feat: Add single-project deployment in K8s (#63)

* feat: Add single-project deployment in K8s

* chore(test): refactor tf backend usage (#62)

* Update CONTRIBUTE.md

* chore(doc): add Q3 troubleshooting

* chore(doc): Q3

* fix: Update build

Co-authored-by: iru <[email protected]>
Co-authored-by: Néstor Salceda <[email protected]>

Author: 3 people

README.md

@@ -126,6 +126,7 @@ Notice that:
   ```
   error starting scan runner for image ****: rpc error: code = PermissionDenied desc = Cloud Build API has not been used in project *** before or it is disabled.
   Enable it by visiting https://console.developers.google.com/apis/api/cloudbuild.googleapis.com/overview?project=*** then retry.
+
   If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry
   ```
   A3: Do as the error says and activate CloudBuild API. Check the list of all the required APIs that need to be activated per feature module.

examples/single-project-k8s/README.md

@@ -0,0 +1,99 @@
+# Sysdig Secure for Cloud in GCP :: Single-Account on Kubernetes Cluster
+
+Deploy Sysdig Secure for Cloud in a provided existing Kubernetes Cluster.
+
+- Sysdig **Helm** charts will be used to deploy the secure-for-cloud stack:
+    - [Cloud-Connector Chart](https://charts.sysdig.com/charts/cloud-connector/)
+    - Because these charts require specific GCP credentials to be passed by parameter, a new service account + key will
+      be created within the project. See [`credentials.tf`](./credentials.tf)
+- Used architecture is similar to [single-project](../single-project) but changing Cloud Run <---> with an existing K8s
+
+All the required resources and workloads will be run under the same GCP project.
+
+## Prerequisites
+
+Minimum requirements:
+
+1. `gcloud` credentials configuration
+2. A Kubernetes cluster configured within your `~/.kube/config`
+3. Secure requirements, as input variable value
+    ```
+    sysdig_secure_api_token=<SECURE_API_TOKEN>
+    ```
+
+## Usage
+
+For quick testing, use this snippet on your terraform files
+
+```terraform
+module "secure_for_cloud_gcp_single_project_k8s" {
+  source = "sysdiglabs/secure-for-cloud/google//examples/single-project-k8s"
+
+  project_id              = "your-project-id"
+  sysdig_secure_api_token = "00000000-1111-2222-3333-444444444444"
+}
+```
+
+See [inputs summary](#inputs) or module module [`variables.tf`](./variables.tf) file for more optional configuration.
+
+Notice that:
+
+* This example will create resources that **cost money**. Run `terraform destroy` when you don't need them anymore.
+* All created resources will be created within the tags `product:sysdig-secure-for-cloud`.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | >= 3.67.0 |
+| <a name="requirement_helm"></a> [helm](#requirement\_helm) | >=2.3.0 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.19 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | >= 3.67.0 |
+| <a name="provider_helm"></a> [helm](#provider\_helm) | >=2.3.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_connector_project_sink"></a> [connector\_project\_sink](#module\_connector\_project\_sink) | ../../modules/infrastructure/project_sink |  |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [google_pubsub_subscription.subscription](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription) | resource |
+| [google_pubsub_subscription_iam_member.pull](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription_iam_member) | resource |
+| [google_service_account.connector_sa](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_service_account_key.connector_sa_key](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) | resource |
+| [helm_release.cloud_connector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | Project ID where the secure-for-cloud workload is going to be deployed | `string` | n/a | yes |
+| <a name="input_sysdig_secure_api_token"></a> [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig's Secure API Token | `string` | n/a | yes |
+| <a name="input_cloud_connector_image"></a> [cloud\_connector\_image](#input\_cloud\_connector\_image) | Cloud-connector image to deploy | `string` | `"quay.io/sysdig/cloud-connector"` | no |
+| <a name="input_location"></a> [location](#input\_location) | Zone where the stack will be deployed | `string` | `"us-central1"` | no |
+| <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
+| <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Authors
+
+Module is maintained and supported by [Sysdig](https://sysdig.com).
+
+## License
+
+Apache 2 Licensed. See LICENSE for full details.

