From 11dae81b5c9eb1914017c932dd9e5d869bf37adc Mon Sep 17 00:00:00 2001
From: Jose Pablo Camacho
Date: Tue, 17 Jun 2025 08:47:09 -0600
Subject: [PATCH 1/6] SSPROD-54737 - enhance: support WIF onboarding

---
 modules/onboarding/main.tf | 73 ++++++++++++++++++++++++++++++++------
 1 file changed, 62 insertions(+), 11 deletions(-)

diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf
index 50b2e15..c840c5c 100644
--- a/modules/onboarding/main.tf
+++ b/modules/onboarding/main.tf
@@ -1,7 +1,13 @@
 #------------------------------------------------------------------#
-# Fetch and compute required data for Service Account Key #
+# Fetch and compute required data for Workload Identity Federation #
 #------------------------------------------------------------------#
 
+data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
+  cloud_provider = "gcp"
+}
+
+data "sysdig_secure_tenant_external_id" "external_id" {}
+
 data "google_project" "project" {
   project_id = var.project_id
 }
@@ -14,6 +20,7 @@ resource "random_id" "suffix" {
 
 locals {
   suffix = var.suffix == null ? random_id.suffix[0].hex : var.suffix
+# account_id = time_sleep.wait_for_apply_google_permissions[0].
 }
 
 resource "google_service_account" "onboarding_auth" {
@@ -23,9 +30,39 @@ resource "google_service_account" "onboarding_auth" {
   project = var.project_id
 }
 
-#---------------------------------
-# role permissions for onboarding
-#---------------------------------
+#------------------------------------------------------------#
+# Configure Workload Identity Federation for auth #
+# See https://cloud.google.com/iam/docs/access-resources-aws #
+#------------------------------------------------------------#
+
+resource "google_iam_workload_identity_pool" "onboarding_auth_pool" {
+  project = var.project_id
+  workload_identity_pool_id = "sysdig-secure-onboarding-${local.suffix}"
+}
+
+resource "google_iam_workload_identity_pool_provider" "onboarding_auth_pool_provider" {
+  project = var.project_id
+  workload_identity_pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id
+  workload_identity_pool_provider_id = "sysdig-onboarding-${local.suffix}"
+  display_name = "Sysdigcloud onboarding auth"
+  description = "AWS based pool provider for Sysdig Secure Data Onboarding resources"
+  disabled = false
+
+  attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\""
+
+  attribute_mapping = {
+    "google.subject" = "assertion.arn",
+    "attribute.aws_role" = "assertion.arn"
+  }
+
+  aws {
+    account_id = data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id
+  }
+}
+
+#---------------------------------------------------------------------------------------------
+# role permissions for Onboarding (GCP Predefined Roles for Sysdig Cloud Onboarding)
+#---------------------------------------------------------------------------------------------
 resource "google_project_iam_member" "browser" {
   count = var.is_organizational ? 0 : 1
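Review bot: `workload_identity_pool_id = "sysdig-secure-onboarding-${local.suffix}"` has a 25-character prefix, and GCP caps workload identity pool IDs at 32 characters, so any suffix longer than 7 characters (a user-supplied `var.suffix`, or a `random_id` with `byte_length` of 4 or more, which yields 8 hex characters; the `random_id` definition is outside this hunk) makes the apply fail at pool creation. A shorter prefix that matches the provider ID, `workload_identity_pool_id = "sysdig-onboarding-${local.suffix}"`, or a length validation on `var.suffix` in `variables.tf`, would avoid that. The `attribute_condition` correctly restricts token exchange to the Sysdig trusted role with the tenant external ID as session name; a one-line comment above it stating that intent would help, e.g. `# Only the Sysdig trusted AWS role, using the tenant external id as its session name, may exchange tokens`.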
@@ -34,12 +71,18 @@ resource "google_project_iam_member" "browser" {
   member = "serviceAccount:${google_service_account.onboarding_auth.email}"
 }
 
-#--------------------------------
-# service account private key
-
-#--------------------------------
-resource "google_service_account_key" "onboarding_service_account_key" {
+# attaching WIF as a member to the service account for auth
+resource "google_service_account_iam_member" "custom_onboarding_auth" {
   service_account_id = google_service_account.onboarding_auth.name
+  role = "roles/iam.workloadIdentityUser"
+  member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}"
+}
+
+# add some timing for SA and permissions to be completely ready before calling Sysdig Backend, ensure that onboarding will pass first time
+resource "time_sleep" "wait_for_apply_google_permissions" {
+  depends_on = [google_organization_iam_member.browser, google_project_iam_member.browser]
+
+  create_duration = "30s"
 }
 
 #---------------------------------------------------------------------------------------------
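Review bot: `time_sleep.wait_for_apply_google_permissions` waits only on the two `browser` bindings and not on `google_service_account_iam_member.custom_onboarding_auth`, so Terraform may create that binding in parallel with the sleep and the 30s window gives the `roles/iam.workloadIdentityUser` grant no propagation time at all before the Sysdig backend is called; the fix is `depends_on = [google_organization_iam_member.browser, google_project_iam_member.browser, google_service_account_iam_member.custom_onboarding_auth]`. The `member` string rebuilds the full STS role ARN that `attribute_condition` in the provider resource also builds; a single local such as `local.sysdig_aws_role_arn` used by both would keep the two from drifting apart. The resource name `custom_onboarding_auth` is also misleading, since it grants a predefined role rather than a custom one.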
@@ -60,15 +103,23 @@ resource "sysdig_secure_cloud_auth_account" "google_account" {
     version = "v0.1.0"
     service_principal_metadata = jsonencode({
       gcp = {
-        key = google_service_account_key.onboarding_service_account_key.private_key
+        workload_identity_federation = {
+          pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id
+          pool_provider_id = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id
+          project_number = data.google_project.project.number
+        }
+        email = google_service_account.onboarding_auth.email
       }
     })
   }
 
   depends_on = [
     google_service_account.onboarding_auth,
+    google_iam_workload_identity_pool.onboarding_auth_pool,
+    google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider,
     google_project_iam_member.browser,
-    google_service_account_key.onboarding_service_account_key
+    google_service_account_iam_member.custom_onboarding_auth,
+    time_sleep.wait_for_apply_google_permissions
   ]
 
   lifecycle {
From 681f2a83461f5d51b8236054c54c4f543428dc2f Mon Sep 17 00:00:00 2001
From: Jose Pablo Camacho
Date: Tue, 17 Jun 2025 08:54:09 -0600
Subject: [PATCH 2/6] SSPROD-54737 - enhance: support WIF onboarding

---
 modules/onboarding/main.tf | 2 +-
 modules/onboarding/versions.tf | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf
index c840c5c..aa168c7 100644
--- a/modules/onboarding/main.tf
+++ b/modules/onboarding/main.tf
@@ -20,7 +20,7 @@ resource "random_id" "suffix" {
 
 locals {
   suffix = var.suffix == null ? random_id.suffix[0].hex : var.suffix
-# account_id = time_sleep.wait_for_apply_google_permissions[0].
+  # account_id = time_sleep.wait_for_apply_google_permissions[0].
 }
 
 resource "google_service_account" "onboarding_auth" {
diff --git a/modules/onboarding/versions.tf b/modules/onboarding/versions.tf
index 807c866..83288c7 100644
--- a/modules/onboarding/versions.tf
+++ b/modules/onboarding/versions.tf
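Review bot: Removing `google_service_account_key.onboarding_service_account_key` means an existing key-based deployment has its key destroyed in the same apply that switches the Sysdig account to `workload_identity_federation`, and nothing in the hunk documents that cutover; if the backend component at the unchanged `version = "v0.1.0"` does not accept the new `service_principal_metadata` shape, the account is left with no working credential. A comment above the `component` block would help, e.g. `# Upgrading from a key-based install: the service account key is destroyed on apply, so the backend must accept the WIF payload for this component version.` Whether `version` should stay at `"v0.1.0"` given the changed payload is worth confirming with the backend owners. The enclosing resource starts and ends outside the hunk.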
@@ -14,5 +14,9 @@ terraform {
       source = "hashicorp/random"
       version = ">= 3.1"
     }
+    time = {
+      source = "hashicorp/time"
+      version = "0.13.1"
+    }
   }
 }
\ No newline at end of file
From 78a07735475359d233e8d324e2c4c70c4c5cdf9e Mon Sep 17 00:00:00 2001
From: Jose Pablo Camacho
Date: Wed, 25 Jun 2025 12:30:18 -0600
Subject: [PATCH 3/6] SSPROD-54737 - wif support

---
 modules/onboarding/main.tf | 59 +++++++++++++++++++++-------
 modules/onboarding/organizational.tf | 3 +-
 2 files changed, 46 insertions(+), 16 deletions(-)

diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf
index aa168c7..c9828e5 100644
--- a/modules/onboarding/main.tf
+++ b/modules/onboarding/main.tf
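Review bot: `version = "0.13.1"` pins the `hashicorp/time` provider to one exact release while the neighbouring `random` entry uses a `>= 3.1` range, so any root module that needs a different `time` release cannot resolve a version together with this module; a range constraint in the same style, `version = ">= 0.13"`, is the consistent choice. The `\ No newline at end of file` marker shows the file already lacked a trailing newline, which is worth fixing while the file is being touched.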
@@ -97,21 +97,21 @@ resource "sysdig_secure_cloud_auth_account" "google_account" {
   provider_alias = data.google_project.project.name
   provider_tenant_id = var.organization_domain
 
-  component {
-    type = "COMPONENT_SERVICE_PRINCIPAL"
-    instance = "secure-onboarding"
-    version = "v0.1.0"
-    service_principal_metadata = jsonencode({
-      gcp = {
-        workload_identity_federation = {
-          pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id
-          pool_provider_id = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id
-          project_number = data.google_project.project.number
-        }
-        email = google_service_account.onboarding_auth.email
-      }
-    })
-  }
+# component {
+#   type = "COMPONENT_SERVICE_PRINCIPAL"
+#   instance = "secure-onboarding"
+#   version = "v0.1.0"
+#   service_principal_metadata = jsonencode({
+#     gcp = {
+#       workload_identity_federation = {
+#         pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id
+#         pool_provider_id = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id
+#         project_number = data.google_project.project.number
+#       }
+#       email = google_service_account.onboarding_auth.email
+#     }
+#   })
+# }
 
   depends_on = [
     google_service_account.onboarding_auth,
@@ -128,4 +128,33 @@ resource "sysdig_secure_cloud_auth_account" "google_account" {
       feature
     ]
   }
+}
+
+#--------------------------------------------------------------------------------------------------------------
+# Call Sysdig Backend to add the service-principal integration for Config Posture to the Sysdig Cloud Account
+#--------------------------------------------------------------------------------------------------------------
+resource "sysdig_secure_cloud_auth_account_component" "onboarding_service_principal" {
+  account_id = sysdig_secure_cloud_auth_account.google_account.id
+  type = "COMPONENT_SERVICE_PRINCIPAL"
+  instance = "secure-onboarding"
+  version = "v0.1.0"
+  service_principal_metadata = jsonencode({
+    gcp = {
+      workload_identity_federation = {
+        pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id
+        pool_provider_id = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id
+        project_number = data.google_project.project.number
+      }
+      email = google_service_account.onboarding_auth.email
+    }
+  })
+  depends_on = [
+    sysdig_secure_cloud_auth_account.google_account,
+    google_service_account.onboarding_auth,
+    google_iam_workload_identity_pool.onboarding_auth_pool,
+    google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider,
+    google_project_iam_member.browser,
+    google_service_account_iam_member.custom_onboarding_auth,
+    time_sleep.wait_for_apply_google_permissions
+  ]
 }
\ No newline at end of file
diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf
index 1e055b0..d3f1db6 100644
--- a/modules/onboarding/organizational.tf
+++ b/modules/onboarding/organizational.tf
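Review bot: The `depends_on` list of `sysdig_secure_cloud_auth_account_component.onboarding_service_principal` repeats four dependencies that its attribute references already establish (`account_id`, the pool, the pool provider and the service account email), so only `google_project_iam_member.browser`, `google_service_account_iam_member.custom_onboarding_auth` and `time_sleep.wait_for_apply_google_permissions` actually add ordering; trimming the list to those three, with a comment such as `# explicit: IAM bindings carry no attribute reference, and the sleep gives them time to propagate`, states the real intent. The new resource also preserves the missing trailing newline that the `\ No newline at end of file` marker reports.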
@@ -39,7 +39,8 @@ resource "sysdig_secure_organization" "google_organization" {
   automatic_onboarding = var.enable_automatic_onboarding
   depends_on = [
     google_organization_iam_member.browser,
-    sysdig_secure_cloud_auth_account.google_account
+    sysdig_secure_cloud_auth_account.google_account,
+    sysdig_secure_cloud_auth_account_component.onboarding_service_principal,
   ]
   lifecycle {
     ignore_changes = [automatic_onboarding]
From e547917566317ab84e5cb366ca8e9f7e81ab9168 Mon Sep 17 00:00:00 2001
From: Jose Pablo Camacho
Date: Wed, 25 Jun 2025 12:57:06 -0600
Subject: [PATCH 4/6] SSPROD-54737 - wif support

---
 modules/onboarding/main.tf | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf
index c9828e5..9a58e8e 100644
--- a/modules/onboarding/main.tf
+++ b/modules/onboarding/main.tf
@@ -96,23 +96,6 @@ resource "sysdig_secure_cloud_auth_account" "google_account" {
   provider_type = "PROVIDER_GCP"
   provider_alias = data.google_project.project.name
   provider_tenant_id = var.organization_domain
-
-# component {
-#   type = "COMPONENT_SERVICE_PRINCIPAL"
-#   instance = "secure-onboarding"
-#   version = "v0.1.0"
-#   service_principal_metadata = jsonencode({
-#     gcp = {
-#       workload_identity_federation = {
-#         pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id
-#         pool_provider_id = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id
-#         project_number = data.google_project.project.number
-#       }
-#       email = google_service_account.onboarding_auth.email
-#     }
-#   })
-# }
-
   depends_on = [
     google_service_account.onboarding_auth,
     google_iam_workload_identity_pool.onboarding_auth_pool,
From 385d42b682eb52da719a6132dcd57ab232f6571c Mon Sep 17 00:00:00 2001
From: Jose Pablo Camacho
Date: Wed, 25 Jun 2025 12:57:34 -0600
Subject: [PATCH 5/6] SSPROD-54737 - wif support

---
 modules/onboarding/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf
index 9a58e8e..47e0efd 100644
--- a/modules/onboarding/main.tf
+++ b/modules/onboarding/main.tf
@@ -114,7 +114,7 @@ resource "sysdig_secure_cloud_auth_account" "google_account" {
 }
 
 #--------------------------------------------------------------------------------------------------------------
-# Call Sysdig Backend to add the service-principal integration for Config Posture to the Sysdig Cloud Account
+# Call Sysdig Backend to add the service-principal integration for Onboarding to the Sysdig Cloud Account
 #--------------------------------------------------------------------------------------------------------------
 resource "sysdig_secure_cloud_auth_account_component" "onboarding_service_principal" {
   account_id = sysdig_secure_cloud_auth_account.google_account.id
From 6e1f20fff3c6a852560ad57d69e4352559af1131 Mon Sep 17 00:00:00 2001
From: Jose Pablo Camacho
Date: Wed, 25 Jun 2025 17:25:28 -0600
Subject: [PATCH 6/6] SSPROD-54737 - wif support

---
 modules/onboarding/README.md | 19 +++++++++++--------
 modules/onboarding/main.tf | 1 -
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md
index d9c08ee..a146adb 100644
--- a/modules/onboarding/README.md
+++ b/modules/onboarding/README.md
@@ -9,16 +9,14 @@ The Foundational Onboarding module serves the following functions: If instrumenting a project, the following resources will be created: - All the necessary `Service Accounts` and `Policies` to enable the Onboarding operation at the project level -- A `Service Account key` and added role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on - your behalf to validate resources. +- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources. - A cloud account in the Sysdig Backend, associated with the GCP project and with the required component to serve the foundational functions. -If instrumenting an Organziation, the following resources will be created: +If instrumenting an Organization, the following resources will be created: - All the necessary `Service Accounts` and `Policies` to enable the Onboarding operation at the organization level -- A `Service Account key` and added role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on - your behalf to validate resources. +- A `Workload Identity Pool`, `Provider` and added custom role permissions to the `Service Account`, to allow Sysdig to authenticate to GCP on your behalf to validate resources. - A cloud account in the Sysdig Backend, associated with the management project and with the required component to serve the foundational functions. - A cloud organization in the Sysdig Backend, associated with the GCP Organization to fetch the organization structure @@ -27,7 +25,7 @@ If instrumenting an Organziation, the following resources will be created: Note: - The outputs from the foundational module, such as `sysdig_secure_account_id` are needed as inputs to the other - features/integrations modules for subsequent modular installs. + features/integrations modules for subsequent modular installations. 
@@ -45,6 +43,8 @@ Note: |------------------------------------------------------------|---------| | [google](#provider\_google) | 5.0.0 | | [random](#provider\_random) | >= 3.1 | +| [time](#provider\_time) | 0.13.1 | + ## Modules 
@@ -56,15 +56,18 @@ No modules.
 resource |
 | [google_organization.org](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/organization) | data source |
+| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
+| [sysdig_secure_tenant_external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source |
 | [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
 | [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [google_iam_workload_identity_pool.onboarding_auth_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool) | resource |
+| [google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource |
 | [google_project_iam_member.browser](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) | resource |
 | [google_organization_iam_member.browser](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) | resource |
-| [google_service_account_key.onboarding_service_account_key](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) |
-resource |
+| [google_service_account_iam_member.custom_onboarding_auth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member) | resource |
 |
[sysdig_secure_cloud_auth_account.google_account](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account) | resource |
 | [sysdig_secure_organization.google_organization](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_organization) |
diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf
index 47e0efd..21596cf 100644
--- a/modules/onboarding/main.tf
+++ b/modules/onboarding/main.tf
@@ -20,7 +20,6 @@ resource "random_id" "suffix" {
 
 locals {
   suffix = var.suffix == null ? random_id.suffix[0].hex : var.suffix
-  # account_id = time_sleep.wait_for_apply_google_permissions[0].
 }
 
 resource "google_service_account" "onboarding_auth" {