diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md
index 735bcb0..7420a74 100644
--- a/modules/config-posture/README.md
+++ b/modules/config-posture/README.md
@@ -4,7 +4,12 @@ This module will deploy Config Posture resources in Oracle for a compartment or
The following resources will be created in each instrumented compartment/tenancy:
-- An Admit Policy on the target tenant that will allow sysdig tenant to `read` all-resources in the specified
+- A User on the target tenant.
+- A Group on the target tenant.
+- A Group Membership between the User and Group created on the target tenant.
+- If customer wants, a private and public RSA key will be generated for the user. Customer can opt to pass files for
+ public and private keys.
+- An Allow Policy on the target tenant that will allow the User to `read` all-resources in the specified
compartment/tenancy.
- A cloud account component in the Sysdig Backend, associated with the specified compartment/tenant and with the
required metadata to serve the Config Posture functions.
@@ -48,6 +53,8 @@ resource |
| [tenancy\_ocid](#input\_tenancy\_ocid) | (Required) Customer tenant OCID | `string` | n/a | yes |
| [compartment\_ocid](#input\_compartment\_ocid) | (Optional) Customer compartment OCID | `string` | `""` | no |
| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account) | `string` | n/a | yes |
+| [private\_key\_file\_path](#input\_private\_key\_file\_path) | (Optional) Path to the private key file | `string` | n/a | no |
+| [public\_key\_file\_path](#input\_public\_key\_file\_path) | (Optional) Path to the public key file | `string` | n/a | no |
## Outputs
diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf
index 7b3412e..098c6e5 100644
--- a/modules/config-posture/main.tf
+++ b/modules/config-posture/main.tf
@@ -2,10 +2,6 @@
# Fetch the data sources
#-----------------------------------------------------------------------------------------
-data "sysdig_secure_trusted_oracle_app" "config_posture" {
- name = "config_posture"
-}
-
// compartment data to populate policies if onboarding a compartment
data "oci_identity_compartment" "compartment" {
count = var.compartment_ocid != "" ? 1 : 0
@@ -19,17 +15,51 @@ resource "random_id" "suffix" {
}
#-----------------------------------------------------------------------------------------
-# Admit policy to allow Sysdig Tenant to read resources
+# Create Group, User and Group Membership
+#-----------------------------------------------------------------------------------------
+resource "oci_identity_group" "cspm_group" {
+ name = "SysdigSecureConfigPostureGroup-${random_id.suffix.hex}"
+ description = "Sysdig Secure CSPM Group"
+ compartment_id = var.tenancy_ocid
+}
+
+resource "oci_identity_user" "cspm_user" {
+ name = "SysdigSecureConfigPostureUser-${random_id.suffix.hex}"
+ description = "Sysdig Secure CSPM User"
+ compartment_id = var.tenancy_ocid
+ email = var.email
+}
+
+resource "oci_identity_user_group_membership" "cspm_user_to_group" {
+ user_id = oci_identity_user.cspm_user.id
+ group_id = oci_identity_group.cspm_group.id
+}
+
+#-----------------------------------------------------------------------------------------
+# Create RSA key for user
+#-----------------------------------------------------------------------------------------
+
+resource "tls_private_key" "rsa_key" {
+ count = var.private_key_file_path == "" && var.public_key_file_path == "" ? 1 : 0
+ algorithm = "RSA"
+ rsa_bits = 2048
+}
+
+resource "oci_identity_api_key" "cspm_user_api_key" {
+ user_id = oci_identity_user.cspm_user.id
+ key_value = (var.public_key_file_path == "" && var.private_key_file_path == "") ? tls_private_key.rsa_key[0].public_key_pem : file(var.public_key_file_path)
+}
+
+#-----------------------------------------------------------------------------------------
+# Allow policy to allow user to read resources
#-----------------------------------------------------------------------------------------
-resource "oci_identity_policy" "admit_cspm_policy" {
- name = "AdmitSysdigSecureTenantConfigPosture-${random_id.suffix.hex}"
- description = "Config Posture admit policy to read all resources in tenant"
+resource "oci_identity_policy" "allow_cspm_policy" {
+ name = "AllowSysdigSecureTenantConfigPosture-${random_id.suffix.hex}"
+ description = "Config Posture allow policy to read all resources in tenant"
compartment_id = var.tenancy_ocid
statements = [
- "Define tenancy sysdigTenancy as ${data.sysdig_secure_trusted_oracle_app.config_posture.tenancy_ocid}",
- "Define group configPostureGroup as ${data.sysdig_secure_trusted_oracle_app.config_posture.group_ocid}",
- "Admit group configPostureGroup of tenancy sysdigTenancy to read all-resources in tenancy",
+ "Allow group ${oci_identity_group.cspm_group.name} to read all-resources in tenancy",
]
}
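Review bot: The key-source condition `var.private_key_file_path == "" && var.public_key_file_path == ""` is repeated on the `count` of `tls_private_key.rsa_key` and on `key_value` of `oci_identity_api_key.cspm_user_api_key` (and a third time on `private_key` in the next hunk), yet nothing rejects a caller who sets only one of the two paths; with just `public_key_file_path` set, `rsa_key` has count 0 and the next hunk evaluates `file("")`, which fails with a file-not-found error rather than a message naming the real problem. Hoisting the condition into a local and guarding the api-key resource with a precondition (Terraform 1.2+; the module's `required_version` is not visible in this diff) makes the contract explicit and keeps the three sites from drifting. Separately, the allow statement on the new policy is always scoped `in tenancy`, even though the module takes `compartment_ocid` and the README describes reading "in the specified compartment/tenancy"; if compartment onboarding is meant to be narrower, the statement should use the compartment scope for that case. Note the removed data source was also what gave the old policy its Sysdig-side tenancy/group OCIDs, so the user/group created here is now the only principal the backend can use.
```hcl
locals {
  # true when the caller supplied neither key file, i.e. the module generates the pair itself
  generate_key = var.private_key_file_path == "" && var.public_key_file_path == ""
}

resource "tls_private_key" "rsa_key" {
  count     = local.generate_key ? 1 : 0
  # … unchanged: algorithm / rsa_bits …
}

resource "oci_identity_api_key" "cspm_user_api_key" {
  user_id   = oci_identity_user.cspm_user.id
  key_value = local.generate_key ? tls_private_key.rsa_key[0].public_key_pem : file(var.public_key_file_path)

  lifecycle {
    precondition {
      condition     = local.generate_key || (var.private_key_file_path != "" && var.public_key_file_path != "")
      error_message = "Set both private_key_file_path and public_key_file_path, or leave both empty to have the module generate a key pair."
    }
  }
}
```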
@@ -44,15 +74,17 @@ resource "sysdig_secure_cloud_auth_account_component" "oracle_service_principal"
service_principal_metadata = jsonencode({
oci = {
api_key = {
- user_id = data.sysdig_secure_trusted_oracle_app.config_posture.user_ocid
- region = var.region
+ user_id = oci_identity_user.cspm_user.id
+ region = var.region
+ fingerprint = oci_identity_api_key.cspm_user_api_key.fingerprint
+ private_key = (var.public_key_file_path == "" && var.private_key_file_path == "") ? base64encode(tls_private_key.rsa_key[0].private_key_pem) : base64encode(file(var.private_key_file_path))
}
policy = {
- policy_id = oci_identity_policy.admit_cspm_policy.id
+ policy_id = oci_identity_policy.allow_cspm_policy.id
}
}
})
depends_on = [
- oci_identity_policy.admit_cspm_policy
+ oci_identity_policy.allow_cspm_policy
]
-}
+}
\ No newline at end of file
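Review bot: The `private_key` value added to `service_principal_metadata` carries the user's RSA private key (generated or read from `private_key_file_path`) in clear, so it lands in Terraform state and, unless redacted, in plan output and logs; the commit adds no comment or README wording about this, and the generated key is already in state via `tls_private_key.rsa_key`. Wrapping the value, e.g. `private_key = sensitive(base64encode(...))` (Terraform 0.15+), redacts the whole encoded metadata in plan output, which is presumably acceptable since the rest of it is non-secret identifiers; a comment such as `# NOTE: the private key is stored in Terraform state; keep state in an access-controlled, encrypted backend` on this line would make the operational requirement visible to whoever consumes the module. The enclosing `resource "sysdig_secure_cloud_auth_account_component" "oracle_service_principal"` block starts above this hunk.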
diff --git a/modules/config-posture/variables.tf b/modules/config-posture/variables.tf
index ef92443..56b059a 100644
--- a/modules/config-posture/variables.tf
+++ b/modules/config-posture/variables.tf
@@ -21,6 +21,24 @@ variable "sysdig_secure_account_id" {
}
variable "region" {
- type = string
+ type = string
description = "(Required) Customer home region"
+}
+
+variable "private_key_file_path" {
+ description = "Path to the private key file"
+ type = string
+ default = ""
+}
+
+variable "public_key_file_path" {
+ description = "Path to the public key file"
+ type = string
+ default = ""
+}
+
+variable "email" {
+ description = "Email for user created on customer tenant"
+ type = string
+ default = "email@sysdig.com"
}
\ No newline at end of file
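Review bot: The three new variable descriptions drop the `(Required)`/`(Optional)` prefix that `region` and the other variables in this file use, and they do not say that the two key paths must be set together, that the files are expected to be PEM, or that leaving both empty makes the module generate the pair; the README hunk also lists the path variables with default `n/a` while the defaults here are `""`. Suggested wording: `description = "(Optional) Path to a PEM-encoded RSA private key for the created user; must be set together with public_key_file_path. Leave empty to have the module generate a key pair."` and the matching sentence for the public key. The `email` default `email@sysdig.com` is a hard-coded mailbox placed on a user in the customer's tenant; whether OCI sends notifications to it is not visible here, so the description should at least state it is a placeholder the customer is expected to override, e.g. `description = "(Optional) Email set on the user created in the customer tenant; override with an address the customer controls"`.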
diff --git a/modules/config-posture/versions.tf b/modules/config-posture/versions.tf
index 82852ab..57de939 100644
--- a/modules/config-posture/versions.tf
+++ b/modules/config-posture/versions.tf
@@ -3,10 +3,13 @@ terraform {
required_providers {
sysdig = {
source = "sysdiglabs/sysdig"
- version = "~> 1.43"
+ version = "~> 1.46"
}
oci = {
- source = "oracle/oci"
+ source = "oracle/oci"
+ }
+ tls = {
+ source = "hashicorp/tls"
}
}
}
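Review bot: The newly added `tls` provider has no `version` constraint, so the module will resolve whatever latest `hashicorp/tls` major is published at init time, unlike `sysdig`, which is pinned with `~> 1.46`; this is the provider that generates the user's private key, so reproducibility and supply-chain hygiene argue for pinning it to the major the module was tested with, e.g. `version = "~> 4.0"`. The `oci` provider was already unconstrained before this commit, so the same point applies there if the maintainers want consistent pinning.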
\ No newline at end of file
diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf
index d1fb4b0..5f2d97f 100644
--- a/modules/onboarding/main.tf
+++ b/modules/onboarding/main.tf
@@ -1,6 +1,6 @@
locals {
home_region = [
- for subscription in data.oci_identity_region_subscriptions.test_region_subscriptions.region_subscriptions :
+ for subscription in data.oci_identity_region_subscriptions.region_subscriptions.region_subscriptions :
subscription.region_name
if subscription.is_home_region == true
]
@@ -27,7 +27,7 @@ data "oci_identity_tenancy" "tenancy" {
}
// tenancy region data
-data "oci_identity_region_subscriptions" "test_region_subscriptions" {
+data "oci_identity_region_subscriptions" "region_subscriptions" {
tenancy_id = var.tenancy_ocid
}
diff --git a/modules/onboarding/versions.tf b/modules/onboarding/versions.tf
index 82852ab..58a7083 100644
--- a/modules/onboarding/versions.tf
+++ b/modules/onboarding/versions.tf
@@ -3,10 +3,10 @@ terraform {
required_providers {
sysdig = {
source = "sysdiglabs/sysdig"
- version = "~> 1.43"
+ version = "~> 1.46"
}
oci = {
- source = "oracle/oci"
+ source = "oracle/oci"
}
}
}
\ No newline at end of file
diff --git a/tests/examples/modular_organization/onboarding_cspm_compartment.tf b/tests/examples/modular_organization/onboarding_cspm_compartment.tf
index a1fff17..b0d33bf 100644
--- a/tests/examples/modular_organization/onboarding_cspm_compartment.tf
+++ b/tests/examples/modular_organization/onboarding_cspm_compartment.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
sysdig = {
source = "sysdiglabs/sysdig"
- version = "~> 1.43.0"
+ version = "~> 1.46.0"
}
oci = {
source = "oracle/oci"
@@ -17,9 +17,7 @@ provider "sysdig" {
provider "oci" {
tenancy_ocid = ""
- user_ocid = ""
- fingerprint = ""
- private_key_path = ""
+ config_file_profile = "DEFAULT"
region = ""
}
diff --git a/tests/examples/modular_organization/onboarding_cspm_tenancy.tf b/tests/examples/modular_organization/onboarding_cspm_tenancy.tf
index 721639d..309c754 100644
--- a/tests/examples/modular_organization/onboarding_cspm_tenancy.tf
+++ b/tests/examples/modular_organization/onboarding_cspm_tenancy.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
sysdig = {
source = "sysdiglabs/sysdig"
- version = "~> 1.43.0"
+ version = "~> 1.46.0"
}
oci = {
source = "oracle/oci"
@@ -17,9 +17,7 @@ provider "sysdig" {
provider "oci" {
tenancy_ocid = ""
- user_ocid = ""
- fingerprint = ""
- private_key_path = ""
+ config_file_profile = "DEFAULT"
region = ""
}