From ff4b6ac657a07437c3a96c4c34b978a247199527 Mon Sep 17 00:00:00 2001
From: Federico Barcelona
Date: Thu, 9 Sep 2021 10:24:43 +0200
Subject: [PATCH 1/3] feat: Add organizational support for cloud-scanning
---
 examples/organization/README.md | 7 +++
 examples/organization/main.tf | 73 +++++++++++++++++++++++++++---
 examples/organization/variables.tf | 6 +++
 3 files changed, 80 insertions(+), 6 deletions(-)
diff --git a/examples/organization/README.md b/examples/organization/README.md
index 7589dce..2c0f08c 100644
--- a/examples/organization/README.md
+++ b/examples/organization/README.md
@@ -22,19 +22,26 @@ This example deploys Cloud Connector into a GCP organizational GCP account.
 | Name | Source | Version |
 |------|--------|---------|
 | [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector | |
+| [cloud\_scanning](#module\_cloud\_scanning) | ../../modules/services/cloud-scanning | |
 | [connector\_organization\_sink](#module\_connector\_organization\_sink) | ../../modules/infrastructure/organization_sink | |
+| [scanning\_organization\_sink](#module\_scanning\_organization\_sink) | ../../modules/infrastructure/organization_sink | |
+| [secure\_secrets](#module\_secure\_secrets) | ../../modules/infrastructure/secrets | |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [google_organization_iam_custom_role.org_gcr_image_puller](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_custom_role) | resource |
+| [google_organization_iam_member.organization_image_puller](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_member) | resource |
 | [google_service_account.connector_sa](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_service_account.scanning_sa](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
 | [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| [create\_gcr\_topic](#input\_create\_gcr\_topic) | Deploys a PubSub topic called `gcr` as part of this stack, which is needed for GCR scanning. Set to `true` only if it doesn't exist yet. If this is not deployed, and no existing `gcr` topic is found, the GCR scanning is ommited and won't be deployed. For more info see [GCR PubSub topic](https://cloud.google.com/container-registry/docs/configuring-notifications#create_a_topic). | `bool` | `true` | no |
 | [location](#input\_location) | Zone where the stack will be deployed | `string` | `"us-central1"` | no |
 | [max\_instances](#input\_max\_instances) | Max number of instances for the workloads | `number` | `1` | no |
 | [naming\_prefix](#input\_naming\_prefix) | Naming prefix for all the resources created | `string` | `"sfc"` | no |
diff --git a/examples/organization/main.tf b/examples/organization/main.tf
index 90c82ea..13a6fd8 100644
--- a/examples/organization/main.tf
+++ b/examples/organization/main.tf
@@ -3,6 +3,14 @@ locals {
   connector_filter = <
Date: Thu, 9 Sep 2021 10:30:07 +0200
Subject: [PATCH 2/3] refactor: Remove service variable from organization sink
---
 examples/organization/main.tf | 2 --
 modules/infrastructure/organization_sink/README.md | 1 -
 modules/infrastructure/organization_sink/main.tf | 4 ++--
 modules/infrastructure/organization_sink/variables.tf | 11 -----------
 4 files changed, 2 insertions(+), 16 deletions(-)
diff --git a/examples/organization/main.tf b/examples/organization/main.tf
index 13a6fd8..84cb5e2 100644
--- a/examples/organization/main.tf
+++ b/examples/organization/main.tf
@@ -31,7 +31,6 @@ module "connector_organization_sink" {
   organization_id = data.google_project.project.org_id
   naming_prefix = "${var.naming_prefix}-cloud-connector"
   filter = local.connector_filter
-  service = "connector"
 }
 
 module "cloud_connector" {
@@ -79,7 +78,6 @@ module "scanning_organization_sink" {
   organization_id = data.google_project.project.org_id
   naming_prefix = "${var.naming_prefix}-cloud-scanning"
   filter = local.scanning_filter
-  service = "connector"
 }
 
 module "secure_secrets" {
diff --git a/modules/infrastructure/organization_sink/README.md b/modules/infrastructure/organization_sink/README.md
index c237775..13df21e 100644
--- a/modules/infrastructure/organization_sink/README.md
+++ b/modules/infrastructure/organization_sink/README.md
@@ -33,7 +33,6 @@ No modules.
 | [filter](#input\_filter) | Filter for project sink | `string` | n/a | yes |
 | [naming\_prefix](#input\_naming\_prefix) | Naming prefix for all the resources created | `string` | `"sfc"` | no |
 | [organization\_id](#input\_organization\_id) | Numeric ID of the organization to be exported to the sink | `string` | n/a | yes |
-| [service](#input\_service) | This string must contains 'scanning' or 'connector' depending on the service you want to deploy | `string` | n/a | yes |
 
 ## Outputs
 
diff --git a/modules/infrastructure/organization_sink/main.tf b/modules/infrastructure/organization_sink/main.tf
index c508c43..c4ff4a2 100644
--- a/modules/infrastructure/organization_sink/main.tf
+++ b/modules/infrastructure/organization_sink/main.tf
@@ -1,9 +1,9 @@
 resource "google_pubsub_topic" "topic" {
-  name = "${var.naming_prefix}-cloud-${var.service}-topic"
+  name = "${var.naming_prefix}-topic"
 }
 
 resource "google_logging_organization_sink" "organization_sink" {
-  name = "${var.naming_prefix}-cloud-${var.service}-organization-sink"
+  name = "${var.naming_prefix}-organization-sink"
   org_id = var.organization_id
   destination = "pubsub.googleapis.com/${google_pubsub_topic.topic.id}"
   include_children = true
diff --git a/modules/infrastructure/organization_sink/variables.tf b/modules/infrastructure/organization_sink/variables.tf
index 0f6c8a7..e5c52f7 100644
--- a/modules/infrastructure/organization_sink/variables.tf
+++ b/modules/infrastructure/organization_sink/variables.tf
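Review bot: Once `service` is gone, `naming_prefix` is the only thing keeping two instances of this module apart: in the `@@ -1,9 +1,9 @@` hunk both the topic and the sink are now named solely from it (`${var.naming_prefix}-topic`, `${var.naming_prefix}-organization-sink`), and the same holds for the matching hunk in modules/infrastructure/project_sink/main.tf. The examples sidestep this by appending `-cloud-connector`/`-cloud-scanning` to the prefix, but the module's own `naming_prefix` still defaults to `"sfc"` per the README rows above, so a caller that instantiates the module twice with the default will most likely hit duplicate topic and sink names at apply time rather than at plan time. The module has no variable-level way to enforce uniqueness across instances, so the practical fix is to state the contract where callers read it: change the `naming_prefix` description to `Naming prefix for all the resources created; must be unique per instance of this module, since it is the only discriminator in the topic and sink names`.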
@@ -9,17 +9,6 @@ variable "organization_id" {
   description = "Numeric ID of the organization to be exported to the sink"
 }
 
-variable "service" {
-  type = string
-  description = "This string must contains 'scanning' or 'connector' depending on the service you want to deploy"
-
-  validation {
-    condition = contains([
-      "connector",
-      "scanning"], var.service)
-    error_message = "Valid values for var: service are (connector, scanning)."
-  }
-}
 # Vars with defaults
 variable "naming_prefix" {
   type = string
From 272ce39281aac634c6f3593338319530b8193fb3 Mon Sep 17 00:00:00 2001
From: Federico Barcelona
Date: Thu, 9 Sep 2021 10:32:40 +0200
Subject: [PATCH 3/3] refactor: Remove service variable from project sink
---
 examples/single-project/main.tf | 6 ++----
 modules/infrastructure/project_sink/README.md | 1 -
 modules/infrastructure/project_sink/main.tf | 4 ++--
 modules/infrastructure/project_sink/variables.tf | 11 -----------
 4 files changed, 4 insertions(+), 18 deletions(-)
diff --git a/examples/single-project/main.tf b/examples/single-project/main.tf
index 043b9c7..83768f4 100644
--- a/examples/single-project/main.tf
+++ b/examples/single-project/main.tf
@@ -28,9 +28,8 @@ resource "google_service_account" "connector_sa" {
 
 module "connector_project_sink" {
   source = "../../modules/infrastructure/project_sink"
-  naming_prefix = var.naming_prefix
+  naming_prefix = "${var.naming_prefix}-cloud-connector"
   filter = local.connector_filter
-  service = "connector"
 }
 
 module "cloud_connector" {
@@ -67,9 +66,8 @@ module "secure_secrets" {
 
 module "scanning_project_sink" {
   source = "../../modules/infrastructure/project_sink"
-  naming_prefix = var.naming_prefix
+  naming_prefix = "${var.naming_prefix}-cloud-scanning"
   filter = local.scanning_filter
-  service = "scanning"
 }
 
 # disable for testing purpose
diff --git a/modules/infrastructure/project_sink/README.md b/modules/infrastructure/project_sink/README.md
index 7eb60e3..6e1b1b2 100644
--- a/modules/infrastructure/project_sink/README.md
+++ b/modules/infrastructure/project_sink/README.md
@@ -32,7 +32,6 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [filter](#input\_filter) | Filter for project sink | `string` | n/a | yes |
 | [naming\_prefix](#input\_naming\_prefix) | Naming prefix for all the resources created | `string` | `"sfc"` | no |
-| [service](#input\_service) | This string must contains 'scanning' or 'connector' depending on the service you want to deploy | `string` | n/a | yes |
 
 ## Outputs
 
diff --git a/modules/infrastructure/project_sink/main.tf b/modules/infrastructure/project_sink/main.tf
index f176ffd..862646a 100644
--- a/modules/infrastructure/project_sink/main.tf
+++ b/modules/infrastructure/project_sink/main.tf
@@ -1,9 +1,9 @@
 resource "google_pubsub_topic" "topic" {
-  name = "${var.naming_prefix}-cloud-${var.service}-topic"
+  name = "${var.naming_prefix}-topic"
 }
 
 resource "google_logging_project_sink" "project_sink" {
-  name = "${var.naming_prefix}-cloud-${var.service}-project-sink"
+  name = "${var.naming_prefix}-project-sink"
   destination = "pubsub.googleapis.com/${google_pubsub_topic.topic.id}"
   unique_writer_identity = true
   filter = var.filter
diff --git a/modules/infrastructure/project_sink/variables.tf b/modules/infrastructure/project_sink/variables.tf
index b09a647..028f78b 100644
--- a/modules/infrastructure/project_sink/variables.tf
+++ b/modules/infrastructure/project_sink/variables.tf
@@ -4,17 +4,6 @@ variable "filter" {
   description = "Filter for project sink"
 }
 
-variable "service" {
-  type = string
-  description = "This string must contains 'scanning' or 'connector' depending on the service you want to deploy"
-
-  validation {
-    condition = contains([
-      "connector",
-      "scanning"], var.service)
-    error_message = "Valid values for var: service are (connector, scanning)."
-  }
-}
 # Vars with defaults
 variable "naming_prefix" {
   type = string