fix: region to cloud-connector (#80)

* fix: region to cloud-connector
* chore(tests): force region change
* docs: add forcing events section

Author: iru

README.md

@@ -1,21 +1,19 @@
 # Sysdig Secure for Cloud in GCP
 
-Terraform module that deploys the **Sysdig Secure for Cloud** stack in **Google Cloud**.
+Terraform module that deploys the [**Sysdig Secure for Cloud** stack in **Google Cloud**](https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/deploy-sysdig-secure-for-cloud-on-gcp/).
 <br/>It provides unified threat detection, compliance, forensics and analysis.
 
 There are three major components:
 
-* **Cloud Threat Detection**: Tracks abnormal and suspicious activities in your cloud environment based on Falco language. Managed through [cloud-connector module](https://github.com/sysdiglabs/terraform-google-secure-for-cloud/tree/master/modules/services/cloud-connector).
-<br/><br/>
 * **CSPM/Compliance**: It evaluates periodically your cloud configuration, using Cloud Custodian, against some benchmarks and returns the results and remediation you need to fix. Managed through [cloud-bench module](https://github.com/sysdiglabs/terraform-google-secure-for-cloud/tree/master/modules/services/cloud-bench).
   <br/><br/>
-* **Cloud Scanning**: Automatically scans all container images pushed to the registry or as soon a new task which involves a container is spawned in your account.Managed through [cloud-scanning module](https://github.com/sysdiglabs/terraform-google-secure-for-cloud/tree/master/modules/services/cloud-scanning).
+* **Cloud Threat Detection**: Tracks abnormal and suspicious activities in your cloud environment based on Falco language. Managed through [cloud-connector module](https://github.com/sysdiglabs/terraform-google-secure-for-cloud/tree/master/modules/services/cloud-connector).
+<br/><br/>
+* **Cloud Scanning**: Automatically scans all container images pushed to the registry or as soon a new task which involves a container is spawned in your account. Managed through [cloud-connector module](https://github.com/sysdiglabs/terraform-google-secure-for-cloud/tree/master/modules/services/cloud-connector).
   <br/><br/>
 
 For other Cloud providers check: [AWS](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud), [Azure](https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud)
 
-<br/>
-
 ## Prerequisites
 
 You **must** have following **roles** in your GCP credentials
@@ -106,6 +104,33 @@ Notice that:
 
 
 <br/><br/>
+
+
+## Forcing Events
+
+**Threat Detection**
+
+Choose one of the rules contained in the `GCP Best Practices` policy and execute it in your GCP account.
+ex.: Create an alert (Monitoring > Alerting > Create policy). Delete it to prompt the event.
+
+Remember that in case you add new rules to the policy you need to give it time to propagate the changes.
+
+In the `cloud-connector` logs you should see similar logs to these
+> An alert has been deleted (requesting user=..., requesting IP=..., resource name=projects/test/alertPolicies/3771445340801051512)
+
+**Image Scanning**
+
+Upload an image to a new Repository in a Artifact Registry. Follow repository `Setup Instructions` provided by GCP
+```bash
+$ docker tag REPO_REGION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:latest
+$ docker push REPO_REGION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:latest
+````
+
+In the `cloud-connector` logs you should see similar logs to these
+> An image has been pushed to GCR registry (project=..., tag=europe-west2-docker.pkg.dev/test-repo/alpine/alpine:latest, digest=europe-west2-docker.pkg.dev/test-repo/alpine/alpine@sha256:be9bdc0ef8e96dbc428dc189b31e2e3b05523d96d12ed627c37aa2936653258c)
+
+> Starting GCR scanning for 'europe-west2-docker.pkg.dev/test-repo/alpine/alpine:latest
+
 ## Troubleshooting
 
 - Q1: Getting "Error creating WorkloadIdentityPool: googleapi: Error 409: Requested entity already exists"<br/>
@@ -127,7 +152,7 @@ Notice that:
 
 - Q2: Scanning does not seem to work<br/>
   A2: Verify that `gcr` topic exists. If `create_gcr_topic` is set to false and `gcr` topic is not found, the GCR scanning is ommited and won't be deployed. For more info see GCR PubSub topic.
-
+<br/><br/>
 - Q3: Scanning, I get an error saying:
   ```
   error starting scan runner for image ****: rpc error: code = PermissionDenied desc = Cloud Build API has not been used in project *** before or it is disabled.
@@ -136,9 +161,7 @@ Notice that:
   If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry
   ```
   A3: Do as the error says and activate CloudBuild API. Check the list of all the required APIs that need to be activated per feature module.
-
-
-<br/><br/><br/>
+<br/><br/>
 ## Authors
 
