diff --git a/examples/organization/README.md b/examples/organization/README.md
index accecf6..2e4981d 100644
--- a/examples/organization/README.md
+++ b/examples/organization/README.md
@@ -46,7 +46,7 @@ module "secure-for-cloud_example_organization" {
source = "sysdiglabs/secure-for-cloud/google//examples/organization"
project_id = "your-project-id"
- project_scan_ids = ["project-to-scan-1", "project-to-scan-2"]
+ repository_project_ids = ["project-to-scan-1", "project-to-scan-2"]
sysdig_secure_api_token = "00000000-1111-2222-3333-444444444444"
organization_domain = "your-domain.com"
}
@@ -96,15 +96,16 @@ module "secure-for-cloud_example_organization" {
|------|-------------|------|---------|:--------:|
| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | n/a | yes |
| [project\_id](#input\_project\_id) | Organization member project ID where the secure-for-cloud workload is going to be deployed | `string` | n/a | yes |
-| [project\_scan\_ids](#input\_project\_scan\_ids) | Projects where a subscription must be created to pull events from their GCR topics. Warning, the topic called `gcr` must already exist in each provided project. | `list(string)` | n/a | yes |
| [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig's Secure API Token | `string` | n/a | yes |
-| [benchmark\_project\_ids](#input\_benchmark\_project\_ids) | Google cloud project IDs to run Benchmarks on | `list(string)` | `[]` | no |
+| [benchmark\_project\_ids](#input\_benchmark\_project\_ids) | Google cloud project IDs to run Benchmarks on. If empty, all organization projects will be defaulted. | `list(string)` | `[]` | no |
| [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all regions by default. | `list(string)` | `[]` | no |
| [benchmark\_role\_name](#input\_benchmark\_role\_name) | The name of the Service Account that will be created. | `string` | `"sysdigcloudbench"` | no |
+| [create\_gcr\_topic](#input\_create\_gcr\_topic) | Deploys a PubSub topic called `gcr` as part of this stack, which is needed for GCR scanning. Set to `true` if it doesn't exist yet. If this is not deployed, and no existing `gcr` topic is found, the GCR scanning is ommited and won't be deployed. For more info see [GCR PubSub topic](https://cloud.google.com/container-registry/docs/configuring-notifications#create_a_topic). | `bool` | `true` | no |
| [deploy\_bench](#input\_deploy\_bench) | whether benchmark module is to be deployed | `bool` | `true` | no |
| [location](#input\_location) | Zone where the stack will be deployed | `string` | `"us-central1"` | no |
| [max\_instances](#input\_max\_instances) | Max number of instances for the workloads | `number` | `1` | no |
| [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
+| [repository\_project\_ids](#input\_repository\_project\_ids) | Projects were a `gcr`-named topic will be to subscribe to its repository events. If empty, all organization projects will be defaulted. | `list(string)` | `[]` | no |
| [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
## Outputs
diff --git a/examples/organization/main.tf b/examples/organization/main.tf
index 0a88258..9813598 100644
--- a/examples/organization/main.tf
+++ b/examples/organization/main.tf
@@ -123,6 +123,15 @@ module "secure_secrets" {
name = var.name
}
+
+#--------------------
+# scanning
+#--------------------
+locals {
+ repository_project_ids = length(var.repository_project_ids) == 0 ? [for p in data.google_projects.all_projects.projects : p.project_id] : var.repository_project_ids
+}
+
+
module "cloud_scanning" {
source = "../../modules/services/cloud-scanning"
@@ -135,15 +144,15 @@ module "cloud_scanning" {
cloud_scanning_sa_email = google_service_account.scanning_sa.email
scanning_pubsub_topic_id = module.connector_organization_sink.pubsub_topic_id
project_id = var.project_id
- create_gcr_topic = false # We assume all the project_scan_ids have a topic created called gcr
- project_scan_ids = var.project_scan_ids
+ create_gcr_topic = var.create_gcr_topic
+ repository_project_ids = local.repository_project_ids
max_instances = var.max_instances
}
-#######################
-# BENCHMARKS #
-#######################
+#--------------------
+# benchmark
+#--------------------
locals {
benchmark_projects_ids = length(var.benchmark_project_ids) == 0 ? [for p in data.google_projects.all_projects.projects : p.project_id] : var.benchmark_project_ids
diff --git a/examples/organization/variables.tf b/examples/organization/variables.tf
index 81802e6..cafd3e0 100644
--- a/examples/organization/variables.tf
+++ b/examples/organization/variables.tf
@@ -14,11 +14,6 @@ variable "project_id" {
description = "Organization member project ID where the secure-for-cloud workload is going to be deployed"
}
-variable "project_scan_ids" {
- type = list(string)
- description = "Projects where a subscription must be created to pull events from their GCR topics. Warning, the topic called `gcr` must already exist in each provided project."
