Merged
5 changes: 3 additions & 2 deletions README.md
@@ -59,6 +59,7 @@ Besides, the following GCP **APIs must be enabled** to deploy resources correctl
* [IAM Service Account Credentials API](https://console.cloud.google.com/marketplace/product/google/iamcredentials.googleapis.com)
* [Cloud Resource Manager API](https://console.cloud.google.com/marketplace/product/google/cloudresourcemanager.googleapis.com)
* [Security Token Service API](https://console.cloud.google.com/marketplace/product/google/sts.googleapis.com)
* [Cloud Asset API](https://console.cloud.google.com/marketplace/product/google/cloudasset.googleapis.com)


## Usage
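Review bot: the new Cloud Asset API bullet turns the API into a manual prerequisite, but nothing in this diff enables `cloudasset.googleapis.com` from Terraform, and because creating a custom role that merely names `cloudasset.assets.*` permissions does not need the API, a project where it is still disabled will pass `terraform apply` and only fail later, when the benchmark actually calls Cloud Asset Inventory. If the module already enables the other APIs in this list through `google_project_service`, add this one alongside them; if all of them are intentionally left to the user, consider adding a line to the FAQ below saying that a disabled Cloud Asset API is a likely cause of missing benchmark results.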
@@ -114,8 +115,8 @@ A: On your GCP infrastructure, per-project where Comliance has been setup, check
1. there is a Workload Identity Pool and associated Workload Identity Pool Provider configured, which must have an ID of `sysdigcloud` (display name doesn't matter)
2. the pool should have a connected service account with the name `sfcsysdigcloudbench`, with the email `[email protected]`
3. this serviceaccount should allow access to the following format `principalset: principalSet://iam.googleapis.com/projects/<PROJECTID>/locations/global/workloadIdentityPools/sysdigcloud/attribute.aws_role/arn:aws:sts::***:assumed-role/***`
4. the serviceaccount should have the `viewer role` on the target project, as well as a custom role containing the "storage.buckets.getIamPolicy" and "bigquery.tables.list" permissions
5. the pool provider should allow access to Sysdig's trusted identity, retrieved through
4. the serviceaccount should have the `viewer role` on the target project, as well as a custom role containing the "storage.buckets.getIamPolicy", "bigquery.tables.list", "cloudasset.assets.listIamPolicy" and "cloudasset.assets.listResource" permissions
5. the pool provider should allow access to Sysdig's trusted identity, retrieved through
```
$ curl https://<SYSDIG_SECURE_URL>/api/cloud/v2/gcp/trustedIdentity \
--header 'Authorization: Bearer <SYSDIG_SECURE_API_TOKEN>'
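Review bot: step 4 is now the third hand-maintained copy of the custom role's permission list, alongside `modules/services/cloud-bench/trust_relationship/main.tf` and `use-cases/no-terraform-org-k8s-threat-compliance.md` in this same PR, which is exactly how the `storage.buckets.getIamPolicy` / `bigquery.tables.list` pair will drift the next time a permission is added; consider having this FAQ step point at the role definition instead of repeating it. While this section is being touched, the surrounding context carries typos worth fixing in the same change: "Comliance" in the hunk header, "serviceaccount" (twice) for "service account", and `viewer role` would be clearer as the role ID `roles/viewer`, which is what a reader will see when checking with `gcloud projects get-iam-policy`.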
2 changes: 1 addition & 1 deletion examples/organization/README.md
@@ -106,7 +106,7 @@ module "secure-for-cloud_example_organization" {

| Name | Version |
|------|---------|
| <a name="provider_google"></a> [google](#provider\_google) | 4.30.0 |
| <a name="provider_google"></a> [google](#provider\_google) | 4.31.0 |
| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 0.5.39 |

## Modules
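Review bot: the provider table bump from 4.30.0 to 4.31.0 is generated-table output (terraform-docs style anchors), yet no `versions.tf` constraint or `.terraform.lock.hcl` change appears among the files in this diff, so the examples' declared requirement is unchanged and the table only reflects whichever provider happened to be installed when the docs were regenerated. Either include the lock or constraint change that justifies 4.31.0, or leave the tables at 4.30.0 so the PR stays scoped to the new Cloud Asset permissions. The same bump is repeated in every other example and module README below; this comment covers all of them.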
2 changes: 1 addition & 1 deletion examples/single-project-k8s/README.md
@@ -81,7 +81,7 @@ See [inputs summary](#inputs) or module module [`variables.tf`](./variables.tf)

| Name | Version |
|------|---------|
| <a name="provider_google"></a> [google](#provider\_google) | 4.30.0 |
| <a name="provider_google"></a> [google](#provider\_google) | 4.31.0 |
| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.6.0 |
| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 0.5.39 |

2 changes: 1 addition & 1 deletion examples/single-project/README.md
@@ -82,7 +82,7 @@ module "secure-for-cloud_example_single-project" {

| Name | Version |
|------|---------|
| <a name="provider_google"></a> [google](#provider\_google) | 4.30.0 |
| <a name="provider_google"></a> [google](#provider\_google) | 4.31.0 |
| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 0.5.39 |

## Modules
2 changes: 1 addition & 1 deletion examples/trigger-events/README.md
@@ -38,7 +38,7 @@ module "secure-for-cloud_trigger_events" {

| Name | Version |
|------|---------|
| <a name="provider_google"></a> [google](#provider\_google) | 4.30.0 |
| <a name="provider_google"></a> [google](#provider\_google) | 4.31.0 |

## Modules

2 changes: 1 addition & 1 deletion modules/infrastructure/organization_sink/README.md
@@ -12,7 +12,7 @@

| Name | Version |
|------|---------|
| <a name="provider_google"></a> [google](#provider\_google) | 4.30.0 |
| <a name="provider_google"></a> [google](#provider\_google) | 4.31.0 |

## Modules

2 changes: 1 addition & 1 deletion modules/infrastructure/project_sink/README.md
@@ -12,7 +12,7 @@

| Name | Version |
|------|---------|
| <a name="provider_google"></a> [google](#provider\_google) | 4.30.0 |
| <a name="provider_google"></a> [google](#provider\_google) | 4.31.0 |

## Modules

2 changes: 1 addition & 1 deletion modules/infrastructure/pubsub_subscription/README.md
@@ -15,7 +15,7 @@ already exists in the project. It will create the topic if it doesn't exist.

| Name | Version |
|------|---------|
| <a name="provider_google"></a> [google](#provider\_google) | 4.30.0 |
| <a name="provider_google"></a> [google](#provider\_google) | 4.31.0 |

## Modules

2 changes: 1 addition & 1 deletion modules/infrastructure/secrets/README.md
@@ -12,7 +12,7 @@

| Name | Version |
|------|---------|
| <a name="provider_google"></a> [google](#provider\_google) | 4.30.0 |
| <a name="provider_google"></a> [google](#provider\_google) | 4.31.0 |

## Modules

2 changes: 1 addition & 1 deletion modules/services/cloud-bench/trust_relationship/main.tf
@@ -57,7 +57,7 @@ resource "google_project_iam_custom_role" "custom" {
role_id = var.role_name
title = "Sysdig Cloud Benchmark Role"
description = "A Role providing the required permissions for Sysdig Cloud Benchmarks that are not included in roles/viewer"
permissions = ["storage.buckets.getIamPolicy", "bigquery.tables.list"]
permissions = ["storage.buckets.getIamPolicy", "bigquery.tables.list", "cloudasset.assets.listIamPolicy", "cloudasset.assets.listResource"]
}

resource "google_service_account_iam_binding" "sa_pool_binding" {
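Review bot: the `description` still promises that this role only carries permissions "not included in roles/viewer"; before merging, confirm that holds for the two new `cloudasset.assets.*` entries (for instance `gcloud iam roles describe roles/viewer --format=json | grep cloudasset`) and drop any that the basic Viewer role already grants, otherwise the role over-states what it adds. `cloudasset.assets.listIamPolicy` lets the benchmark service account enumerate the IAM policy of every asset in the project; that is read-only and is what a CSPM scan needs, but it deserves an inline comment on the `permissions` line because it widens what a compromised Sysdig-side credential can read. The same list is also copied by hand into the README and the no-terraform use-case doc in this PR; a `locals` entry or a module output would give terraform-docs or a test something to keep them aligned with.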
2 changes: 1 addition & 1 deletion modules/services/cloud-connector/README.md
@@ -32,7 +32,7 @@ module "cloud_connector_gcp" {

| Name | Version |
|------|---------|
| <a name="provider_google"></a> [google](#provider\_google) | 4.30.0 |
| <a name="provider_google"></a> [google](#provider\_google) | 4.31.0 |

## Modules

2 changes: 2 additions & 0 deletions use-cases/no-terraform-org-k8s-threat-compliance.md
@@ -180,6 +180,8 @@ We'll need, **for each project** (`GCP_PROJECT_NUMBER`)
1. Create a **Custom Role** (ex.: 'Sysdig Cloud Benchmark Role') and assign to it following permissions
- `storage.buckets.getIamPolicy`
- `bigquery.tables.list`
- `cloudasset.assets.listIamPolicy`
- `cloudasset.assets.listResource`
- this is required to add some more permissions that are not available in GCP builtin viewer role
2. Create a **Service Account** with the name 'sysdigcloudbench'
- This role must match the `roleName` set when the project was registered with Sydig in step 1 of Compliance - Sysdig Side
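Review bot: the two new permission bullets match the `permissions` list in `trust_relationship/main.tf`, good; but the context bullet under step 2, "This role must match the `roleName` set when the project was registered...", describes the custom role created in step 1, not the service account, so it reads as misplaced and should move up under step 1 (and "Sydig" should be "Sysdig"). This doc also names the service account `sysdigcloudbench`, while the README FAQ in this same PR says `sfcsysdigcloudbench`; if the `sfc` prefix is only added by the Terraform path, say so here so someone following the manual procedure knows which name Sysdig expects to see.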