 Module is maintained and supported by [Sysdig](https://sysdig.com).

modules/services/cloud-connector/README.md

@@ -5,13 +5,17 @@ A **Cloud Run** deployment that will detect events in your infrastructure.
 ## Usage
 
 ```hcl
+provider "google" {
+  project = "<PROJECT_ID>"
+  region  = "<REGION_ID>; ex. us-central-1"
+}
+
 module "cloud_connector_gcp" {
   source = "sysdiglabs/secure-for-cloud/google/services/cloud-connector"
 
   sysdig_secure_api_token = "00000000-1111-2222-3333-444444444444"
   sysdig_secure_endpoint  = "https://secure.sysdig.com"
   bucket_config_name      = "cloud-connector-config-bucket"
-  location                = "us-central1"
 }
 ```
 
@@ -51,6 +55,7 @@ No modules.
 | [google_storage_bucket_iam_member.read_access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
 | [google_storage_bucket_object.config](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_object) | resource |
 | [random_string.random](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
+| [google_client_config.current](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source |
 | [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
 
 ## Inputs
@@ -68,7 +73,6 @@ No modules.
 | <a name="input_config_source"></a> [config\_source](#input\_config\_source) | Path to a file that contains the contents of the configuration file to be saved in the bucket | `string` | `null` | no |
 | <a name="input_extra_envs"></a> [extra\_envs](#input\_extra\_envs) | Extra environment variables for the Cloud Connector instance | `map(string)` | `{}` | no |
 | <a name="input_image_name"></a> [image\_name](#input\_image\_name) | Cloud Connector image to deploy | `string` | `"gcr.io/mateo-burillo-ns/cloud-connector:latest"` | no |
-| <a name="input_location"></a> [location](#input\_location) | Zone where the cloud connector will be deployed | `string` | `"us-central1"` | no |
 | <a name="input_max_instances"></a> [max\_instances](#input\_max\_instances) | Max number of instances for the Cloud Connector | `number` | `1` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc-cloudconnector"` | no |
 | <a name="input_verify_ssl"></a> [verify\_ssl](#input\_verify\_ssl) | Verify the SSL certificate of the Secure endpoint | `bool` | `true` | no |

modules/services/cloud-connector/cloud_run.tf

@@ -25,7 +25,7 @@ locals {
     },
     {
       name  = "GCP_REGION"
-      value = var.location
+      value = data.google_client_config.current.region
     }
     ], [
     for env_key, env_value in var.extra_envs :
@@ -38,7 +38,7 @@ locals {
 }
 
 resource "google_cloud_run_service" "cloud_connector" {
-  location = var.location
+  location = data.google_client_config.current.region
   name     = var.name
 
   lifecycle {
@@ -95,7 +95,7 @@ resource "google_cloud_run_service" "cloud_connector" {
 
 resource "google_eventarc_trigger" "trigger" {
   name            = "${var.name}-trigger"
-  location        = var.location
+  location        = data.google_client_config.current.region
   service_account = var.cloud_connector_sa_email
   matching_criteria {
     attribute = "type"
@@ -104,7 +104,7 @@ resource "google_eventarc_trigger" "trigger" {
   destination {
     cloud_run_service {
       service = google_cloud_run_service.cloud_connector.name
-      region  = var.location
+      region  = data.google_client_config.current.region
       path    = "/audit"
     }
   }

modules/services/cloud-connector/data.tf

@@ -0,0 +1,2 @@
+data "google_client_config" "current" {
+}

modules/services/cloud-connector/variables.tf

@@ -40,12 +40,6 @@ variable "verify_ssl" {
   default     = true
 }
 
-variable "location" {
-  type        = string
-  default     = "us-central1"
-  description = "Zone where the cloud connector will be deployed"
-}
-
 variable "image_name" {
   type        = string
   default     = "gcr.io/mateo-burillo-ns/cloud-connector:latest"

test/fixtures/single-project/variables.tf

@@ -18,6 +18,6 @@ variable "sysdig_secure_endpoint" {
 
 variable "location" {
   type        = string
-  default     = "us-central1"
+  default     = "asia-northeast1"
   description = "Zone where the stack will be deployed"
 }