Merge remote-tracking branch 'origin/master'

Author: iru

.github/workflows/pre-commit.yaml

@@ -60,6 +60,7 @@ jobs:
         run: |
           pip install pre-commit
           go install github.com/hashicorp/terraform-config-inspect@latest
+          make deps
       - name: Initialize terraform modules
         if: ${{ matrix.directory !=  '.' }}
         run: |
@@ -112,9 +113,7 @@ jobs:
       - name: Install pre-commit dependencies
         run: |
           pip install pre-commit
-          go install github.com/terraform-docs/[email protected]
-          go install github.com/hashicorp/terraform-config-inspect@latest
-          curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/
+          make deps
       - name: Execute pre-commit
         # Run all pre-commit checks on max version supported
         if: ${{ matrix.version ==  needs.getBaseVersion.outputs.maxVersion }}

.pre-commit-config.yaml

@@ -38,6 +38,7 @@ repos:
           - '--args=--only=terraform_required_providers'
           - '--args=--only=terraform_standard_module_structure'
           - '--args=--only=terraform_workspace_remote'
+      - id: terrascan
   - repo: local
     hooks:
       - id: terraform_init

CODEOWNERS

@@ -1 +1,4 @@
 * @sysdiglabs/cloud-native
+
+# compliance
+/modules/services/cloud-bench/ @haresh-suresh  @nkraemer-sysdig @sysdiglabs/cloud-native

Makefile

@@ -5,6 +5,11 @@ deps:
 		unzip tflint.zip && \
 		rm tflint.zip && \
 		mv tflint "`go env GOPATH`/bin"
+	curl -L https://github.com/tenable/terrascan/releases/download/v1.9.0/terrascan_1.9.0_Linux_x86_64.tar.gz -o terrascan.tar.gz && \
+		tar -xf terrascan.tar.gz terrascan && \
+		rm terrascan.tar.gz && \
+		install terrascan "`go env GOPATH`/bin" && \
+		rm terrascan
 
 clean:
 	find -name ".terraform" -type d | xargs rm -rf

README.md

@@ -135,9 +135,9 @@ A: On your Google Cloud account, search for "APIs & Services > Enabled APIs & Se
 $ gcloud services list --enabled
 ```
 
-### Q: Getting  "googleapi: 403 Permission *** denied for resource"
+### Q: Getting  "googleapi: 403 ***"
 A: This may happen because permissions are not enough, API services were not correctly enabled, or you're not correctly authenticated for terraform google prolvider.
-<br/>S: Verify [permissions](#prerequisites), [api-services](apis), and that the [Terraform Google Provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/getting_started#configuring-the-provider) authentication has been correctly setup.
+<br/>S: Verify [permissions](#prerequisites), [api-services](#apis), and that the [Terraform Google Provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/getting_started#configuring-the-provider) authentication has been correctly setup.
 You can also launch the following terraform manifest to check whether you're authenticated with what you expect
 