-}
-
# --------------------------
# optionals, with defaults
# --------------------------
@@ -51,6 +46,30 @@ variable "max_instances" {
default = 1
}
+
+# scanning
+
+variable "repository_project_ids" {
+ default = []
+ type = list(string)
+ description = "Projects were a `gcr`-named topic will be to subscribe to its repository events. If empty, all organization projects will be defaulted."
+}
+
+variable "create_gcr_topic" {
+ type = bool
+ description = "Deploys a PubSub topic called `gcr` as part of this stack, which is needed for GCR scanning. Set to `true` if it doesn't exist yet. If this is not deployed, and no existing `gcr` topic is found, the GCR scanning is ommited and won't be deployed. For more info see [GCR PubSub topic](https://cloud.google.com/container-registry/docs/configuring-notifications#create_a_topic)."
+ default = true
+}
+
+
+# benchmark
+
+variable "deploy_bench" {
+ type = bool
+ description = "whether benchmark module is to be deployed"
+ default = true
+}
+
variable "benchmark_regions" {
type = list(string)
description = "List of regions in which to run the benchmark. If empty, the task will contain all regions by default."
@@ -60,7 +79,7 @@ variable "benchmark_regions" {
variable "benchmark_project_ids" {
default = []
type = list(string)
- description = "Google cloud project IDs to run Benchmarks on"
+ description = "Google cloud project IDs to run Benchmarks on. If empty, all organization projects will be defaulted."
}
variable "benchmark_role_name" {
@@ -68,9 +87,3 @@ variable "benchmark_role_name" {
description = "The name of the Service Account that will be created."
default = "sysdigcloudbench"
}
-
-variable "deploy_bench" {
- type = bool
- description = "whether benchmark module is to be deployed"
- default = true
-}
diff --git a/examples/single-project/main.tf b/examples/single-project/main.tf
index 93785e3..cd0e880 100644
--- a/examples/single-project/main.tf
+++ b/examples/single-project/main.tf
@@ -87,7 +87,7 @@ module "cloud_scanning" {
scanning_pubsub_topic_id = module.scanning_project_sink.pubsub_topic_id
create_gcr_topic = var.create_gcr_topic
project_id = var.project_id
- project_scan_ids = [var.project_id]
+ repository_project_ids = [var.project_id]
secure_api_token_secret_id = module.secure_secrets.secure_api_token_secret_name
sysdig_secure_api_token = var.sysdig_secure_api_token
diff --git a/modules/services/cloud-bench/README.md b/modules/services/cloud-bench/README.md
index 3bda383..cf8ab98 100644
--- a/modules/services/cloud-bench/README.md
+++ b/modules/services/cloud-bench/README.md
@@ -43,7 +43,7 @@ No resources.
| [is\_organizational](#input\_is\_organizational) | Whether this task is being created at the org or project level | `bool` | `false` | no |
| [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no |
| [project\_id](#input\_project\_id) | ID of project to run the benchmark on | `string` | `""` | no |
-| [project\_ids](#input\_project\_ids) | IDs of projects to run the benchmark on | `list(string)` | `[]` | no |
+| [project\_ids](#input\_project\_ids) | IDs of projects to run the benchmark on. If empty, all organization projects will be defaulted. | `list(string)` | `[]` | no |
| [regions](#input\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all regions by default. | `list(string)` | `[]` | no |
| [role\_name](#input\_role\_name) | The name of the Service Account that will be created. | `string` | `"sysdigcloudbench"` | no |
diff --git a/modules/services/cloud-bench/variables.tf b/modules/services/cloud-bench/variables.tf
index 8b54dd2..0348c40 100644
--- a/modules/services/cloud-bench/variables.tf
+++ b/modules/services/cloud-bench/variables.tf
@@ -20,7 +20,7 @@ variable "project_id" {
# For organizational
variable "project_ids" {
type = list(string)
- description = "IDs of projects to run the benchmark on"
+ description = "IDs of projects to run the benchmark on. If empty, all organization projects will be defaulted."
