sysdiglabs · nestorsalceda · Sep 9, 2021 · Sep 9, 2021 · Sep 9, 2021 · Sep 9, 2021
@@ -22,19 +22,26 @@ This example deploys Cloud Connector into a GCP organizational GCP account.
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector |  |
+| <a name="module_cloud_scanning"></a> [cloud\_scanning](#module\_cloud\_scanning) | ../../modules/services/cloud-scanning |  |
 | <a name="module_connector_organization_sink"></a> [connector\_organization\_sink](#module\_connector\_organization\_sink) | ../../modules/infrastructure/organization_sink |  |
+| <a name="module_scanning_organization_sink"></a> [scanning\_organization\_sink](#module\_scanning\_organization\_sink) | ../../modules/infrastructure/organization_sink |  |
+| <a name="module_secure_secrets"></a> [secure\_secrets](#module\_secure\_secrets) | ../../modules/infrastructure/secrets |  |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [google_organization_iam_custom_role.org_gcr_image_puller](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_custom_role) | resource |
+| [google_organization_iam_member.organization_image_puller](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_member) | resource |
 | [google_service_account.connector_sa](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_service_account.scanning_sa](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
 | [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_create_gcr_topic"></a> [create\_gcr\_topic](#input\_create\_gcr\_topic) | Deploys a PubSub topic called `gcr` as part of this stack, which is needed for GCR scanning. Set to `true` only if it doesn't exist yet. If this is not deployed, and no existing `gcr` topic is found, the GCR scanning is ommited and won't be deployed. For more info see [GCR PubSub topic](https://cloud.google.com/container-registry/docs/configuring-notifications#create_a_topic). | `bool` | `true` | no |
 | <a name="input_location"></a> [location](#input\_location) | Zone where the stack will be deployed | `string` | `"us-central1"` | no |
 | <a name="input_max_instances"></a> [max\_instances](#input\_max\_instances) | Max number of instances for the workloads | `number` | `1` | no |
 | <a name="input_naming_prefix"></a> [naming\_prefix](#input\_naming\_prefix) | Naming prefix for all the resources created | `string` | `"sfc"` | no |

@@ -3,6 +3,14 @@ locals {
   connector_filter = <<EOT
   logName=~"/logs/cloudaudit.googleapis.com%2Factivity$" AND -resource.type="k8s_cluster"
 EOT
+  scanning_filter  = <<EOT
+  protoPayload.methodName = "google.cloud.run.v1.Services.CreateService" OR protoPayload.methodName = "google.cloud.run.v1.Services.ReplaceService"
+EOT
+}
+
+provider "google" {
+  project = var.org_project_name
+  region  = var.location
 }
 
 data "google_project" "project" {
@@ -12,11 +20,6 @@ data "google_project" "project" {
 #######################
 #      CONNECTOR      #
 #######################
-provider "google" {
-  project = var.org_project_name
-  region  = var.location
-}
-
 resource "google_service_account" "connector_sa" {
   account_id   = "${var.naming_prefix}-cloud-connector"
   display_name = "Service account for cloud-connector"
@@ -26,9 +29,8 @@ module "connector_organization_sink" {
   source = "../../modules/infrastructure/organization_sink"
 
   organization_id = data.google_project.project.org_id
-  naming_prefix   = var.naming_prefix
+  naming_prefix   = "${var.naming_prefix}-cloud-connector"
   filter          = local.connector_filter
-  service         = "connector"
 }
 
 module "cloud_connector" {
@@ -44,3 +46,60 @@ module "cloud_connector" {
   naming_prefix = var.naming_prefix
   verify_ssl    = local.verify_ssl
 }
+
+#######################
+#       SCANNING      #
+#######################
+resource "google_service_account" "scanning_sa" {
+  account_id   = "${var.naming_prefix}-cloud-connector"
+  display_name = "Service account for cloud-connector"
+}
+
+
+resource "google_organization_iam_custom_role" "org_gcr_image_puller" {
+  org_id = data.google_project.project.org_id
+
+  role_id     = "sysdig_gcr_image_puller"
+  title       = "Sysdig GCR Image Puller"
+  description = "Allows pulling GCR images from all accounts in the organization"
+  permissions = ["storage.objects.get", "storage.objects.list"]
+}
+
+resource "google_organization_iam_member" "organization_image_puller" {
+  org_id = data.google_project.project.org_id
+
+  role   = google_organization_iam_custom_role.org_gcr_image_puller.id
+  member = "serviceAccount:${google_service_account.scanning_sa.email}"
+}
+
+module "scanning_organization_sink" {
+  source = "../../modules/infrastructure/organization_sink"
+
+  organization_id = data.google_project.project.org_id
+  naming_prefix   = "${var.naming_prefix}-cloud-scanning"
+  filter          = local.scanning_filter
+}
+
+module "secure_secrets" {
+  source = "../../modules/infrastructure/secrets"
+
+  cloud_scanning_sa_email = google_service_account.scanning_sa.email
+  sysdig_secure_api_token = var.sysdig_secure_api_token
+  naming_prefix           = var.naming_prefix
+}
+
+module "cloud_scanning" {
+  source = "../../modules/services/cloud-scanning"
+
+  naming_prefix              = var.naming_prefix
+  secure_api_token_secret_id = module.secure_secrets.secure_api_token_secret_name
+  sysdig_secure_api_token    = var.sysdig_secure_api_token
+  sysdig_secure_endpoint     = var.sysdig_secure_endpoint
+  verify_ssl                 = local.verify_ssl
+
+  cloud_scanning_sa_email  = google_service_account.scanning_sa.email
+  create_gcr_topic         = var.create_gcr_topic
+  scanning_pubsub_topic_id = module.connector_organization_sink.pubsub_topic_id
+
+  max_instances = var.max_instances
+}
@@ -33,3 +33,9 @@ variable "max_instances" {
   description = "Max number of instances for the workloads"
   default     = 1
 }
+
+variable "create_gcr_topic" {
+  type        = bool
+  description = "Deploys a PubSub topic called `gcr` as part of this stack, which is needed for GCR scanning. Set to `true` only if it doesn't exist yet. If this is not deployed, and no existing `gcr` topic is found, the GCR scanning is ommited and won't be deployed. For more info see [GCR PubSub topic](https://cloud.google.com/container-registry/docs/configuring-notifications#create_a_topic)."
+  default     = true
+}
@@ -28,9 +28,8 @@ resource "google_service_account" "connector_sa" {
 
