fix(vm-scanning): Fix conditionals for modular (#49)
* fix(vm-scanning): Fix conditionals for modular

* Fix attribute name
ravinadhruve10 authored Nov 6, 2024
1 parent 03359e9 commit bb8b7c5
Showing 3 changed files with 15 additions and 22 deletions.
1 change: 0 additions & 1 deletion modules/agentless-scan/README.md
Expand Up @@ -76,7 +76,6 @@ No modules.
| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | GCP Project ID | `string` | n/a | yes |
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | Optional. Determines whether module must scope whole organization. Otherwise single project will be scoped | `bool` | `false` | no |
| <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain) | Optional. If `is_organizational=true` is set, its mandatory to specify this value, with the GCP Organization domain. e.g. sysdig.com | `string` | `null` | no |
| <a name="input_sysdig_account_id"></a> [sysdig\_account\_id](#input\_sysdig\_account\_id) | Sysdig provided GCP Account designated for the host scan.<br/>One of `sysdig_backend` or `sysdig_account_id`must be provided | `string` | `null` | no |
| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Agentless Scanning integration for (in case of organization, ID of the Sysdig management account) | `string` | `null` | no |
| <a name="input_suffix"></a> [suffix](#input\_suffix) | Optional. Suffix word to enable multiple deployments with different naming<br/>(Workload Identity Pool and Providers have a soft deletion on Google Platform that will disallow name re-utilization)<br/>By default a random value will be autogenerated. | `string` | `null` | no |

30 changes: 15 additions & 15 deletions modules/agentless-scan/main.tf
Expand Up @@ -56,12 +56,12 @@ resource "google_iam_workload_identity_pool" "agentless" {
}

resource "google_iam_workload_identity_pool_provider" "agentless" {
count = data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null ? 1 : 0
count = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "aws" ? 1 : 0

lifecycle {
precondition {
condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null && var.sysdig_account_id == null)
error_message = "Cannot provide both sysdig_backend or sysdig_account_id"
condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null)
error_message = "Cannot provide empty sysdig backend cloud_id"
}
}

Expand All @@ -86,12 +86,12 @@ resource "google_iam_workload_identity_pool_provider" "agentless" {
}

resource "google_service_account_iam_member" "controller_custom" {
count = data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null ? 1 : 0
count = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "aws" ? 1 : 0

lifecycle {
precondition {
condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null && var.sysdig_account_id == null)
error_message = "Cannot provide both sysdig_backend or sysdig_account_id"
condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null)
error_message = "Cannot provide empty sysdig backend cloud_id"
}
}

Expand All @@ -101,12 +101,12 @@ resource "google_service_account_iam_member" "controller_custom" {
}

resource "google_iam_workload_identity_pool_provider" "agentless_gcp" {
count = var.sysdig_account_id != null ? 1 : 0
count = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "gcp" ? 1 : 0

lifecycle {
precondition {
condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id == null && var.sysdig_account_id != null)
error_message = "Cannot provide both sysdig_backend or sysdig_account_id"
condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null)
error_message = "Cannot provide empty sysdig backend cloud_id"
}
}

Expand All @@ -116,7 +116,7 @@ resource "google_iam_workload_identity_pool_provider" "agentless_gcp" {
description = "GCP identity pool provider for Sysdig Secure Agentless Host Scanning"
disabled = false

attribute_condition = "google.subject == \"${var.sysdig_account_id}\""
attribute_condition = "google.subject == \"${data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id}\""

attribute_mapping = {
"google.subject" = "assertion.sub"
Expand All @@ -129,18 +129,18 @@ resource "google_iam_workload_identity_pool_provider" "agentless_gcp" {
}

resource "google_service_account_iam_member" "controller_custom_gcp" {
count = var.sysdig_account_id != null ? 1 : 0
count = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "gcp" ? 1 : 0

lifecycle {
precondition {
condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id == null && var.sysdig_account_id != null)
error_message = "Cannot provide both sysdig_backend or sysdig_account_id"
condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null)
error_message = "Cannot provide empty sysdig backend cloud_id"
}
}

service_account_id = google_service_account.controller.name
role = "roles/iam.workloadIdentityUser"
member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.sa_id/${var.sysdig_account_id}"
member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.sa_id/${data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id}"
}

#-----------------------------------------------------------------------------------------
Expand Down Expand Up @@ -200,7 +200,7 @@ resource "sysdig_secure_cloud_auth_account_component" "gcp_agentless_scan" {
service_principal_metadata = jsonencode({
gcp = {
workload_identity_federation = {
pool_provider_id = data.sysdig_secure_agentless_scanning_assets.assets.gcp.worker_identity != null ? google_iam_workload_identity_pool_provider.agentless[0].name : var.sysdig_account_id != null ? google_iam_workload_identity_pool_provider.agentless_gcp[0].name : null
pool_provider_id = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "aws" ? google_iam_workload_identity_pool_provider.agentless[0].name : data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "gcp" ? google_iam_workload_identity_pool_provider.agentless_gcp[0].name : null
}
email = google_service_account.controller.email
}
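Review bot: The new precondition in google_iam_workload_identity_pool_provider.agentless only rejects a null cloud_id, while its error message says the value must not be empty; the same condition is repeated in controller_custom, agentless_gcp and controller_custom_gcp. An empty string passes `!= null`, is then interpolated into `attribute_condition` as `google.subject == ""` and into the `principalSet://…/attribute.sa_id/` member path, and the failure surfaces later at plan or apply with a less clear message. Tighten the check so it matches the message, e.g. `condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null && data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != "")`. Since the identical precondition now appears in four resources, computing it once in a `locals` block (for instance `backend_cloud_id_present`) would keep them from drifting apart; the precondition is only evaluated when `count` is 1, so the opposite backend type is unaffected either way.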
6 changes: 0 additions & 6 deletions modules/agentless-scan/variables.tf
Expand Up @@ -15,12 +15,6 @@ variable "organization_domain" {
default = ""
}

variable "sysdig_account_id" {
type = string
description = "Sysdig provided GCP Account designated for the host scan. One of sysdig_backend or sysdig_account_id must be provided"
default = null
}

variable "sysdig_secure_account_id" {
type = string
description = "ID of the Sysdig Cloud Account to enable Agentless Scanning integration for (in case of organization, ID of the Sysdig management account)"
