SSPROD-49726 - add(oracle): initial modules onboarding/config-posture (#2)

jose-pablo-camacho · web-flow · commit 3a25e15a95f7 · 2024-12-09T22:48:19.000-06:00
* add(oracle): initial modules onboarding/config-posture

* add(oracle): initial modules onboarding/config-posture

* add(oracle): initial modules onboarding/config-posture

* add(oracle): initial modules onboarding/config-posture

* add(oracle): initial modules onboarding/config-posture

* add(oracle): initial modules onboarding/config-posture

* add(oracle): initial modules onboarding/config-posture

* add(oracle): initial modules onboarding/config-posture

* add(oracle): initial modules onboarding/config-posture

* add(oracle): initial modules onboarding/config-posture
diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md
@@ -0,0 +1,66 @@
+# Oracle Cloud Config Posture Module
+
+This module will deploy Config Posture resources in Oracle for a compartment or root tenancy.
+
+The following resources will be created in each instrumented compartment/tenancy:
+
+- An Admit Policy on the target tenant that will allow sysdig tenant to `read` all-resources in the specified
+  compartment/tenancy.
+- A cloud account component in the Sysdig Backend, associated with the specified compartment/tenant and with the
+  required metadata to serve the Config Posture functions.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Requirements
+
+| Name                                                                      | Version |
+|---------------------------------------------------------------------------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_oci"></a> [oci](#requirement\_oci)                   | >= 6.19.0 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig)          | ~> 1.42 |
+
+## Providers
+
+| Name                                                       | Version |
+|------------------------------------------------------------|---------|
+| <a name="provider_oci"></a> [oci](#provider\_oci)          | 6.19.0  |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3.1  |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| [oci_identity_compartment.compartment](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/identity_compartment) |
+data source |
+| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [oci_identity_policy.admit_cspm_policy](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/identity_policy) |
+resource |
+| [sysdig_secure_cloud_auth_account_component.oracle_service_principal](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) |
+resource |
+
+## Inputs
+
+| Name                                                                                                             | Description                                                                                                                           | Type     | Default          | Required |
+|------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|----------|------------------|:--------:|
+| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational)                          | (Optional) True/False whether secure-for-cloud should be deployed in an organizational setup                                          | `bool`   | `false`          |    no    |
+| <a name="input_tenancy_ocid"></a> [tenancy\_ocid](#input\_tenancy\_ocid)                                         | (Required) Customer tenant OCID                                                                                                       | `string` | n/a              |   yes    |
+| <a name="input_compartment_ocid"></a> [compartment\_ocid](#input\_compartment\_ocid)                             | (Optional) Customer compartment OCID                                                                                                  | `string` | `""`             |    no    |
+| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account) | `string` | n/a              |   yes    |
+
+## Outputs
+
+| Name                                                                                                                                         | Description                                                                            |
+|----------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------|
+| <a name="output_service_principal_component_id"></a> [sysdig\_service\_principal\_component\_id](#output\_service\_principal\_component\_id) | Component identifier of Service Principal created in Sysdig Backend for Config Posture |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Authors
+
+Module is maintained by [Sysdig](https://sysdig.com).
+
+## License
+
+Apache 2 Licensed. See LICENSE for full details.
diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf
@@ -0,0 +1,60 @@
