diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf
index 50b2e15..aa168c7 100644
--- a/modules/onboarding/main.tf
+++ b/modules/onboarding/main.tf
@@ -1,7 +1,13 @@
 #------------------------------------------------------------------#
-# Fetch and compute required data for Service Account Key #
+# Fetch and compute required data for Workload Identity Federation #
 #------------------------------------------------------------------#
+data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
+ cloud_provider = "gcp"
+}
+
+data "sysdig_secure_tenant_external_id" "external_id" {}
+
 data "google_project" "project" {
 project_id = var.project_id
 }
@@ -14,6 +20,7 @@ resource "random_id" "suffix" {
 locals {
 suffix = var.suffix == null ? random_id.suffix[0].hex : var.suffix
+ # account_id = time_sleep.wait_for_apply_google_permissions[0].
 }
 resource "google_service_account" "onboarding_auth" {
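Review bot: The `locals` block in the second hunk gains a commented-out, truncated line `# account_id = time_sleep.wait_for_apply_google_permissions[0].` that looks like a development leftover: it ends mid-expression, indexes a resource that is declared without `count` later in this change, and documents nothing for the reader. Drop the line, or if a local derived from the sleep is still intended, finish the expression and reference it where it is needed. A one-line comment on `suffix` explaining that it also feeds the workload identity pool and provider IDs (and so is subject to their naming limits) would be more useful here than the stale note.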
@@ -23,9 +30,39 @@ resource "google_service_account" "onboarding_auth" {
 project = var.project_id
 }
-#---------------------------------
-# role permissions for onboarding
-#---------------------------------
+#------------------------------------------------------------#
+# Configure Workload Identity Federation for auth #
+# See https://cloud.google.com/iam/docs/access-resources-aws #
+#------------------------------------------------------------#
+
+resource "google_iam_workload_identity_pool" "onboarding_auth_pool" {
+ project = var.project_id
+ workload_identity_pool_id = "sysdig-secure-onboarding-${local.suffix}"
+}
+
+resource "google_iam_workload_identity_pool_provider" "onboarding_auth_pool_provider" {
+ project = var.project_id
+ workload_identity_pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id
+ workload_identity_pool_provider_id = "sysdig-onboarding-${local.suffix}"
+ display_name = "Sysdigcloud onboarding auth"
+ description = "AWS based pool provider for Sysdig Secure Data Onboarding resources"
+ disabled = false
+
+ attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\""
+
+ attribute_mapping = {
+ "google.subject" = "assertion.arn",
+ "attribute.aws_role" = "assertion.arn"
+ }
+
+ aws {
+ account_id = data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id
+ }
+}
+
+#---------------------------------------------------------------------------------------------
+# role permissions for Onboarding (GCP Predefined Roles for Sysdig Cloud Onboarding)
+#---------------------------------------------------------------------------------------------
 resource "google_project_iam_member" "browser" {
 count = var.is_organizational ? 0 : 1
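Review bot: `workload_identity_pool_id = "sysdig-secure-onboarding-${local.suffix}"` has a 25-character prefix, and GCP limits pool and provider IDs to 32 lowercase letters, digits or hyphens, so any suffix longer than seven characters fails at apply time; `random_id.suffix` produces two hex characters per byte of its `byte_length` (declared outside this hunk) and `var.suffix` is caller-supplied with no validation visible here. Either shorten the prefix to match the provider, `workload_identity_pool_id = "sysdig-onboarding-${local.suffix}"`, or add a length `validation` block on `var.suffix`. The resource also deserves a comment noting that deleted pools and providers remain soft-deleted for 30 days and their IDs cannot be reused in that window, so a destroy/apply cycle with the same `var.suffix` will fail until then. The `attribute_condition` pinning the session name to the tenant external ID is the right scoping; a short comment stating that `google.subject` and `attribute.aws_role` are intentionally both mapped to `assertion.arn` (the subject for identity, the attribute for the condition and the `principalSet` binding) would save the next reader a question.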
@@ -34,12 +71,18 @@ resource "google_project_iam_member" "browser" {
 member = "serviceAccount:${google_service_account.onboarding_auth.email}"
 }
-#--------------------------------
-# service account private key
-
-#--------------------------------
-resource "google_service_account_key" "onboarding_service_account_key" {
+# attaching WIF as a member to the service account for auth
+resource "google_service_account_iam_member" "custom_onboarding_auth" {
 service_account_id = google_service_account.onboarding_auth.name
+ role = "roles/iam.workloadIdentityUser"
+ member = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}"
+}
+
+# add some timing for SA and permissions to be completely ready before calling Sysdig Backend, ensure that onboarding will pass first time
+resource "time_sleep" "wait_for_apply_google_permissions" {
+ depends_on = [google_organization_iam_member.browser, google_project_iam_member.browser]
+
+ create_duration = "30s"
 }
 #---------------------------------------------------------------------------------------------
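Review bot: `time_sleep.wait_for_apply_google_permissions` waits only on the two `browser` role bindings and not on `google_service_account_iam_member.custom_onboarding_auth`, so the 30-second settle window does not cover the `roles/iam.workloadIdentityUser` binding the backend actually needs to impersonate the service account; Terraform creates the sleep and that binding in parallel, and the consumer that depends on both can fire the instant the binding returns, before it has propagated. Add it to the list: `depends_on = [google_organization_iam_member.browser, google_project_iam_member.browser, google_service_account_iam_member.custom_onboarding_auth]`. `google_organization_iam_member.browser` is defined outside this diff; the bare reference works for `count` resources but silently breaks if either binding is later switched to `for_each`. The assumed-role ARN in `member` duplicates the expression in the pool provider's `attribute_condition`; computing it once in `locals` (a name such as `sysdig_aws_role_arn`, constructed here) keeps the condition and the binding from drifting apart. The comment above the sleep would read more precisely as `# give the IAM bindings time to propagate before the Sysdig backend first impersonates the service account`.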
@@ -60,15 +103,23 @@ resource "sysdig_secure_cloud_auth_account" "google_account" {
 version = "v0.1.0"
 service_principal_metadata = jsonencode({
 gcp = {
- key = google_service_account_key.onboarding_service_account_key.private_key
+ workload_identity_federation = {
+ pool_id = google_iam_workload_identity_pool.onboarding_auth_pool.workload_identity_pool_id
+ pool_provider_id = google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider.workload_identity_pool_provider_id
+ project_number = data.google_project.project.number
+ }
+ email = google_service_account.onboarding_auth.email
 }
 })
 }
 depends_on = [
 google_service_account.onboarding_auth,
+ google_iam_workload_identity_pool.onboarding_auth_pool,
+ google_iam_workload_identity_pool_provider.onboarding_auth_pool_provider,
 google_project_iam_member.browser,
- google_service_account_key.onboarding_service_account_key
+ google_service_account_iam_member.custom_onboarding_auth,
+ time_sleep.wait_for_apply_google_permissions
 ]
 lifecycle {
diff --git a/modules/onboarding/versions.tf b/modules/onboarding/versions.tf
index 807c866..83288c7 100644
--- a/modules/onboarding/versions.tf
+++ b/modules/onboarding/versions.tf
@@ -14,5 +14,9 @@ terraform {
 source = "hashicorp/random"
 version = ">= 3.1"
 }
+ time = {
+ source = "hashicorp/time"
+ version = "0.13.1"
+ }
 }
 }
\ No newline at end of file
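Review bot: Three entries in the extended `depends_on` — `google_service_account.onboarding_auth`, the pool and the pool provider — are already implicit dependencies because `service_principal_metadata` references their attributes, so listing them adds noise and hides the real purpose of the block. Trim it to the resources that are not referenced by value: `depends_on = [google_project_iam_member.browser, google_service_account_iam_member.custom_onboarding_auth, time_sleep.wait_for_apply_google_permissions]`, with a comment such as `# IAM bindings and the propagation wait are not referenced by value, so they must be ordered explicitly`. The `lifecycle` block that opens on the last context line continues outside this hunk; if it carries an `ignore_changes` written with the removed private key in mind, it should be revisited now that the payload holds only pool identifiers and the service account email.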
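Review bot: `version = "0.13.1"` pins `hashicorp/time` to an exact release while `hashicorp/random` in the same `required_providers` block uses `>= 3.1`; inside a child module an exact constraint is intersected with every other module's constraint in the root configuration, so any consumer that needs a different `time` release cannot plan at all. Use the same style as the existing entry, `version = ">= 0.13"`, and leave exact pinning to the root module's lock file.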