 module "connector_project_sink" {
   source        = "../../modules/infrastructure/project_sink"
-  naming_prefix = var.naming_prefix
+  naming_prefix = "${var.naming_prefix}-cloud-connector"
   filter        = local.connector_filter
-  service       = "connector"
 }
 
 module "cloud_connector" {
@@ -67,9 +66,8 @@ module "secure_secrets" {
 
 module "scanning_project_sink" {
   source        = "../../modules/infrastructure/project_sink"
-  naming_prefix = var.naming_prefix
+  naming_prefix = "${var.naming_prefix}-cloud-scanning"
   filter        = local.scanning_filter
-  service       = "scanning"
 }
 
 # disable for testing purpose

@@ -33,7 +33,6 @@ No modules.
 | <a name="input_filter"></a> [filter](#input\_filter) | Filter for project sink | `string` | n/a | yes |
 | <a name="input_naming_prefix"></a> [naming\_prefix](#input\_naming\_prefix) | Naming prefix for all the resources created | `string` | `"sfc"` | no |
 | <a name="input_organization_id"></a> [organization\_id](#input\_organization\_id) | Numeric ID of the organization to be exported to the sink | `string` | n/a | yes |
-| <a name="input_service"></a> [service](#input\_service) | This string must contains 'scanning' or 'connector' depending on the service you want to deploy | `string` | n/a | yes |
 
 ## Outputs
 

@@ -1,9 +1,9 @@
 resource "google_pubsub_topic" "topic" {
-  name = "${var.naming_prefix}-cloud-${var.service}-topic"
+  name = "${var.naming_prefix}-topic"
 }
 
 resource "google_logging_organization_sink" "organization_sink" {
-  name             = "${var.naming_prefix}-cloud-${var.service}-organization-sink"
+  name             = "${var.naming_prefix}-organization-sink"
   org_id           = var.organization_id
   destination      = "pubsub.googleapis.com/${google_pubsub_topic.topic.id}"
   include_children = true

@@ -9,17 +9,6 @@ variable "organization_id" {
   description = "Numeric ID of the organization to be exported to the sink"
 }
 
-variable "service" {
-  type        = string
-  description = "This string must contains 'scanning' or 'connector' depending on the service you want to deploy"
-
-  validation {
-    condition = contains([
-      "connector",
-    "scanning"], var.service)
-    error_message = "Valid values for var: service are (connector, scanning)."
-  }
-}
 # Vars with defaults
 variable "naming_prefix" {
   type        = string

@@ -32,7 +32,6 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_filter"></a> [filter](#input\_filter) | Filter for project sink | `string` | n/a | yes |
 | <a name="input_naming_prefix"></a> [naming\_prefix](#input\_naming\_prefix) | Naming prefix for all the resources created | `string` | `"sfc"` | no |
-| <a name="input_service"></a> [service](#input\_service) | This string must contains 'scanning' or 'connector' depending on the service you want to deploy | `string` | n/a | yes |
 
 ## Outputs
 

@@ -1,9 +1,9 @@
 resource "google_pubsub_topic" "topic" {
-  name = "${var.naming_prefix}-cloud-${var.service}-topic"
+  name = "${var.naming_prefix}-topic"
 }
 
 resource "google_logging_project_sink" "project_sink" {
-  name                   = "${var.naming_prefix}-cloud-${var.service}-project-sink"
+  name                   = "${var.naming_prefix}-project-sink"
   destination            = "pubsub.googleapis.com/${google_pubsub_topic.topic.id}"
   unique_writer_identity = true
   filter                 = var.filter

@@ -4,17 +4,6 @@ variable "filter" {
   description = "Filter for project sink"
 }
 
-variable "service" {
-  type        = string
-  description = "This string must contains 'scanning' or 'connector' depending on the service you want to deploy"
-
-  validation {
-    condition = contains([
-      "connector",
-    "scanning"], var.service)
-    error_message = "Valid values for var: service are (connector, scanning)."
-  }
-}
 # Vars with defaults
 variable "naming_prefix" {
   type        = string