examples/single-project-k8s/cloud-connector.tf

@@ -0,0 +1,75 @@
+module "connector_project_sink" {
+  source = "../../modules/infrastructure/project_sink"
+  name   = "${var.name}-cloudconnector"
+
+  filter = local.connector_filter
+}
+
+resource "google_pubsub_subscription" "subscription" {
+  name  = var.name
+  topic = module.connector_project_sink.pubsub_topic_name
+
+  labels = {
+    product = "sysdig-secure-for-cloud"
+  }
+
+  # 20 minutes
+  message_retention_duration = "1200s"
+  retain_acked_messages      = false
+
+  ack_deadline_seconds = 20
+
+  expiration_policy {
+    ttl = "300000.5s"
+  }
+  retry_policy {
+    minimum_backoff = "10s"
+  }
+
+  enable_message_ordering = false
+}
+
+resource "helm_release" "cloud_connector" {
+  name = "cloud-connector"
+
+  repository = "https://charts.sysdig.com"
+  chart      = "cloud-connector"
+
+  create_namespace = true
+  namespace        = var.name
+  atomic           = true
+  timeout          = 60
+
+  set_sensitive {
+    name  = "sysdig.secureAPIToken"
+    value = var.sysdig_secure_api_token
+  }
+
+  set {
+    name  = "sysdig.url"
+    value = var.sysdig_secure_endpoint
+  }
+
+  set {
+    name  = "sysdig.verifySSL"
+    value = local.verify_ssl
+  }
+
+  set {
+    name  = "image.repository"
+    value = var.cloud_connector_image
+  }
+
+  values = [
+    <<EOF
+rules: []
+ingestors:
+- gcp-auditlog-pubsub:
+    project: ${var.project_id}
+    subscription: ${google_pubsub_subscription.subscription.name}
+notifiers: []
+gcpCredentials: |
+  ${jsonencode(jsondecode(base64decode(google_service_account_key.connector_sa_key.private_key)))}
+EOF
+  ]
+}

examples/single-project-k8s/credentials.tf

@@ -0,0 +1,14 @@
+resource "google_service_account" "connector_sa" {
+  account_id   = "${var.name}-cloudconnector"
+  display_name = "Service account for cloud-connector"
+}
+
+resource "google_service_account_key" "connector_sa_key" {
+  service_account_id = google_service_account.connector_sa.name
+}
+
+resource "google_pubsub_subscription_iam_member" "pull" {
+  subscription = google_pubsub_subscription.subscription.name
+  role         = "roles/pubsub.subscriber"
+  member       = "serviceAccount:${google_service_account.connector_sa.email}"
+}

examples/single-project-k8s/main.tf

@@ -0,0 +1,18 @@
+locals {
+  verify_ssl       = length(regexall("^https://.*?\\.sysdig.com/?", var.sysdig_secure_endpoint)) != 0
+  connector_filter = <<EOT
+  logName=~"^projects/${var.project_id}/logs/cloudaudit.googleapis.com" AND -resource.type="k8s_cluster"
+EOT
+}
+
+provider "google" {
+  project = var.project_id
+  region  = var.location
+}
+
+# TODO review ways to pass content as input var
+provider "helm" {
+  kubernetes {
+    config_path = "~/.kube/config"
+  }
+}

examples/single-project-k8s/outputs.tf

@@ -0,0 +1,42 @@
+# Mandatory vars
+variable "sysdig_secure_api_token" {
+  type        = string
+  description = "Sysdig's Secure API Token"
+}
+
+variable "project_id" {
+  type        = string
+  description = "Project ID where the secure-for-cloud workload is going to be deployed"
+}
+
+# --------------------------
+# optionals, with defaults
+# --------------------------
+variable "location" {
+  type        = string
+  default     = "us-central1"
+  description = "Zone where the stack will be deployed"
+}
+
+variable "sysdig_secure_endpoint" {
+  type        = string
+  default     = "https://secure.sysdig.com"
+  description = "Sysdig Secure API endpoint"
+}
+
+variable "name" {
+  type        = string
+  description = "Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances"
+  default     = "sfc"
+
+  validation {
+    condition     = can(regex("^[a-z0-9]+$", var.name))
+    error_message = "ERROR: Invalid name. must contain only lowercase letters (a-z) and numbers (0-9)."
+  }
+}
+
+variable "cloud_connector_image" {
+  type        = string
+  description = "Cloud-connector image to deploy"
+  default     = "quay.io/sysdig/cloud-connector"
+}

examples/single-project-k8s/variables.tf

@@ -0,0 +1,17 @@
+terraform {
+  required_version = ">= 0.15.0"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 3.67.0"
+    }
+    sysdig = {
+      source  = "sysdiglabs/sysdig"
+      version = ">= 0.5.19"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = ">=2.3.0"
+    }
+  }
+}

examples/single-project-k8s/versions.tf

@@ -38,6 +38,7 @@ No modules.
 | Name | Description |
 |------|-------------|
 | <a name="output_pubsub_topic_id"></a> [pubsub\_topic\_id](#output\_pubsub\_topic\_id) | Cloud Connector PubSub single account topic id |
+| <a name="output_pubsub_topic_name"></a> [pubsub\_topic\_name](#output\_pubsub\_topic\_name) | Cloud Connector PubSub single account topic name |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ## Authors

modules/infrastructure/project_sink/README.md

@@ -2,3 +2,8 @@ output "pubsub_topic_id" {
   value       = google_pubsub_topic.topic.id
   description = "Cloud Connector PubSub single account topic id"
 }
+
+output "pubsub_topic_name" {
+  value       = google_pubsub_topic.topic.name
+  description = "Cloud Connector PubSub single account topic name"
+}