SSPROD-51715 - fix(oci): add cspm user in customer tenant to support identity resources (#9)

* fix(oci): add cspm user in customer tenant to support identity resources

* fix(oci): add cspm user in customer tenant to support identity resources

* fix(oci): add cspm user in customer tenant to support identity resources

* fix(oci): add cspm user in customer tenant to support identity resources

* fix(oci): add cspm user in customer tenant to support identity resources

* fix(oci): add cspm user in customer tenant to support identity resources

Author: jose-pablo-camacho

modules/config-posture/README.md

@@ -4,7 +4,12 @@ This module will deploy Config Posture resources in Oracle for a compartment or
 
 The following resources will be created in each instrumented compartment/tenancy:
 
-- An Admit Policy on the target tenant that will allow sysdig tenant to `read` all-resources in the specified
+- A User on the target tenant.
+- A Group on the target tenant.
+- A Group Membership between the User and Group created on the target tenant.
+- If customer wants, a private and public RSA key will be generated for the user. Customer can opt to pass files for
+  public and private keys.
+- An Allow Policy on the target tenant that will allow the User to `read` all-resources in the specified
   compartment/tenancy.
 - A cloud account component in the Sysdig Backend, associated with the specified compartment/tenant and with the
   required metadata to serve the Config Posture functions.
@@ -48,6 +53,8 @@ resource |
 | <a name="input_tenancy_ocid"></a> [tenancy\_ocid](#input\_tenancy\_ocid)                                         | (Required) Customer tenant OCID                                                                                                       | `string` | n/a     |   yes    |
 | <a name="input_compartment_ocid"></a> [compartment\_ocid](#input\_compartment\_ocid)                             | (Optional) Customer compartment OCID                                                                                                  | `string` | `""`    |    no    |
 | <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account) | `string` | n/a     |   yes    |
+| <a name="input_private_key_file_path"></a> [private\_key\_file\_path](#input\_private\_key\_file\_path)          | (Optional) Path to the private key file                                                                                               | `string` | n/a     |    no    |
+| <a name="input_public_key_file_path"></a> [public\_key\_file\_path](#input\_public\_key\_file\_path)             | (Optional) Path to the public key file                                                                                                | `string` | n/a     |    no    |
 
 ## Outputs
 

modules/config-posture/main.tf

@@ -2,10 +2,6 @@
 # Fetch the data sources
 #-----------------------------------------------------------------------------------------
 
-data "sysdig_secure_trusted_oracle_app" "config_posture" {
-  name = "config_posture"
-}
-
 // compartment data to populate policies if onboarding a compartment
 data "oci_identity_compartment" "compartment" {
   count = var.compartment_ocid != "" ? 1 : 0
@@ -19,17 +15,51 @@ resource "random_id" "suffix" {
 }
 
 #-----------------------------------------------------------------------------------------
-# Admit policy to allow Sysdig Tenant to read resources
+# Create Group, User and Group Membership
+#-----------------------------------------------------------------------------------------
+resource "oci_identity_group" "cspm_group" {
+  name           = "SysdigSecureConfigPostureGroup-${random_id.suffix.hex}"
+  description    = "Sysdig Secure CSPM Group"
+  compartment_id = var.tenancy_ocid
+}
+
+resource "oci_identity_user" "cspm_user" {
+  name           = "SysdigSecureConfigPostureUser-${random_id.suffix.hex}"
+  description    = "Sysdig Secure CSPM User"
+  compartment_id = var.tenancy_ocid
+  email          = var.email
+}
+
+resource "oci_identity_user_group_membership" "cspm_user_to_group" {
+  user_id  = oci_identity_user.cspm_user.id
+  group_id = oci_identity_group.cspm_group.id
+}
+
+#-----------------------------------------------------------------------------------------
+# Create RSA key for user
+#-----------------------------------------------------------------------------------------
+
+resource "tls_private_key" "rsa_key" {
+  count     = var.private_key_file_path == "" && var.public_key_file_path == "" ? 1 : 0
+  algorithm = "RSA"
+  rsa_bits  = 2048
+}
+
+resource "oci_identity_api_key" "cspm_user_api_key" {
+  user_id   = oci_identity_user.cspm_user.id
+  key_value = (var.public_key_file_path == "" && var.private_key_file_path == "") ? tls_private_key.rsa_key[0].public_key_pem : file(var.public_key_file_path)
+}
+
+#-----------------------------------------------------------------------------------------
+# Allow policy to allow user to read resources
 #-----------------------------------------------------------------------------------------
 
