Allow onboarding at org level

README.md

@@ -7,12 +7,26 @@ Configures a log sink to send data to a pub/sub queue that
 :exclamation: Terraform state may contain sensitive information. Please follow best security practices when securing your state.
 
 ## Usage
+
+### Onboarding a GCP Organization with Expel Workbench
+When the `org_id` variable is set, this module will create the resources required to onboard all GKE clusters in an organization to Expel Workbench.
+```hcl
+module "expel_gcp_gke" {
+  source  = "expel-io/gke/gcp"
+  version = "1.0.1"
+
+  org_id = "my-gcp-project-id"
+}
+```
+
+### Onboarding a GCP Project with Expel Workbench
+When the `project_id` variable is set, this module will create the resources required to onboard all GKE clusters in a specific project to Expel Workbench.
 ```hcl
 module "expel_gcp_gke" {
-  source  = "expel-io/k8s-control-plane/gke"
-  version = "1.1.0"
+  source  = "expel-io/gke/gcp"
+  version = "1.0.1"
 
-  project = "my-gcp-project-id"
+  project_id = "my-gcp-project-id"
 }
 ```
 Once you have configured your GCP environment, go to
@@ -23,9 +37,8 @@ security device to enable Expel to begin monitoring your AWS environment.
 The permissions allocated by this module allow Expel Workbench to perform investigations and discover GKE clusters in the environment.
 
 ## Limitations
-1. Only supports onboarding a single GCP project, not an entire GCP organization.
-2. Will always create a new log sink
-3. Will always create a new pub/sub queue
+1. Will always create a new log sink
+2. Will always create a new pub/sub queue
 
 See Expel's Getting Started Guide for GKE for more onboarding information.
 
@@ -45,10 +58,12 @@ See Expel's Getting Started Guide for GKE for more onboarding information.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_project"></a> [project](#input\_project) | The project name to onboard with Expel Workbench. | `string` | n/a | yes |
+| <a name="input_expel_project_id"></a> [expel\_project\_id](#input\_expel\_project\_id) | When onboarding at the organization level, a new project will be created with this ID. | `string` | `"expel-gke-integration"` | no |
 | <a name="input_iam_role_name"></a> [iam\_role\_name](#input\_iam\_role\_name) | The name of the IAM role to be created for Expel | `string` | `"ExpelIntegrationKubernetesReader"` | no |
 | <a name="input_log_sink_filter"></a> [log\_sink\_filter](#input\_log\_sink\_filter) | The log sink filter that determines what logs are delivered to pub/sub and consumed by Expel. | `string` | `"(resource.type=gke_cluster OR resource.type=k8s_cluster)\n-proto_payload.method_name=\"io.k8s.core.v1.nodes.proxy.get\"\n-proto_payload.method_name=\"io.k8s.coordination.v1.leases.update\"\n-proto_payload.method_name=\"io.k8s.core.v1.limitranges.update\"\n-proto_payload.method_name=\"io.k8s.autoscaling\"\n"` | no |
+| <a name="input_org_id"></a> [org\_id](#input\_org\_id) | The organization ID to onboard with Expel Workbench. | `string` | `null` | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | A prefix to group all Expel integration resources. | `string` | `"expel-integration"` | no |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The project ID to onboard with Expel Workbench. | `string` | `null` | no |
 | <a name="input_pubsub_ack_deadline_seconds"></a> [pubsub\_ack\_deadline\_seconds](#input\_pubsub\_ack\_deadline\_seconds) | The number of seconds pub/sub will wait for a subscriber to acknowledge receiving a message before re-attempting delivery. | `number` | `600` | no |
 | <a name="input_service_account_name"></a> [service\_account\_name](#input\_service\_account\_name) | The name of the service account to be created for Expel. | `string` | `"gke-account"` | no |
 ## Outputs
@@ -61,8 +76,14 @@ See Expel's Getting Started Guide for GKE for more onboarding information.
 
