From 138a764adadd7173d1fd613b2c8deafb3c72608c Mon Sep 17 00:00:00 2001 From: Ravina Dhruve Date: Fri, 26 Sep 2025 13:39:05 -0700 Subject: [PATCH 1/2] Remove unnecessary WorkloadIdentity role from CSPM Org member Change summary: ---------------- 1. Removing the WI role used for WIF under org membership. We already add it directly at the SA membership level. 2. Updated the README with Modular Onboarding details and legacy notes. Test summary: -------------- Validated this change on a live foundational onboarding. --- README.md | 94 +++++++++++++++++++++++- modules/config-posture/organizational.tf | 2 +- 2 files changed, 91 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 9110677..b72bf15 100644 --- a/README.md +++ b/README.md @@ -2,13 +2,99 @@ Terraform module that deploys the Sysdig Secure for Cloud stack in GCP. +With Modular Onboarding, introducing the following design and install structure for `terraform-google-secure`: + +* **[Onboarding]**: It onboards a GCP Project or Organization for the first time to Sysdig Secure for Cloud, and collects +inventory and organizational hierarchy in the given GCP Organization. Managed through `onboarding` module.
+ Provides unified threat-detection, compliance, forensics and analysis through these major components: -* **[CSPM](https://docs.sysdig.com/en/docs/sysdig-secure/posture/)**: It evaluates periodically your cloud configuration, using Cloud Custodian, against some benchmarks and returns the results and remediation you need to fix. Managed through `service-principal` module.
+* **[CSPM](https://docs.sysdig.com/en/docs/sysdig-secure/posture/)**: It evaluates periodically your cloud configuration, using Cloud Custodian, against some benchmarks and returns the results and remediation you need to fix. Managed through `config-posture` module.
+ +* **[CIEM](https://docs.sysdig.com/en/docs/sysdig-secure/posture/identity-and-access/)**: Permissions and Entitlements management. Managed through `config-posture` module.
+ +* **[CDR (Cloud Detection and Response)]((https://docs.sysdig.com/en/docs/sysdig-secure/threats/activity/events-feed/))**: It sends periodically the Audit Logs collected from a GCP project/organization to Sysdig's systems, this by collecting them in a PubSub topic through a Sink and then sending them through a `PUSH` integration. Managed through `pub-sub` integrations module.
+ +For other Cloud providers check: [AWS](https://github.com/sysdiglabs/terraform-aws-secure) + +
+ +## Modules + +### Feature modules + +These are independent feature modules which deploy and manage all the required Cloud resources and Sysdig resources +for the respective Sysdig features. They manage both, onboarding a single GCP Project or a GCP Organization to Sysdig Secure for Cloud. + +`onboarding`, `config-posture`, `agentless-scan` and `vm-workload-scanning` are independent feature modules. + +### Integrations + +The modules under `integrations` are feature agnostic modules which deploy and manage all the required Cloud resources and Sysdig resources for shared Sysdig integrations. That is to say, one or more Sysdig features can be enabled by installing an integration. + +These modules manage both, onboarding a single GCP Project or a GCP Organization to Sysdig Secure for Cloud. + +`pub-sub` is an integration module. + +## Examples and usage + +The modules in this repository can be installed on a single GCP project, or on an entire GCP Organization, or organizational folders within the org. + +The `test` directory has sample `examples` for all these module deployments i.e under `modular_single_project`, or `modular_organization` sub-folders. + +For example, to onboard a single GCP project, with CSPM and Basic CIEM enabled, with modular installation :- +1. Run the terraform snippet under `test/examples/modular_single_project/onboarding_with_posture.tf` with + the appropriate attribute values populated. +2. This will install the `onboarding` module, which will also create a Cloud Account on Sysdig side. +3. It will also install the `config-posture` module, which will also install cloud resources as well as Sysdig resources + for successfully running CSPM and Basic Identity scans. +4. On Sysdig side, you will be able to see the Cloud account onboarded with required components, and CSPM & Basic CIEM features installed and enabled. 
+ +To run this example you need have your GCP auth login via gcloud CLI and execute: +```terraform +$ terraform init +$ terraform plan +$ terraform apply +``` + +Notice that: +* This example will create resources that cost money.
Run `terraform destroy` when you don't need them anymore +* All created resources will be created within the tags `product:sysdig-secure-for-cloud`, within the resource-group `sysdig-secure-for-cloud` + +
+ +## Organizational Install Configurations + +There are four new parameters to configure organizational deployments on the cloud for Sysdig Secure for Cloud :- +1. `include_folders` - List of GCP Organizational Folders to deploy the Sysdig Secure for Cloud resources in. +2. `exclude_folders` - List of GCP Organizational Folders to exclude deploying the Sysdig Secure for Cloud resources in. +3. `include_projects` - List of GCP Projects to deploy the Sysdig Secure for Cloud resources in. +4. `exclude_projects` - List of GCP Projects to exclude deploying the Sysdig Secure for Cloud resources in. + +**WARNING**: module variable `management_group_ids` will be DEPRECATED on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use `include_folders` instead to achieve the same deployment outcome. + +**Note**: The modules under `modules/services/` folder are legacy installs and soon to be deprecated. Those modules are no longer used for Onboarding. Please use the corresponding feature modules as mentioned in `## Modules` section above for Modular Onboarding. It is the recommended form of Onboarding. + +
+ +## Best practices + +For contributing to existing modules or adding new modules, below are some of the best practices recommended :- +* Module names referred and used in deployment snippets should be consistent with those in their source path. +* A module can fall into one of two categories - feature module or an integrations module. +* Every user-facing deployment snippet will, + - at the top level first call the feature module or integrations module from this repo. These modules deploy corresponding cloud resources and Sysdig component resources. + - the corresponding feature resource will be added as the last block and enabled from the module installed component resource reference. + See sample deployment snippets in `test/examples` for more. +* integrations modules are shared and could enable multiple features. Hence, one should be careful with changes to them. +* Module naming follows the pattern with "-" , resource and variable naming follows the pattern with "_". + +## Authors + +Module is maintained and supported by [Sysdig](https://sysdig.com). -* **[CIEM](https://docs.sysdig.com/en/docs/sysdig-secure/posture/identity-and-access/)**: Permissions and Entitlements management. Managed through `service-principal` module.
+## License -* **[CDR (Cloud Detection and Response)]((https://docs.sysdig.com/en/docs/sysdig-secure/threats/activity/events-feed/))**: It sends periodically the Audit Logs collected from a GCP project/organization to Sysdig's systems, this by collecting them in a PubSub topic through a Sink and then sending them through a `PUSH` integration. Managed through `webhook-datasource` module.
+Apache 2 Licensed. See LICENSE for full details. -For other Cloud providers check: [AWS](https://github.com/draios/terraform-aws-secure-for-cloud) diff --git a/modules/config-posture/organizational.tf b/modules/config-posture/organizational.tf index 0d09f99..4d943c3 100644 --- a/modules/config-posture/organizational.tf +++ b/modules/config-posture/organizational.tf @@ -16,7 +16,7 @@ data "google_organization" "org" { #--------------------------------------------------------------------------------------------- resource "google_organization_iam_member" "cspm" { # adding ciem role with permissions to the service account alongside cspm roles - for_each = var.is_organizational ? toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer", "roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.organizationRoleViewer", "roles/container.clusterViewer", "roles/compute.viewer"]) : [] + for_each = var.is_organizational ? toset(["roles/cloudasset.viewer", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer", "roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.organizationRoleViewer", "roles/container.clusterViewer", "roles/compute.viewer"]) : [] org_id = data.google_organization.org[0].org_id role = each.key From 74692d14925284314de18a5c105d1455ddc2b402 Mon Sep 17 00:00:00 2001 
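Review bot: in the README.md hunk of PATCH 1/2, the CDR bullet keeps the doubled parentheses from the old text, `[CDR (Cloud Detection and Response)]((https://docs.sysdig.com/...))`, which makes the URL render literally instead of as a link; since the bullet is rewritten here anyway, drop the extra pair. A few more points in the same hunk: the "Notice that" bullet says resources are created "within the tags `product:sysdig-secure-for-cloud`, within the resource-group `sysdig-secure-for-cloud`", but GCP has labels, not tags or resource groups, so this sentence reads as carried over from another cloud's README and should be reworded to labels or dropped; the fence for `terraform init/plan/apply` is tagged `terraform` but holds shell commands with `$` prompts, so tag it `shell` and drop the prompts; and "you need have your GCP auth login via gcloud CLI" should read "you need to be logged in to GCP via the gcloud CLI".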
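Review bot: the modules/config-posture/organizational.tf hunk is a privilege reduction, not only a cleanup, and the commit message and changelog should say so: `roles/iam.workloadIdentityUser` carries `iam.serviceAccounts.getAccessToken` and `iam.serviceAccounts.getOpenIdToken`, so bound at organization scope it allowed the posture service account to mint tokens for every service account in the org. Two follow-ups: removing the key from the `for_each` set means the next `terraform apply` on an existing install will destroy that org-level binding, which operators should expect to see in the plan; and the hunk does not show the SA-level binding the message says replaces it ("We already add it directly at the SA membership level"), so a one-line comment above `resource "google_organization_iam_member" "cspm"` pointing at that `google_service_account_iam_member` resource would help the next reader confirm nothing was lost.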
From: Alejandro Terron Date: Mon, 29 Sep 2025 19:11:12 +0200 Subject: [PATCH 2/2] tune down pre-commit + fmt --- .github/git-chglog/CHANGELOG.tpl.md | 2 +- .github/git-chglog/config.yml | 2 +- .pre-commit-config.yaml | 40 +++++++++---------- CONTRIBUTING.md | 2 - README.md | 2 - modules/agentless-scan/README.md | 2 +- modules/agentless-scan/outputs.tf | 2 +- modules/agentless-scan/versions.tf | 2 +- modules/config-posture/README.md | 2 +- modules/config-posture/organizational.tf | 2 +- modules/config-posture/outputs.tf | 2 +- modules/config-posture/versions.tf | 2 +- .../integrations/pub-sub/organizational.tf | 2 +- modules/integrations/pub-sub/outputs.tf | 2 +- modules/integrations/pub-sub/versions.tf | 2 +- modules/onboarding/README.md | 2 +- modules/onboarding/locals.tf | 2 +- modules/onboarding/main.tf | 2 +- modules/onboarding/organizational.tf | 2 +- modules/onboarding/outputs.tf | 2 +- modules/onboarding/versions.tf | 2 +- modules/services/service-principal/README.md | 4 +- modules/services/service-principal/main.tf | 2 +- .../service-principal/organizational.tf | 2 +- modules/services/service-principal/outputs.tf | 2 +- .../services/service-principal/variables.tf | 2 +- .../services/service-principal/versions.tf | 2 +- modules/services/workload-scan/provider.tf | 2 +- modules/vm-workload-scanning/versions.tf | 2 +- project/README.md | 1 - project/main.tf | 1 - project/outputs.tf | 1 - project/variables.tf | 1 - test/Makefile | 2 +- .../modular_organization/agentless-scan.tf | 2 +- .../onboarding_with_posture.tf | 4 +- .../pub-sub-admin-write-only1.tf | 18 ++++----- .../pub-sub-admin-write-only2.tf | 20 +++++----- test/examples/modular_organization/pub-sub.tf | 16 ++++---- .../vm-workload-scanning-cloud-run.tf | 4 +- .../vm-workload-scanning-functions.tf | 4 +- .../vm-workload-scanning-gke.tf | 4 +- .../modular_single_project/agentless-scan.tf | 2 +- .../onboarding_with_posture.tf | 6 +-- .../pub-sub-admin-write-only1.tf | 14 +++---- 
.../pub-sub-admin-write-only2.tf | 16 ++++---- .../modular_single_project/pub-sub.tf | 12 +++--- .../vm-workload-scanning-cloud-run.tf | 4 +- .../vm-workload-scanning-functions.tf | 4 +- .../vm-workload-scanning-gke.tf | 4 +- .../project_api_enablement/cdr_ciem/main.tf | 12 +++--- .../project_api_enablement/cspm/main.tf | 12 +++--- .../project_api_enablement/vm/main.tf | 12 +++--- .../organization/main.tf | 1 - .../organization/main.tf | 13 +++--- .../secure_threat_detection/single/main.tf | 8 ++-- test/functional.sh | 2 +- 57 files changed, 144 insertions(+), 154 deletions(-) diff --git a/.github/git-chglog/CHANGELOG.tpl.md b/.github/git-chglog/CHANGELOG.tpl.md index a10bacc..4407075 100644 --- a/.github/git-chglog/CHANGELOG.tpl.md +++ b/.github/git-chglog/CHANGELOG.tpl.md @@ -25,4 +25,4 @@ {{ end }} {{ end -}} {{ end -}} -{{ end -}} \ No newline at end of file +{{ end -}} diff --git a/.github/git-chglog/config.yml b/.github/git-chglog/config.yml index dde2704..1742f4b 100644 --- a/.github/git-chglog/config.yml +++ b/.github/git-chglog/config.yml @@ -29,4 +29,4 @@ options: - Subject notes: keywords: - - BREAKING CHANGE \ No newline at end of file + - BREAKING CHANGE diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5444631..dd8bc7b 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.5.0 + rev: v6.0.0 hooks: - id: check-merge-conflict - id: end-of-file-fixer 
@@ -11,22 +11,22 @@ repos: rev: v1.86.0 hooks: - id: terraform_fmt - - id: terraform_docs - args: - - '--args=--sort-by required' - - id: terraform_tflint - args: - - '--args=--only=terraform_deprecated_interpolation' - - '--args=--only=terraform_deprecated_index' - - '--args=--only=terraform_unused_declarations' - - '--args=--only=terraform_comment_syntax' - - '--args=--only=terraform_documented_outputs' - - '--args=--only=terraform_documented_variables' - - '--args=--only=terraform_typed_variables' - - '--args=--only=terraform_module_pinned_source' - - '--args=--only=terraform_naming_convention' - - '--args=--only=terraform_required_version' - - '--args=--only=terraform_required_providers' - - '--args=--only=terraform_standard_module_structure' - - '--args=--only=terraform_workspace_remote' - - id: terrascan + # - id: terraform_docs + # args: + # - '--args=--sort-by required' + # - id: terraform_tflint + # args: + # - '--args=--only=terraform_deprecated_interpolation' + # - '--args=--only=terraform_deprecated_index' + # - '--args=--only=terraform_unused_declarations' + # - '--args=--only=terraform_comment_syntax' + # - '--args=--only=terraform_documented_outputs' + # - '--args=--only=terraform_documented_variables' + # - '--args=--only=terraform_typed_variables' + # - '--args=--only=terraform_module_pinned_source' + # - '--args=--only=terraform_naming_convention' + # - '--args=--only=terraform_required_version' + # - '--args=--only=terraform_required_providers' + # - '--args=--only=terraform_standard_module_structure' + # - '--args=--only=terraform_workspace_remote' + # - id: terrascan diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0e679de..e44b20e 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -32,5 +32,3 @@ It's recommended to use an .envrc file to keep environment variables under contr ## Release - push a new tag and the Github Action will draft a release (with notes) - - diff --git a/README.md b/README.md index b72bf15..7c0cb94 100644 
--- a/README.md +++ b/README.md @@ -96,5 +96,3 @@ Module is maintained and supported by [Sysdig](https://sysdig.com). ## License Apache 2 Licensed. See LICENSE for full details. - - diff --git a/modules/agentless-scan/README.md b/modules/agentless-scan/README.md index e0ea595..f60757c 100644 --- a/modules/agentless-scan/README.md +++ b/modules/agentless-scan/README.md @@ -1,6 +1,6 @@ # GCP Agentless Scanning Module -This Module creates the resources required to scan hosts on Google Cloud Projects. Before applying the changes defined +This Module creates the resources required to scan hosts on Google Cloud Projects. Before applying the changes defined in this module, the following operations need to be performed on the target GCP environment: - The APIs needed for the VM feature are listed below: diff --git a/modules/agentless-scan/outputs.tf b/modules/agentless-scan/outputs.tf index 36b8b1c..339128e 100644 --- a/modules/agentless-scan/outputs.tf +++ b/modules/agentless-scan/outputs.tf @@ -2,4 +2,4 @@ output "agentless_scan_component_id" { value = "${sysdig_secure_cloud_auth_account_component.gcp_agentless_scan.type}/${sysdig_secure_cloud_auth_account_component.gcp_agentless_scan.instance}" description = "Component identifier of Agentless Scan integration created in Sysdig Backend for VM" depends_on = [sysdig_secure_cloud_auth_account_component.gcp_agentless_scan] -} \ No newline at end of file +} diff --git a/modules/agentless-scan/versions.tf b/modules/agentless-scan/versions.tf index adb6e1a..e2c6cfe 100644 --- a/modules/agentless-scan/versions.tf +++ b/modules/agentless-scan/versions.tf @@ -15,4 +15,4 @@ terraform { version = ">= 3.1" } } -} \ No newline at end of file +} diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md index 097e46b..85a2c7a 100644 --- a/modules/config-posture/README.md +++ b/modules/config-posture/README.md 
@@ -76,4 +76,4 @@ Module is maintained by [Sysdig](https://sysdig.com). ## License -Apache 2 Licensed. See LICENSE for full details. \ No newline at end of file +Apache 2 Licensed. See LICENSE for full details. diff --git a/modules/config-posture/organizational.tf b/modules/config-posture/organizational.tf index 4d943c3..93fb9e9 100644 --- a/modules/config-posture/organizational.tf +++ b/modules/config-posture/organizational.tf @@ -21,4 +21,4 @@ resource "google_organization_iam_member" "cspm" { org_id = data.google_organization.org[0].org_id role = each.key member = "serviceAccount:${google_service_account.posture_auth.email}" -} \ No newline at end of file +} diff --git a/modules/config-posture/outputs.tf b/modules/config-posture/outputs.tf index 20c9f5d..589966c 100644 --- a/modules/config-posture/outputs.tf +++ b/modules/config-posture/outputs.tf @@ -2,4 +2,4 @@ output "service_principal_component_id" { value = "${sysdig_secure_cloud_auth_account_component.google_service_principal.type}/${sysdig_secure_cloud_auth_account_component.google_service_principal.instance}" description = "Component identifier of Service Principal created in Sysdig Backend for Config Posture" depends_on = [sysdig_secure_cloud_auth_account_component.google_service_principal] -} \ No newline at end of file +} diff --git a/modules/config-posture/versions.tf b/modules/config-posture/versions.tf index adb6e1a..e2c6cfe 100644 --- a/modules/config-posture/versions.tf +++ b/modules/config-posture/versions.tf @@ -15,4 +15,4 @@ terraform { version = ">= 3.1" } } -} \ No newline at end of file +} diff --git a/modules/integrations/pub-sub/organizational.tf b/modules/integrations/pub-sub/organizational.tf index aab3de1..6846377 100644 --- a/modules/integrations/pub-sub/organizational.tf +++ b/modules/integrations/pub-sub/organizational.tf 
@@ -84,4 +84,4 @@ resource "google_organization_iam_member" "custom" { org_id = data.google_organization.org[0].org_id role = google_organization_iam_custom_role.custom_ingestion_auth_role[0].id member = "serviceAccount:${google_service_account.push_auth.email}" -} \ No newline at end of file +} diff --git a/modules/integrations/pub-sub/outputs.tf b/modules/integrations/pub-sub/outputs.tf index a1f7b73..1df5a53 100644 --- a/modules/integrations/pub-sub/outputs.tf +++ b/modules/integrations/pub-sub/outputs.tf @@ -2,4 +2,4 @@ output "pubsub_datasource_component_id" { value = "${sysdig_secure_cloud_auth_account_component.gcp_pubsub_datasource.type}/${sysdig_secure_cloud_auth_account_component.gcp_pubsub_datasource.instance}" description = "Component identifier of Webhook Datasource integration created in Sysdig Backend for Log Ingestion" depends_on = [sysdig_secure_cloud_auth_account_component.gcp_pubsub_datasource] -} \ No newline at end of file +} diff --git a/modules/integrations/pub-sub/versions.tf b/modules/integrations/pub-sub/versions.tf index 623419b..56cff14 100644 --- a/modules/integrations/pub-sub/versions.tf +++ b/modules/integrations/pub-sub/versions.tf @@ -19,4 +19,4 @@ terraform { version = "0.13.1" } } -} \ No newline at end of file +} diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md index a146adb..9265d56 100644 --- a/modules/onboarding/README.md +++ b/modules/onboarding/README.md @@ -109,4 +109,4 @@ Module is maintained by [Sysdig](https://sysdig.com). ## License -Apache 2 Licensed. See LICENSE for full details. \ No newline at end of file +Apache 2 Licensed. See LICENSE for full details. diff --git a/modules/onboarding/locals.tf b/modules/onboarding/locals.tf index 5762f2a..1827f3c 100644 --- a/modules/onboarding/locals.tf +++ b/modules/onboarding/locals.tf 
@@ -35,4 +35,4 @@ check "validate_org_configuration_params" { Note: management_group_ids is going to be DEPRECATED 'management_group_ids' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs. EOT } -} \ No newline at end of file +} diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf index 21596cf..4be70c2 100644 --- a/modules/onboarding/main.tf +++ b/modules/onboarding/main.tf @@ -139,4 +139,4 @@ resource "sysdig_secure_cloud_auth_account_component" "onboarding_service_princi google_service_account_iam_member.custom_onboarding_auth, time_sleep.wait_for_apply_google_permissions ] -} \ No newline at end of file +} diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf index d3f1db6..134315b 100644 --- a/modules/onboarding/organizational.tf +++ b/modules/onboarding/organizational.tf @@ -45,4 +45,4 @@ resource "sysdig_secure_organization" "google_organization" { lifecycle { ignore_changes = [automatic_onboarding] } -} \ No newline at end of file +} diff --git a/modules/onboarding/outputs.tf b/modules/onboarding/outputs.tf index 84c3a09..c713c62 100644 --- a/modules/onboarding/outputs.tf +++ b/modules/onboarding/outputs.tf @@ -36,4 +36,4 @@ output "include_projects" { output "exclude_projects" { description = "projects to exclude for organization" value = var.exclude_projects -} \ No newline at end of file +} diff --git a/modules/onboarding/versions.tf b/modules/onboarding/versions.tf index 83288c7..f1302db 100644 --- a/modules/onboarding/versions.tf +++ b/modules/onboarding/versions.tf @@ -19,4 +19,4 @@ terraform { version = "0.13.1" } } -} \ No newline at end of file +} diff --git a/modules/services/service-principal/README.md b/modules/services/service-principal/README.md index 228020b..0919211 100644 --- a/modules/services/service-principal/README.md +++ b/modules/services/service-principal/README.md 
@@ -4,9 +4,9 @@ This module will deploy a Service Principal (GCP Service Account) for a single G The following resources will be created in each instrumented project: - A Service Account with associated role permissions to grant Sysdig read only permissions to secure your GCP Project. - - A Service Account Key attached to this service account using its name. + - A Service Account Key attached to this service account using its name. -If instrumenting a GCP Organization, the service account will be created in the Management Account (provided via the project ID), with appropriate organizational level permissions. +If instrumenting a GCP Organization, the service account will be created in the Management Account (provided via the project ID), with appropriate organizational level permissions. ## Requirements diff --git a/modules/services/service-principal/main.tf b/modules/services/service-principal/main.tf index 99a4040..68651e2 100644 --- a/modules/services/service-principal/main.tf +++ b/modules/services/service-principal/main.tf @@ -46,4 +46,4 @@ resource "google_project_iam_member" "identity_mgmt" { #-------------------------------- resource "google_service_account_key" "secure_service_account_key" { service_account_id = google_service_account.sa.name -} \ No newline at end of file +} diff --git a/modules/services/service-principal/organizational.tf b/modules/services/service-principal/organizational.tf index 5303f23..c45176c 100644 --- a/modules/services/service-principal/organizational.tf +++ b/modules/services/service-principal/organizational.tf @@ -42,4 +42,4 @@ resource "google_organization_iam_member" "identity_mgmt" { org_id = data.google_organization.org[0].org_id role = each.key member = "serviceAccount:${google_service_account.sa.email}" -} \ No newline at end of file +} diff --git a/modules/services/service-principal/outputs.tf b/modules/services/service-principal/outputs.tf index 40b6fa5..0b0f156 100644 
--- a/modules/services/service-principal/outputs.tf +++ b/modules/services/service-principal/outputs.tf @@ -7,4 +7,4 @@ output "service_account_key" { value = google_service_account_key.secure_service_account_key.private_key description = "Private Key of the Service Account created" sensitive = true -} \ No newline at end of file +} diff --git a/modules/services/service-principal/variables.tf b/modules/services/service-principal/variables.tf index f7f8426..b86e874 100644 --- a/modules/services/service-principal/variables.tf +++ b/modules/services/service-principal/variables.tf @@ -19,4 +19,4 @@ variable "organization_domain" { type = string description = "Organization domain. e.g. sysdig.com" default = "" -} \ No newline at end of file +} diff --git a/modules/services/service-principal/versions.tf b/modules/services/service-principal/versions.tf index 72404ce..675359b 100644 --- a/modules/services/service-principal/versions.tf +++ b/modules/services/service-principal/versions.tf @@ -7,4 +7,4 @@ terraform { version = ">= 4.21.0" } } -} \ No newline at end of file +} diff --git a/modules/services/workload-scan/provider.tf b/modules/services/workload-scan/provider.tf index 13561b5..6bf3a36 100644 --- a/modules/services/workload-scan/provider.tf +++ b/modules/services/workload-scan/provider.tf @@ -15,4 +15,4 @@ terraform { version = "~> 1.37" } } -} \ No newline at end of file +} diff --git a/modules/vm-workload-scanning/versions.tf b/modules/vm-workload-scanning/versions.tf index c16110f..8eab59a 100644 --- a/modules/vm-workload-scanning/versions.tf +++ b/modules/vm-workload-scanning/versions.tf @@ -15,4 +15,4 @@ terraform { version = "~> 1.37" } } -} \ No newline at end of file +} diff --git a/project/README.md b/project/README.md index 8b13789..e69de29 100644 --- a/project/README.md +++ b/project/README.md @@ -1 +0,0 @@ - diff --git a/project/main.tf b/project/main.tf index 8b13789..e69de29 100644 --- a/project/main.tf +++ b/project/main.tf @@ -1 +0,0 @@ - 
diff --git a/project/outputs.tf b/project/outputs.tf index 8b13789..e69de29 100644 --- a/project/outputs.tf +++ b/project/outputs.tf @@ -1 +0,0 @@ - diff --git a/project/variables.tf b/project/variables.tf index 8b13789..e69de29 100644 --- a/project/variables.tf +++ b/project/variables.tf @@ -1 +0,0 @@ - diff --git a/test/Makefile b/test/Makefile index e02115d..ef7ec39 100644 --- a/test/Makefile +++ b/test/Makefile @@ -1,2 +1,2 @@ test: - ./functional.sh \ No newline at end of file + ./functional.sh diff --git a/test/examples/modular_organization/agentless-scan.tf b/test/examples/modular_organization/agentless-scan.tf index 3f7cca8..f45db6c 100644 --- a/test/examples/modular_organization/agentless-scan.tf +++ b/test/examples/modular_organization/agentless-scan.tf @@ -17,4 +17,4 @@ resource "sysdig_secure_cloud_auth_account_feature" "agentless_scanning" { enabled = true components = [module.agentless-scan.agentless_scan_component_id] depends_on = [module.agentless-scan] -} \ No newline at end of file +} diff --git a/test/examples/modular_organization/onboarding_with_posture.tf b/test/examples/modular_organization/onboarding_with_posture.tf index a94e035..7e49202 100644 --- a/test/examples/modular_organization/onboarding_with_posture.tf +++ b/test/examples/modular_organization/onboarding_with_posture.tf @@ -27,8 +27,8 @@ module "onboarding" { # management_group_ids = ["folders/123456789012"] # include/exclude parameters - include_folders = ["123456789012", "12345678911"] - exclude_folders = [] + include_folders = ["123456789012", "12345678911"] + exclude_folders = [] include_projects = ["", ""] exclude_projects = ["", ""] diff --git a/test/examples/modular_organization/pub-sub-admin-write-only1.tf b/test/examples/modular_organization/pub-sub-admin-write-only1.tf index 38f57c7..56030a6 100644 --- a/test/examples/modular_organization/pub-sub-admin-write-only1.tf +++ b/test/examples/modular_organization/pub-sub-admin-write-only1.tf 
@@ -4,15 +4,15 @@ #--------------------------------------------------------------------------------------------- module "pub-sub" { - source = "../../../modules/integrations/pub-sub" - project_id = module.onboarding.project_id - is_organizational = module.onboarding.is_organizational - organization_domain = module.onboarding.organization_domain + source = "../../../modules/integrations/pub-sub" + project_id = module.onboarding.project_id + is_organizational = module.onboarding.is_organizational + organization_domain = module.onboarding.organization_domain sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id - ingestion_sink_filter = "" + ingestion_sink_filter = "" audit_log_config = [ { - service = "allServices" + service = "allServices" log_config = [] } ] @@ -23,8 +23,8 @@ resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { account_id = module.onboarding.sysdig_secure_account_id type = "FEATURE_SECURE_THREAT_DETECTION" enabled = true - components = [ module.pub-sub.pubsub_datasource_component_id ] - depends_on = [ module.pub-sub ] + components = [module.pub-sub.pubsub_datasource_component_id] + depends_on = [module.pub-sub] } resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanced" { @@ -33,7 +33,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc enabled = true components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.pub-sub.pubsub_datasource_component_id]) depends_on = [module.pub-sub, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic] - flags = {"CIEM_FEATURE_MODE": "advanced"} + flags = { "CIEM_FEATURE_MODE" : "advanced" } lifecycle { ignore_changes = [flags, components] diff --git a/test/examples/modular_organization/pub-sub-admin-write-only2.tf b/test/examples/modular_organization/pub-sub-admin-write-only2.tf index efa1d06..95ba012 100644 
--- a/test/examples/modular_organization/pub-sub-admin-write-only2.tf +++ b/test/examples/modular_organization/pub-sub-admin-write-only2.tf @@ -4,22 +4,22 @@ #--------------------------------------------------------------------------------------------- module "pub-sub" { - source = "../../../modules/integrations/pub-sub" - project_id = module.onboarding.project_id - is_organizational = module.onboarding.is_organizational - organization_domain = module.onboarding.organization_domain + source = "../../../modules/integrations/pub-sub" + project_id = module.onboarding.project_id + is_organizational = module.onboarding.is_organizational + organization_domain = module.onboarding.organization_domain sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id - ingestion_sink_filter = "" - audit_log_config = [] - exclude_logs_filter = [] + ingestion_sink_filter = "" + audit_log_config = [] + exclude_logs_filter = [] } resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { account_id = module.onboarding.sysdig_secure_account_id type = "FEATURE_SECURE_THREAT_DETECTION" enabled = true - components = [ module.pub-sub.pubsub_datasource_component_id ] - depends_on = [ module.pub-sub ] + components = [module.pub-sub.pubsub_datasource_component_id] + depends_on = [module.pub-sub] } resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanced" { @@ -28,7 +28,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc enabled = true components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.pub-sub.pubsub_datasource_component_id]) depends_on = [module.pub-sub, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic] - flags = {"CIEM_FEATURE_MODE": "advanced"} + flags = { "CIEM_FEATURE_MODE" : "advanced" } lifecycle { ignore_changes = [flags, components] 
diff --git a/test/examples/modular_organization/pub-sub.tf b/test/examples/modular_organization/pub-sub.tf index eb08e0a..bf68550 100644 --- a/test/examples/modular_organization/pub-sub.tf +++ b/test/examples/modular_organization/pub-sub.tf @@ -4,12 +4,12 @@ #--------------------------------------------------------------------------------------------- module "pub-sub" { - source = "../../../modules/integrations/pub-sub" - project_id = module.onboarding.project_id - is_organizational = module.onboarding.is_organizational - organization_domain = module.onboarding.organization_domain + source = "../../../modules/integrations/pub-sub" + project_id = module.onboarding.project_id + is_organizational = module.onboarding.is_organizational + organization_domain = module.onboarding.organization_domain sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id - ingestion_sink_filter = "protoPayload.@type = \"type.googleapis.com/google.cloud.audit.AuditLog\" (protoPayload.methodName!~ \"\\.(get|list)$\" OR protoPayload.serviceName != (\"k8s.io\" and \"storage.googleapis.com\"))" + ingestion_sink_filter = "protoPayload.@type = \"type.googleapis.com/google.cloud.audit.AuditLog\" (protoPayload.methodName!~ \"\\.(get|list)$\" OR protoPayload.serviceName != (\"k8s.io\" and \"storage.googleapis.com\"))" audit_log_config = [ { service = "cloudsql.googleapis.com" @@ -49,8 +49,8 @@ resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { account_id = module.onboarding.sysdig_secure_account_id type = "FEATURE_SECURE_THREAT_DETECTION" enabled = true - components = [ module.pub-sub.pubsub_datasource_component_id ] - depends_on = [ module.pub-sub ] + components = [module.pub-sub.pubsub_datasource_component_id] + depends_on = [module.pub-sub] } resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanced" { 
@@ -59,7 +59,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc enabled = true components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.pub-sub.pubsub_datasource_component_id]) depends_on = [module.pub-sub, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic] - flags = {"CIEM_FEATURE_MODE": "advanced"} + flags = { "CIEM_FEATURE_MODE" : "advanced" } lifecycle { ignore_changes = [flags, components] diff --git a/test/examples/modular_organization/vm-workload-scanning-cloud-run.tf b/test/examples/modular_organization/vm-workload-scanning-cloud-run.tf index 9506c3b..ac3067e 100644 --- a/test/examples/modular_organization/vm-workload-scanning-cloud-run.tf +++ b/test/examples/modular_organization/vm-workload-scanning-cloud-run.tf @@ -1,5 +1,5 @@ module "vm_workload_scanning" { - source = "../../../modules/vm-workload-scanning" + source = "../../../modules/vm-workload-scanning" project_id = module.onboarding.project_id is_organizational = module.onboarding.is_organizational @@ -14,4 +14,4 @@ resource "sysdig_secure_cloud_auth_account_feature" "config_cloud_run" { enabled = true components = [module.vm_workload_scanning.vm_workload_scanning_component_id] depends_on = [module.vm_workload_scanning] -} \ No newline at end of file +} diff --git a/test/examples/modular_organization/vm-workload-scanning-functions.tf b/test/examples/modular_organization/vm-workload-scanning-functions.tf index f8a3489..2022931 100644 --- a/test/examples/modular_organization/vm-workload-scanning-functions.tf +++ b/test/examples/modular_organization/vm-workload-scanning-functions.tf @@ -1,5 +1,5 @@ module "vm_workload_scanning" { - source = "../../../modules/vm-workload-scanning" + source = "../../../modules/vm-workload-scanning" project_id = module.onboarding.project_id is_organizational = module.onboarding.is_organizational 
@@ -14,4 +14,4 @@ resource "sysdig_secure_cloud_auth_account_feature" "config_functions" { enabled = true components = [module.vm_workload_scanning.vm_workload_scanning_component_id] depends_on = [module.vm_workload_scanning] -} \ No newline at end of file +} diff --git a/test/examples/modular_organization/vm-workload-scanning-gke.tf b/test/examples/modular_organization/vm-workload-scanning-gke.tf index 5ace0bb..0c6b27b 100644 --- a/test/examples/modular_organization/vm-workload-scanning-gke.tf +++ b/test/examples/modular_organization/vm-workload-scanning-gke.tf @@ -1,5 +1,5 @@ module "vm_workload_scanning" { - source = "../../../modules/vm-workload-scanning" + source = "../../../modules/vm-workload-scanning" project_id = module.onboarding.project_id is_organizational = module.onboarding.is_organizational @@ -14,4 +14,4 @@ resource "sysdig_secure_cloud_auth_account_feature" "config_gke" { enabled = true components = [module.vm_workload_scanning.vm_workload_scanning_component_id] depends_on = [module.vm_workload_scanning] -} \ No newline at end of file +} diff --git a/test/examples/modular_single_project/agentless-scan.tf b/test/examples/modular_single_project/agentless-scan.tf index 1f082f8..6fae0b1 100644 --- a/test/examples/modular_single_project/agentless-scan.tf +++ b/test/examples/modular_single_project/agentless-scan.tf @@ -15,4 +15,4 @@ resource "sysdig_secure_cloud_auth_account_feature" "agentless_scanning" { enabled = true components = [module.agentless-scan.agentless_scan_component_id] depends_on = [module.agentless-scan] -} \ No newline at end of file +} diff --git a/test/examples/modular_single_project/onboarding_with_posture.tf b/test/examples/modular_single_project/onboarding_with_posture.tf index 9cabef2..a71812b 100644 --- a/test/examples/modular_single_project/onboarding_with_posture.tf +++ b/test/examples/modular_single_project/onboarding_with_posture.tf 
@@ -18,8 +18,8 @@ provider "google" { } module "onboarding" { - source = "../../../modules/onboarding" - project_id = "org-child-project-3" + source = "../../../modules/onboarding" + project_id = "org-child-project-3" } module "config-posture" { @@ -43,7 +43,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_basic" components = [module.config-posture.service_principal_component_id] depends_on = [module.config-posture, sysdig_secure_cloud_auth_account_feature.config_posture] flags = { - "CIEM_FEATURE_MODE": "basic" + "CIEM_FEATURE_MODE" : "basic" } lifecycle { diff --git a/test/examples/modular_single_project/pub-sub-admin-write-only1.tf b/test/examples/modular_single_project/pub-sub-admin-write-only1.tf index 363f233..f5b402a 100644 --- a/test/examples/modular_single_project/pub-sub-admin-write-only1.tf +++ b/test/examples/modular_single_project/pub-sub-admin-write-only1.tf @@ -4,13 +4,13 @@ #--------------------------------------------------------------------------------------------- module "pub-sub" { - source = "../../../modules/integrations/pub-sub" - project_id = module.onboarding.project_id + source = "../../../modules/integrations/pub-sub" + project_id = module.onboarding.project_id sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id - ingestion_sink_filter = "" + ingestion_sink_filter = "" audit_log_config = [ { - service = "allServices" + service = "allServices" log_config = [] } ] @@ -21,8 +21,8 @@ resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { account_id = module.onboarding.sysdig_secure_account_id type = "FEATURE_SECURE_THREAT_DETECTION" enabled = true - components = [ module.pub-sub.pubsub_datasource_component_id ] - depends_on = [ module.pub-sub ] + components = [module.pub-sub.pubsub_datasource_component_id] + depends_on = [module.pub-sub] } resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanced" { 
@@ -31,7 +31,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc enabled = true components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.pub-sub.pubsub_datasource_component_id]) depends_on = [module.pub-sub, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic] - flags = {"CIEM_FEATURE_MODE": "advanced"} + flags = { "CIEM_FEATURE_MODE" : "advanced" } lifecycle { ignore_changes = [flags, components] diff --git a/test/examples/modular_single_project/pub-sub-admin-write-only2.tf b/test/examples/modular_single_project/pub-sub-admin-write-only2.tf index 52404bc..b28f1bc 100644 --- a/test/examples/modular_single_project/pub-sub-admin-write-only2.tf +++ b/test/examples/modular_single_project/pub-sub-admin-write-only2.tf @@ -4,20 +4,20 @@ #--------------------------------------------------------------------------------------------- module "pub-sub" { - source = "../../../modules/integrations/pub-sub" - project_id = module.onboarding.project_id + source = "../../../modules/integrations/pub-sub" + project_id = module.onboarding.project_id sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id - ingestion_sink_filter = "" - audit_log_config = [] - exclude_logs_filter = [] + ingestion_sink_filter = "" + audit_log_config = [] + exclude_logs_filter = [] } resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { account_id = module.onboarding.sysdig_secure_account_id type = "FEATURE_SECURE_THREAT_DETECTION" enabled = true - components = [ module.pub-sub.pubsub_datasource_component_id ] - depends_on = [ module.pub-sub ] + components = [module.pub-sub.pubsub_datasource_component_id] + depends_on = [module.pub-sub] } resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanced" { 
@@ -26,7 +26,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc enabled = true components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.pub-sub.pubsub_datasource_component_id]) depends_on = [module.pub-sub, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic] - flags = {"CIEM_FEATURE_MODE": "advanced"} + flags = { "CIEM_FEATURE_MODE" : "advanced" } lifecycle { ignore_changes = [flags, components] diff --git a/test/examples/modular_single_project/pub-sub.tf b/test/examples/modular_single_project/pub-sub.tf index 386e2e1..f26e2d8 100644 --- a/test/examples/modular_single_project/pub-sub.tf +++ b/test/examples/modular_single_project/pub-sub.tf @@ -4,10 +4,10 @@ #--------------------------------------------------------------------------------------------- module "pub-sub" { - source = "../../../modules/integrations/pub-sub" - project_id = module.onboarding.project_id + source = "../../../modules/integrations/pub-sub" + project_id = module.onboarding.project_id sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id - ingestion_sink_filter = "protoPayload.@type = \"type.googleapis.com/google.cloud.audit.AuditLog\" (protoPayload.methodName!~ \"\\.(get|list)$\" OR protoPayload.serviceName != (\"k8s.io\" and \"storage.googleapis.com\"))" + ingestion_sink_filter = "protoPayload.@type = \"type.googleapis.com/google.cloud.audit.AuditLog\" (protoPayload.methodName!~ \"\\.(get|list)$\" OR protoPayload.serviceName != (\"k8s.io\" and \"storage.googleapis.com\"))" audit_log_config = [ { service = "cloudsql.googleapis.com" 
@@ -47,8 +47,8 @@ resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { account_id = module.onboarding.sysdig_secure_account_id type = "FEATURE_SECURE_THREAT_DETECTION" enabled = true - components = [ module.pub-sub.pubsub_datasource_component_id ] - depends_on = [ module.pub-sub ] + components = [module.pub-sub.pubsub_datasource_component_id] + depends_on = [module.pub-sub] } resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanced" { @@ -57,7 +57,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc enabled = true components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.pub-sub.pubsub_datasource_component_id]) depends_on = [module.pub-sub, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic] - flags = {"CIEM_FEATURE_MODE": "advanced"} + flags = { "CIEM_FEATURE_MODE" : "advanced" } lifecycle { ignore_changes = [flags, components] diff --git a/test/examples/modular_single_project/vm-workload-scanning-cloud-run.tf b/test/examples/modular_single_project/vm-workload-scanning-cloud-run.tf index 7763f4c..8565c5b 100644 --- a/test/examples/modular_single_project/vm-workload-scanning-cloud-run.tf +++ b/test/examples/modular_single_project/vm-workload-scanning-cloud-run.tf @@ -1,5 +1,5 @@ module "vm_workload_scanning" { - source = "../../../modules/vm-workload-scanning" + source = "../../../modules/vm-workload-scanning" project_id = module.onboarding.project_id sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id @@ -12,4 +12,4 @@ resource "sysdig_secure_cloud_auth_account_feature" "config_cloud_run" { enabled = true components = [module.vm_workload_scanning.vm_workload_scanning_component_id] depends_on = [module.vm_workload_scanning] -} \ No newline at end of file +} 
diff --git a/test/examples/modular_single_project/vm-workload-scanning-functions.tf b/test/examples/modular_single_project/vm-workload-scanning-functions.tf index 3191eeb..9035fad 100644 --- a/test/examples/modular_single_project/vm-workload-scanning-functions.tf +++ b/test/examples/modular_single_project/vm-workload-scanning-functions.tf @@ -1,5 +1,5 @@ module "vm_workload_scanning" { - source = "../../../modules/vm-workload-scanning" + source = "../../../modules/vm-workload-scanning" project_id = module.onboarding.project_id sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id @@ -12,4 +12,4 @@ resource "sysdig_secure_cloud_auth_account_feature" "config_functions" { enabled = true components = [module.vm_workload_scanning.vm_workload_scanning_component_id] depends_on = [module.vm_workload_scanning] -} \ No newline at end of file +} diff --git a/test/examples/modular_single_project/vm-workload-scanning-gke.tf b/test/examples/modular_single_project/vm-workload-scanning-gke.tf index fea16c4..7871264 100644 --- a/test/examples/modular_single_project/vm-workload-scanning-gke.tf +++ b/test/examples/modular_single_project/vm-workload-scanning-gke.tf @@ -1,5 +1,5 @@ module "vm_workload_scanning" { - source = "../../../modules/vm-workload-scanning" + source = "../../../modules/vm-workload-scanning" project_id = module.onboarding.project_id sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id @@ -12,4 +12,4 @@ resource "sysdig_secure_cloud_auth_account_feature" "config_gke" { enabled = true components = [module.vm_workload_scanning.vm_workload_scanning_component_id] depends_on = [module.vm_workload_scanning] -} \ No newline at end of file +} diff --git a/test/examples/project_api_enablement/cdr_ciem/main.tf b/test/examples/project_api_enablement/cdr_ciem/main.tf index 64c06d1..cff67ae 100644 --- a/test/examples/project_api_enablement/cdr_ciem/main.tf +++ b/test/examples/project_api_enablement/cdr_ciem/main.tf 
@@ -21,16 +21,16 @@ locals { # GCP provider provider "google" { - project = local.project - region = "us-west-1" + project = local.project + region = "us-west-1" } // Enable API services for GCP project resource "google_project_service" "enable_cdr_ciem_apis" { - project = local.project + project = local.project - for_each = toset(local.services) - service = each.value + for_each = toset(local.services) + service = each.value disable_on_destroy = false } @@ -40,4 +40,4 @@ output "enabled_projects" { } output "enabled_services" { value = [for service in local.services : google_project_service.enable_cdr_ciem_apis[service].service] -} \ No newline at end of file +} diff --git a/test/examples/project_api_enablement/cspm/main.tf b/test/examples/project_api_enablement/cspm/main.tf index 79c0c3a..7bcab48 100644 --- a/test/examples/project_api_enablement/cspm/main.tf +++ b/test/examples/project_api_enablement/cspm/main.tf @@ -29,16 +29,16 @@ locals { # GCP provider provider "google" { - project = local.project - region = "us-west-1" + project = local.project + region = "us-west-1" } // Enable API services for GCP project resource "google_project_service" "enable_cspm_apis" { - project = local.project + project = local.project - for_each = toset(local.services) - service = each.value + for_each = toset(local.services) + service = each.value disable_on_destroy = false } @@ -48,4 +48,4 @@ output "enabled_projects" { } output "enabled_services" { value = [for service in local.services : google_project_service.enable_cspm_apis[service].service] -} \ No newline at end of file +} diff --git a/test/examples/project_api_enablement/vm/main.tf b/test/examples/project_api_enablement/vm/main.tf index f64a55a..489d2f6 100644 --- a/test/examples/project_api_enablement/vm/main.tf +++ b/test/examples/project_api_enablement/vm/main.tf 
@@ -17,16 +17,16 @@ locals { # GCP provider provider "google" { - project = local.project - region = "us-west-1" + project = local.project + region = "us-west-1" } // Enable API services for GCP project resource "google_project_service" "enable_vm_apis" { - project = local.project + project = local.project - for_each = toset(local.services) - service = each.value + for_each = toset(local.services) + service = each.value disable_on_destroy = false } @@ -36,4 +36,4 @@ output "enabled_projects" { } output "enabled_services" { value = [for service in local.services : google_project_service.enable_vm_apis[service].service] -} \ No newline at end of file +} diff --git a/test/examples/secure_config_posture_identity_access/organization/main.tf b/test/examples/secure_config_posture_identity_access/organization/main.tf index 595cded..cac1b00 100644 --- a/test/examples/secure_config_posture_identity_access/organization/main.tf +++ b/test/examples/secure_config_posture_identity_access/organization/main.tf @@ -68,4 +68,3 @@ resource "sysdig_secure_organization" "gcp_organization_mytestproject" { management_account_id = sysdig_secure_cloud_auth_account.gcp_project_mytestproject.id depends_on = [module.organization-posture] } - diff --git a/test/examples/secure_threat_detection/organization/main.tf b/test/examples/secure_threat_detection/organization/main.tf index f271277..1a75783 100644 --- a/test/examples/secure_threat_detection/organization/main.tf +++ b/test/examples/secure_threat_detection/organization/main.tf 
@@ -4,12 +4,12 @@ provider "google" { } module "organization-threat-detection" { - source = "../../../..//modules/services/webhook-datasource" - project_id = "mytestproject" - push_endpoint = "test_sysdig_secure_cloudingestion_endpoint" - is_organizational = true - organization_domain = "mytestorg.com" - external_id = "external_id" + source = "../../../..//modules/services/webhook-datasource" + project_id = "mytestproject" + push_endpoint = "test_sysdig_secure_cloudingestion_endpoint" + is_organizational = true + organization_domain = "mytestorg.com" + external_id = "external_id" ingestion_sink_filter = "protoPayload.@type = \"type.googleapis.com/google.cloud.audit.AuditLog\" (protoPayload.methodName!~ \"\\.(get|list)$\" OR protoPayload.serviceName != (\"k8s.io\" and \"storage.googleapis.com\"))" audit_log_config = [ { @@ -124,4 +124,3 @@ resource "sysdig_secure_organization" "gcp_organization_mytestproject" { management_account_id = sysdig_secure_cloud_auth_account.gcp_project_mytestproject.id depends_on = [module.organization-posture] } - diff --git a/test/examples/secure_threat_detection/single/main.tf b/test/examples/secure_threat_detection/single/main.tf index fb753cc..dd8e59d 100644 --- a/test/examples/secure_threat_detection/single/main.tf +++ b/test/examples/secure_threat_detection/single/main.tf 
@@ -4,10 +4,10 @@ provider "google" { } module "single-project-threat-detection" { - source = "../../../..//modules/services/webhook-datasource" - project_id = "mytestproject" - push_endpoint = "test_sysdig_secure_cloudingestion_endpoint" - external_id = "external_id" + source = "../../../..//modules/services/webhook-datasource" + project_id = "mytestproject" + push_endpoint = "test_sysdig_secure_cloudingestion_endpoint" + external_id = "external_id" ingestion_sink_filter = "protoPayload.@type = \"type.googleapis.com/google.cloud.audit.AuditLog\" (protoPayload.methodName!~ \"\\.(get|list)$\" OR protoPayload.serviceName != (\"k8s.io\" and \"storage.googleapis.com\"))" audit_log_config = [ { diff --git a/test/functional.sh b/test/functional.sh index d57be27..1300e00 100755 --- a/test/functional.sh +++ b/test/functional.sh @@ -16,4 +16,4 @@ for example in ${EXAMPLES} ; do # cleanup (except configuration file) git clean -fxde main.tf popd -done \ No newline at end of file +done
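Review bot: `region = "us-west-1"` in the `provider "google"` blocks of test/examples/project_api_enablement/cdr_ciem/main.tf, cspm/main.tf and vm/main.tf is not a GCP region name; GCP writes regions without the hyphen before the digit (`us-west1`). The `google_project_service` resources in these files do not consume the region, so the examples still apply, but anyone who copies the provider block into a configuration that creates regional resources gets a provider error. The hunks already touch these lines for alignment, so suggest correcting the value in the same change.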
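Review bot: in test/examples/secure_threat_detection/organization/main.tf the `sysdig_secure_organization` resource at the end of the file carries `depends_on = [module.organization-posture]`, while the only module declared in the hunks shown for that file is `module "organization-threat-detection"`. Confirm that a module named `organization-posture` exists elsewhere in this file; if it does not, the line looks copied from test/examples/secure_config_posture_identity_access/organization/main.tf and `terraform validate` will reject the reference. If the intended ordering is on the threat-detection module, `depends_on = [module.organization-threat-detection]` is the fix.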
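Review bot: every hunk under test/examples/** and in test/functional.sh is whitespace alignment, spacing inside `{ "CIEM_FEATURE_MODE" : "advanced" }`, or the missing newline at end of file; no attribute values change. That is `terraform fmt -recursive` output, and it is easier to review and to bisect later when it lives in its own commit rather than alongside a functional change. Suggest splitting the formatting into a separate commit and adding `terraform fmt -check -recursive` to CI so the examples stop drifting.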
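Review bot: `lifecycle { ignore_changes = [flags, components] }` on `identity_entitlement_advanced` (pub-sub.tf and pub-sub-admin-write-only*.tf in both modular_organization and modular_single_project) means Terraform never reconciles `CIEM_FEATURE_MODE` or the component list after first apply, so a later change made outside Terraform, including a downgrade back to basic mode, is kept silently. Unchanged by this diff, but the neighbouring `threat_detection` and `config_*` feature resources in the same files do not ignore drift, so suggest a comment on the lifecycle block stating why these two attributes are intentionally excluded.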
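Review bot: the `ingestion_sink_filter` in pub-sub.tf (both example trees) and in the secure_threat_detection examples is only re-aligned here, but the value deserves a check while these lines are in the diff: `protoPayload.serviceName != ("k8s.io" and "storage.googleapis.com")` uses a lowercase `and` inside the parenthesised value list, whereas the Cloud Logging query language documents its boolean operators as uppercase `AND`/`OR`. Suggest running the exact string through `gcloud logging read --filter=...` in a test project to confirm it parses and that it does what the shape suggests, namely drop `.get`/`.list` calls for those two services while keeping every other audit log entry, and then noting that reduced read-call coverage in the example comments.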
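Review bot: within test/examples/modular_organization (and likewise modular_single_project) the files pub-sub.tf, pub-sub-admin-write-only1.tf and pub-sub-admin-write-only2.tf each declare `module "pub-sub"` and `resource "sysdig_secure_cloud_auth_account_feature" "threat_detection"`, and the three vm-workload-scanning-*.tf files each declare `module "vm_workload_scanning"`. Terraform rejects duplicate block addresses in one root module, so these files can only be variants applied one at a time; the cleanup in test/functional.sh (`git clean -fxde main.tf`) suggests the harness stages one of them as main.tf. Suggest a one-line comment at the top of each variant saying so, since a reader who runs `terraform init` in the directory as checked in will hit the duplicate-declaration error first.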