 ```
@@ -208,6 +208,8 @@ $ terraform import 'module.secure-for-cloud_example_organization.module.cloud_be
 $ terraform import 'module.secure-for-cloud_example_organization.module.cloud_bench[0].module.trust_relationship["<YOUR_PROJECT_ID>"].google_iam_workload_identity_pool_provider.pool_provider' sysdigcloud/sysdigcloud
  ```
 
+ Note: if you're using terragrunt, run `terragrunt import`
+
 ### Q: Getting "Error creating Topic: googleapi: Error 409: Resource already exists in the project (resource=gcr)"
 ```text
 │ Error: Error creating Topic: googleapi: Error 409: Resource already exists in the project (resource=gcr).
@@ -224,6 +226,7 @@ $ terraform import 'module.sfc_example_single_project.module.pubsub_http_subscri
 ```
 Contact us to develop a workaround for this, where the topic name is to be reused.
 
+Note: if you're using terragrunt, run `terragrunt import`
 
 ### Q: Getting "Cloud Run error: Container failed to start. Failed to start and then listen on the port defined by the PORT environment variable."
 A: If cloud-connector cloud run module cannot start it will give this error. The error is given by the health-check system, it's not specific to its PORT per-se
@@ -253,19 +256,21 @@ A: Verify that `gcr` topic exists. If `create_gcr_topic` is set to false and `gc
 
 ## Upgrading
 
-- Uninstall previous deployment resources before upgrading
+1. Uninstall previous deployment resources before upgrading
   ```
   $ terraform destroy
   ```
 
-- Upgrade the full terraform example with
+2. Upgrade the full terraform example with
   ```
   $ terraform init -upgrade
   $ terraform plan
   $ terraform apply
   ```
 
-- If required, you can upgrade cloud-connector component by restarting the task (stop task). Because it's not pinned to an specific version, it will download the latest one.
+- If the event-source is created throuh SFC, some events may get lost while upgrading with this approach. however, if the cloudtrail is re-used (normal production setup) events will be recovered once the ingestion resumes.
+
+- If required, you can upgrade cloud-connector component by restarting the task (stop task). Because it's not pinned to an specific version, it will download the `latest` one.
 
 <br/>
 

examples/single-project-k8s/credentials.tf

@@ -14,6 +14,11 @@ resource "google_project_iam_member" "event_receiver" {
 }
 
 resource "google_project_iam_member" "token_creator" {
+  # AC_GCP_0006
+  # Why: Image scanning is run from inside a container. As it needs to get the image from the registry it needs a token to get it from the registry.
+  # How to avoid security issues: As in the next implementation scanning will be run from within cloudrun which has needed permissions and won't need a token.
+  # Warning: Organization users musn't be able to impersonate as the created service account.
+  #ts:skip=AC_GCP_0006 Image scanning is run from inside a container. As it needs to get the image from the registry it needs a token to get it from the registry.
   project = data.google_client_config.current.project
   member  = "serviceAccount:${google_service_account.connector_sa.email}"
   role    = "roles/iam.serviceAccountTokenCreator"

modules/infrastructure/cloud_build_permission/main.tf

@@ -1,5 +1,10 @@
 # Required to execute cloud build runs with this same service account
 resource "google_project_iam_member" "service_account_user_itself" {
+  # AC_GCP_0006
+  # Why: Image scanning is run from inside a container. As it needs to get the image from the registry it needs a token to get it from the registry.
+  # How to avoid security issues: As in the next implementation scanning will be run from within cloudrun which has needed permissions and won't need a token.
+  # Warning: Organization users musn't be able to impersonate as the created service account.
+  #ts:skip=AC_GCP_0006 Image scanning is run from inside a container. As it needs to get the image from the registry it needs a token to get it from the registry.
   project = var.project_id
   role    = "roles/iam.serviceAccountUser"
   member  = "serviceAccount:${var.cloud_connector_sa_email}"

modules/services/cloud-connector/README.md

@@ -64,7 +64,7 @@ No modules.
 | <a name="input_cpu"></a> [cpu](#input\_cpu) | Amount of CPU to reserve for cloud-connector cloud run service | `string` | `"1"` | no |
 | <a name="input_deploy_scanning"></a> [deploy\_scanning](#input\_deploy\_scanning) | true/false whether scanning module is to be deployed | `bool` | `false` | no |
 | <a name="input_extra_envs"></a> [extra\_envs](#input\_extra\_envs) | Extra environment variables for the Cloud Connector instance | `map(string)` | `{}` | no |
-| <a name="input_image_name"></a> [image\_name](#input\_image\_name) | Sysdig Owned Cloud Connector public image. GCP only allows the deployment of images that are registered in gcr.io | `string` | `"gcr.io/mateo-burillo-ns/cloud-connector:latest"` | no |
+| <a name="input_image_name"></a> [image\_name](#input\_image\_name) | Sysdig Owned Cloud Connector public image. GCP only allows the deployment of images that are registered in gcr.io | `string` | `"us-docker.pkg.dev/sysdig-public-registry/secure-for-cloud/cloud-connector:latest"` | no |
 | <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | whether secure-for-cloud should be deployed in an organizational setup | `bool` | `false` | no |
 | <a name="input_max_instances"></a> [max\_instances](#input\_max\_instances) | Max number of instances for the Cloud Connector | `number` | `1` | no |
 | <a name="input_memory"></a> [memory](#input\_memory) | Amount of memory to reserve for cloud-connector cloud run service | `string` | `"500Mi"` | no |

modules/services/cloud-connector/pubsub_permissions.tf

@@ -5,6 +5,11 @@ resource "google_project_iam_member" "event_receiver" {
 }
 
 resource "google_project_iam_member" "token_creator" {
+  # AC_GCP_0006
+  # Why: Image scanning is run from inside a container. As it needs to get the image from the registry it needs a token to get it from the registry.
+  # How to avoid security issues: As in the next implementation scanning will be run from within cloudrun which has needed permissions and won't need a token.
+  # Warning: Organization users musn't be able to impersonate as the created service account.
+  #ts:skip=AC_GCP_0006 Image scanning is run from inside a container. As it needs to get the image from the registry it needs a token to get it from the registry.
   project = var.project_id
   member  = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
   role    = "roles/iam.serviceAccountTokenCreator"

modules/services/cloud-connector/variables.tf

@@ -48,7 +48,7 @@ variable "verify_ssl" {
 
 variable "image_name" {
   type        = string
-  default     = "gcr.io/mateo-burillo-ns/cloud-connector:latest"
+  default     = "us-docker.pkg.dev/sysdig-public-registry/secure-for-cloud/cloud-connector:latest"
   description = "Sysdig Owned Cloud Connector public image. GCP only allows the deployment of images that are registered in gcr.io"
 }