diff --git a/.github/workflows/ci-pull-request.yaml b/.github/workflows/ci-pull-request.yaml
index 9b5f78d..6aef73b 100644
--- a/.github/workflows/ci-pull-request.yaml
+++ b/.github/workflows/ci-pull-request.yaml
@@ -40,6 +40,7 @@ jobs:
- "secure_config_posture_identity_access/organization/main.tf"
- "secure_threat_detection/single/main.tf"
- "secure_threat_detection/organization/main.tf"
+ - "agentless-scan/single/main.tf"
- "agentless-scan/organization/main.tf"
steps:
- name: Set up Go
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..5444631
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,32 @@
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.5.0
+ hooks:
+ - id: check-merge-conflict
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
+
+
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.86.0
+ hooks:
+ - id: terraform_fmt
+ - id: terraform_docs
+ args:
+ - '--args=--sort-by required'
+ - id: terraform_tflint
+ args:
+ - '--args=--only=terraform_deprecated_interpolation'
+ - '--args=--only=terraform_deprecated_index'
+ - '--args=--only=terraform_unused_declarations'
+ - '--args=--only=terraform_comment_syntax'
+ - '--args=--only=terraform_documented_outputs'
+ - '--args=--only=terraform_documented_variables'
+ - '--args=--only=terraform_typed_variables'
+ - '--args=--only=terraform_module_pinned_source'
+ - '--args=--only=terraform_naming_convention'
+ - '--args=--only=terraform_required_version'
+ - '--args=--only=terraform_required_providers'
+ - '--args=--only=terraform_standard_module_structure'
+ - '--args=--only=terraform_workspace_remote'
+ - id: terrascan
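Review bot: Both `rev:` values (`v4.5.0` for pre-commit-hooks and `v1.86.0` for pre-commit-terraform) pin a git tag, and tags are mutable, so the hook code that runs on every contributor's checkout can silently change if a tag is moved or re-pushed. pre-commit accepts a full commit SHA in `rev`, which gives an immutable pin; keep the tag as a trailing comment for readability, e.g. `rev: <FULL-COMMIT-SHA-OF-v1.86.0>  # v1.86.0`. The `terrascan` hook is added with no `args`, so it presumably runs the tool's default policy set against every Terraform directory — worth a one-line comment stating that intent, or an explicit `--args=` so the scanned scope is visible here rather than in the tool's defaults.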
diff --git a/modules/services/agentless-scan/README.md b/modules/services/agentless-scan/README.md
index efe23cf..76e197c 100644
--- a/modules/services/agentless-scan/README.md
+++ b/modules/services/agentless-scan/README.md
@@ -7,9 +7,9 @@ This module will deploy required resources for Sysdig to be able to scan hosts o
The following resources will be created on each instrumented project:
-- For the **Resource Discovery**: Enable Sysdig to authenticate through a Workload Identity Pool (requires provider,
+- For the **Resource Discovery**: Enable Sysdig to authenticate through a Workload Identity Pool (requires provider,
service account, role, and related bindings) in order to be able to discover the VPC/Instance/Volumes
-- For the **Host Data Extraction**: Enable Sysdig to create a disk copy on our SaaS platform, to be able to extract
+- For the **Host Data Extraction**: Enable Sysdig to create a disk copy on our SaaS platform, to be able to extract
the data required for security assessment.
@@ -103,4 +103,4 @@ Module is maintained by [Sysdig](https://sysdig.com).
## License
-Apache 2 Licensed. See LICENSE for full details.
\ No newline at end of file
+Apache 2 Licensed. See LICENSE for full details.
diff --git a/modules/services/agentless-scan/controller_org.tf b/modules/services/agentless-scan/controller_org.tf
index e8c6336..c44f71f 100644
--- a/modules/services/agentless-scan/controller_org.tf
+++ b/modules/services/agentless-scan/controller_org.tf
@@ -15,4 +15,4 @@ resource "google_organization_iam_binding" "controller_custom" {
members = [
"serviceAccount:${google_service_account.controller.email}",
]
-}
\ No newline at end of file
+}
diff --git a/modules/services/agentless-scan/controller_single.tf b/modules/services/agentless-scan/controller_single.tf
index b91eb16..d6a9ce7 100644
--- a/modules/services/agentless-scan/controller_single.tf
+++ b/modules/services/agentless-scan/controller_single.tf
@@ -15,4 +15,4 @@ resource "google_project_iam_binding" "controller_custom" {
members = [
"serviceAccount:${google_service_account.controller.email}",
]
-}
\ No newline at end of file
+}
diff --git a/modules/services/agentless-scan/data.tf b/modules/services/agentless-scan/data.tf
index de45ac7..5193edc 100644
--- a/modules/services/agentless-scan/data.tf
+++ b/modules/services/agentless-scan/data.tf
@@ -5,4 +5,4 @@ data "google_project" "project" {
data "google_organization" "org" {
count = local.is_organizational ? 1 : 0
domain = var.organization_domain
-}
\ No newline at end of file
+}
diff --git a/modules/services/agentless-scan/locals.tf b/modules/services/agentless-scan/locals.tf
index 366172b..03dd4b9 100644
--- a/modules/services/agentless-scan/locals.tf
+++ b/modules/services/agentless-scan/locals.tf
@@ -30,4 +30,4 @@ locals {
resource "random_id" "suffix" {
count = var.suffix == null ? 1 : 0
byte_length = 3
-}
\ No newline at end of file
+}
diff --git a/modules/services/agentless-scan/outputs.tf b/modules/services/agentless-scan/outputs.tf
index f2e10fa..c198d3e 100644
--- a/modules/services/agentless-scan/outputs.tf
+++ b/modules/services/agentless-scan/outputs.tf
@@ -1,13 +1,17 @@
output "project_id" {
- value = var.project_id
+ value = var.project_id
+ description = "Target project_id"
}
output "project_number" {
- value = data.google_project.project.number
+ value = data.google_project.project.number
+ description = "Target project_number"
}
output "controller_service_account" {
value = google_service_account.controller.email
+
+ description = "Service Account (email) for Sysdig host Discovery to use"
}
output "workload_identity_pool_provider" {
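Review bot: The new `description` attributes are laid out two different ways in the same file: `project_id` and `project_number` put `description` directly under `value`, while `controller_service_account` inserts a blank line before it, and the two later hunks (`workload_identity_pool_provider`, `json_payload`) follow the blank-line layout too. Pick one — `description` immediately after `value` reads as a single attribute list — and apply it to all five outputs. The `json_payload` text `on Sysdig VM Host scan on Sysdig` repeats itself; `description = "Deprecated. JSON payload used to provision the customer for Sysdig VM host scanning"` says the same thing once.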
@@ -16,6 +20,8 @@ output "workload_identity_pool_provider" {
condition = (var.sysdig_backend != null && var.sysdig_account_id == null) || (var.sysdig_backend == null && var.sysdig_account_id != null)
error_message = "Cannot provide both sysdig_backend or sysdig_account_id"
}
+
+ description = "Workload Identity Pool Provider URL for Sysdig host Discovery to use"
}
output "json_payload" {
@@ -29,4 +35,6 @@ output "json_payload" {
condition = (var.sysdig_backend != null && var.sysdig_account_id == null) || (var.sysdig_backend == null && var.sysdig_account_id != null)
error_message = "Cannot provide both sysdig_backend or sysdig_account_id"
}
+
+ description = "Deprecated. JSON Payload to internally provision customer on Sysdig VM Host scan on Sysdig"
}
diff --git a/modules/services/agentless-scan/provider.tf b/modules/services/agentless-scan/provider.tf
index fba49cf..8723d4e 100644
--- a/modules/services/agentless-scan/provider.tf
+++ b/modules/services/agentless-scan/provider.tf
@@ -11,4 +11,4 @@ terraform {
version = ">= 3.1, < 4.0"
}
}
-}
\ No newline at end of file
+}
diff --git a/modules/services/agentless-scan/variables.tf b/modules/services/agentless-scan/variables.tf
index 081bfc6..f1925ed 100644
--- a/modules/services/agentless-scan/variables.tf
+++ b/modules/services/agentless-scan/variables.tf
@@ -9,6 +9,7 @@ variable "worker_identity" {
description = "Sysdig provided Identity for the Service Account in charge of performing the host disk analysis"
}
+# mandatory; one of `sysdig_backend` or `sysdig_account_id`
variable "sysdig_backend" {
type = string
description = "Sysdig provided AWS Account designated for the host scan.
One of `sysdig_backend` or `sysdig_account_id`must be provided"
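Review bot: The added comment `# mandatory; one of `sysdig_backend` or `sysdig_account_id`` restates what the variable's own `description` says two lines below, so the two will drift apart; either drop the comment or fold the precise rule into the `description`, which is what `terraform_docs` (now a pre-commit hook) surfaces to module users. While touching that string, `sysdig_account_id`must` is missing a space before `must`. If the sibling `sysdig_account_id` variable received the same comment, the same applies there; that block is outside this hunk, as is the rest of this `variable "sysdig_backend"` block.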
@@ -29,6 +30,7 @@ variable "role_name" {
}
+
variable "suffix" {
type = string
description = "Optional. Suffix word to enable multiple deployments with different naming
(Workload Identity Pool and Providers have a soft deletion on Google Platform that will disallow name re-utilization)
By default a random value will be autogenerated."
diff --git a/test/examples/agentless-scan/README b/test/examples/agentless-scan/README
index 30a151a..3c3c35b 100644
--- a/test/examples/agentless-scan/README
+++ b/test/examples/agentless-scan/README
@@ -3,4 +3,4 @@ note;
- we test the cloud-scan module together with its dependencies on the minimal use-case
- cspm; for discovery + organizational setup (`secure-onboarding` component)
- - sysdig provider `sysdig_secure_cloud_auth_account`; for authentication
\ No newline at end of file
+ - sysdig provider `sysdig_secure_cloud_auth_account`; for authentication
diff --git a/test/examples/agentless-scan/organization/deps_scanning_org.tf b/test/examples/agentless-scan/organization/deps_scanning_org.tf
index b7419cc..e0eec9b 100644
--- a/test/examples/agentless-scan/organization/deps_scanning_org.tf
+++ b/test/examples/agentless-scan/organization/deps_scanning_org.tf
@@ -1,9 +1,9 @@
# this is required for organizational setup (+cloud-host vm)
-module "organization-posture" {
+module "organization_posture" {
source = "sysdiglabs/secure/google//modules/services/service-principal"
project_id = "org-child-project-1"
service_account_name = "sysdig-secure-igm6"
is_organizational = true
organization_domain = "draios.com"
-}
\ No newline at end of file
+}
diff --git a/test/examples/agentless-scan/organization/main.tf b/test/examples/agentless-scan/organization/main.tf
index a580f46..bec76ee 100644
--- a/test/examples/agentless-scan/organization/main.tf
+++ b/test/examples/agentless-scan/organization/main.tf
@@ -1,5 +1,5 @@
-provider "google"{
- project="mytestproject"
+provider "google" {
+ project = "mytestproject"
}
@@ -9,6 +9,6 @@ module "cloud_host" {
sysdig_account_id = "012345678"
worker_identity = "foo@bar.com"
- is_organizational = true
+ is_organizational = true
organization_domain = "myorg.com"
-}
\ No newline at end of file
+}
diff --git a/test/examples/agentless-scan/organization/sysdig_provider.tf b/test/examples/agentless-scan/organization/sysdig_provider.tf
index be3ecd9..7b9f7a6 100644
--- a/test/examples/agentless-scan/organization/sysdig_provider.tf
+++ b/test/examples/agentless-scan/organization/sysdig_provider.tf
@@ -21,7 +21,7 @@ resource "sysdig_secure_cloud_auth_account" "gcp_project" {
instance = "secure-onboarding"
service_principal_metadata = jsonencode({
gcp = {
- key = module.organization-posture.service_account_key
+ key = module.organization_posture.service_account_key
}
})
}
@@ -40,10 +40,10 @@ resource "sysdig_secure_cloud_auth_account" "gcp_project" {
})
}
- depends_on = [module.cloud_host, module.organization-posture]
+ depends_on = [module.cloud_host, module.organization_posture]
}
resource "sysdig_secure_organization" "gcp_organization_myproject" {
management_account_id = sysdig_secure_cloud_auth_account.gcp_project.id
- depends_on = [module.organization-posture]
-}
\ No newline at end of file
+ depends_on = [module.organization_posture]
+}
diff --git a/test/examples/agentless-scan/outputs.tf b/test/examples/agentless-scan/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/test/examples/agentless-scan/single/main.tf b/test/examples/agentless-scan/single/main.tf
new file mode 100644
index 0000000..d0a62d6
--- /dev/null
+++ b/test/examples/agentless-scan/single/main.tf
@@ -0,0 +1,11 @@
+provider "google" {
+ project = "mytestproject"
+ region = "us-west1"
+}
+
+module "agentless_scan" {
+ source = "../../../..//modules/services/agentless-scan"
+ project_id = "mytestproject"
+ sysdig_account_id = "012345678"
+ worker_identity = "foo@bar.com"
+}
diff --git a/test/examples/agentless-scan/single/provider.tf b/test/examples/agentless-scan/single/provider.tf
new file mode 100644
index 0000000..951e8f0
--- /dev/null
+++ b/test/examples/agentless-scan/single/provider.tf
@@ -0,0 +1,18 @@
+terraform {
+ required_version = ">=1.0"
+
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = ">= 4.1, < 5.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 3.1, < 4.0"
+ }
+ sysdig = {
+ source = "sysdiglabs/sysdig"
+ version = ">= 1.23.1"
+ }
+ }
+}
diff --git a/test/examples/agentless-scan/single/sysdig_provider.tf b/test/examples/agentless-scan/single/sysdig_provider.tf
new file mode 100644
index 0000000..5455560
--- /dev/null
+++ b/test/examples/agentless-scan/single/sysdig_provider.tf
@@ -0,0 +1,31 @@
+provider "sysdig" {
+ sysdig_secure_url = "https://secure-staging.sysdig.com"
+ sysdig_secure_api_token = "12124235"
+}
+
+resource "sysdig_secure_cloud_auth_account" "gcp_project" {
+ enabled = true
+ provider_id = "mytestproject"
+ provider_type = "PROVIDER_GCP"
+
+ feature {
+ secure_agentless_scanning {
+ enabled = true
+ components = ["COMPONENT_SERVICE_PRINCIPAL/secure-scanning"]
+ }
+ }
+
+ component {
+ type = "COMPONENT_SERVICE_PRINCIPAL"
+ instance = "secure-scanning"
+ service_principal_metadata = jsonencode({
+ gcp = {
+ workload_identity_federation = {
+ pool_provider_id = module.agentless_scan.workload_identity_pool_provider
+ }
+ email = module.agentless_scan.controller_service_account
+ }
+ })
+ }
+ depends_on = [module.agentless_scan]
+}
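Review bot: `sysdig_secure_api_token = "12124235"` hardcodes a credential literal in a committed provider block; even as a placeholder it establishes a pattern that secret scanners will flag and that a copy-paste into a real deployment turns into a committed token. The sysdig provider can take this value from the `SYSDIG_SECURE_API_TOKEN` environment variable, so the line can simply be removed and the CI job or developer shell supply it, `provider "sysdig" { sysdig_secure_url = "https://secure-staging.sysdig.com" }`. The `depends_on = [module.agentless_scan]` is redundant: the `component` block already references `module.agentless_scan.workload_identity_pool_provider` and `module.agentless_scan.controller_service_account`, which gives Terraform the ordering, and an explicit module-level `depends_on` additionally serialises this resource behind every resource in the module.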