diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md
index d9c08ee..a146adb 100644
--- a/modules/onboarding/README.md
+++ b/modules/onboarding/README.md
@@ -9,16 +9,14 @@ The Foundational Onboarding module serves the following functions:
If instrumenting a project, the following resources will be created:
- All the necessary `Service Accounts` and `Policies` to enable the Onboarding operation at the project level
-- A `Service Account key` and added role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on
- your behalf to validate resources.
+- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources.
- A cloud account in the Sysdig Backend, associated with the GCP project and with the required component to serve the
foundational functions.
-If instrumenting an Organziation, the following resources will be created:
+If instrumenting an Organization, the following resources will be created:
- All the necessary `Service Accounts` and `Policies` to enable the Onboarding operation at the organization level
-- A `Service Account key` and added role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on
- your behalf to validate resources.
+- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources.
- A cloud account in the Sysdig Backend, associated with the management project and with the required component to serve
the foundational functions.
- A cloud organization in the Sysdig Backend, associated with the GCP Organization to fetch the organization structure
@@ -27,7 +25,7 @@ If instrumenting an Organziation, the following resources will be created:
Note:
- The outputs from the foundational module, such as `sysdig_secure_account_id` are needed as inputs to the other
- features/integrations modules for subsequent modular installs.
+ features/integrations modules for subsequent modular installations.
@@ -45,6 +43,8 @@ Note:
|------------------------------------------------------------|---------|
| [google](#provider\_google) | 5.0.0 |
| [random](#provider\_random) | >= 3.1 |
+| [time](#provider\_time) | 0.13.1 |
+
## Modules
@@ -56,15 +56,18 @@ No modules.
resource |
| [google_organization.org](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/organization) |
data source |
+| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
+| [sysdig_secure_tenant_external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source |
| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) |
data source |
| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [google_iam_workload_identity_pool.onboarding_auth_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool) | resource |
+| [google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource |
| [google_project_iam_member.browser](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) |
resource |
| [google_organization_iam_member.browser](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) |
resource |
-| [google_service_account_key.onboarding_service_account_key](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) |
-resource |
+| [google_service_account_iam_member.custom_onboarding_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member) | resource |
| [sysdig_secure_cloud_auth_account.google_account](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account) |
resource |
| [sysdig_secure_organization.google_organization](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_organization) |
diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf
index 50b2e15..21596cf 100644
--- a/modules/onboarding/main.tf
+++ b/modules/onboarding/main.tf
@@ -1,7 +1,13 @@
#------------------------------------------------------------------#
-# Fetch and compute required data for Service Account Key #
+# Fetch and compute required data for Workload Identity Federation #
#------------------------------------------------------------------#
+data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
+ cloud_provider = "gcp"
+}
+
+data "sysdig_secure_tenant_external_id" "external_id" {}
+
data "google_project" "project" {
project_id = var.project_id
}
@@ -23,9 +29,39 @@ resource "google_service_account" "onboarding_auth" {
project = var.project_id
}
-#---------------------------------
-# role permissions for onboarding
-#---------------------------------
+#------------------------------------------------------------#
+# Configure Workload Identity Federation for auth #
+# See https://cloud.google.com/iam/docs/access-resources-aws #
+#------------------------------------------------------------#
+
+resource "google_iam_workload_identity_pool" "onboarding_auth_pool" {
+ project = var.project_id
+ workload_identity_pool_id = "sysdig-secure-onboarding-${local.suffix}"
+}
+
+resource "google_iam_workload_identity_pool_provider" "onboarding_auth_pool_provider" {
+ project = var.project_id
+ workload_identity_pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id
+ workload_identity_pool_provider_id = "sysdig-onboarding-${local.suffix}"
+ display_name = "Sysdigcloud onboarding auth"
+ description = "AWS based pool provider for Sysdig Secure Data Onboarding resources"
+ disabled = false
+
+ attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\""
+
+ attribute_mapping = {
+ "google.subject" = "assertion.arn",
+ "attribute.aws_role" = "assertion.arn"
+ }
+
+ aws {
+ account_id = data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id
+ }
+}
+
+#---------------------------------------------------------------------------------------------
+# role permissions for Onboarding (GCP Predefined Roles for Sysdig Cloud Onboarding)
+#---------------------------------------------------------------------------------------------
resource "google_project_iam_member" "browser" {
count = var.is_organizational ? 0 : 1
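Review bot: The header comment above `google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider` should state the trust boundary that `attribute_condition` and `attribute_mapping` together enforce, since that is the security-relevant part of the change and the linked AWS doc does not describe this module's choice. The condition only admits a credential whose assumed-role ARN is exactly `arn:aws:sts::<sysdig account>:assumed-role/<sysdig role>/<tenant external id>`, and because `google.subject` is also mapped to `assertion.arn`, the session name (the last path segment of an assumed-role ARN) must be the tenant's external ID or the token exchange is rejected. I would add: `# Only the Sysdig trusted AWS role, assumed with RoleSessionName == this tenant's external ID, can exchange tokens here; attribute_condition and the principalSet binding on the SA both pin that exact ARN.` Separately, Google caps the length of `google.subject` (127 bytes, if I recall correctly), so a long external ID combined with the role name could push the mapped ARN over the limit; worth checking against the external ID format rather than assuming.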
@@ -34,12 +70,18 @@ resource "google_project_iam_member" "browser" {
member = "serviceAccount:${google_service_account.onboarding_auth.email}"
}
-#--------------------------------
-# service account private key
-
-#--------------------------------
-resource "google_service_account_key" "onboarding_service_account_key" {
+# attaching WIF as a member to the service account for auth
+resource "google_service_account_iam_member" "custom_onboarding_auth" {
service_account_id = google_service_account.onboarding_auth.name
+ role = "roles/iam.workloadIdentityUser"
+ member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}"
+}
+
+# add some timing for SA and permissions to be completely ready before calling Sysdig Backend, ensure that onboarding will pass first time
+resource "time_sleep" "wait_for_apply_google_permissions" {
+ depends_on = [google_organization_iam_member.browser, google_project_iam_member.browser]
+
+ create_duration = "30s"
}
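Review bot: `time_sleep.wait_for_apply_google_permissions` only waits on the two `browser` role bindings, not on `google_service_account_iam_member.custom_onboarding_auth`, which is the `roles/iam.workloadIdentityUser` grant the Sysdig backend actually needs to impersonate the service account through the pool. Since `sysdig_secure_cloud_auth_account` depends on the sleep rather than on propagation of that binding, a first apply can still call the backend before the grant is effective, which is the failure the comment says the sleep exists to prevent. I would extend it to `depends_on = [google_organization_iam_member.browser, google_project_iam_member.browser, google_service_account_iam_member.custom_onboarding_auth]`. The comment could also be honest that this is a best-effort mitigation, e.g. `# IAM bindings are eventually consistent; a fixed wait lowers (does not remove) the chance the first backend validation races the grants.`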
#---------------------------------------------------------------------------------------------
@@ -53,22 +95,13 @@ resource "sysdig_secure_cloud_auth_account" "google_account" {
provider_type = "PROVIDER_GCP"
provider_alias = data.google_project.project.name
provider_tenant_id = var.organization_domain
-
- component {
- type = "COMPONENT_SERVICE_PRINCIPAL"
- instance = "secure-onboarding"
- version = "v0.1.0"
- service_principal_metadata = jsonencode({
- gcp = {
- key = google_service_account_key.onboarding_service_account_key.private_key
- }
- })
- }
-
depends_on = [
google_service_account.onboarding_auth,
+ google_iam_workload_identity_pool.onboarding_auth_pool,
+ google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider,
google_project_iam_member.browser,
- google_service_account_key.onboarding_service_account_key
+ google_service_account_iam_member.custom_onboarding_auth,
+ time_sleep.wait_for_apply_google_permissions
]
lifecycle {
@@ -77,4 +110,33 @@ resource "sysdig_secure_cloud_auth_account" "google_account" {
feature
]
}
+}
+
+#--------------------------------------------------------------------------------------------------------------
+# Call Sysdig Backend to add the service-principal integration for Onboarding to the Sysdig Cloud Account
+#--------------------------------------------------------------------------------------------------------------
+resource "sysdig_secure_cloud_auth_account_component" "onboarding_service_principal" {
+ account_id = sysdig_secure_cloud_auth_account.google_account.id
+ type = "COMPONENT_SERVICE_PRINCIPAL"
+ instance = "secure-onboarding"
+ version = "v0.1.0"
+ service_principal_metadata = jsonencode({
+ gcp = {
+ workload_identity_federation = {
+ pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id
+ pool_provider_id = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id
+ project_number = data.google_project.project.number
+ }
+ email = google_service_account.onboarding_auth.email
+ }
+ })
+ depends_on = [
+ sysdig_secure_cloud_auth_account.google_account,
+ google_service_account.onboarding_auth,
+ google_iam_workload_identity_pool.onboarding_auth_pool,
+ google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider,
+ google_project_iam_member.browser,
+ google_service_account_iam_member.custom_onboarding_auth,
+ time_sleep.wait_for_apply_google_permissions
+ ]
}
\ No newline at end of file
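Review bot: In `sysdig_secure_cloud_auth_account_component.onboarding_service_principal`, every `depends_on` entry except `google_project_iam_member.browser`, `google_service_account_iam_member.custom_onboarding_auth` and `time_sleep.wait_for_apply_google_permissions` is already an implicit dependency through the attribute references in `account_id` and `service_principal_metadata`, so the explicit list restates the graph and will drift as references change. I would trim it to those three and say why they are listed: `# explicit: the IAM grants and the settle wait are not referenced by any attribute above`. `version = "v0.1.0"` is unchanged although the metadata payload moved from a `key` field to a `workload_identity_federation` object; if the backend selects the metadata schema by version this may need a bump, but that cannot be confirmed from this file. The file also ends without a trailing newline.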
diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf
index 1e055b0..d3f1db6 100644
--- a/modules/onboarding/organizational.tf
+++ b/modules/onboarding/organizational.tf
@@ -39,7 +39,8 @@ resource "sysdig_secure_organization" "google_organization" {
automatic_onboarding = var.enable_automatic_onboarding
depends_on = [
google_organization_iam_member.browser,
- sysdig_secure_cloud_auth_account.google_account
+ sysdig_secure_cloud_auth_account.google_account,
+ sysdig_secure_cloud_auth_account_component.onboarding_service_principal,
]
lifecycle {
ignore_changes = [automatic_onboarding]
diff --git a/modules/onboarding/versions.tf b/modules/onboarding/versions.tf
index 807c866..83288c7 100644
--- a/modules/onboarding/versions.tf
+++ b/modules/onboarding/versions.tf
@@ -14,5 +14,9 @@ terraform {
source = "hashicorp/random"
version = ">= 3.1"
}
+ time = {
+ source = "hashicorp/time"
+ version = "0.13.1"
+ }
}
}
\ No newline at end of file