feat: Event triggering module (#91)

hayk99 · web-flow · commit 0f0972db6905 · 2022-02-10T16:59:57.000+01:00
* feat: trigger gcp event module

* docs: add readme

* chore: remove project_id

* chore: fix docu

* fix: change terraform-docs version
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
@@ -91,7 +91,7 @@ jobs:
       - name: Install pre-commit dependencies
         run: |
           pip install pre-commit
-          curl -Lo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.13.0/terraform-docs-v0.13.0-$(uname)-amd64.tar.gz && tar -xzf terraform-docs.tar.gz && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/
+          curl -Lo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-$(uname)-amd64.tar.gz && tar -xzf terraform-docs.tar.gz && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/
           curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/
       - name: Execute pre-commit
         # Run all pre-commit checks on max version supported
diff --git a/README.md b/README.md
@@ -110,7 +110,9 @@ Notice that:
 
 **Threat Detection**
 
-Choose one of the rules contained in the `GCP Best Practices` policy and execute it in your GCP account.
+Terraform example module to trigger **GCP Update, Disable or Delete Sink** event can be found on [examples/trigger-events ](https://github.com/sysdiglabs/terraform-google-secure-for-cloud/blob/master/examples/trigger-events)
+
+In another case, you can do it manually. Choose one of the rules contained in the `GCP Best Practices` policy and execute it in your GCP account.
 ex.: Create an alert (Monitoring > Alerting > Create policy). Delete it to prompt the event.
 
 Remember that in case you add new rules to the policy you need to give it time to propagate the changes.
diff --git a/examples/organization/README.md b/examples/organization/README.md
@@ -69,17 +69,17 @@ module "secure-for-cloud_example_organization" {
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | ~> 3.67.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 3.67.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_cloud_bench"></a> [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench |  |
-| <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector |  |
-| <a name="module_connector_organization_sink"></a> [connector\_organization\_sink](#module\_connector\_organization\_sink) | ../../modules/infrastructure/organization_sink |  |
-| <a name="module_pubsub_http_subscription"></a> [pubsub\_http\_subscription](#module\_pubsub\_http\_subscription) | ../../modules/infrastructure/pubsub_push_http_subscription |  |
-| <a name="module_secure_secrets"></a> [secure\_secrets](#module\_secure\_secrets) | ../../modules/infrastructure/secrets |  |
+| <a name="module_cloud_bench"></a> [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench | n/a |
+| <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector | n/a |
+| <a name="module_connector_organization_sink"></a> [connector\_organization\_sink](#module\_connector\_organization\_sink) | ../../modules/infrastructure/organization_sink | n/a |
+| <a name="module_pubsub_http_subscription"></a> [pubsub\_http\_subscription](#module\_pubsub\_http\_subscription) | ../../modules/infrastructure/pubsub_push_http_subscription | n/a |
+| <a name="module_secure_secrets"></a> [secure\_secrets](#module\_secure\_secrets) | ../../modules/infrastructure/secrets | n/a |
 
 ## Resources
 
diff --git a/examples/single-project-k8s/README.md b/examples/single-project-k8s/README.md
@@ -63,15 +63,15 @@ Notice that:
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | ~> 3.67.0 |
-| <a name="provider_helm"></a> [helm](#provider\_helm) | >=2.3.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 3.67.0 |
+| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.4.1 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_cloud_bench"></a> [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench |  |
-| <a name="module_connector_project_sink"></a> [connector\_project\_sink](#module\_connector\_project\_sink) | ../../modules/infrastructure/project_sink |  |
+| <a name="module_cloud_bench"></a> [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench | n/a |
+| <a name="module_connector_project_sink"></a> [connector\_project\_sink](#module\_connector\_project\_sink) | ../../modules/infrastructure/project_sink | n/a |
 
 ## Resources
 
diff --git a/examples/single-project/README.md b/examples/single-project/README.md
@@ -67,17 +67,17 @@ module "secure-for-cloud_example_single-project" {
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | ~> 3.67.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 3.67.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_cloud_bench"></a> [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench |  |
-| <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector |  |
-| <a name="module_connector_project_sink"></a> [connector\_project\_sink](#module\_connector\_project\_sink) | ../../modules/infrastructure/project_sink |  |
-| <a name="module_pubsub_http_subscription"></a> [pubsub\_http\_subscription](#module\_pubsub\_http\_subscription) | ../../modules/infrastructure/pubsub_push_http_subscription |  |
-| <a name="module_secure_secrets"></a> [secure\_secrets](#module\_secure\_secrets) | ../../modules/infrastructure/secrets |  |
+| <a name="module_cloud_bench"></a> [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench | n/a |
+| <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector | n/a |
+| <a name="module_connector_project_sink"></a> [connector\_project\_sink](#module\_connector\_project\_sink) | ../../modules/infrastructure/project_sink | n/a |
+| <a name="module_pubsub_http_subscription"></a> [pubsub\_http\_subscription](#module\_pubsub\_http\_subscription) | ../../modules/infrastructure/pubsub_push_http_subscription | n/a |
+| <a name="module_secure_secrets"></a> [secure\_secrets](#module\_secure\_secrets) | ../../modules/infrastructure/secrets | n/a |
 