default = []
}
diff --git a/modules/services/cloud-scanning/README.md b/modules/services/cloud-scanning/README.md
index 23796bc..5ad18a3 100644
--- a/modules/services/cloud-scanning/README.md
+++ b/modules/services/cloud-scanning/README.md
@@ -11,7 +11,7 @@ module "cloud_scanning_gcp" {
sysdig_secure_api_token = "00000000-1111-2222-3333-444444444444"
sysdig_secure_endpoint = "https://secure.sysdig.com"
- project_scan_ids = ["project-id-to-scan"]
+ repository_project_ids = ["project-id-to-scan"]
# Set to "false" if there's an existing PubSub topic called "gcr"
create_gcr_topic = true
@@ -56,18 +56,18 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [cloud\_scanning\_sa\_email](#input\_cloud\_scanning\_sa\_email) | Cloud Connector service account email | `string` | n/a | yes |
-| [create\_gcr\_topic](#input\_create\_gcr\_topic) | Deploys a PubSub topic called `gcr` as part of this stack, which is needed for GCR scanning. Set to `true` only if it doesn't exist yet. If this is not deployed, and no existing `gcr` topic is found, the GCR scanning is ommited and won't be deployed. For more info see [GCR PubSub topic](https://cloud.google.com/container-registry/docs/configuring-notifications#create_a_topic). | `bool` | n/a | yes |
| [project\_id](#input\_project\_id) | organizational member project ID where the secure-for-cloud workload is going to be deployed | `string` | n/a | yes |
| [scanning\_pubsub\_topic\_id](#input\_scanning\_pubsub\_topic\_id) | Cloud Scanning PubSub single account topic id | `string` | n/a | yes |
| [secure\_api\_token\_secret\_id](#input\_secure\_api\_token\_secret\_id) | Sysdig Secure API token secret id | `string` | n/a | yes |
| [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig's Secure API Token | `string` | n/a | yes |
| [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig's Secure API URL | `string` | n/a | yes |
+| [create\_gcr\_topic](#input\_create\_gcr\_topic) | true / false whether a `gcr`-named pubsub topic will be created. Needed for GCR scanning. If this topic does not exist nor is created, the GCR scanning is ommited and won't be deployed. For more info see [GCR PubSub topic](https://cloud.google.com/container-registry/docs/configuring-notifications#create_a_topic). | `bool` | `true` | no |
| [extra\_envs](#input\_extra\_envs) | Extra environment variables for the Cloud Scanning instance | `map(string)` | `{}` | no |
| [image\_name](#input\_image\_name) | Cloud scanning image to deploy | `string` | `"gcr.io/mateo-burillo-ns/cloud-scanning:latest"` | no |
| [location](#input\_location) | Zone where the cloud scanning will be deployed | `string` | `"us-central1"` | no |
| [max\_instances](#input\_max\_instances) | Max number of instances for the Cloud Scanning | `number` | `1` | no |
| [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc-cloudscanning"` | no |
-| [project\_scan\_ids](#input\_project\_scan\_ids) | Projects where a subscription must be created to pull events from their GCR topics to scan their images. Warning, a topic called `gcr` must already exist in each provided project. | `list(string)` | `[]` | no |
+| [repository\_project\_ids](#input\_repository\_project\_ids) | Projects were a `gcr`-named topic will be to subscribe to its repository events. If empty, all organization projects will be defaulted. | `list(string)` | `[]` | no |
| [verify\_ssl](#input\_verify\_ssl) | Verify the SSL certificate of the Secure endpoint | `bool` | `true` | no |
## Outputs
diff --git a/modules/services/cloud-scanning/gcr.tf b/modules/services/cloud-scanning/gcr.tf
index 4f51983..120befc 100644
--- a/modules/services/cloud-scanning/gcr.tf
+++ b/modules/services/cloud-scanning/gcr.tf
@@ -5,6 +5,9 @@ locals {
# https://cloud.google.com/container-registry/docs/configuring-notifications
# https://cloud.google.com/artifact-registry/docs/configure-notifications
gcr_topic_name = "gcr"
+
+ # currently all projects are subject to a single `create_gcr_topic` variable
+ repository_project_ids_create_topic = var.create_gcr_topic ? var.repository_project_ids : []
}
@@ -21,13 +24,14 @@ resource "google_project_iam_member" "builder" {
}
resource "google_pubsub_topic" "gcr" {
- count = var.create_gcr_topic ? 1 : 0
- name = local.gcr_topic_name
+ for_each = toset(local.repository_project_ids_create_topic)
+ name = local.gcr_topic_name
+ project = each.key
}
resource "google_pubsub_subscription" "gcr" {
- for_each = toset(var.project_scan_ids)
+ for_each = toset(var.repository_project_ids)
name = "${var.name}-gcr-${each.key}"
topic = "projects/${each.key}/topics/${local.gcr_topic_name}"
diff --git a/modules/services/cloud-scanning/variables.tf b/modules/services/cloud-scanning/variables.tf
index 140443e..e2edff3 100644
--- a/modules/services/cloud-scanning/variables.tf
+++ b/modules/services/cloud-scanning/variables.tf
@@ -4,11 +4,6 @@ variable "cloud_scanning_sa_email" {
description = "Cloud Connector service account email"
}
-variable "create_gcr_topic" {
- type = bool
- description = "Deploys a PubSub topic called `gcr` as part of this stack, which is needed for GCR scanning. Set to `true` only if it doesn't exist yet. If this is not deployed, and no existing `gcr` topic is found, the GCR scanning is ommited and won't be deployed. For more info see [GCR PubSub topic](https://cloud.google.com/container-registry/docs/configuring-notifications#create_a_topic)."
