fix(cdr) - support empty audit logs block (#54)

* fix(cdr) - support empty audit logs block

* Makefile fix

modules/Makefile

@@ -1,2 +1,2 @@
 lint:
-	tflint --recursive --module
+	tflint --recursive --call-module-type=all

modules/integrations/pub-sub/main.tf

@@ -54,10 +54,12 @@ resource "random_uuid" "routing_key" {}
 #-----------------------------------------------------------------------------------------
 locals {
   # Data structure will be a map for each service, that can have multiple audit_log_config
-  audit_log_config = { for audit in var.audit_log_config :
+  audit_log_config = {
+    for audit in var.audit_log_config :
     audit["service"] => {
       log_config = audit["log_config"]
     }
+    if length(audit["log_config"]) > 0 # Include only if log_config is not empty
   }
 }
 
@@ -266,4 +268,4 @@ resource "sysdig_secure_cloud_auth_account_component" "gcp_pubsub_datasource" {
       }
     }
   })
-}
+}

test/examples/modular_organization/pub-sub-admin-write-only1.tf

@@ -0,0 +1,36 @@
+#---------------------------------------------------------------------------------------------
+# Ensure installation flow for foundational onboarding has been completed before
+# installing additional Sysdig features.
+#---------------------------------------------------------------------------------------------
+
+module "pub-sub" {
+  source              = "../../../modules/integrations/pub-sub"
+  project_id          = module.onboarding.project_id
+  is_organizational   = module.onboarding.is_organizational
+  organization_domain = module.onboarding.organization_domain
+  sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+  ingestion_sink_filter = ""
+  audit_log_config = [
+    {
+      service = "allServices"
+      log_config = []
+    }
+  ]
+  exclude_logs_filter = []
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_THREAT_DETECTION"
+  enabled    = true
+  components = [ module.pub-sub.pubsub_datasource_component_id ]
+  depends_on = [ module.pub-sub ]
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
+  enabled    = true
+  components = [module.pub-sub.pubsub_datasource_component_id]
+  depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub]
+}

test/examples/modular_organization/pub-sub-admin-write-only2.tf

@@ -0,0 +1,31 @@
+#---------------------------------------------------------------------------------------------
+# Ensure installation flow for foundational onboarding has been completed before
+# installing additional Sysdig features.
+#---------------------------------------------------------------------------------------------
+
+module "pub-sub" {
+  source              = "../../../modules/integrations/pub-sub"
+  project_id          = module.onboarding.project_id
+  is_organizational   = module.onboarding.is_organizational
+  organization_domain = module.onboarding.organization_domain
+  sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+  ingestion_sink_filter = ""
+  audit_log_config = []
+  exclude_logs_filter = []
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_THREAT_DETECTION"
+  enabled    = true
+  components = [ module.pub-sub.pubsub_datasource_component_id ]
+  depends_on = [ module.pub-sub ]
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
+  enabled    = true
+  components = [module.pub-sub.pubsub_datasource_component_id]
+  depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub]
+}

test/examples/modular_organization/pub-sub.tf

@@ -9,6 +9,40 @@ module "pub-sub" {
   is_organizational   = module.onboarding.is_organizational
   organization_domain = module.onboarding.organization_domain
   sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+  ingestion_sink_filter = "protoPayload.@type = \"type.googleapis.com/google.cloud.audit.AuditLog\" (protoPayload.methodName!~ \"\\.(get|list)$\" OR protoPayload.serviceName != (\"k8s.io\" and \"storage.googleapis.com\"))"
+  audit_log_config = [
+    {
+      service = "cloudsql.googleapis.com"
+      log_config = [{ log_type = "DATA_READ",
+        exempted_members = [
+          "serviceAccount:[email protected]",
+        ]
+        },
+        { log_type = "DATA_WRITE" }
+      ]
+    },
+    {
+      service = "storage.googleapis.com"
+      log_config = [{ log_type = "DATA_WRITE"
+      }]
+    },
+    {
+      service    = "container.googleapis.com"
+      log_config = [{ log_type = "DATA_READ" }]
+    }
+  ]
+  exclude_logs_filter = [
+    {
+      name        = "nsexcllusion2"
+      description = "Exclude logs from namespace-2 in k8s"
+      filter      = "resource.type = k8s_container resource.labels.namespace_name=\"namespace-2\" "
+    },
+    {
+      name        = "nsexcllusion1"
+      description = "Exclude logs from namespace-1 in k8s"
+      filter      = "resource.type = k8s_container resource.labels.namespace_name=\"namespace-1\" "
+    }
+  ]
 }
 
 resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
@@ -25,4 +59,4 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
   enabled    = true
   components = [module.pub-sub.pubsub_datasource_component_id]
   depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub]
-}
+}

test/examples/modular_single_project/pub-sub-admin-write-only1.tf

@@ -0,0 +1,34 @@
+#---------------------------------------------------------------------------------------------
+# Ensure installation flow for foundational onboarding has been completed before
+# installing additional Sysdig features.
+#---------------------------------------------------------------------------------------------
+
+module "pub-sub" {
+  source        = "../../../modules/integrations/pub-sub"
+  project_id    = module.onboarding.project_id
+  sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+  ingestion_sink_filter = ""
+  audit_log_config = [
+    {
+      service = "allServices"
+      log_config = []
+    }
+  ]
+  exclude_logs_filter = []
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_THREAT_DETECTION"
+  enabled    = true
+  components = [ module.pub-sub.pubsub_datasource_component_id ]
+  depends_on = [ module.pub-sub ]
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
+  enabled    = true
+  components = [module.pub-sub.pubsub_datasource_component_id]
+  depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub]
+}

test/examples/modular_single_project/pub-sub-admin-write-only2.tf

@@ -0,0 +1,29 @@
+#---------------------------------------------------------------------------------------------
+# Ensure installation flow for foundational onboarding has been completed before
+# installing additional Sysdig features.
+#---------------------------------------------------------------------------------------------
+
+module "pub-sub" {
+  source        = "../../../modules/integrations/pub-sub"
+  project_id    = module.onboarding.project_id
+  sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+  ingestion_sink_filter = ""
+  audit_log_config = []
+  exclude_logs_filter = []
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_THREAT_DETECTION"
+  enabled    = true
+  components = [ module.pub-sub.pubsub_datasource_component_id ]
+  depends_on = [ module.pub-sub ]
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
+  enabled    = true
+  components = [module.pub-sub.pubsub_datasource_component_id]
+  depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub]
+}

test/examples/modular_single_project/pub-sub.tf

@@ -7,6 +7,40 @@ module "pub-sub" {
   source        = "../../../modules/integrations/pub-sub"
   project_id    = module.onboarding.project_id
   sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+  ingestion_sink_filter = "protoPayload.@type = \"type.googleapis.com/google.cloud.audit.AuditLog\" (protoPayload.methodName!~ \"\\.(get|list)$\" OR protoPayload.serviceName != (\"k8s.io\" and \"storage.googleapis.com\"))"
+  audit_log_config = [
+    {
+      service = "cloudsql.googleapis.com"
+      log_config = [{ log_type = "DATA_READ",
+        exempted_members = [
+          "serviceAccount:[email protected]",
+        ]
+        },
+        { log_type = "DATA_WRITE" }
+      ]
+    },
+    {
+      service = "storage.googleapis.com"
+      log_config = [{ log_type = "DATA_WRITE"
+      }]
+    },
+    {
+      service    = "container.googleapis.com"
+      log_config = [{ log_type = "DATA_READ" }]
+    }
+  ]
+  exclude_logs_filter = [
+    {
+      name        = "nsexcllusion2"
+      description = "Exclude logs from namespace-2 in k8s"
+      filter      = "resource.type = k8s_container resource.labels.namespace_name=\"namespace-2\" "
+    },
+    {
+      name        = "nsexcllusion1"
+      description = "Exclude logs from namespace-1 in k8s"
+      filter      = "resource.type = k8s_container resource.labels.namespace_name=\"namespace-1\" "
+    }
+  ]
 }
 
 resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
@@ -23,4 +57,4 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
   enabled    = true
   components = [module.pub-sub.pubsub_datasource_component_id]
   depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub]
-}
+}