+#-----------------------------------------------------------------------------------------
+# Fetch the data sources
+#-----------------------------------------------------------------------------------------
+
+data "sysdig_secure_trusted_oracle_app" "config_posture" {
+  name = "config_posture"
+}
+
+// compartment data to populate policies if onboarding a compartment
+data "oci_identity_compartment" "compartment" {
+  count = var.compartment_ocid != "" ? 1 : 0
+  id    = var.compartment_ocid
+}
+
+
+// random suffix for policy name
+resource "random_id" "suffix" {
+  byte_length = 3
+}
+
+#-----------------------------------------------------------------------------------------
+# Admit policy to allow Sysdig Tenant to read resources
+#-----------------------------------------------------------------------------------------
+
+resource "oci_identity_policy" "admit_cspm_policy" {
+  name           = "AdmitSysdigSecureTenantConfigPosture-${random_id.suffix.hex}"
+  description    = "Config Posture policy to allow read all resources in tenant/compartment"
+  compartment_id = var.tenancy_ocid
+  statements = [
+    "Define tenancy sysdigTenancy as ${data.sysdig_secure_trusted_oracle_app.config_posture.tenancy_ocid}",
+    "Define group configPostureGroup as ${data.sysdig_secure_trusted_oracle_app.config_posture.group_ocid}",
+      var.compartment_ocid != "" ?
+      "Admit group configPostureGroup of tenancy sysdigTenancy to read all-resources in compartment ${data.oci_identity_compartment.compartment[0].name}"
+      :
+      "Admit group configPostureGroup of tenancy sysdigTenancy to read all-resources in tenancy",
+  ]
+}
+
+#--------------------------------------------------------------------------------------------------------------
+# Call Sysdig Backend to add the service-principal integration for Config Posture to the Sysdig Cloud Account
+#--------------------------------------------------------------------------------------------------------------
+resource "sysdig_secure_cloud_auth_account_component" "oracle_service_principal" {
+  account_id = var.sysdig_secure_account_id
+  type       = "COMPONENT_SERVICE_PRINCIPAL"
+  instance   = "secure-posture"
+  version    = "v0.1.0"
+  service_principal_metadata = jsonencode({
+    oci = {
+      api_key = {
+        user_id = data.sysdig_secure_trusted_oracle_app.config_posture.user_ocid
+      }
+      policy = {
+        policy_id = oci_identity_policy.admit_cspm_policy.id
+      }
+    }
+  })
+  depends_on = [
+    oci_identity_policy.admit_cspm_policy
+  ]
+}
diff --git a/modules/config-posture/outputs.tf b/modules/config-posture/outputs.tf
@@ -0,0 +1,5 @@
+output "service_principal_component_id" {
+  value       = "${sysdig_secure_cloud_auth_account_component.oracle_service_principal.type}/${sysdig_secure_cloud_auth_account_component.oracle_service_principal.instance}"
+  description = "Component identifier of Service Principal created in Sysdig Backend for Config Posture"
+  depends_on  = [sysdig_secure_cloud_auth_account_component.oracle_service_principal]
+}
diff --git a/modules/config-posture/variables.tf b/modules/config-posture/variables.tf
@@ -0,0 +1,21 @@
+variable "is_organizational" {
+  type        = bool
+  default     = false
+  description = "(Optional) True/False whether secure-for-cloud should be deployed in an organizational setup"
+}
+
+variable "tenancy_ocid" {
+  type        = string
+  description = "(Required) Customer tenant OCID"
+}
+
+variable "compartment_ocid" {
+  type        = string
+  default     = ""
+  description = "(Optional) Customer compartment OCID"
+}
+
+variable "sysdig_secure_account_id" {
+  type        = string
+  description = "(Required) ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account)"
+}
diff --git a/modules/config-posture/versions.tf b/modules/config-posture/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_version = ">= 1.0.0"
+  required_providers {
+    sysdig = {
+      source  = "sysdiglabs/sysdig"
+      version = "~> 1.42"
+    }
+    oci = {
+      source  = "hashicorp/oci"
+    }
+  }
+}
diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md
@@ -0,0 +1,77 @@
+# Oracle Cloud Onboarding Module
+
+This module will deploy foundational onboarding resources in Oracle for a compartment or root tenancy.
+
+The following resources will be created in each instrumented compartment/tenancy:
+
+- An Admit Policy on the target tenant that will allow sysdig tenant to `inspect` compartments in the specified
+  compartment/tenancy.
+- A cloud account in the Sysdig Backend, associated with the specified compartment/tenant and with the required
+  component to serve the foundational functions.
+- A cloud organization in the Sysdig Backend, associated with the specified compartment/tenant to fetch the organization
