refactor!: remove provider (#74)

remove provider from examples
added to example snippets

Author: iru

.pre-commit-config.yaml

@@ -8,6 +8,7 @@ repos:
         args:
           - '--args=--sort-by required'
       - id: terraform_tflint
+        exclude: (test)|(examples-internal)\/.*$
         args:
           - '--args=--only=terraform_deprecated_interpolation'
           - '--args=--only=terraform_deprecated_index'

README.md

@@ -138,7 +138,7 @@ Notice that:
   A3: Do as the error says and activate CloudBuild API. Check the list of all the required APIs that need to be activated per feature module.
 
 
-<br/><br/>
+<br/><br/><br/>
 ## Authors
 
 Module is maintained and supported by [Sysdig](https://sysdig.com).

examples/organization/README.md

@@ -8,12 +8,11 @@ Sysdig workload will be deployed in the `project_id` defined in the required inp
 
 ## Prerequisites
 
-You **must** have following **roles** in your GCP organization/project credentials
-
-* _Owner_
-* _Organization Admin_
-
-Besides, the following GCP **APIs must be enabled** to deploy resources correctly for:
+1. Configure [Terraform **GCP** Provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs)
+2. Following **roles** are required in your GCP organization/project credentials
+   * _Owner_
+   * _Organization Admin_
+3. Besides, the following GCP **APIs must be enabled** to deploy resources correctly for:
 
 ### Cloud Connector
 
@@ -42,13 +41,17 @@ Besides, the following GCP **APIs must be enabled** to deploy resources correctl
 For quick testing, use this snippet on your terraform files
 
 ```terraform
+provider "google" {
+   project = "<PROJECT_ID>"
+   region  = "<REGION_ID>; ex. us-central-1"
+}
+
 module "secure-for-cloud_example_organization" {
   source = "sysdiglabs/secure-for-cloud/google//examples/organization"
 
-  project_id              = "your-project-id"
-  repository_project_ids        = ["project-to-scan-1", "project-to-scan-2"]
-  sysdig_secure_api_token = "00000000-1111-2222-3333-444444444444"
-  organization_domain     = "your-domain.com"
+  repository_project_ids    = ["<PROJECT_SCAN_ID1>", "<PROJECT_SCAN_ID2>"]
+  sysdig_secure_api_token   = "00000000-1111-2222-3333-444444444444"
+  organization_domain       = "<ORG_DOMAIN>"
 }
 ```
 
@@ -85,6 +88,7 @@ module "secure-for-cloud_example_organization" {
 | [google_organization_iam_custom_role.org_gcr_image_puller](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_custom_role) | resource |
 | [google_organization_iam_member.organization_image_puller](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_member) | resource |
 | [google_service_account.connector_sa](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_client_config.current](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source |
 | [google_organization.org](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/organization) | data source |
 | [google_projects.all_projects](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/projects) | data source |
 
@@ -93,13 +97,11 @@ module "secure-for-cloud_example_organization" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | n/a | yes |
-| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | Organization member project ID where the secure-for-cloud workload is going to be deployed | `string` | n/a | yes |
 | <a name="input_sysdig_secure_api_token"></a> [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig's Secure API Token | `string` | n/a | yes |
 | <a name="input_benchmark_project_ids"></a> [benchmark\_project\_ids](#input\_benchmark\_project\_ids) | Google cloud project IDs to run Benchmarks on. If empty, all organization projects will be defaulted. | `list(string)` | `[]` | no |
 | <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all regions by default. | `list(string)` | `[]` | no |
 | <a name="input_benchmark_role_name"></a> [benchmark\_role\_name](#input\_benchmark\_role\_name) | The name of the Service Account that will be created. | `string` | `"sysdigcloudbench"` | no |
 | <a name="input_deploy_bench"></a> [deploy\_bench](#input\_deploy\_bench) | whether benchmark module is to be deployed | `bool` | `true` | no |
-| <a name="input_location"></a> [location](#input\_location) | Zone where the stack will be deployed | `string` | `"us-central1"` | no |
 | <a name="input_max_instances"></a> [max\_instances](#input\_max\_instances) | Max number of instances for the workloads | `number` | `1` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_repository_project_ids"></a> [repository\_project\_ids](#input\_repository\_project\_ids) | Projects were a `gcr`-named topic will be to subscribe to its repository events. If empty, all organization projects will be defaulted. | `list(string)` | `[]` | no |

