From 615bf041d2a7ff2be36b3d0f9e85b1ee6f2178c0 Mon Sep 17 00:00:00 2001
From: Paolo Polidori
Date: Tue, 31 Dec 2024 17:10:21 +0100
Subject: [PATCH] fix(cdr) - support empty audit logs block (#54)
* fix(cdr) - support empty audit logs block
* Makefile fix
---
modules/Makefile | 2 +-
modules/integrations/pub-sub/main.tf | 6 ++--
.../pub-sub-admin-write-only1.tf | 36 +++++++++++++++++++
.../pub-sub-admin-write-only2.tf | 31 ++++++++++++++++
test/examples/modular_organization/pub-sub.tf | 36 ++++++++++++++++++-
.../pub-sub-admin-write-only1.tf | 34 ++++++++++++++++++
.../pub-sub-admin-write-only2.tf | 29 +++++++++++++++
.../modular_single_project/pub-sub.tf | 36 ++++++++++++++++++-
8 files changed, 205 insertions(+), 5 deletions(-)
create mode 100644 test/examples/modular_organization/pub-sub-admin-write-only1.tf
create mode 100644 test/examples/modular_organization/pub-sub-admin-write-only2.tf
create mode 100644 test/examples/modular_single_project/pub-sub-admin-write-only1.tf
create mode 100644 test/examples/modular_single_project/pub-sub-admin-write-only2.tf
diff --git a/modules/Makefile b/modules/Makefile
index 78f66b3..7437f25 100644
--- a/modules/Makefile
+++ b/modules/Makefile
@@ -1,2 +1,2 @@
 lint:
- tflint --recursive --module
+ tflint --recursive --call-module-type=all
diff --git a/modules/integrations/pub-sub/main.tf b/modules/integrations/pub-sub/main.tf
index e92b50a..fd028f3 100644
--- a/modules/integrations/pub-sub/main.tf
+++ b/modules/integrations/pub-sub/main.tf
@@ -54,10 +54,12 @@ resource "random_uuid" "routing_key" {}
 #-----------------------------------------------------------------------------------------
 locals {
 # Data structure will be a map for each service, that can have multiple audit_log_config
- audit_log_config = { for audit in var.audit_log_config :
+ audit_log_config = {
+ for audit in var.audit_log_config :
 audit["service"] => {
 log_config = audit["log_config"]
 }
+ if length(audit["log_config"]) > 0 # Include only if log_config is not empty
 }
 }
@@ -266,4 +268,4 @@ resource "sysdig_secure_cloud_auth_account_component" "gcp_pubsub_datasource" {
 }
 }
 })
-}
\ No newline at end of file
+}
diff --git a/test/examples/modular_organization/pub-sub-admin-write-only1.tf b/test/examples/modular_organization/pub-sub-admin-write-only1.tf
new file mode 100644
index 0000000..bf702d6
--- /dev/null
+++ b/test/examples/modular_organization/pub-sub-admin-write-only1.tf
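Review bot: `length(audit["log_config"])` in the new `if` clause errors with "argument must not be null" when an entry carries `log_config = null` rather than `[]`, which is what an `optional(...)` attribute without a default yields; the variable block is outside this hunk, so this is inferred, but `if try(length(audit["log_config"]), 0) > 0` tolerates both shapes at no cost. The clause also drops a service whose `log_config` is empty without any diagnostic, so a misconfigured entry now produces no audit-log configuration for that service instead of a plan error; that is presumably the intended fix, but the `audit_log_config` variable description should say so in one sentence, e.g. "an entry whose log_config is empty is ignored and no audit-log configuration is created for that service", so operators do not mistake silence for coverage.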
@@ -0,0 +1,36 @@
+#---------------------------------------------------------------------------------------------
+# Ensure installation flow for foundational onboarding has been completed before
+# installing additional Sysdig features.
+#---------------------------------------------------------------------------------------------
+
+module "pub-sub" {
+ source = "../../../modules/integrations/pub-sub"
+ project_id = module.onboarding.project_id
+ is_organizational = module.onboarding.is_organizational
+ organization_domain = module.onboarding.organization_domain
+ sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+ ingestion_sink_filter = ""
+ audit_log_config = [
+ {
+ service = "allServices"
+ log_config = []
+ }
+ ]
+ exclude_logs_filter = []
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
+ account_id = module.onboarding.sysdig_secure_account_id
+ type = "FEATURE_SECURE_THREAT_DETECTION"
+ enabled = true
+ components = [ module.pub-sub.pubsub_datasource_component_id ]
+ depends_on = [ module.pub-sub ]
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
+ account_id = module.onboarding.sysdig_secure_account_id
+ type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
+ enabled = true
+ components = [module.pub-sub.pubsub_datasource_component_id]
+ depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub]
+}
diff --git a/test/examples/modular_organization/pub-sub-admin-write-only2.tf b/test/examples/modular_organization/pub-sub-admin-write-only2.tf
new file mode 100644
index 0000000..7dec324
--- /dev/null
+++ b/test/examples/modular_organization/pub-sub-admin-write-only2.tf
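Review bot: This new file declares `module "pub-sub"`, `sysdig_secure_cloud_auth_account_feature.threat_detection` and `.identity_entitlement` under the same names as the existing `test/examples/modular_organization/pub-sub.tf` and the new `pub-sub-admin-write-only2.tf` in the same directory; unless the test harness copies one example file at a time into a working directory, `terraform validate` on that directory will reject the duplicate module and resource blocks. The same applies to the two new files under `test/examples/modular_single_project/`. If these are meant as mutually exclusive variants, a header comment such as `# Variant of pub-sub.tf: use this file in place of it, not alongside it` would make that explicit. Separately, `ingestion_sink_filter = ""` hands the module an empty sink filter; whether the module passes that through (a GCP logging sink with no filter exports every log entry, not only audit logs) or substitutes its own default is not visible here, so the example should say which it expects.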
@@ -0,0 +1,31 @@
+#---------------------------------------------------------------------------------------------
+# Ensure installation flow for foundational onboarding has been completed before
+# installing additional Sysdig features.
+#---------------------------------------------------------------------------------------------
+
+module "pub-sub" {
+ source = "../../../modules/integrations/pub-sub"
+ project_id = module.onboarding.project_id
+ is_organizational = module.onboarding.is_organizational
+ organization_domain = module.onboarding.organization_domain
+ sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+ ingestion_sink_filter = ""
+ audit_log_config = []
+ exclude_logs_filter = []
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
+ account_id = module.onboarding.sysdig_secure_account_id
+ type = "FEATURE_SECURE_THREAT_DETECTION"
+ enabled = true
+ components = [ module.pub-sub.pubsub_datasource_component_id ]
+ depends_on = [ module.pub-sub ]
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
+ account_id = module.onboarding.sysdig_secure_account_id
+ type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
+ enabled = true
+ components = [module.pub-sub.pubsub_datasource_component_id]
+ depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub]
+}
diff --git a/test/examples/modular_organization/pub-sub.tf b/test/examples/modular_organization/pub-sub.tf
index 7cbaad9..eb9fd34 100644
--- a/test/examples/modular_organization/pub-sub.tf
+++ b/test/examples/modular_organization/pub-sub.tf
@@ -9,6 +9,40 @@ module "pub-sub" {
 is_organizational = module.onboarding.is_organizational
 organization_domain = module.onboarding.organization_domain
 sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+ ingestion_sink_filter = "protoPayload.@type = \"type.googleapis.com/google.cloud.audit.AuditLog\" (protoPayload.methodName!~ \"\\.(get|list)$\" OR protoPayload.serviceName != (\"k8s.io\" and \"storage.googleapis.com\"))"
+ audit_log_config = [
+ {
+ service = "cloudsql.googleapis.com"
+ log_config = [{ log_type = "DATA_READ",
+ exempted_members = [
+ "serviceAccount:my-sa@my-project.iam.gserviceaccount.com",
+ ]
+ },
+ { log_type = "DATA_WRITE" }
+ ]
+ },
+ {
+ service = "storage.googleapis.com"
+ log_config = [{ log_type = "DATA_WRITE"
+ }]
+ },
+ {
+ service = "container.googleapis.com"
+ log_config = [{ log_type = "DATA_READ" }]
+ }
+ ]
+ exclude_logs_filter = [
+ {
+ name = "nsexcllusion2"
+ description = "Exclude logs from namespace-2 in k8s"
+ filter = "resource.type = k8s_container resource.labels.namespace_name=\"namespace-2\" "
+ },
+ {
+ name = "nsexcllusion1"
+ description = "Exclude logs from namespace-1 in k8s"
+ filter = "resource.type = k8s_container resource.labels.namespace_name=\"namespace-1\" "
+ }
+ ]
 }
 resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
@@ -25,4 +59,4 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
 enabled = true
 components = [module.pub-sub.pubsub_datasource_component_id]
 depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub]
-}
\ No newline at end of file
+}
diff --git a/test/examples/modular_single_project/pub-sub-admin-write-only1.tf b/test/examples/modular_single_project/pub-sub-admin-write-only1.tf
new file mode 100644
index 0000000..c237c03
--- /dev/null
+++ b/test/examples/modular_single_project/pub-sub-admin-write-only1.tf
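Review bot: The exclusion names `nsexcllusion2` and `nsexcllusion1` are misspelled; if `name` becomes the logging exclusion's resource name (the module is outside this hunk) the typo lands in the project, so `name = "nsexclusion2"` and `name = "nsexclusion1"` are worth fixing here and in the matching hunk in `test/examples/modular_single_project/pub-sub.tf`. The `exempted_members` entry removes that principal's reads from the Cloud SQL DATA_READ audit trail, and nothing marks `serviceAccount:my-sa@my-project.iam.gserviceaccount.com` as a placeholder; a comment such as `# placeholder principal: exempted members generate no DATA_READ audit entries, so keep this list minimal` would keep a copy-paste from silently narrowing coverage. The `module "pub-sub"` block starts before this hunk.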
@@ -0,0 +1,34 @@
+#---------------------------------------------------------------------------------------------
+# Ensure installation flow for foundational onboarding has been completed before
+# installing additional Sysdig features.
+#---------------------------------------------------------------------------------------------
+
+module "pub-sub" {
+ source = "../../../modules/integrations/pub-sub"
+ project_id = module.onboarding.project_id
+ sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+ ingestion_sink_filter = ""
+ audit_log_config = [
+ {
+ service = "allServices"
+ log_config = []
+ }
+ ]
+ exclude_logs_filter = []
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
+ account_id = module.onboarding.sysdig_secure_account_id
+ type = "FEATURE_SECURE_THREAT_DETECTION"
+ enabled = true
+ components = [ module.pub-sub.pubsub_datasource_component_id ]
+ depends_on = [ module.pub-sub ]
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
+ account_id = module.onboarding.sysdig_secure_account_id
+ type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
+ enabled = true
+ components = [module.pub-sub.pubsub_datasource_component_id]
+ depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub]
+}
diff --git a/test/examples/modular_single_project/pub-sub-admin-write-only2.tf b/test/examples/modular_single_project/pub-sub-admin-write-only2.tf
new file mode 100644
index 0000000..4f4bd82
--- /dev/null
+++ b/test/examples/modular_single_project/pub-sub-admin-write-only2.tf
@@ -0,0 +1,29 @@
+#---------------------------------------------------------------------------------------------
+# Ensure installation flow for foundational onboarding has been completed before
+# installing additional Sysdig features.
+#---------------------------------------------------------------------------------------------
+
+module "pub-sub" {
+ source = "../../../modules/integrations/pub-sub"
+ project_id = module.onboarding.project_id
+ sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+ ingestion_sink_filter = ""
+ audit_log_config = []
+ exclude_logs_filter = []
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
+ account_id = module.onboarding.sysdig_secure_account_id
+ type = "FEATURE_SECURE_THREAT_DETECTION"
+ enabled = true
+ components = [ module.pub-sub.pubsub_datasource_component_id ]
+ depends_on = [ module.pub-sub ]
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
+ account_id = module.onboarding.sysdig_secure_account_id
+ type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
+ enabled = true
+ components = [module.pub-sub.pubsub_datasource_component_id]
+ depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub]
+}
diff --git a/test/examples/modular_single_project/pub-sub.tf b/test/examples/modular_single_project/pub-sub.tf
index dbe4c43..03b3bc9 100644
--- a/test/examples/modular_single_project/pub-sub.tf
+++ b/test/examples/modular_single_project/pub-sub.tf
@@ -7,6 +7,40 @@ module "pub-sub" {
 source = "../../../modules/integrations/pub-sub"
 project_id = module.onboarding.project_id
 sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+ ingestion_sink_filter = "protoPayload.@type = \"type.googleapis.com/google.cloud.audit.AuditLog\" (protoPayload.methodName!~ \"\\.(get|list)$\" OR protoPayload.serviceName != (\"k8s.io\" and \"storage.googleapis.com\"))"
+ audit_log_config = [
+ {
+ service = "cloudsql.googleapis.com"
+ log_config = [{ log_type = "DATA_READ",
+ exempted_members = [
+ "serviceAccount:my-sa@my-project.iam.gserviceaccount.com",
+ ]
+ },
+ { log_type = "DATA_WRITE" }
+ ]
+ },
+ {
+ service = "storage.googleapis.com"
+ log_config = [{ log_type = "DATA_WRITE"
+ }]
+ },
+ {
+ service = "container.googleapis.com"
+ log_config = [{ log_type = "DATA_READ" }]
+ }
+ ]
+ exclude_logs_filter = [
+ {
+ name = "nsexcllusion2"
+ description = "Exclude logs from namespace-2 in k8s"
+ filter = "resource.type = k8s_container resource.labels.namespace_name=\"namespace-2\" "
+ },
+ {
+ name = "nsexcllusion1"
+ description = "Exclude logs from namespace-1 in k8s"
+ filter = "resource.type = k8s_container resource.labels.namespace_name=\"namespace-1\" "
+ }
+ ]
 }
 resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
@@ -23,4 +57,4 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
 enabled = true
 components = [module.pub-sub.pubsub_datasource_component_id]
 depends_on = [sysdig_secure_cloud_auth_account_feature.config_posture, module.pub-sub]
-}
\ No newline at end of file
+}