+  structure(compartment tree) to install Sysdig Secure for Cloud.
+
+Note:
+
+- The outputs from the foundational module, such as `sysdig_secure_account_id` are needed as inputs to the other
+  features/integrations modules for subsequent modular installations.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Requirements
+
+| Name                                                                      | Version |
+|---------------------------------------------------------------------------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_oci"></a> [oci](#requirement\_oci)                   | >= 6.19.0 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig)          | ~> 1.42 |
+
+## Providers
+
+| Name                                                       | Version |
+|------------------------------------------------------------|---------|
+| <a name="provider_oci"></a> [oci](#provider\_oci)          | 6.19.0  |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3.1  |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| [oci_identity_compartment.compartment](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/identity_compartment) |
+data source |
+| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [oci_identity_policy.admit_onboarding_policy](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/identity_policy) |
+resource |
+| [sysdig_secure_cloud_auth_account.oracle_account](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account) |
+resource |
+| [sysdig_secure_organization.oracle_organization](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_organization) |
+resource |
+
+## Inputs
+
+| Name                                                                                    | Description                                                                                  | Type     | Default          | Required |
+|-----------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------|----------|------------------|:--------:|
+| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) True/False whether secure-for-cloud should be deployed in an organizational setup | `bool`   | `false`          |    no    |
+| <a name="input_tenancy_ocid"></a> [tenancy\_ocid](#input\_tenancy\_ocid)                | (Required) Customer tenant OCID                                                              | `string` | n/a              |   yes    |
+| <a name="input_compartment_ocid"></a> [compartment\_ocid](#input\_compartment\_ocid)    | (Optional) Customer compartment OCID                                                         | `string` | `""`             |    no    |
+
+## Outputs
+
+| Name                                                                                                               | Description                                                                  |
+|--------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------|
+| <a name="output_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#output\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account created                                       |
+| <a name="output_is_organizational"></a> [is\_organizational](#output\_is\_organizational)                          | Boolean value to indicate if secure-for-cloud is deployed as an organization |
+| <a name="output_tenancy_ocid"></a> [tenancy\_ocid](#output\_tenancy\_ocid)                                         | Customer tenant OCID                                                         |
+| <a name="output_compartment_ocid"></a> [compartment\_ocid](#output_compartment\_ocid)                              | Customer compartment OCID                                                    |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Authors
+
+Module is maintained by [Sysdig](https://sysdig.com).
+
+## License
+
+Apache 2 Licensed. See LICENSE for full details.
diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf
@@ -0,0 +1,78 @@
+#-----------------------------------------------------------------------------------------
+# Fetch the data sources
+#-----------------------------------------------------------------------------------------
+
+data "sysdig_secure_trusted_oracle_app" "onboarding" {
+  name = "onboarding"
+}
+
+// compartment data to populate policies if onboarding a compartment
+data "oci_identity_compartment" "compartment" {
+  count = var.compartment_ocid != "" ? 1 : 0
+  id    = var.compartment_ocid
+}
+
+
+// random suffix for policy name
+resource "random_id" "suffix" {
+  byte_length = 3
+}
+
+#-----------------------------------------------------------------------------------------
+# Admit policy to allow Sysdig Tenant to read resources
+#-----------------------------------------------------------------------------------------
+
