test(vm, cloud-scan): single-project use-case (#18)

.github/workflows/ci-pull-request.yaml

@@ -40,6 +40,7 @@ jobs:
           - "secure_config_posture_identity_access/organization/main.tf"
           - "secure_threat_detection/single/main.tf"
           - "secure_threat_detection/organization/main.tf"
+          - "agentless-scan/single/main.tf"
           - "agentless-scan/organization/main.tf"
     steps:
     - name: Set up Go

.pre-commit-config.yaml

@@ -0,0 +1,32 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+      - id: check-merge-conflict
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+
+
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.86.0
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_docs
+        args:
+          - '--args=--sort-by required'
+      - id: terraform_tflint
+        args:
+          - '--args=--only=terraform_deprecated_interpolation'
+          - '--args=--only=terraform_deprecated_index'
+          - '--args=--only=terraform_unused_declarations'
+          - '--args=--only=terraform_comment_syntax'
+          - '--args=--only=terraform_documented_outputs'
+          - '--args=--only=terraform_documented_variables'
+          - '--args=--only=terraform_typed_variables'
+          - '--args=--only=terraform_module_pinned_source'
+          - '--args=--only=terraform_naming_convention'
+          - '--args=--only=terraform_required_version'
+          - '--args=--only=terraform_required_providers'
+          - '--args=--only=terraform_standard_module_structure'
+          - '--args=--only=terraform_workspace_remote'
+      - id: terrascan

modules/services/agentless-scan/README.md

@@ -7,9 +7,9 @@ This module will deploy required resources for Sysdig to be able to scan hosts o
 
 
 The following resources will be created on each instrumented project:
-- For the **Resource Discovery**: Enable Sysdig to authenticate through a Workload Identity Pool (requires provider, 
+- For the **Resource Discovery**: Enable Sysdig to authenticate through a Workload Identity Pool (requires provider,
   service account, role, and related bindings)  in order to be able to discover the VPC/Instance/Volumes
-- For the **Host Data Extraction**: Enable Sysdig to create a disk copy on our SaaS platform, to be able to extract 
+- For the **Host Data Extraction**: Enable Sysdig to create a disk copy on our SaaS platform, to be able to extract
   the data required for security assessment.
 
 
@@ -103,4 +103,4 @@ Module is maintained by [Sysdig](https://sysdig.com).
 
 ## License
 
-Apache 2 Licensed. See LICENSE for full details.
+Apache 2 Licensed. See LICENSE for full details.

modules/services/agentless-scan/controller_org.tf

@@ -15,4 +15,4 @@ resource "google_organization_iam_binding" "controller_custom" {
   members = [
     "serviceAccount:${google_service_account.controller.email}",
   ]
-}
+}

modules/services/agentless-scan/controller_single.tf

@@ -15,4 +15,4 @@ resource "google_project_iam_binding" "controller_custom" {
   members = [
     "serviceAccount:${google_service_account.controller.email}",
   ]
-}
+}

modules/services/agentless-scan/data.tf

@@ -5,4 +5,4 @@ data "google_project" "project" {
 data "google_organization" "org" {
   count  = local.is_organizational ? 1 : 0
   domain = var.organization_domain
-}
+}

modules/services/agentless-scan/locals.tf

@@ -30,4 +30,4 @@ locals {
 resource "random_id" "suffix" {
   count       = var.suffix == null ? 1 : 0
   byte_length = 3
-}
+}

modules/services/agentless-scan/outputs.tf

@@ -1,13 +1,17 @@
 output "project_id" {
-  value = var.project_id
+  value       = var.project_id
+  description = "Target project_id"
 }
 
 output "project_number" {
-  value = data.google_project.project.number
+  value       = data.google_project.project.number
+  description = "Target project_number"
 }
 
 output "controller_service_account" {
   value = google_service_account.controller.email
+
+  description = "Service Account (email) for Sysdig host Discovery to use"
 }
 
 output "workload_identity_pool_provider" {
@@ -16,6 +20,8 @@ output "workload_identity_pool_provider" {
     condition     = (var.sysdig_backend != null && var.sysdig_account_id == null) || (var.sysdig_backend == null && var.sysdig_account_id != null)
     error_message = "Cannot provide both sysdig_backend or sysdig_account_id"
   }
+
+  description = "Workload Identity Pool Provider URL for Sysdig host Discovery to use"
 }
 
 output "json_payload" {
@@ -29,4 +35,6 @@ output "json_payload" {
     condition     = (var.sysdig_backend != null && var.sysdig_account_id == null) || (var.sysdig_backend == null && var.sysdig_account_id != null)
     error_message = "Cannot provide both sysdig_backend or sysdig_account_id"
   }
+
+  description = "Deprecated. JSON Payload to internally provision customer on Sysdig VM Host scan on Sysdig"
 }

modules/services/agentless-scan/provider.tf

@@ -11,4 +11,4 @@ terraform {
       version = ">= 3.1, < 4.0"
     }
   }
-}
+}

modules/services/agentless-scan/variables.tf

@@ -9,6 +9,7 @@ variable "worker_identity" {
   description = "Sysdig provided Identity for the Service Account in charge of performing the host disk analysis"
 }
 
