Add support for CloudTrail SNS ingestion

Author: lorenzo-merici

sysdig/data_source_sysdig_secure_onboarding.go

@@ -8,10 +8,11 @@ import (
 	"time"
 
 	"github.com/aws/aws-sdk-go/aws/arn"
-	v2 "github.com/draios/terraform-provider-sysdig/sysdig/internal/client/v2"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+
+	v2 "github.com/draios/terraform-provider-sysdig/sysdig/internal/client/v2"
 )
 
 func getSecureOnboardingClient(c SysdigClients) (v2.OnboardingSecureInterface, error) {
@@ -344,6 +345,15 @@ func dataSourceSysdigSecureCloudIngestionAssets() *schema.Resource {
 		},
 
 		Schema: map[string]*schema.Schema{
+			"cloud_provider": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ValidateFunc: validation.StringInSlice([]string{"aws", "gcp", "azure"}, false),
+			},
+			"cloud_provider_id": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
 			"aws": {
 				Type:     schema.TypeMap,
 				Computed: true,
@@ -359,6 +369,14 @@ func dataSourceSysdigSecureCloudIngestionAssets() *schema.Resource {
 				Type:     schema.TypeMap,
 				Computed: true,
 			},
+			"sns_routing_key": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"sns_metadata": {
+				Type:     schema.TypeMap,
+				Computed: true,
+			},
 		},
 	}
 }
@@ -370,7 +388,7 @@ func dataSourceSysdigSecureCloudIngestionAssetsRead(ctx context.Context, d *sche
 		return diag.FromErr(err)
 	}
 
-	assets, err := client.GetCloudIngestionAssetsSecure(ctx)
+	assets, err := client.GetCloudIngestionAssetsSecure(ctx, d.Get("cloud_provider").(string), d.Get("cloud_provider_id").(string))
 	if err != nil {
 		return diag.FromErr(err)
 	}
@@ -380,8 +398,10 @@ func dataSourceSysdigSecureCloudIngestionAssetsRead(ctx context.Context, d *sche
 
 	d.SetId("cloudIngestionAssets")
 	err = d.Set("aws", map[string]interface{}{
-		"eventBusARN":    assetsAws["eventBusARN"],
-		"eventBusARNGov": assetsAws["eventBusARNGov"],
+		"eventBusARN":     assetsAws["eventBusARN"],
+		"eventBusARNGov":  assetsAws["eventBusARNGov"],
+		"sns_routing_key": assetsAws["snsRoutingKey"],
+		"sns_metadata":    assetsAws["snsMetadata"],
 	})
 	if err != nil {
 		return diag.FromErr(err)

sysdig/data_source_sysdig_secure_onboarding_test.go

@@ -175,6 +175,10 @@ func TestAccCloudIngestionAssetsDataSource(t *testing.T) {
 			},
 		},
 		Steps: []resource.TestStep{
+			{
+				Config:      `data "sysdig_secure_cloud_ingestion_assets" "assets" {	cloud_provider = "invalid" }`,
+				ExpectError: regexp.MustCompile(`.*expected cloud_provider to be one of.*`),
+			},
 			{
 				Config: `data "sysdig_secure_cloud_ingestion_assets" "assets" {}`,
 				Check: resource.ComposeTestCheckFunc(
@@ -188,6 +192,15 @@ func TestAccCloudIngestionAssetsDataSource(t *testing.T) {
 					resource.TestCheckResourceAttrSet("data.sysdig_secure_cloud_ingestion_assets.assets", "gcp_metadata.ingestionURL"),
 				),
 			},
+			{
+				Config: `data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {	cloud_provider = "aws" }`,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("data.sysdig_secure_trusted_cloud_identity.trusted_identity", "cloud_provider", "aws"),
+					resource.TestCheckResourceAttrSet("data.sysdig_secure_trusted_cloud_identity.trusted_identity", "aws_account_id"),
+					resource.TestCheckResourceAttrSet("data.sysdig_secure_trusted_cloud_identity.trusted_identity", "aws_role_name"),
+					// not asserting the gov exported fields because not every backend environment is gov supported and thus will have empty values
+				),
+			},
 		},
 	})
 }

sysdig/internal/client/v2/onboarding.go

@@ -11,7 +11,7 @@ const (
 	onboardingTrustedAzureAppPath         = "%s/api/secure/onboarding/v2/trustedAzureApp?app=%s"
 	onboardingTenantExternaIDPath         = "%s/api/secure/onboarding/v2/externalID"
 	onboardingAgentlessScanningAssetsPath = "%s/api/secure/onboarding/v2/agentlessScanningAssets"
-	onboardingCloudIngestionAssetsPath    = "%s/api/secure/onboarding/v2/cloudIngestionAssets"
+	onboardingCloudIngestionAssetsPath    = "%s/api/secure/onboarding/v2/cloudIngestionAssets?provider=%s&providerID=%s"
 	onboardingTrustedRegulationAssetsPath = "%s/api/secure/onboarding/v2/trustedRegulationAssets?provider=%s"
 	onboardingTrustedOracleAppPath        = "%s/api/secure/onboarding/v2/trustedOracleApp?app=%s"
 )
@@ -22,7 +22,7 @@ type OnboardingSecureInterface interface {
 	GetTrustedAzureAppSecure(ctx context.Context, app string) (map[string]string, error)
 	GetTenantExternalIDSecure(ctx context.Context) (string, error)
 	GetAgentlessScanningAssetsSecure(ctx context.Context) (map[string]any, error)
-	GetCloudIngestionAssetsSecure(ctx context.Context) (map[string]any, error)
+	GetCloudIngestionAssetsSecure(ctx context.Context, provider, providerID string) (map[string]any, error)
 	GetTrustedCloudRegulationAssetsSecure(ctx context.Context, provider string) (map[string]string, error)
 	GetTrustedOracleAppSecure(ctx context.Context, app string) (map[string]string, error)
 }
@@ -83,8 +83,8 @@ func (client *Client) GetAgentlessScanningAssetsSecure(ctx context.Context) (map
 	return Unmarshal[map[string]interface{}](response.Body)
 }
 
-func (client *Client) GetCloudIngestionAssetsSecure(ctx context.Context) (map[string]interface{}, error) {
-	response, err := client.requester.Request(ctx, http.MethodGet, fmt.Sprintf(onboardingCloudIngestionAssetsPath, client.config.url), nil)
+func (client *Client) GetCloudIngestionAssetsSecure(ctx context.Context, provider, providerID string) (map[string]interface{}, error) {
+	response, err := client.requester.Request(ctx, http.MethodGet, fmt.Sprintf(onboardingCloudIngestionAssetsPath, client.config.url, provider, providerID), nil)
 	if err != nil {
 		return nil, err
 	}

website/docs/d/secure_cloud_ingestion_assets.md

@@ -32,3 +32,6 @@ In addition to all arguments above, the following attributes are exported:
 
 * `gcp_metadata` - GCP ingestion metadata
 
+* `sns_routing_key` - CloudTrail SNS ingestion routing key
+
+* `sns_metadata` - CloudTrail SNS ingestion metadata