examples/organization/data.tf

@@ -0,0 +1,2 @@
+data "google_client_config" "current" {
+}

examples/organization/main.tf

@@ -6,25 +6,18 @@ EOT
   repository_project_ids = length(var.repository_project_ids) == 0 ? [for p in data.google_projects.all_projects.projects : p.project_id] : var.repository_project_ids
 }
 
-# This provider is project specific, and can only be used to provision resources in the
-# specified project. Primarily used for Cloud Connector and Cloud Scanning
-provider "google" {
-  project = var.project_id
-  region  = var.location
-}
-
 # This provider is project agnostic, and can be used to provision resources in any project,
 # provided the project is specified on the resource. Primarily used for Benchmarks
 provider "google" {
   alias  = "multiproject"
-  region = var.location
+  region = data.google_client_config.current.region
 }
 
 # This provider is project agnostic, and can be used to provision resources in any project,
 # provided the project is specified on the resource. Primarily used for Benchmarks
 provider "google-beta" {
   alias  = "multiproject"
-  region = var.location
+  region = data.google_client_config.current.region
 }
 
 provider "sysdig" {
@@ -98,7 +91,7 @@ module "cloud_connector" {
   connector_pubsub_topic_id  = module.connector_organization_sink.pubsub_topic_id
   secure_api_token_secret_id = module.secure_secrets.secure_api_token_secret_name
   max_instances              = var.max_instances
-  project_id                 = var.project_id
+  project_id                 = data.google_client_config.current.project
 
   #defaults
   name       = "${var.name}-cloudconnector"
@@ -110,7 +103,7 @@ module "pubsub_http_subscription" {
   source   = "../../modules/infrastructure/pubsub_push_http_subscription"
 
   topic_project_id        = each.key
-  subscription_project_id = var.project_id
+  subscription_project_id = data.google_client_config.current.project
   topic_name              = "gcr"
   name                    = "${var.name}-gcr"
   service_account_email   = google_service_account.connector_sa.email

examples/organization/variables.tf

@@ -9,20 +9,9 @@ variable "organization_domain" {
   description = "Organization domain. e.g. sysdig.com"
 }
 
-variable "project_id" {
-  type        = string
-  description = "Organization member project ID where the secure-for-cloud workload is going to be deployed"
-}
-
 # --------------------------
 # optionals, with defaults
 # --------------------------
-variable "location" {
-  type        = string
-  default     = "us-central1"
-  description = "Zone where the stack will be deployed"
-}
-
 variable "sysdig_secure_endpoint" {
   type        = string
   default     = "https://secure.sysdig.com"

examples/single-project-k8s/README.md

@@ -14,8 +14,8 @@ All the required resources and workloads will be run under the same GCP project.
 
 Minimum requirements:
 
-1. **GCP** profile credentials configuration
-2. **Kubernetes** cluster configured within your helm provider
+1. Configure [Terraform **GCP** Provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs)
+2. Configure [**Helm** Provider](https://registry.terraform.io/providers/hashicorp/helm/latest/docs) for **Kubernetes** cluster
 3. **Sysdig** Secure requirements, as input variable value
     ```
     sysdig_secure_api_token=<SECURE_API_TOKEN>
@@ -26,11 +26,20 @@ Minimum requirements:
 For quick testing, use this snippet on your terraform files
 
 ```terraform
+provider "google" {
+  project = "<PROJECT_ID>"
+  region  = "<REGION_ID>; ex. us-central-1"
+}
+
+provider "helm" {
+  kubernetes {
+    config_path = "~/.kube/config"
+  }
+}
+
 module "secure_for_cloud_gcp_single_project_k8s" {
   source = "sysdiglabs/secure-for-cloud/google//examples/single-project-k8s"
-
   sysdig_secure_api_token = "00000000-1111-2222-3333-444444444444"
-  project_id              = "your-project-id"
 }
 ```
 