+# mandatory; one of  `sysdig_backend` or `sysdig_account_id`
 variable "sysdig_backend" {
   type        = string
   description = "Sysdig provided AWS Account designated for the host scan.<br/>One of `sysdig_backend` or `sysdig_account_id`must be provided"
@@ -29,6 +30,7 @@ variable "role_name" {
 }
 
 
+
 variable "suffix" {
   type        = string
   description = "Optional. Suffix word to enable multiple deployments with different naming<br/>(Workload Identity Pool and Providers have a soft deletion on Google Platform that will disallow name re-utilization)<br/>By default a random value will be autogenerated."

test/examples/agentless-scan/README

@@ -3,4 +3,4 @@ note;
 
 - we test the cloud-scan module together with its dependencies on the minimal use-case
     - cspm; for discovery + organizational setup (`secure-onboarding` component)
-    - sysdig provider `sysdig_secure_cloud_auth_account`; for authentication
+    - sysdig provider `sysdig_secure_cloud_auth_account`; for authentication

test/examples/agentless-scan/organization/deps_scanning_org.tf

@@ -1,9 +1,9 @@
 # this is required for organizational setup (+cloud-host vm)
 
-module "organization-posture" {
+module "organization_posture" {
   source               = "sysdiglabs/secure/google//modules/services/service-principal"
   project_id           = "org-child-project-1"
   service_account_name = "sysdig-secure-igm6"
   is_organizational    = true
   organization_domain  = "draios.com"
-}
+}

test/examples/agentless-scan/organization/main.tf

@@ -1,5 +1,5 @@
-provider "google"{
-  project="mytestproject"
+provider "google" {
+  project = "mytestproject"
 }
 
 
@@ -9,6 +9,6 @@ module "cloud_host" {
   sysdig_account_id = "012345678"
   worker_identity   = "foo@bar.com"
 
-  is_organizational = true
+  is_organizational   = true
   organization_domain = "myorg.com"
-}
+}

test/examples/agentless-scan/organization/sysdig_provider.tf

@@ -21,7 +21,7 @@ resource "sysdig_secure_cloud_auth_account" "gcp_project" {
     instance = "secure-onboarding"
     service_principal_metadata = jsonencode({
       gcp = {
-        key = module.organization-posture.service_account_key
+        key = module.organization_posture.service_account_key
       }
     })
   }
@@ -40,10 +40,10 @@ resource "sysdig_secure_cloud_auth_account" "gcp_project" {
     })
   }
 
-  depends_on = [module.cloud_host, module.organization-posture]
+  depends_on = [module.cloud_host, module.organization_posture]
 }
 
 resource "sysdig_secure_organization" "gcp_organization_myproject" {
   management_account_id = sysdig_secure_cloud_auth_account.gcp_project.id
-  depends_on = [module.organization-posture]
-}
+  depends_on            = [module.organization_posture]
+}

test/examples/agentless-scan/single/main.tf

@@ -0,0 +1,11 @@
+provider "google" {
+  project = "mytestproject"
+  region  = "us-west1"
+}
+
+module "agentless_scan" {
+  source            = "../../../..//modules/services/agentless-scan"
+  project_id        = "mytestproject"
+  sysdig_account_id = "012345678"
+  worker_identity   = "foo@bar.com"
+}

test/examples/agentless-scan/single/provider.tf

@@ -0,0 +1,18 @@
+terraform {
+  required_version = ">=1.0"
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 4.1, < 5.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.1, < 4.0"
+    }
+    sysdig = {
+      source  = "sysdiglabs/sysdig"
+      version = ">= 1.23.1"
+    }
+  }
+}

test/examples/agentless-scan/single/sysdig_provider.tf

@@ -0,0 +1,31 @@
+provider "sysdig" {
+  sysdig_secure_url       = "https://secure-staging.sysdig.com"
+  sysdig_secure_api_token = "12124235"
+}
+
+resource "sysdig_secure_cloud_auth_account" "gcp_project" {
+  enabled       = true
+  provider_id   = "mytestproject"
+  provider_type = "PROVIDER_GCP"
+
+  feature {
+    secure_agentless_scanning {
+      enabled    = true
+      components = ["COMPONENT_SERVICE_PRINCIPAL/secure-scanning"]
+    }
+  }
+
+  component {
+    type     = "COMPONENT_SERVICE_PRINCIPAL"
+    instance = "secure-scanning"
+    service_principal_metadata = jsonencode({
+      gcp = {
+        workload_identity_federation = {
+          pool_provider_id = module.agentless_scan.workload_identity_pool_provider
+        }
+        email = module.agentless_scan.controller_service_account
+      }
+    })
+  }
+  depends_on = [module.agentless_scan]
+}