 ## Resources
 
diff --git a/examples/trigger-events/README.md b/examples/trigger-events/README.md
@@ -0,0 +1,71 @@
+# Sysdig Secure for Cloud in GCP<br/>[ Example :: Trigger-Events]
+This example helps to trigger GCP Events. Cloud connector stack is required to be able to generate events.
+After applying, this will create a new sink and assign it to a new pub/sub topic. **GCP Update, Disable or Delete Sink** event will prompt once the module is destroyed.
+
+## Prerequisites
+
+Minimum requirements:
+1. Deploy Cloud Connector Stack on GCP.
+2. Configure Terraform GCP Provider.
+
+## Usage
+
+For quick testing, use this snippet on your terraform files
+
+```terraform
+provider "google" {
+   project = "<PROJECT_ID>"
+   region  = "<REGION_ID>; ex. us-central-1"
+}
+
+module "secure-for-cloud_trigger_events" {
+  source = "sysdiglabs/secure-for-cloud/google//examples/trigger-events"
+}
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | ~> 3.67.0 |
+| <a name="requirement_google-beta"></a> [google-beta](#requirement\_google-beta) | ~> 3.67.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.1.0 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.21 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | 3.67.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [google_logging_project_sink.project_sink](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/logging_project_sink) | resource |
+| [google_pubsub_topic.trigger_topic](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic) | resource |
+| [google_pubsub_topic_iam_member.writer](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic_iam_member) | resource |
+| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Authors
+
+Module is maintained and supported by [Sysdig](https://github.com/sysdiglabs/terraform-google-cloudvision).
+
+## License
+
+Apache 2 Licensed. See LICENSE for full details.
diff --git a/examples/trigger-events/main.tf b/examples/trigger-events/main.tf
@@ -0,0 +1,22 @@
+data "google_project" "project" {
+}
+
+resource "google_pubsub_topic" "trigger_topic" {
+  name    = "trigger-event-topic"
+  project = data.google_project.project.project_id
+}
+
+resource "google_logging_project_sink" "project_sink" {
+  project                = google_pubsub_topic.trigger_topic.project
+  name                   = "trigger-event-project-sink"
+  destination            = "pubsub.googleapis.com/${google_pubsub_topic.trigger_topic.id}"
+  unique_writer_identity = true
+  filter                 = "resource.type = gce_instance AND severity >= WARNING"
+}
+
+resource "google_pubsub_topic_iam_member" "writer" {
+  project = google_pubsub_topic.trigger_topic.project
+  topic   = google_pubsub_topic.trigger_topic.name
+  role    = "roles/pubsub.publisher"
+  member  = google_logging_project_sink.project_sink.writer_identity
+}
diff --git a/examples/trigger-events/outputs.tf b/examples/trigger-events/outputs.tf
diff --git a/examples/trigger-events/variables.tf b/examples/trigger-events/variables.tf
diff --git a/examples/trigger-events/versions.tf b/examples/trigger-events/versions.tf
@@ -0,0 +1,22 @@
+terraform {
+  required_version = ">= 0.14.0"
+
+  required_providers {
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.1.0"
+    }
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 3.67.0"
+    }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = "~> 3.67.0"
+    }
+    sysdig = {
+      source  = "sysdiglabs/sysdig"
+      version = ">= 0.5.21"
+    }
+  }
+}
diff --git a/modules/infrastructure/organization_sink/README.md b/modules/infrastructure/organization_sink/README.md
@@ -12,7 +12,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | ~> 3.67.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 3.67.0 |
 
 ## Modules
 
diff --git a/modules/infrastructure/project_sink/README.md b/modules/infrastructure/project_sink/README.md
@@ -12,7 +12,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | ~> 3.67.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 3.67.0 |
 
 ## Modules
 
diff --git a/modules/infrastructure/pubsub_push_http_subscription/README.md b/modules/infrastructure/pubsub_push_http_subscription/README.md
@@ -15,7 +15,7 @@ already exists in the project. It will create the topic if it doesn't exist.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | ~> 3.67.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 3.67.0 |
 
 ## Modules
 
diff --git a/modules/infrastructure/secrets/README.md b/modules/infrastructure/secrets/README.md
@@ -12,7 +12,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | ~> 3.67.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 3.67.0 |
 
 ## Modules
 
diff --git a/modules/services/cloud-connector/README.md b/modules/services/cloud-connector/README.md
@@ -32,8 +32,8 @@ module "cloud_connector_gcp" {
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | ~> 3.67.0 |
-| <a name="provider_random"></a> [random](#provider\_random) | >= 3.1.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 3.67.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.1.0 |
 
 ## Modules
 
diff --git a/test/fixtures/single-project/variables.tf b/test/fixtures/single-project/variables.tf
@@ -18,6 +18,6 @@ variable "sysdig_secure_endpoint" {
 
 variable "location" {
   type        = string
-  default     = "asia-northeast1"
+  default     = "us-central1"
   description = "Zone where the stack will be deployed"
 }

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,6 @@ variable "sysdig_secure_endpoint" {`
`18`	`18`
`19`	`19`	`variable "location" {`
`20`	`20`	`type = string`
`21`		`- default = "asia-northeast1"`
	`21`	`+ default = "us-central1"`
`22`	`22`	`description = "Zone where the stack will be deployed"`
`23`	`23`	`}`