@@ -73,15 +82,14 @@ Notice that:
 | [google_service_account.connector_sa](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
 | [google_service_account_key.connector_sa_key](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) | resource |
 | [helm_release.cloud_connector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [google_client_config.current](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | Project ID where the secure-for-cloud workload is going to be deployed | `string` | n/a | yes |
 | <a name="input_sysdig_secure_api_token"></a> [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig's Secure API Token | `string` | n/a | yes |
 | <a name="input_cloud_connector_image"></a> [cloud\_connector\_image](#input\_cloud\_connector\_image) | Cloud-connector image to deploy | `string` | `"quay.io/sysdig/cloud-connector"` | no |
-| <a name="input_location"></a> [location](#input\_location) | Zone where the stack will be deployed | `string` | `"us-central1"` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
 

examples/single-project-k8s/cloud-connector.tf

@@ -65,7 +65,7 @@ resource "helm_release" "cloud_connector" {
 rules: []
 ingestors:
 - gcp-auditlog-pubsub:
-    project: ${var.project_id}
+    project: ${data.google_client_config.current.project}
     subscription: ${google_pubsub_subscription.subscription.name}
 notifiers: []
 gcpCredentials: |

examples/single-project-k8s/data.tf

@@ -0,0 +1,2 @@
+data "google_client_config" "current" {
+}

examples/single-project-k8s/main.tf

@@ -1,18 +1,6 @@
 locals {
   verify_ssl       = length(regexall("^https://.*?\\.sysdig.com/?", var.sysdig_secure_endpoint)) != 0
   connector_filter = <<EOT
-  logName=~"^projects/${var.project_id}/logs/cloudaudit.googleapis.com" AND -resource.type="k8s_cluster"
+  logName=~"^projects/${data.google_client_config.current.project}/logs/cloudaudit.googleapis.com" AND -resource.type="k8s_cluster"
 EOT
 }
-
-provider "google" {
-  project = var.project_id
-  region  = var.location
-}
-
-# TODO review ways to pass content as input var
-provider "helm" {
-  kubernetes {
-    config_path = "~/.kube/config"
-  }
-}

examples/single-project-k8s/variables.tf

@@ -4,20 +4,9 @@ variable "sysdig_secure_api_token" {
   description = "Sysdig's Secure API Token"
 }
 
-variable "project_id" {
-  type        = string
-  description = "Project ID where the secure-for-cloud workload is going to be deployed"
-}
-
 # --------------------------
 # optionals, with defaults
-# --------------------------
-variable "location" {
-  type        = string
-  default     = "us-central1"
-  description = "Zone where the stack will be deployed"
-}
-
+# -------------------------
 variable "sysdig_secure_endpoint" {
   type        = string
   default     = "https://secure.sysdig.com"

examples/single-project/README.md

@@ -7,10 +7,10 @@ All the resources will be run in a single project.
 
 ## Prerequisites
 
-You **must** have following **roles** in your GCP organization/project credentials
-* _Owner_
-
-Besides, the following GCP **APIs must be enabled** to deploy resources correctly for:
+1. Configure [Terraform **GCP** Provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs)
+1. Following **roles** are required in your GCP organization/project credentials
+   * _Owner_
+1. Besides, the following GCP **APIs must be enabled** to deploy resources correctly for:
 
 ### Cloud Connector
 * [Cloud Pub/Sub API](https://console.cloud.google.com/marketplace/product/google/pubsub.googleapis.com)
@@ -37,12 +37,19 @@ Besides, the following GCP **APIs must be enabled** to deploy resources correctl
 For quick testing, use this snippet on your terraform files
 
 ```terraform
-module "secure-for-cloud_example_single-project" {
-  source = "sysdiglabs/secure-for-cloud/google//examples/single-project"
+provider "google" {
+   project = "<PROJECT_ID>"
+   region  = "<REGION_ID>; ex. us-central-1"
+}
 
+provider "google-beta" {
+   project = "<PROJECT_ID>"
+   region  = "<REGION_ID>; ex. us-central-1"
+}
 
+module "secure-for-cloud_example_single-project" {
+  source = "sysdiglabs/secure-for-cloud/google//examples/single-project"
   sysdig_secure_api_token = "00000000-1111-2222-3333-444444444444"
-  project_id              = "your-project-id"
 }
 ```
 
