agentless_scanning_assets.assets.backend == "gcp" ? 1 : 0
+
+  workload_identity_pool_id = google_iam_workload_identity_pool.agentless.workload_identity_pool_id
+  workload_identity_pool_provider_id = "sysdig-ws-${local.suffix}-gcp"
+  display_name = "Sysdig Agentless Workload Controller"
+  description = "GCP identity pool provider for Sysdig Secure Agentless Workload Scanning"
+  disabled = false
+
+  attribute_condition = "google.subject == \"${data.sysdig_secure_agentless_scanning_assets.assets.backend.cloudId}\""
+
+  attribute_mapping = {
+    "google.subject" = "assertion.sub"
+    "attribute.sa_id" = "assertion.sub"
+  }
+
+  oidc {
+    issuer_uri = "https://accounts.google.com"
+  }
+}
+
+resource "google_service_account_iam_member" "controller_binding_gcp" {
+  count = data.sysdig_secure_agentless_scanning_assets.assets.backend == "gcp" ? 1 : 0
+
+  service_account_id = google_service_account.controller.name
+  role = "roles/iam.workloadIdentityUser"
+  member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.sa_id/${data.sysdig_secure_agentless_scanning_assets.assets.backend.cloudId}"
+}
+
 
 #--------------------------------------------------------------------------------------------------------------
 # Call Sysdig Backend to add the service-principal integration for VM Workload Scanning to the Sysdig Cloud Account
@@ -105,6 +143,10 @@ resource "sysdig_secure_cloud_auth_account_component" "google_service_principal"
     google_project_iam_custom_role.controller,
     google_project_iam_binding.controller_binding,
     google_iam_workload_identity_pool.agentless,
+    google_iam_workload_identity_pool_provider.agentless,
+    google_iam_workload_identity_pool_provider.agentless_gcp,
+    google_service_account_iam_member.controller_binding,
+    google_service_account_iam_member.controller_binding_gcp,
     google_organization_iam_member.controller,
   ]
 }

From e055db148e0c556f7856c193464e31513c3fc435 Mon Sep 17 00:00:00 2001
From: Miguel Pais
Date: Tue, 17 Dec 2024 12:12:11 +0100
Subject: [PATCH 2/3] Fixing bugs

---
 modules/vm-workload-scanning/main.tf | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/modules/vm-workload-scanning/main.tf b/modules/vm-workload-scanning/main.tf
index cbf738e..ac2df4c 100644
--- a/modules/vm-workload-scanning/main.tf
+++ b/modules/vm-workload-scanning/main.tf
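Review bot: The new `google_iam_workload_identity_pool_provider.agentless_gcp` omits `project = var.project_id`, while its AWS counterpart in the previous hunk sets it, so the GCP provider lands in whatever project the google provider defaults to rather than the one the module is given; add `project = var.project_id` so both providers target the same project as the pool. The `attribute_condition` and the `attribute.sa_id` mapping are doing the real security work here — they narrow the federated trust to the single subject the Sysdig backend reports — and deserve a one-line comment such as `# Only the Sysdig backend's own identity may federate through this provider; sa_id mirrors the subject so the IAM binding below can name it.` Since `attribute.sa_id` is mapped from the same `assertion.sub` as `google.subject`, the binding could equally use `principal://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/subject/...` and drop the extra attribute; whichever form is kept, the comment should say why.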
@@ -55,11 +55,11 @@ resource "google_project_iam_binding" "controller_binding" {
 }
 
 resource "google_iam_workload_identity_pool" "agentless" {
-  workload_identity_pool_id = "sysdig-wl-${local.suffix}"
+  workload_identity_pool_id = "sysdig-${local.suffix}"
 }
 
 resource "google_iam_workload_identity_pool_provider" "agentless" {
-  count = data.sysdig_secure_agentless_scanning_assets.assets.backend == "aws" ? 1 : 0
+  count = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "aws" ? 1 : 0
 
   project = var.project_id
   workload_identity_pool_id = google_iam_workload_identity_pool.agentless.workload_identity_pool_id
@@ -83,7 +83,7 @@ resource "google_iam_workload_identity_pool_provider" "agentless" {
 }
 
 resource "google_service_account_iam_member" "controller_binding" {
-  count = data.sysdig_secure_agentless_scanning_assets.assets.backend == "aws" ? 1 : 0
+  count = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "aws" ? 1 : 0
 
   service_account_id = google_service_account.controller.name
   role = "roles/iam.workloadIdentityUser"
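Review bot: The predicate `data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "aws"` (and its `"gcp"` twin) is now spelled out in four `count` arguments — here, in the `controller_binding` hunk below, and in the two `*_gcp` hunks that follow — while the `pool_provider_id` expression later in this patch spells the comparison differently, which is exactly the drift such repetition invites. Hoist it once into the `locals` block next to `suffix`, e.g. `is_aws_backend = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "aws"` and `is_gcp_backend = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "gcp"`, and write `count = local.is_aws_backend ? 1 : 0`. A one-line comment on those locals stating that the two are mutually exclusive and decide which WIF provider and IAM binding exist would document control flow that is otherwise scattered across the file.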
@@ -91,15 +91,15 @@ resource "google_service_account_iam_member" "controller_binding" {
 }
 
 resource "google_iam_workload_identity_pool_provider" "agentless_gcp" {
-  count = data.sysdig_secure_agentless_scanning_assets.assets.backend == "gcp" ? 1 : 0
+  count = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "gcp" ? 1 : 0
 
   workload_identity_pool_id = google_iam_workload_identity_pool.agentless.workload_identity_pool_id
-  workload_identity_pool_provider_id = "sysdig-ws-${local.suffix}-gcp"
-  display_name = "Sysdig Agentless Workload Controller"
+  workload_identity_pool_provider_id = "sysdig-${local.suffix}"
+  display_name = "Sysdig Agentless Workload"
   description = "GCP identity pool provider for Sysdig Secure Agentless Workload Scanning"
   disabled = false
 
-  attribute_condition = "google.subject == \"${data.sysdig_secure_agentless_scanning_assets.assets.backend.cloudId}\""
+  attribute_condition = "google.subject == \"${data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id}\""
 
   attribute_mapping = {
     "google.subject" = "assertion.sub"
@@ -112,14 +112,13 @@ resource "google_iam_workload_identity_pool_provider" "agentless_gcp" {
 }
 
 resource "google_service_account_iam_member" "controller_binding_gcp" {
-  count = data.sysdig_secure_agentless_scanning_assets.assets.backend == "gcp" ? 1 : 0
+  count = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "gcp" ? 1 : 0
 
   service_account_id = google_service_account.controller.name
   role = "roles/iam.workloadIdentityUser"
-  member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.sa_id/${data.sysdig_secure_agentless_scanning_assets.assets.backend.cloudId}"
+  member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.sa_id/${data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id}"
 }
 
-
 #--------------------------------------------------------------------------------------------------------------
 # Call Sysdig Backend to add the service-principal integration for VM Workload Scanning to the Sysdig Cloud Account
 #--------------------------------------------------------------------------------------------------------------
@@ -132,7 +131,7 @@ resource "sysdig_secure_cloud_auth_account_component" "google_service_principal"
     gcp = {
       workload_identity_federation = {
         pool_id = google_iam_workload_identity_pool.agentless.workload_identity_pool_id
-        pool_provider_id = google_iam_workload_identity_pool_provider.agentless.workload_identity_pool_provider_id
+        pool_provider_id = data.sysdig_secure_agentless_scanning_assets.assets.backend == "aws" ? google_iam_workload_identity_pool_provider.agentless[0].workload_identity_pool_provider_id : google_iam_workload_identity_pool_provider.agentless_gcp[0].workload_identity_pool_provider_id
         project_number = data.google_project.project.number
       }
       email = google_service_account.controller.email

From 0f9ba6d7d5970750dbf8d4246a664d4691682105 Mon Sep 17 00:00:00 2001
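Review bot: The new `pool_provider_id` condition compares `data.sysdig_secure_agentless_scanning_assets.assets.backend` itself with `"aws"`, whereas every `count` in this same patch compares `backend.type`; Terraform's `==` yields false when the operand types differ, so this branch is never taken and the expression always dereferences `google_iam_workload_identity_pool_provider.agentless_gcp[0]`, which on an AWS backend has `count = 0` and fails at plan time. Change it to `pool_provider_id = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "aws" ? google_iam_workload_identity_pool_provider.agentless[0].workload_identity_pool_provider_id : google_iam_workload_identity_pool_provider.agentless_gcp[0].workload_identity_pool_provider_id`. An alternative that cannot drift from the `count` expressions is `one(concat(google_iam_workload_identity_pool_provider.agentless[*].workload_identity_pool_provider_id, google_iam_workload_identity_pool_provider.agentless_gcp[*].workload_identity_pool_provider_id))`, which picks whichever provider was actually created. The enclosing `sysdig_secure_cloud_auth_account_component` resource starts and ends outside the hunk.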
From: Miguel Pais
Date: Tue, 17 Dec 2024 17:38:30 +0100
Subject: [PATCH 3/3] Keeping names as were

---
 modules/vm-workload-scanning/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/vm-workload-scanning/main.tf b/modules/vm-workload-scanning/main.tf
index ac2df4c..5da95fb 100644
--- a/modules/vm-workload-scanning/main.tf
+++ b/modules/vm-workload-scanning/main.tf
@@ -55,7 +55,7 @@ resource "google_project_iam_binding" "controller_binding" {
 }
 
 resource "google_iam_workload_identity_pool" "agentless" {
-  workload_identity_pool_id = "sysdig-${local.suffix}"
+  workload_identity_pool_id = "sysdig-wl-${local.suffix}"
 }
 
 resource "google_iam_workload_identity_pool_provider" "agentless" {
@@ -94,7 +94,7 @@ resource "google_iam_workload_identity_pool_provider" "agentless_gcp" {
   count = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "gcp" ? 1 : 0
 
   workload_identity_pool_id = google_iam_workload_identity_pool.agentless.workload_identity_pool_id
-  workload_identity_pool_provider_id = "sysdig-${local.suffix}"
+  workload_identity_pool_provider_id = "sysdig-wl-${local.suffix}"
   display_name = "Sysdig Agentless Workload"
   description = "GCP identity pool provider for Sysdig Secure Agentless Workload Scanning"
   disabled = false