SSPROD-49726 - add(oracle): initial modules onboarding/config-posture (#2)

* add(oracle): initial modules onboarding/config-posture

* add(oracle): initial modules onboarding/config-posture

* add(oracle): initial modules onboarding/config-posture

* add(oracle): initial modules onboarding/config-posture

* add(oracle): initial modules onboarding/config-posture

* add(oracle): initial modules onboarding/config-posture

* add(oracle): initial modules onboarding/config-posture

* add(oracle): initial modules onboarding/config-posture

* add(oracle): initial modules onboarding/config-posture

* add(oracle): initial modules onboarding/config-posture
jose-pablo-camacho authored Dec 10, 2024
1 parent 1933c29 commit 3a25e15
Showing 13 changed files with 466 additions and 0 deletions.
66 changes: 66 additions & 0 deletions modules/config-posture/README.md
@@ -0,0 +1,66 @@
# Oracle Cloud Config Posture Module

This module will deploy Config Posture resources in Oracle for a compartment or root tenancy.

The following resources will be created in each instrumented compartment/tenancy:

- An Admit Policy on the target tenant that will allow sysdig tenant to `read` all-resources in the specified
compartment/tenancy.
- A cloud account component in the Sysdig Backend, associated with the specified compartment/tenant and with the
required metadata to serve the Config Posture functions.

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

## Requirements

| Name | Version |
|---------------------------------------------------------------------------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
| <a name="requirement_oci"></a> [oci](#requirement\_oci) | >= 6.19.0 |
| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | ~> 1.42 |

## Providers

| Name | Version |
|------------------------------------------------------------|---------|
| <a name="provider_oci"></a> [oci](#provider\_oci) | 6.19.0 |
| <a name="provider_random"></a> [random](#provider\_random) | >= 3.1 |

## Modules

No modules.

## Resources

| [oci_identity_compartment.compartment](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/identity_compartment) |
data source |
| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
| [oci_identity_policy.admit_cspm_policy](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/identity_policy) |
resource |
| [sysdig_secure_cloud_auth_account_component.oracle_service_principal](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) |
resource |

## Inputs

| Name | Description | Type | Default | Required |
|------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|----------|------------------|:--------:|
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) True/False whether secure-for-cloud should be deployed in an organizational setup | `bool` | `false` | no |
| <a name="input_tenancy_ocid"></a> [tenancy\_ocid](#input\_tenancy\_ocid) | (Required) Customer tenant OCID | `string` | n/a | yes |
| <a name="input_compartment_ocid"></a> [compartment\_ocid](#input\_compartment\_ocid) | (Optional) Customer compartment OCID | `string` | `""` | no |
| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account) | `string` | n/a | yes |

## Outputs

| Name | Description |
|----------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------|
| <a name="output_service_principal_component_id"></a> [sysdig\_service\_principal\_component\_id](#output\_service\_principal\_component\_id) | Component identifier of Service Principal created in Sysdig Backend for Config Posture |

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

## Authors

Module is maintained by [Sysdig](https://sysdig.com).

## License

Apache 2 Licensed. See LICENSE for full details.
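Review bot: the Resources table is missing its header row (`| Name | Type |` and the separator line), so it will not render as a table, and it omits the `sysdig_secure_trusted_oracle_app.config_posture` data source that main.tf reads; the Outputs row links `sysdig_service_principal_component_id` while outputs.tf names the output `service_principal_component_id`. The Providers table advertises `random >= 3.1` and `oci 6.19.0`, but versions.tf declares neither a random provider nor an oci version, and `is_organizational` is listed under Inputs although nothing in this module references it. Fix versions.tf and re-run the terraform-docs pre-commit hook rather than hand-editing the generated block, and say in the intro that `read all-resources` is granted to a group in a tenancy the customer does not control, so a reader can judge the scope before applying.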
60 changes: 60 additions & 0 deletions modules/config-posture/main.tf
@@ -0,0 +1,60 @@
#-----------------------------------------------------------------------------------------
# Fetch the data sources
#-----------------------------------------------------------------------------------------

data "sysdig_secure_trusted_oracle_app" "config_posture" {
name = "config_posture"
}

// compartment data to populate policies if onboarding a compartment
data "oci_identity_compartment" "compartment" {
count = var.compartment_ocid != "" ? 1 : 0
id = var.compartment_ocid
}


// random suffix for policy name
resource "random_id" "suffix" {
byte_length = 3
}

#-----------------------------------------------------------------------------------------
# Admit policy to allow Sysdig Tenant to read resources
#-----------------------------------------------------------------------------------------

resource "oci_identity_policy" "admit_cspm_policy" {
name = "AdmitSysdigSecureTenantConfigPosture-${random_id.suffix.hex}"
description = "Config Posture policy to allow read all resources in tenant/compartment"
compartment_id = var.tenancy_ocid
statements = [
"Define tenancy sysdigTenancy as ${data.sysdig_secure_trusted_oracle_app.config_posture.tenancy_ocid}",
"Define group configPostureGroup as ${data.sysdig_secure_trusted_oracle_app.config_posture.group_ocid}",
var.compartment_ocid != "" ?
"Admit group configPostureGroup of tenancy sysdigTenancy to read all-resources in compartment ${data.oci_identity_compartment.compartment[0].name}"
:
"Admit group configPostureGroup of tenancy sysdigTenancy to read all-resources in tenancy",
]
}

#--------------------------------------------------------------------------------------------------------------
# Call Sysdig Backend to add the service-principal integration for Config Posture to the Sysdig Cloud Account
#--------------------------------------------------------------------------------------------------------------
resource "sysdig_secure_cloud_auth_account_component" "oracle_service_principal" {
account_id = var.sysdig_secure_account_id
type = "COMPONENT_SERVICE_PRINCIPAL"
instance = "secure-posture"
version = "v0.1.0"
service_principal_metadata = jsonencode({
oci = {
api_key = {
user_id = data.sysdig_secure_trusted_oracle_app.config_posture.user_ocid
}
policy = {
policy_id = oci_identity_policy.admit_cspm_policy.id
}
}
})
depends_on = [
oci_identity_policy.admit_cspm_policy
]
}
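Review bot: the compartment branch of `statements` identifies the target with `data.oci_identity_compartment.compartment[0].name`, but the policy is attached to the root (`compartment_id = var.tenancy_ocid`, which is where Admit statements have to live), so a compartment nested below the root will not resolve by bare name. Use the OCID form, `Admit group configPostureGroup of tenancy sysdigTenancy to read all-resources in compartment id ${var.compartment_ocid}`, which also removes the need for the data source, or build the full colon-separated path. The explicit `depends_on = [oci_identity_policy.admit_cspm_policy]` is redundant because `policy_id = oci_identity_policy.admit_cspm_policy.id` already creates that dependency. Since `var.is_organizational` is never referenced here, an organizational install produces exactly the same policy as a tenancy install; either drop the variable from this module or document that it is a pass-through.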
5 changes: 5 additions & 0 deletions modules/config-posture/outputs.tf
@@ -0,0 +1,5 @@
output "service_principal_component_id" {
value = "${sysdig_secure_cloud_auth_account_component.oracle_service_principal.type}/${sysdig_secure_cloud_auth_account_component.oracle_service_principal.instance}"
description = "Component identifier of Service Principal created in Sysdig Backend for Config Posture"
depends_on = [sysdig_secure_cloud_auth_account_component.oracle_service_principal]
}
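Review bot: the `depends_on` on `sysdig_secure_cloud_auth_account_component.oracle_service_principal` is redundant, since `value` already references that resource's `type` and `instance`; drop it. The description says "Component identifier of Service Principal created in Sysdig Backend", but the value is the locally composed string `COMPONENT_SERVICE_PRINCIPAL/secure-posture`, not an identifier returned by the backend; reword the description (or expose the resource's `id` attribute) so consumers know what they are getting.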
21 changes: 21 additions & 0 deletions modules/config-posture/variables.tf
@@ -0,0 +1,21 @@
variable "is_organizational" {
type = bool
default = false
description = "(Optional) True/False whether secure-for-cloud should be deployed in an organizational setup"
}

variable "tenancy_ocid" {
type = string
description = "(Required) Customer tenant OCID"
}

variable "compartment_ocid" {
type = string
default = ""
description = "(Optional) Customer compartment OCID"
}

variable "sysdig_secure_account_id" {
type = string
description = "(Required) ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account)"
}
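Review bot: `tenancy_ocid`, `compartment_ocid` and `sysdig_secure_account_id` accept any string, so a typo only surfaces when OCI rejects the policy at apply time; add `validation` blocks, e.g. `condition = can(regex("^ocid1\\.tenancy\\.", var.tenancy_ocid))` for the tenancy and `condition = var.compartment_ocid == "" || can(regex("^ocid1\\.compartment\\.", var.compartment_ocid))` for the optional compartment. `is_organizational` is declared with a description but is not used anywhere in this module; remove it or wire it in.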
12 changes: 12 additions & 0 deletions modules/config-posture/versions.tf
@@ -0,0 +1,12 @@
terraform {
required_version = ">= 1.0.0"
required_providers {
sysdig = {
source = "sysdiglabs/sysdig"
version = "~> 1.42"
}
oci = {
source = "hashicorp/oci"
}
}
}
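Review bot: `random_id.suffix` in main.tf uses the random provider, but `required_providers` does not declare it, so Terraform falls back to an implicit `hashicorp/random` with no version bound, contradicting the `>= 3.1` the README advertises; add `random = { source = "hashicorp/random", version = ">= 3.1" }`. Likewise `oci` has a `source` but no `version` while the README states `>= 6.19.0`; pin it, and prefer `source = "oracle/oci"`, which is the registry namespace the README's resource links already point to.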
77 changes: 77 additions & 0 deletions modules/onboarding/README.md
@@ -0,0 +1,77 @@
# Oracle Cloud Onboarding Module

This module will deploy foundational onboarding resources in Oracle for a compartment or root tenancy.

The following resources will be created in each instrumented compartment/tenancy:

- An Admit Policy on the target tenant that will allow sysdig tenant to `inspect` compartments in the specified
compartment/tenancy.
- A cloud account in the Sysdig Backend, associated with the specified compartment/tenant and with the required
component to serve the foundational functions.
- A cloud organization in the Sysdig Backend, associated with the specified compartment/tenant to fetch the organization
structure(compartment tree) to install Sysdig Secure for Cloud.

Note:

- The outputs from the foundational module, such as `sysdig_secure_account_id` are needed as inputs to the other
features/integrations modules for subsequent modular installations.

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

## Requirements

| Name | Version |
|---------------------------------------------------------------------------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
| <a name="requirement_oci"></a> [oci](#requirement\_oci) | >= 6.19.0 |
| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | ~> 1.42 |

## Providers

| Name | Version |
|------------------------------------------------------------|---------|
| <a name="provider_oci"></a> [oci](#provider\_oci) | 6.19.0 |
| <a name="provider_random"></a> [random](#provider\_random) | >= 3.1 |

## Modules

No modules.

## Resources

| [oci_identity_compartment.compartment](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/identity_compartment) |
data source |
| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
| [oci_identity_policy.admit_onboarding_policy](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/identity_policy) |
resource |
| [sysdig_secure_cloud_auth_account.oracle_account](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account) |
resource |
| [sysdig_secure_organization.oracle_organization](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_organization) |
resource |

## Inputs

| Name | Description | Type | Default | Required |
|-----------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------|----------|------------------|:--------:|
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) True/False whether secure-for-cloud should be deployed in an organizational setup | `bool` | `false` | no |
| <a name="input_tenancy_ocid"></a> [tenancy\_ocid](#input\_tenancy\_ocid) | (Required) Customer tenant OCID | `string` | n/a | yes |
| <a name="input_compartment_ocid"></a> [compartment\_ocid](#input\_compartment\_ocid) | (Optional) Customer compartment OCID | `string` | `""` | no |

## Outputs

| Name | Description |
|--------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------|
| <a name="output_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#output\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account created |
| <a name="output_is_organizational"></a> [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed as an organization |
| <a name="output_tenancy_ocid"></a> [tenancy\_ocid](#output\_tenancy\_ocid) | Customer tenant OCID |
| <a name="output_compartment_ocid"></a> [compartment\_ocid](#output_compartment\_ocid) | Customer compartment OCID |

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

## Authors

Module is maintained by [Sysdig](https://sysdig.com).

## License

Apache 2 Licensed. See LICENSE for full details.
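Review bot: same documentation drift as the config-posture README: the Resources table has no header row, omits the `sysdig_secure_trusted_oracle_app.onboarding` data source, the Providers table lists `random` and an `oci` version that versions.tf does not declare, and the `compartment_ocid` output anchor `#output_compartment\_ocid` is missing the escape on its first underscore, so that link will break. The intro should also say that the Sysdig organization resource is only created when `is_organizational` is true, and that the `inspect compartments` grant is restricted to the given compartment when `compartment_ocid` is set; as written, a reader cannot tell from this page what an organizational install does differently.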
78 changes: 78 additions & 0 deletions modules/onboarding/main.tf
@@ -0,0 +1,78 @@
#-----------------------------------------------------------------------------------------
# Fetch the data sources
#-----------------------------------------------------------------------------------------

data "sysdig_secure_trusted_oracle_app" "onboarding" {
name = "onboarding"
}

// compartment data to populate policies if onboarding a compartment
data "oci_identity_compartment" "compartment" {
count = var.compartment_ocid != "" ? 1 : 0
id = var.compartment_ocid
}


// random suffix for policy name
resource "random_id" "suffix" {
byte_length = 3
}

#-----------------------------------------------------------------------------------------
# Admit policy to allow Sysdig Tenant to read resources
#-----------------------------------------------------------------------------------------

resource "oci_identity_policy" "admit_onboarding_policy" {
name = "AdmitSysdigSecureTenantOnboarding-${random_id.suffix.hex}"
description = "Onboarding policy to allow inspect compartments in tenant/compartment"
compartment_id = var.tenancy_ocid
statements = [
"Define tenancy sysdigTenancy as ${data.sysdig_secure_trusted_oracle_app.onboarding.tenancy_ocid}",
"Define group onboardingGroup as ${data.sysdig_secure_trusted_oracle_app.onboarding.group_ocid}",
"Admit group onboardingGroup of tenancy sysdigTenancy to inspect tenancies in tenancy",
var.compartment_ocid != "" ?
"Admit group onboardingGroup of tenancy sysdigTenancy to inspect compartments in compartment ${data.oci_identity_compartment.compartment[0].name}"
:
"Admit group onboardingGroup of tenancy sysdigTenancy to inspect compartments in tenancy",
]
}


#---------------------------------------------------------------------------------------------
# Call Sysdig Backend to create account with foundational onboarding
# (ensure it is called after all above cloud resources are created using explicit depends_on)
#---------------------------------------------------------------------------------------------
resource "sysdig_secure_cloud_auth_account" "oracle_account" {
enabled = true
provider_tenant_id = var.tenancy_ocid // tenancy ocid
// when compartmentID is not specified, default to the rootCompartmentOCID which is the same value as tenancyOCID
provider_id = var.compartment_ocid == "" ? var.tenancy_ocid : var.compartment_ocid
provider_type = "PROVIDER_ORACLECLOUD"

component {
type = "COMPONENT_SERVICE_PRINCIPAL"
instance = "secure-onboarding"
version = "v0.1.0"
service_principal_metadata = jsonencode({
oci = {
api_key = {
user_id = data.sysdig_secure_trusted_oracle_app.onboarding.user_ocid
}
policy = {
policy_id = oci_identity_policy.admit_onboarding_policy.id
}
}
})
}

lifecycle {
# features and components are managed outside this module
ignore_changes = [
component,
feature
]
}
depends_on = [
oci_identity_policy.admit_onboarding_policy
]
}
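Review bot: `lifecycle { ignore_changes = [component, feature] }` means that if `oci_identity_policy.admit_onboarding_policy` is ever replaced (its `id` changes), the new `policy_id` inside `service_principal_metadata` will never be pushed to the Sysdig backend, leaving the account pointing at a deleted policy; at minimum document this, or narrow the ignore to the attributes that are genuinely managed elsewhere. The section banner `# Admit policy to allow Sysdig Tenant to read resources` was copied from config-posture; this policy grants `inspect`, not `read`, so fix the comment. As in config-posture, the compartment branch uses the bare compartment `name` on a root-level policy, which does not resolve for nested compartments; `in compartment id ${var.compartment_ocid}` avoids that. The trailing `depends_on` is again redundant given the `policy_id` reference.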
12 changes: 12 additions & 0 deletions modules/onboarding/organizational.tf
@@ -0,0 +1,12 @@
#---------------------------------------------------------------------------------------------
# Call Sysdig Backend to create organization with foundational onboarding
# (ensure it is called after all above cloud resources are created)
#---------------------------------------------------------------------------------------------
resource "sysdig_secure_organization" "oracle_organization" {
count = var.is_organizational ? 1 : 0
management_account_id = sysdig_secure_cloud_auth_account.oracle_account.id
depends_on = [
oci_identity_policy.admit_onboarding_policy,
sysdig_secure_cloud_auth_account.oracle_account
]
}
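Review bot: both entries in `depends_on` are redundant: `management_account_id = sysdig_secure_cloud_auth_account.oracle_account.id` already orders this after the account, and the account itself depends on the policy, so drop the block. More importantly, nothing ties `is_organizational` to the policy shape in main.tf: with `is_organizational = true` and a non-empty `compartment_ocid`, the onboarding group can only `inspect compartments` inside that compartment, so the organization created here will only see that subtree; either add a variable `validation` that rejects the combination or state in the README that this is the supported way to onboard a sub-tree.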
19 changes: 19 additions & 0 deletions modules/onboarding/outputs.tf
@@ -0,0 +1,19 @@
output "tenancy_ocid" {
value = var.tenancy_ocid
description = "Customer tenancy OCID"
}

output "compartment_ocid" {
value = var.compartment_ocid
description = "Customer compartment OCID"
}

output "sysdig_secure_account_id" {
value = sysdig_secure_cloud_auth_account.oracle_account.id
description = "ID of the Sysdig Cloud Account created"
}

output "is_organizational" {
value = var.is_organizational
description = "Boolean value to indicate if secure-for-cloud is deployed to an entire Oracle organization or not"
}
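Review bot: the descriptions here do not match the README's Outputs table (`Customer tenancy OCID` vs `Customer tenant OCID`; the `is_organizational` text differs entirely), which means the terraform-docs hook was not re-run after editing; regenerate so they agree. `compartment_ocid` echoes the raw input and is `""` when not set, while the account in main.tf falls back to `var.tenancy_ocid` for `provider_id`; config-posture treats `""` the same way, so the contract is consistent, but a sentence in the description saying so would save the next module author a trip through main.tf.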
17 changes: 17 additions & 0 deletions modules/onboarding/variables.tf
@@ -0,0 +1,17 @@
variable "is_organizational" {
type = bool
default = false
description = "(Optional) True/False whether secure-for-cloud should be deployed in an organizational setup"
}

variable "tenancy_ocid" {
type = string
description = "(Required) Customer tenant OCID"
}

variable "compartment_ocid" {
type = string
default = ""
description = "(Optional) Customer compartment OCID"
}

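Review bot: this file duplicates the three shared variables from modules/config-posture/variables.tf with the same missing `validation` blocks, so an OCID typo is only caught when OCI rejects the policy; add the same `^ocid1\\.tenancy\\.` and `^ocid1\\.compartment\\.` checks in both places (or factor the variables into a shared module) and drop the trailing blank line at the end of the file.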
12 changes: 12 additions & 0 deletions modules/onboarding/versions.tf
@@ -0,0 +1,12 @@
terraform {
required_version = ">= 1.0.0"
required_providers {
sysdig = {
source = "sysdiglabs/sysdig"
version = "~> 1.42"
}
oci = {
source = "hashicorp/oci"
}
}
}
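Review bot: identical to the config-posture versions.tf, so the same fixes apply: declare `random` (used by `random_id.suffix`) with `version = ">= 3.1"`, give `oci` the `>= 6.19.0` constraint the README promises, and use `source = "oracle/oci"`. Two byte-identical versions.tf files that must be kept in sync are a maintenance trap on their own; a comment pointing at the other copy, or a shared constraints file, would help.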

0 comments on commit 3a25e15