@@ -77,17 +84,16 @@ module "secure-for-cloud_example_single-project" {
 | Name | Type |
 |------|------|
 | [google_service_account.connector_sa](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_client_config.current](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | Project ID where the secure-for-cloud workload is going to be deployed | `string` | n/a | yes |
 | <a name="input_sysdig_secure_api_token"></a> [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig's Secure API Token | `string` | n/a | yes |
 | <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all regions by default. | `list(string)` | `[]` | no |
 | <a name="input_benchmark_role_name"></a> [benchmark\_role\_name](#input\_benchmark\_role\_name) | The name of the Service Account that will be created. | `string` | `"sysdigcloudbench"` | no |
 | <a name="input_deploy_bench"></a> [deploy\_bench](#input\_deploy\_bench) | whether benchmark module is to be deployed | `bool` | `true` | no |
-| <a name="input_location"></a> [location](#input\_location) | Zone where the stack will be deployed | `string` | `"us-central1"` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
 

examples/single-project/data.tf

@@ -0,0 +1,2 @@
+data "google_client_config" "current" {
+}

examples/single-project/main.tf

@@ -1,13 +1,3 @@
-provider "google" {
-  project = var.project_id
-  region  = var.location
-}
-
-provider "google-beta" {
-  project = var.project_id
-  region  = var.location
-}
-
 provider "sysdig" {
   sysdig_secure_url          = var.sysdig_secure_endpoint
   sysdig_secure_api_token    = var.sysdig_secure_api_token
@@ -17,7 +7,7 @@ provider "sysdig" {
 locals {
   verify_ssl       = length(regexall("^https://.*?\\.sysdig.com/?", var.sysdig_secure_endpoint)) != 0
   connector_filter = <<EOT
-  logName=~"^projects/${var.project_id}/logs/cloudaudit.googleapis.com" AND -resource.type="k8s_cluster"
+  logName=~"^projects/${data.google_client_config.current.project}/logs/cloudaudit.googleapis.com" AND -resource.type="k8s_cluster"
 EOT
 }
 
@@ -55,7 +45,7 @@ module "cloud_connector" {
   sysdig_secure_endpoint     = var.sysdig_secure_endpoint
   connector_pubsub_topic_id  = module.connector_project_sink.pubsub_topic_id
   secure_api_token_secret_id = module.secure_secrets.secure_api_token_secret_name
-  project_id                 = var.project_id
+  project_id                 = data.google_client_config.current.project
 
   #defaults
   verify_ssl = local.verify_ssl
@@ -64,8 +54,8 @@ module "cloud_connector" {
 module "pubsub_http_subscription" {
   source = "../../modules/infrastructure/pubsub_push_http_subscription"
 
-  topic_project_id        = var.project_id
-  subscription_project_id = var.project_id
+  topic_project_id        = data.google_client_config.current.project
+  subscription_project_id = data.google_client_config.current.project
   topic_name              = "gcr"
   name                    = "${var.name}-gcr"
   service_account_email   = google_service_account.connector_sa.email
@@ -82,6 +72,6 @@ module "cloud_bench" {
 
   is_organizational = false
   role_name         = var.benchmark_role_name
-  project_id        = var.project_id
+  project_id        = data.google_client_config.current.project
   regions           = var.benchmark_regions
 }

examples/single-project/variables.tf

@@ -4,20 +4,9 @@ variable "sysdig_secure_api_token" {
   description = "Sysdig's Secure API Token"
 }
 
-variable "project_id" {
-  type        = string
-  description = "Project ID where the secure-for-cloud workload is going to be deployed"
-}
-
 # --------------------------
 # optionals, with defaults
 # --------------------------
-variable "location" {
-  type        = string
-  default     = "us-central1"
-  description = "Zone where the stack will be deployed"
-}
-
 variable "sysdig_secure_endpoint" {
   type        = string
   default     = "https://secure.sysdig.com"