diff --git a/modules/agentless-scan/README.md b/modules/agentless-scan/README.md
index 3c3cf22..acd02b5 100644
--- a/modules/agentless-scan/README.md
+++ b/modules/agentless-scan/README.md
@@ -76,7 +76,6 @@ No modules.
| [project\_id](#input\_project\_id) | GCP Project ID | `string` | n/a | yes |
| [is\_organizational](#input\_is\_organizational) | Optional. Determines whether module must scope whole organization. Otherwise single project will be scoped | `bool` | `false` | no |
| [organization\_domain](#input\_organization\_domain) | Optional. If `is_organizational=true` is set, its mandatory to specify this value, with the GCP Organization domain. e.g. sysdig.com | `string` | `null` | no |
-| [sysdig\_account\_id](#input\_sysdig\_account\_id) | Sysdig provided GCP Account designated for the host scan.
One of `sysdig_backend` or `sysdig_account_id`must be provided | `string` | `null` | no |
| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Agentless Scanning integration for (in case of organization, ID of the Sysdig management account) | `string` | `null` | no |
| [suffix](#input\_suffix) | Optional. Suffix word to enable multiple deployments with different naming
(Workload Identity Pool and Providers have a soft deletion on Google Platform that will disallow name re-utilization)
By default a random value will be autogenerated. | `string` | `null` | no |
diff --git a/modules/agentless-scan/main.tf b/modules/agentless-scan/main.tf
index b63511a..c8c1134 100644
--- a/modules/agentless-scan/main.tf
+++ b/modules/agentless-scan/main.tf
@@ -56,12 +56,12 @@ resource "google_iam_workload_identity_pool" "agentless" {
}
resource "google_iam_workload_identity_pool_provider" "agentless" {
- count = data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null ? 1 : 0
+ count = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "aws" ? 1 : 0
lifecycle {
precondition {
- condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null && var.sysdig_account_id == null)
- error_message = "Cannot provide both sysdig_backend or sysdig_account_id"
+ condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null)
+ error_message = "Cannot provide empty sysdig backend cloud_id"
}
}
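Review bot: The replacement precondition on the `agentless` provider only tests `cloud_id != null`, while its error message says "empty": an empty-string `cloud_id` passes the check and the resource is still created with count 1. The same condition/message pair is repeated in the `controller_custom`, `agentless_gcp` and `controller_custom_gcp` hunks, where an empty value would also reach the `attribute_condition` and the principalSet `member` string. A check that matches the message is `condition = try(length(data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id) > 0, false)`. Since all four resources now share an identical condition, a single `locals` value would remove the four copies; each resource body continues outside its hunk.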
@@ -86,12 +86,12 @@ resource "google_iam_workload_identity_pool_provider" "agentless" {
}
resource "google_service_account_iam_member" "controller_custom" {
- count = data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null ? 1 : 0
+ count = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "aws" ? 1 : 0
lifecycle {
precondition {
- condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null && var.sysdig_account_id == null)
- error_message = "Cannot provide both sysdig_backend or sysdig_account_id"
+ condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null)
+ error_message = "Cannot provide empty sysdig backend cloud_id"
}
}
@@ -101,12 +101,12 @@ resource "google_service_account_iam_member" "controller_custom" {
}
resource "google_iam_workload_identity_pool_provider" "agentless_gcp" {
- count = var.sysdig_account_id != null ? 1 : 0
+ count = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "gcp" ? 1 : 0
lifecycle {
precondition {
- condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id == null && var.sysdig_account_id != null)
- error_message = "Cannot provide both sysdig_backend or sysdig_account_id"
+ condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null)
+ error_message = "Cannot provide empty sysdig backend cloud_id"
}
}
@@ -116,7 +116,7 @@ resource "google_iam_workload_identity_pool_provider" "agentless_gcp" {
description = "GCP identity pool provider for Sysdig Secure Agentless Host Scanning"
disabled = false
- attribute_condition = "google.subject == \"${var.sysdig_account_id}\""
+ attribute_condition = "google.subject == \"${data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id}\""
attribute_mapping = {
"google.subject" = "assertion.sub"
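Review bot: `cloud_id` is spliced verbatim into the CEL string literal of `attribute_condition`, so a value containing a double quote or backslash would alter the expression instead of being compared as the subject; the value now comes from the Sysdig data source rather than an operator variable, but nothing in the module constrains its shape. Emitting it as a quoted, escaped literal avoids the issue: `attribute_condition = "google.subject == ${jsonencode(data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id)}"`. The enclosing `agentless_gcp` provider resource starts and ends outside the hunk, and its `attribute_mapping` is cut off after the `google.subject` entry.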
@@ -129,18 +129,18 @@ resource "google_iam_workload_identity_pool_provider" "agentless_gcp" {
}
resource "google_service_account_iam_member" "controller_custom_gcp" {
- count = var.sysdig_account_id != null ? 1 : 0
+ count = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "gcp" ? 1 : 0
lifecycle {
precondition {
- condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id == null && var.sysdig_account_id != null)
- error_message = "Cannot provide both sysdig_backend or sysdig_account_id"
+ condition = (data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id != null)
+ error_message = "Cannot provide empty sysdig backend cloud_id"
}
}
service_account_id = google_service_account.controller.name
role = "roles/iam.workloadIdentityUser"
- member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.sa_id/${var.sysdig_account_id}"
+ member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.agentless.name}/attribute.sa_id/${data.sysdig_secure_agentless_scanning_assets.assets.backend.cloud_id}"
}
#-----------------------------------------------------------------------------------------
@@ -200,7 +200,7 @@ resource "sysdig_secure_cloud_auth_account_component" "gcp_agentless_scan" {
service_principal_metadata = jsonencode({
gcp = {
workload_identity_federation = {
- pool_provider_id = data.sysdig_secure_agentless_scanning_assets.assets.gcp.worker_identity != null ? google_iam_workload_identity_pool_provider.agentless[0].name : var.sysdig_account_id != null ? google_iam_workload_identity_pool_provider.agentless_gcp[0].name : null
+ pool_provider_id = data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "aws" ? google_iam_workload_identity_pool_provider.agentless[0].name : data.sysdig_secure_agentless_scanning_assets.assets.backend.type == "gcp" ? google_iam_workload_identity_pool_provider.agentless_gcp[0].name : null
}
email = google_service_account.controller.email
}
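Review bot: The new `pool_provider_id` expression falls through to `null` whenever `backend.type` is neither "aws" nor "gcp", so an unexpected type value registers the component with no identity-pool provider instead of failing the plan; the provider resources gated on the same `type` comparison in the earlier hunks would have count 0 and nothing reports why. A lifecycle precondition on this resource asserting the type is one of the two supported values turns that into an explicit plan-time error. The `gcp_agentless_scan` resource begins before the hunk and its remaining attributes are not visible here.
```hcl
resource "sysdig_secure_cloud_auth_account_component" "gcp_agentless_scan" {
  lifecycle {
    precondition {
      condition     = contains(["aws", "gcp"], data.sysdig_secure_agentless_scanning_assets.assets.backend.type)
      error_message = "Unsupported sysdig backend type; expected \"aws\" or \"gcp\""
    }
  }
  # … unchanged: component attributes and service_principal_metadata …
```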
diff --git a/modules/agentless-scan/variables.tf b/modules/agentless-scan/variables.tf
index 8b2fb24..c8ef09d 100644
--- a/modules/agentless-scan/variables.tf
+++ b/modules/agentless-scan/variables.tf
@@ -15,12 +15,6 @@ variable "organization_domain" {
default = ""
}
-variable "sysdig_account_id" {
- type = string
- description = "Sysdig provided GCP Account designated for the host scan. One of sysdig_backend or sysdig_account_id must be provided"
- default = null
-}
-
variable "sysdig_secure_account_id" {
type = string
description = "ID of the Sysdig Cloud Account to enable Agentless Scanning integration for (in case of organization, ID of the Sysdig management account)"