-}
-
variable "secure_api_token_secret_id" {
type = string
description = "Sysdig Secure API token secret id"
@@ -40,6 +35,21 @@ variable "project_id" {
# optionals, with defaults
# --------------------------
+variable "create_gcr_topic" {
+ type = bool
+ description = "true / false whether a `gcr`-named pubsub topic will be created. Needed for GCR scanning. If this topic does not exist nor is created, the GCR scanning is ommited and won't be deployed. For more info see [GCR PubSub topic](https://cloud.google.com/container-registry/docs/configuring-notifications#create_a_topic)."
+ default = true
+}
+
+
+variable "repository_project_ids" {
+ type = list(string)
+ description = "Projects were a `gcr`-named topic will be to subscribe to its repository events. If empty, all organization projects will be defaulted."
+ default = []
+}
+
+
+
variable "verify_ssl" {
type = bool
description = "Verify the SSL certificate of the Secure endpoint"
@@ -75,9 +85,3 @@ variable "max_instances" {
description = "Max number of instances for the Cloud Scanning"
default = 1
}
-
-variable "project_scan_ids" {
- type = list(string)
- description = "Projects where a subscription must be created to pull events from their GCR topics to scan their images. Warning, a topic called `gcr` must already exist in each provided project."
- default = []
-}
diff --git a/test/fixtures/organization/main.tf b/test/fixtures/organization/main.tf
index 398db68..1c2d0ca 100644
--- a/test/fixtures/organization/main.tf
+++ b/test/fixtures/organization/main.tf
@@ -4,18 +4,15 @@ resource "random_string" "random" {
upper = false
}
-resource "google_pubsub_topic" "gcr" {
- project = var.project_id
- name = "gcr"
-}
-
module "sfc_example_organization" {
source = "../../../examples/organization"
- organization_domain = var.organization_domain
sysdig_secure_api_token = var.sysdig_secure_api_token
- name = "sfc${random_string.random.result}"
- project_id = var.project_id
- project_scan_ids = [var.project_id]
- deploy_bench = false
+ sysdig_secure_endpoint = var.sysdig_secure_endpoint
+
+ organization_domain = var.organization_domain
+ name = "sfc${random_string.random.result}"
+ project_id = var.project_id
+ repository_project_ids = [var.project_id]
+ deploy_bench = false
}
diff --git a/test/fixtures/organization/variables.tf b/test/fixtures/organization/variables.tf
index cecb689..911ae6f 100644
--- a/test/fixtures/organization/variables.tf
+++ b/test/fixtures/organization/variables.tf
@@ -1,3 +1,9 @@
+variable "sysdig_secure_endpoint" {
+ type = string
+ default = "https://secure.sysdig.com"
+ description = "Sysdig Secure API endpoint"
+}
+
variable "sysdig_secure_api_token" {
type = string
description = "Sysdig secure api token"
diff --git a/test/fixtures/single-project/main.tf b/test/fixtures/single-project/main.tf
index 3a5ca87..ed434f1 100644
--- a/test/fixtures/single-project/main.tf
+++ b/test/fixtures/single-project/main.tf
@@ -8,8 +8,8 @@ module "sfc_example_single_project" {
source = "../../../examples/single-project"
sysdig_secure_api_token = var.sysdig_secure_api_token
+ sysdig_secure_endpoint = var.sysdig_secure_endpoint
name = "sfc${random_string.random.result}"
- create_gcr_topic = true
project_id = var.project_id
deploy_bench = false
}
diff --git a/test/fixtures/single-project/variables.tf b/test/fixtures/single-project/variables.tf
index 69e8285..5c78db2 100644
--- a/test/fixtures/single-project/variables.tf
+++ b/test/fixtures/single-project/variables.tf
@@ -4,6 +4,12 @@ variable "sysdig_secure_api_token" {
sensitive = true
}
+variable "sysdig_secure_endpoint" {
+ type = string
+ default = "https://secure.sysdig.com"
+ description = "Sysdig Secure API endpoint"
+}
+
variable "project_id" {
type = string
description = "Project ID where the secure-for-cloud workload is going to be deployed"