+resource "oci_identity_policy" "admit_onboarding_policy" {
+  name           = "AdmitSysdigSecureTenantOnboarding-${random_id.suffix.hex}"
+  description    = "Onboarding policy to allow inspect compartments in tenant/compartment"
+  compartment_id = var.tenancy_ocid
+  statements = [
+    "Define tenancy sysdigTenancy as ${data.sysdig_secure_trusted_oracle_app.onboarding.tenancy_ocid}",
+    "Define group onboardingGroup as ${data.sysdig_secure_trusted_oracle_app.onboarding.group_ocid}",
+    "Admit group onboardingGroup of tenancy sysdigTenancy to inspect tenancies in tenancy",
+      var.compartment_ocid != "" ?
+      "Admit group onboardingGroup of tenancy sysdigTenancy to inspect compartments in compartment ${data.oci_identity_compartment.compartment[0].name}"
+      :
+      "Admit group onboardingGroup of tenancy sysdigTenancy to inspect compartments in tenancy",
+  ]
+}
+
+
+#---------------------------------------------------------------------------------------------
+# Call Sysdig Backend to create account with foundational onboarding
+# (ensure it is called after all above cloud resources are created using explicit depends_on)
+#---------------------------------------------------------------------------------------------
+resource "sysdig_secure_cloud_auth_account" "oracle_account" {
+  enabled            = true
+  provider_tenant_id = var.tenancy_ocid // tenancy ocid
+  // when compartmentID is not specified, default to the rootCompartmentOCID which is the same value as tenancyOCID
+  provider_id        = var.compartment_ocid == "" ? var.tenancy_ocid : var.compartment_ocid
+  provider_type      = "PROVIDER_ORACLECLOUD"
+
+  component {
+    type     = "COMPONENT_SERVICE_PRINCIPAL"
+    instance = "secure-onboarding"
+    version  = "v0.1.0"
+    service_principal_metadata = jsonencode({
+      oci = {
+        api_key = {
+          user_id = data.sysdig_secure_trusted_oracle_app.onboarding.user_ocid
+        }
+        policy = {
+          policy_id = oci_identity_policy.admit_onboarding_policy.id
+        }
+      }
+    })
+  }
+
+  lifecycle {
+    # features and components are managed outside this module
+    ignore_changes = [
+      component,
+      feature
+    ]
+  }
+  depends_on = [
+    oci_identity_policy.admit_onboarding_policy
+  ]
+}
diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf
@@ -0,0 +1,12 @@
+#---------------------------------------------------------------------------------------------
+# Call Sysdig Backend to create organization with foundational onboarding
+# (ensure it is called after all above cloud resources are created)
+#---------------------------------------------------------------------------------------------
+resource "sysdig_secure_organization" "oracle_organization" {
+  count                 = var.is_organizational ? 1 : 0
+  management_account_id = sysdig_secure_cloud_auth_account.oracle_account.id
+  depends_on = [
+    oci_identity_policy.admit_onboarding_policy,
+    sysdig_secure_cloud_auth_account.oracle_account
+  ]
+}
diff --git a/modules/onboarding/outputs.tf b/modules/onboarding/outputs.tf
@@ -0,0 +1,19 @@
+output "tenancy_ocid" {
+  value       = var.tenancy_ocid
+  description = "Customer tenancy OCID"
+}
+
+output "compartment_ocid" {
+  value       = var.compartment_ocid
+  description = "Customer compartment OCID"
+}
+
+output "sysdig_secure_account_id" {
+  value       = sysdig_secure_cloud_auth_account.oracle_account.id
+  description = "ID of the Sysdig Cloud Account created"
+}
+
+output "is_organizational" {
+  value       = var.is_organizational
+  description = "Boolean value to indicate if secure-for-cloud is deployed to an entire Oracle organization or not"
+}
diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf
@@ -0,0 +1,17 @@
+variable "is_organizational" {
+  type        = bool
+  default     = false
+  description = "(Optional) True/False whether secure-for-cloud should be deployed in an organizational setup"
+}
+
+variable "tenancy_ocid" {
+  type        = string
+  description = "(Required) Customer tenant OCID"
+}
+
+variable "compartment_ocid" {
+  type        = string
+  default     = ""
+  description = "(Optional) Customer compartment OCID"
+}
+
diff --git a/modules/onboarding/versions.tf b/modules/onboarding/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_version = ">= 1.0.0"
+  required_providers {
+    sysdig = {
+      source  = "sysdiglabs/sysdig"
+      version = "~> 1.42"
+    }
+    oci = {
+      source  = "hashicorp/oci"
+    }
+  }
+}
diff --git a/tests/examples/modular_organization/onboarding_cspm_compartment.tf b/tests/examples/modular_organization/onboarding_cspm_compartment.tf
diff --git a/tests/examples/modular_organization/onboarding_cspm_tenancy.tf b/tests/examples/modular_organization/onboarding_cspm_tenancy.tf