-resource "oci_identity_policy" "admit_cspm_policy" {
-  name           = "AdmitSysdigSecureTenantConfigPosture-${random_id.suffix.hex}"
-  description    = "Config Posture admit policy to read all resources in tenant"
+resource "oci_identity_policy" "allow_cspm_policy" {
+  name           = "AllowSysdigSecureTenantConfigPosture-${random_id.suffix.hex}"
+  description    = "Config Posture allow policy to read all resources in tenant"
   compartment_id = var.tenancy_ocid
   statements = [
-    "Define tenancy sysdigTenancy as ${data.sysdig_secure_trusted_oracle_app.config_posture.tenancy_ocid}",
-    "Define group configPostureGroup as ${data.sysdig_secure_trusted_oracle_app.config_posture.group_ocid}",
-    "Admit group configPostureGroup of tenancy sysdigTenancy to read all-resources in tenancy",
+    "Allow group ${oci_identity_group.cspm_group.name} to read all-resources in tenancy",
   ]
 }
 
@@ -44,15 +74,17 @@ resource "sysdig_secure_cloud_auth_account_component" "oracle_service_principal"
   service_principal_metadata = jsonencode({
     oci = {
       api_key = {
-        user_id = data.sysdig_secure_trusted_oracle_app.config_posture.user_ocid
-        region = var.region
+        user_id     = oci_identity_user.cspm_user.id
+        region      = var.region
+        fingerprint = oci_identity_api_key.cspm_user_api_key.fingerprint
+        private_key = (var.public_key_file_path == "" && var.private_key_file_path == "") ? base64encode(tls_private_key.rsa_key[0].private_key_pem) : base64encode(file(var.private_key_file_path))
       }
       policy = {
-        policy_id = oci_identity_policy.admit_cspm_policy.id
+        policy_id = oci_identity_policy.allow_cspm_policy.id
       }
     }
   })
   depends_on = [
-    oci_identity_policy.admit_cspm_policy
+    oci_identity_policy.allow_cspm_policy
   ]
-}
+}

modules/config-posture/variables.tf

@@ -21,6 +21,24 @@ variable "sysdig_secure_account_id" {
 }
 
 variable "region" {
-  type = string
+  type        = string
   description = "(Required) Customer home region"
+}
+
+variable "private_key_file_path" {
+  description = "Path to the private key file"
+  type        = string
+  default     = ""
+}
+
+variable "public_key_file_path" {
+  description = "Path to the public key file"
+  type        = string
+  default     = ""
+}
+
+variable "email" {
+  description = "Email for user created on customer tenant"
+  type        = string
+  default     = "[email protected]"
 }

modules/config-posture/versions.tf

@@ -3,10 +3,13 @@ terraform {
   required_providers {
     sysdig = {
       source  = "sysdiglabs/sysdig"
-      version = "~> 1.43"
+      version = "~> 1.46"
     }
     oci = {
-      source  = "oracle/oci"
+      source = "oracle/oci"
+    }
+    tls = {
+      source = "hashicorp/tls"
     }
   }
 }

modules/onboarding/main.tf

@@ -1,6 +1,6 @@
 locals {
   home_region = [
-    for subscription in data.oci_identity_region_subscriptions.test_region_subscriptions.region_subscriptions :
+    for subscription in data.oci_identity_region_subscriptions.region_subscriptions.region_subscriptions :
     subscription.region_name
     if subscription.is_home_region == true
   ]
@@ -27,7 +27,7 @@ data "oci_identity_tenancy" "tenancy" {
 }
 
 // tenancy region data
-data "oci_identity_region_subscriptions" "test_region_subscriptions" {
+data "oci_identity_region_subscriptions" "region_subscriptions" {
   tenancy_id = var.tenancy_ocid
 }
 

modules/onboarding/versions.tf

@@ -3,10 +3,10 @@ terraform {
   required_providers {
     sysdig = {
       source  = "sysdiglabs/sysdig"
-      version = "~> 1.43"
+      version = "~> 1.46"
     }
     oci = {
-      source  = "oracle/oci"
+      source = "oracle/oci"
     }
   }
 }

tests/examples/modular_organization/onboarding_cspm_compartment.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     sysdig = {
       source  = "sysdiglabs/sysdig"
-      version = "~> 1.43.0"
+      version = "~> 1.46.0"
     }
     oci = {
       source = "oracle/oci"
@@ -17,9 +17,7 @@ provider "sysdig" {
 
 provider "oci" {
   tenancy_ocid     = "<TENANCY_OCID>"
-  user_ocid        = "<USER_OCID>"
-  fingerprint      = "<FINGERPRINT>"
-  private_key_path = "<PRIVATE_KEY_PATH>"
+  config_file_profile = "DEFAULT"
   region           = "<REGION>"
 }
 

tests/examples/modular_organization/onboarding_cspm_tenancy.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     sysdig = {
       source  = "sysdiglabs/sysdig"
-      version = "~> 1.43.0"
+      version = "~> 1.46.0"
     }
     oci = {
       source = "oracle/oci"
@@ -17,9 +17,7 @@ provider "sysdig" {
 
 provider "oci" {
   tenancy_ocid     = "<TENANCY_OCID>"
-  user_ocid        = "<USER_OCID>"
-  fingerprint      = "<FINGERPRINT>"
-  private_key_path = "<PRIVATE_KEY_PATH>"
+  config_file_profile = "DEFAULT"
   region           = "<REGION>"
 }