 | Name | Type |
 |------|------|
+| [google_logging_organization_sink.expel_log_sink](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/logging_organization_sink) | resource |
 | [google_logging_project_sink.expel_log_sink](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/logging_project_sink) | resource |
+| [google_organization_iam_custom_role.expel_k8s_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_custom_role) | resource |
+| [google_organization_iam_member.expel_browser_role_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_member) | resource |
+| [google_organization_iam_member.expel_k8s_role_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_member) | resource |
+| [google_project.expel_gke_integration_project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project) | resource |
 | [google_project_iam_custom_role.expel_k8s_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_custom_role) | resource |
+| [google_project_iam_member.expel_browser_role_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.expel_k8s_role_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_pubsub_subscription.expel_pubsub_subscription](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription) | resource |
 | [google_pubsub_subscription_iam_member.expel_pubsub_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription_iam_member) | resource |

examples/basic/main.tf

@@ -1,4 +1,4 @@
-variable "project" {
+variable "project_id" {
   type = string
 }
 
@@ -14,7 +14,7 @@ module "expel_gcp_gke_integration" {
   source = "../../"
 
   # The project to onboard GKE logs for
-  project = var.project
+  project_id = var.project_id
   # A prefix applied to all created resources
   prefix = "expel-integration"
   # How long pub/sub waits for an acknowledgement

examples/basic/terraform.tfvars

@@ -1,2 +1,2 @@
 region     = "Set this to the region where you'd like resources to be created"
-project    = "Set this to the project you're onboarding with Expel"
+project_id    = "Set this to the project you're onboarding with Expel"

examples/org_level/README.md

@@ -0,0 +1,32 @@
+# Org Level
+
+This configuration sets up appropriate GCP resources that are necessary to integrate Expel Workbench with existing GKE clusters in an organization.
+
+This `Org Level` example describes how to onboard all GKE clusters in a GCP organization.
+
+## Usage
+
+
+To run this example you need to execute:
+
+```bash
+terraform init
+terraform apply -var-file="terraform.tfvars"
+```
+
+Note that sensitive values such as the generated service account key are not printed to standard out by default, however they are persisted to the statefile. Please ensure the statefile and it's stored secrets are secured.
+
+ To view the service account key created, run:
+
+```bash
+terraform output -json
+```
+
+Note that this example may create resources which cost money (pub/sub queue, for example). Run `terraform destroy` when you don't need these resources.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 1.1.0 |
+| google | ~> 4.10.0 |

examples/org_level/main.tf

@@ -0,0 +1,35 @@
+variable "org_id" {
+  type = string
+}
+
+variable "region" {
+  type = string
+}
+
+provider "google" {
+  region = var.region
+}
+
+module "expel_gcp_gke_integration" {
+  source = "../../"
+
+  # The organization to onboard GKE logs for
+  org_id = var.org_id
+  # A prefix applied to all created resources
+  prefix = "expel-integration"
+  # How long pub/sub waits for an acknowledgement
+  pubsub_ack_deadline_seconds = 600
+  # Filter that determines what logs Expel collects
+  log_sink_filter = <<EOT
+(resource.type=gke_cluster OR resource.type=k8s_cluster)
+-proto_payload.method_name="io.k8s.core.v1.nodes.proxy.get"
+-proto_payload.method_name="io.k8s.coordination.v1.leases.update"
+-proto_payload.method_name="io.k8s.core.v1.limitranges.update"
+-proto_payload.method_name="io.k8s.autoscaling"
+EOT
+}
+
+output "expel_gcp_gke_integration" {
+  value     = module.expel_gcp_gke_integration
+  sensitive = true
+}

examples/org_level/terraform.tfvars

@@ -0,0 +1,2 @@
+region     = "Set this to the region where you'd like resources to be created"
+org_id     = "Set this to the organization you're onboarding with Expel"