diff --git a/examples/organization/.generate-providers.sh b/examples/organization/.generate-providers.sh index 36a163a..3511c71 100755 --- a/examples/organization/.generate-providers.sh +++ b/examples/organization/.generate-providers.sh @@ -1,4 +1,5 @@ #!/usr/bin/env bash +go install github.com/hashicorp/terraform-config-inspect@latest terraform-config-inspect --json ./examples/organization | jq -r ' [.required_providers[].aliases] | flatten diff --git a/examples/organization/README.md b/examples/organization/README.md index 2fe0de6..d9d75dc 100644 --- a/examples/organization/README.md +++ b/examples/organization/README.md @@ -48,7 +48,7 @@ For quick testing, use this snippet on your terraform files and provide followin - `ORG_DOMAIN` GCP organization identification - `PROJECT_ID` GCP project where workload will be deployed - `REGION_ID` for the workload to be deployed - + ```terraform terraform { @@ -87,7 +87,7 @@ module "secure-for-cloud_example_organization" { google-beta.multiproject = google-beta.multiproject } - source = "sysdiglabs/secure-for-cloud/google//examples/organization" + source = "sysdiglabs/secure-for-cloud/google//examples/organization" organization_domain = "" } ``` @@ -106,8 +106,8 @@ module "secure-for-cloud_example_organization" { | Name | Version | |------|---------| -| [google](#provider\_google) | 4.24.0 | -| [sysdig](#provider\_sysdig) | 0.5.37 | +| [google](#provider\_google) | 4.30.0 | +| [sysdig](#provider\_sysdig) | 0.5.39 | ## Modules diff --git a/examples/single-project-k8s/README.md b/examples/single-project-k8s/README.md index 9c5920c..c520edb 100644 --- a/examples/single-project-k8s/README.md +++ b/examples/single-project-k8s/README.md 
@@ -81,9 +81,9 @@ See [inputs summary](#inputs) or module module [`variables.tf`](./variables.tf) | Name | Version | |------|---------| -| [google](#provider\_google) | 4.24.0 | -| [helm](#provider\_helm) | 2.5.1 | -| [sysdig](#provider\_sysdig) | 0.5.37 | +| [google](#provider\_google) | 4.30.0 | +| [helm](#provider\_helm) | 2.6.0 | +| [sysdig](#provider\_sysdig) | 0.5.39 | ## Modules diff --git a/examples/single-project/README.md b/examples/single-project/README.md index 19af878..e1c1ab4 100644 --- a/examples/single-project/README.md +++ b/examples/single-project/README.md @@ -82,8 +82,8 @@ module "secure-for-cloud_example_single-project" { | Name | Version | |------|---------| -| [google](#provider\_google) | 4.24.0 | -| [sysdig](#provider\_sysdig) | 0.5.37 | +| [google](#provider\_google) | 4.30.0 | +| [sysdig](#provider\_sysdig) | 0.5.39 | ## Modules diff --git a/examples/trigger-events/README.md b/examples/trigger-events/README.md index 97ae8e2..6b81f0b 100644 --- a/examples/trigger-events/README.md +++ b/examples/trigger-events/README.md @@ -38,7 +38,7 @@ module "secure-for-cloud_trigger_events" { | Name | Version | |------|---------| -| [google](#provider\_google) | 4.24.0 | +| [google](#provider\_google) | 4.30.0 | ## Modules diff --git a/modules/infrastructure/organization_sink/README.md b/modules/infrastructure/organization_sink/README.md index 61ac34c..fe3fe65 100644 --- a/modules/infrastructure/organization_sink/README.md +++ b/modules/infrastructure/organization_sink/README.md @@ -12,7 +12,7 @@ | Name | Version | |------|---------| -| [google](#provider\_google) | 4.24.0 | +| [google](#provider\_google) | 4.30.0 | ## Modules diff --git a/modules/infrastructure/project_sink/README.md b/modules/infrastructure/project_sink/README.md index 90ec5d9..b289c2b 100644 --- a/modules/infrastructure/project_sink/README.md +++ b/modules/infrastructure/project_sink/README.md 
@@ -12,7 +12,7 @@ | Name | Version | |------|---------| -| [google](#provider\_google) | 4.24.0 | +| [google](#provider\_google) | 4.30.0 | ## Modules diff --git a/modules/infrastructure/pubsub_subscription/README.md b/modules/infrastructure/pubsub_subscription/README.md index e7b626a..eef0bd1 100644 --- a/modules/infrastructure/pubsub_subscription/README.md +++ b/modules/infrastructure/pubsub_subscription/README.md @@ -15,7 +15,7 @@ already exists in the project. It will create the topic if it doesn't exist. | Name | Version | |------|---------| -| [google](#provider\_google) | 4.24.0 | +| [google](#provider\_google) | 4.30.0 | ## Modules diff --git a/modules/infrastructure/secrets/README.md b/modules/infrastructure/secrets/README.md index 6160f90..62cfcec 100644 --- a/modules/infrastructure/secrets/README.md +++ b/modules/infrastructure/secrets/README.md @@ -12,7 +12,7 @@ | Name | Version | |------|---------| -| [google](#provider\_google) | 4.24.0 | +| [google](#provider\_google) | 4.30.0 | ## Modules diff --git a/modules/services/cloud-connector/README.md b/modules/services/cloud-connector/README.md index 1a704c5..a0905de 100644 --- a/modules/services/cloud-connector/README.md +++ b/modules/services/cloud-connector/README.md @@ -32,7 +32,7 @@ module "cloud_connector_gcp" { | Name | Version | |------|---------| -| [google](#provider\_google) | 4.24.0 | +| [google](#provider\_google) | 4.30.0 | ## Modules diff --git a/use-cases/org-k8s-threat-compliance.md b/use-cases/org-k8s-threat-compliance.md index 36a29d0..da21572 100644 --- a/use-cases/org-k8s-threat-compliance.md +++ b/use-cases/org-k8s-threat-compliance.md 
@@ -104,16 +104,16 @@ Check that deployment logs throw no errors and can go to [confirm services are w 1. **Register Customer Organization Projects** on Sysdig - For each project you want to provision for the Compliance feature, we need to register them on Sysdig Secure - - For Sysdig Secure backend API communication [Howto use development tools](https://docs.sysdig.com/en/docs/developer-tools/). Also we have this [AWS provisioning script](https://github.com/sysdiglabs/aws-templates-secure-for-cloud/blob/main/utils/sysdig_cloud_compliance_provisioning.sh) as reference, but we will explain it here too. + - For Sysdig Secure backend API communication [How to use development tools](https://docs.sysdig.com/en/docs/developer-tools/). Also we have this [AWS provisioning script](https://github.com/sysdiglabs/aws-templates-secure-for-cloud/blob/main/utils/sysdig_cloud_compliance_provisioning.sh) as reference, but we will explain it here too. ```shell - curl "https:///api/cloud/v2/accounts?includeExternalID=true\&upsert=true" \ + curl "https:///api/cloud/v2/accounts?upsert=true" \ --header "Authorization: Bearer " \ -X POST \ -H 'Accept: application/json' \ -H 'Content-Type: application/json' \ -d '{ - "accountId": "", - "alias": "", + "accountId": "", + "alias": "", "provider": "gcp", "roleAvailable": true, "roleName": "sysdigcloudbench" 
@@ -167,9 +167,9 @@ Check that deployment logs throw no errors and can go to [confirm services are w ### Compliance - Customer's Side -We'll need, **for each project** (`GCP_PROJECT_ID`) +We'll need, **for each project** (`GCP_PROJECT_NUMBER`) -- A **Service Account** (SA) with `IAM Workload Identity Federation` on Sysdigs AWS Cloud infrastructure, to be able to assess your infrastructure Compliance +- A **Service Account** (SA) with `IAM Workload Identity Federation` that provides access to Sysdig's AWS Cloud infrastructure, to be able to assess your infrastructure Compliance - currently, federation is only available through AWS, but we will enable other clouds in the near-future - **Permissions** set to the SA to be able to read customer's infrastructure @@ -181,6 +181,7 @@ We'll need, **for each project** (`GCP_PROJECT_ID`) - `bigquery.tables.list` - this is required to add some more permissions that are not available in GCP builtin viewer role 2. Create a **Service Account** with the name 'sysdigcloudbench' + - This role must match the `roleName` set when the project was registered with Sydig in step 1 of Compliance - Sysdig Side - Give it GCP builtin `roles/viewer` **Viewer Role** - And previously created Custom Role 
@@ -198,13 +199,8 @@ We'll need, **for each project** (`GCP_PROJECT_ID`) 4. In the previously created 'sysdigcloudbench' SA, we need to create a **Service Account Pool Binding** - Set Pool Binding the role `roles/iam.workloadIdentityUser` - For the members value, we will add the following - > principalSet://iam.googleapis.com/projects//locations/global/workloadIdentityPools//attribute.aws_role/arn:aws:sts:::assumed-role// + > principalSet://iam.googleapis.com/projects//locations/global/workloadIdentityPools//attribute.aws_role/arn:aws:sts:::assumed-role// -5. You can check the communication between Sysdig and your infrastructure by querying this API endpoint for each of the projects you have registered: - ```shell - curl -v https:///api/cloud/v2/accounts//validateRole \ - --header 'Authorization: Bearer ' - ``` ## Confirm services are working - [Official Docs Check Guide](https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/deploy-sysdig-secure-for-cloud-on-gcp/#confirm-the-services-are-working)
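Review bot: the added `go install github.com/hashicorp/terraform-config-inspect@latest` in `examples/organization/.generate-providers.sh` pins nothing, so every run fetches whatever the module's latest tag is at that moment and the generated provider tables are not reproducible between contributors (and a compromised or broken upstream release lands on the next run); pin a verified tag (`@vX.Y.Z` as a placeholder for the version the team has checked) and install only when the binary is missing, e.g. `command -v terraform-config-inspect >/dev/null || go install github.com/hashicorp/terraform-config-inspect@vX.Y.Z`. The line also assumes `$GOPATH/bin` (or `$GOBIN`) is on `PATH` for the `terraform-config-inspect --json` call that follows, which deserves a comment or an explicit path.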
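Review bot: the `@@ -87` hunk in `examples/organization/README.md` (re-aligning `source = "sysdiglabs/secure-for-cloud/google//examples/organization"`) and the `@@ -48` hunk just before it are whitespace-only; that is fine, but say so in the commit message so a reviewer of a version-bump change does not search these hunks for a content difference.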
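Review bot: the provider table bump to `google` 4.30.0 and `sysdig` 0.5.39 in `examples/organization/README.md` (`@@ -106`), repeated in the six other README hunks, comes with no change to any `required_providers` block, `versions.tf` or `.terraform.lock.hcl` in this diff, so it is not clear whether the tables were regenerated from updated constraints or edited by hand; if they come from `.generate-providers.sh`, state that in the commit message and include the constraint change that drove them, and confirm that `terraform init -upgrade` and a plan were run against 4.30.0 (and `helm` 2.6.0 for `examples/single-project-k8s`) before documenting them as the tested versions.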
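Review bot: dropping `includeExternalID=true` from the `/api/cloud/v2/accounts?upsert=true` URL in `use-cases/org-k8s-threat-compliance.md` (`@@ -104`) changes what the registration call returns, not just the wording, so the commit message should say whether the external ID is no longer used by the GCP flow; as a side effect the change also removes the `\&` that sat inside double quotes and would have sent a literal backslash to the API, which is worth recording as a fix in its own right. The placeholders in the same snippet render as empty strings here (`"accountId": ""`, `"alias": ""`, `Authorization: Bearer `), so angle-bracket placeholders are being swallowed by the renderer; use visible tokens such as `GCP_PROJECT_NUMBER` and `SYSDIG_API_TOKEN` in backticks or as `${VAR}` so the reader knows what to substitute.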
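Review bot: renaming the per-project value from `GCP_PROJECT_ID` to `GCP_PROJECT_NUMBER` (`@@ -167`) is a semantic change, not a rename: a project ID such as `my-project` and the numeric project number are different identifiers, and the `principalSet://iam.googleapis.com/projects/.../locations/global/workloadIdentityPools/...` member form used in step 4 takes the project number. Add one sentence telling the reader where to obtain it (`gcloud projects describe PROJECT_ID --format='value(projectNumber)'`) and describe the `accountId` sent in the step 1 registration call with the same name, so both steps visibly use the same value.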
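Review bot: the added line `- This role must match the \`roleName\` set when the project was registered with Sydig in step 1 of Compliance - Sysdig Side` (`@@ -181`) has a typo (`Sydig`) and calls the Service Account a role; what is being created is the SA named `sysdigcloudbench`, and it is that name which must equal the `"roleName": "sysdigcloudbench"` value sent in the registration body. Suggested wording: `- The SA name must match the \`roleName\` value (\`sysdigcloudbench\`) sent when the project was registered with Sysdig in step 1 of Compliance - Sysdig Side`.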
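Review bot: this hunk (`@@ -198`) deletes step 5, the `curl -v https://.../api/cloud/v2/accounts/<account-id>/validateRole` check, without a replacement, which leaves the reader no way to confirm that the `roles/iam.workloadIdentityUser` pool binding from step 4 actually lets Sysdig assume the SA before moving on; if the endpoint was removed or never worked for GCP, say so in the commit message, otherwise keep a verification step (the same call with visible placeholders for host, token and account ID), since the `## Confirm services are working` link that follows covers service health rather than the federation binding. The `-`/`+` pair on the `principalSet://...` member line also reads identically here, so the real change is in placeholders the renderer swallowed; as with the curl snippet, use visible placeholder tokens for the project number, pool ID, AWS account and role name so the member string can be copied correctly.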