[SSPROD-48725] Fixing to gcp workload onboarding (#52)

* Fixing to gcp workload onboarding * Removing unused variable * Adding codeowners
sysdiglabs · Dec 4, 2024 · 76e9fe9 · 76e9fe9
1 parent 433ad7f
commit 76e9fe9
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 7 deletions.
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -1,3 +1,4 @@
 * @sysdiglabs/team-secure-onboarding
 /modules/services/agentless-scan/* @sysdiglabs/team-agentless
 /modules/services/workload-scan/* @sysdiglabs/team-agentless
+/modules/vm-workload-scanning/* @sysdiglabs/team-agentless
diff --git a/modules/vm-workload-scanning/main.tf b/modules/vm-workload-scanning/main.tf
@@ -14,8 +14,6 @@ data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
   cloud_provider = "gcp"
 }
 
-data "sysdig_secure_tenant_external_id" "external_id" {}
-
 resource "google_service_account" "controller" {
   project      = var.project_id
   account_id   = "sysdig-ws-${local.suffix}"
@@ -63,11 +61,13 @@ resource "google_iam_workload_identity_pool_provider" "agentless" {
   description                        = "AWS identity pool provider for Sysdig Secure Agentless Workload Scanning"
   disabled                           = false
 
-  attribute_condition = "attribute.aws_role==\"arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}\""
+  attribute_condition = "attribute.aws_account==\"${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}\""
 
   attribute_mapping = {
-    "google.subject"     = "assertion.arn",
-    "attribute.aws_role" = "assertion.arn"
+    "google.subject"        = "assertion.arn"
+    "attribute.aws_account" = "assertion.account"
+    "attribute.role"        = "assertion.arn.extract(\"/assumed-role/{role}/\")"
+    "attribute.session"     = "assertion.arn.extract(\"/assumed-role/{role_and_session}/\").extract(\"/{session}\")"
   }
 
   aws {
@@ -78,7 +78,7 @@ resource "google_iam_workload_identity_pool_provider" "agentless" {
 resource "google_service_account_iam_member" "controller_binding" {
   service_account_id = google_service_account.controller.name
   role               = "roles/iam.workloadIdentityUser"
-  member             = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.agentless.workload_identity_pool_id}/attribute.aws_role/arn:aws:sts::${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}:assumed-role/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_role_name}/${data.sysdig_secure_tenant_external_id.external_id.external_id}"
+  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.aws_account/${data.sysdig_secure_trusted_cloud_identity.trusted_identity.aws_account_id}"
 }
 
 
@@ -107,4 +107,4 @@ resource "sysdig_secure_cloud_auth_account_component" "google_service_principal"
     google_iam_workload_identity_pool.agentless,
     google_organization_iam_member.controller,
   ]
-}
+}