Skip to content

SSPROD-51715 - fix(oci): add cspm user in customer tenant to support identity resources #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Jan 17, 2025
Merged

SSPROD-51715 - fix(oci): add cspm user in customer tenant to support identity resources #9

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
7c3e4bb
fix(oci): add cspm user in customer tenant to support identity resources
jose-pablo-camacho Jan 15, 2025
da29684
fix(oci): add cspm user in customer tenant to support identity resources
jose-pablo-camacho Jan 15, 2025
3dbe51a
fix(oci): add cspm user in customer tenant to support identity resources
jose-pablo-camacho Jan 15, 2025
f3dfc65
fix(oci): add cspm user in customer tenant to support identity resources
jose-pablo-camacho Jan 17, 2025
b201a64
fix(oci): add cspm user in customer tenant to support identity resources
jose-pablo-camacho Jan 17, 2025
ef2157a
fix(oci): add cspm user in customer tenant to support identity resources
jose-pablo-camacho Jan 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 53 additions & 3 deletions modules/config-posture/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,54 @@ resource "random_id" "suffix" {
byte_length = 3
}

#-----------------------------------------------------------------------------------------
# Create Group, User and Group Membership
#-----------------------------------------------------------------------------------------
resource "oci_identity_group" "cspm_group" {
name = "SysdigSecureConfigPostureGroup-${random_id.suffix.hex}"
description = "Sysdig Secure CSPM Group"
compartment_id = var.tenancy_ocid
}

resource "oci_identity_user" "cspm_user" {
name = "SysdigSecureConfigPostureUser-${random_id.suffix.hex}"
description = "Sysdig Secure CSPM User"
compartment_id = var.tenancy_ocid
email = var.email
}

resource "oci_identity_user_group_membership" "cspm_user_to_group" {
user_id = oci_identity_user.cspm_user.id
group_id = oci_identity_group.cspm_group.id
}

#-----------------------------------------------------------------------------------------
# Create RSA key for user
#-----------------------------------------------------------------------------------------

resource "tls_private_key" "rsa_key" {
count = var.private_key_file_path == "" && var.public_key_file_path == "" ? 1 : 0
algorithm = "RSA"
rsa_bits = 2048
}

resource "oci_identity_api_key" "cspm_user_api_key" {
user_id = oci_identity_user.cspm_user.id
key_value = (var.public_key_file_path == "" && var.private_key_file_path == "") ? tls_private_key.rsa_key[0].public_key_pem : file(var.public_key_file_path)
}

#-----------------------------------------------------------------------------------------
# Allow policy to allow user to read resources
#-----------------------------------------------------------------------------------------

resource "oci_identity_policy" "cspm_policy" {
name = "AllowSysdigSecureTenantConfigPosture-${random_id.suffix.hex}"
description = "Config Posture allow policy to read all resources in tenant"
compartment_id = var.tenancy_ocid
statements = [
"Allow group ${oci_identity_group.cspm_group.name} to read all-resources in tenancy",
]
}
#-----------------------------------------------------------------------------------------
# Admit policy to allow Sysdig Tenant to read resources
#-----------------------------------------------------------------------------------------
Expand All @@ -44,8 +92,10 @@ resource "sysdig_secure_cloud_auth_account_component" "oracle_service_principal"
service_principal_metadata = jsonencode({
oci = {
api_key = {
user_id = data.sysdig_secure_trusted_oracle_app.config_posture.user_ocid
region = var.region
user_id = oci_identity_user.cspm_user.id
region = var.region
# fingerprint = oci_identity_api_key.cspm_user_api_key.fingerprint
# private_key = (var.public_key_file_path == "" && var.private_key_file_path == "") ? base64encode(tls_private_key.rsa_key[0].private_key_pem) : base64encode(file(var.private_key_file_path))
}
policy = {
policy_id = oci_identity_policy.admit_cspm_policy.id
Expand All @@ -55,4 +105,4 @@ resource "sysdig_secure_cloud_auth_account_component" "oracle_service_principal"
depends_on = [
oci_identity_policy.admit_cspm_policy
]
}
}
20 changes: 19 additions & 1 deletion modules/config-posture/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,24 @@ variable "sysdig_secure_account_id" {
}

variable "region" {
type = string
type = string
description = "(Required) Customer home region"
}

variable "private_key_file_path" {
description = "Path to the private key file"
type = string
default = ""
}

variable "public_key_file_path" {
description = "Path to the public key file"
type = string
default = ""
}

variable "email" {
description = "Email for user created on customer tenant"
type = string
default = "[email protected]"
}
5 changes: 4 additions & 1 deletion modules/config-posture/versions.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,10 @@ terraform {
version = "~> 1.43"
}
oci = {
source = "oracle/oci"
source = "oracle/oci"
}
tls = {
source = "hashicorp/tls"
}
}
}