deepfence/ThreatMapper#1074 Multiple project infra

deepfence · May 9, 2023 · ee8d2ad · ee8d2ad
1 parent 5b03da6
commit ee8d2ad
Show file tree

Hide file tree

Showing 8 changed files with 212 additions and 4 deletions.
diff --git a/examples/multi-project/README.md b/examples/multi-project/README.md
@@ -0,0 +1,82 @@
+# Cloud Scanner in Google Cloud<br/>[ Example :: Single-Account ] 
+
+Deploy Cloud Scanner for Google Cloud in a single project.<br/>
+
+### Notice
+**Deployment cost** - This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
+
+## Prerequisites
+
+1. Configure [Terraform **GCP** Provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs)
+2. Following **roles** are required in your GCP organization/project credentials
+   * _Owner_
+3. Besides, the following GCP **APIs must be enabled** to deploy resources correctly:
+
+* [Identity and access management API](https://console.cloud.google.com/marketplace/product/google/iam.googleapis.com)
+* [Cloud Run API](https://console.cloud.google.com/marketplace/product/google/run.googleapis.com)
+
+## Usage
+Copy the code below and paste it into a .tf file on your local machine.
+
+```terraform
+
+provider "google" {
+   project = "<PROJECT_ID>; ex. dev1-123456"
+   region  = "<REGION_ID>; ex. asia-east1"
+}
+
+provider "google-beta" {
+   project = "<PROJECT_ID> ex. dev1-123456"
+   region  = "<REGION_ID>; ex. asia-east1"
+}
+
+module "cloud-scanner_example_single-project" {
+  source              = "deepfence/cloud-scanner/gcp//examples/single-project"
+  version             = "0.1.0"
+  mgmt-console-url    = "<Console URL> eg. XXX.XXX.XX.XXX"
+  mgmt-console-port   = "443"
+  deepfence-key       = "<Deepfence-key> eg. XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
+  image_name          = "us-east1-docker.pkg.dev/deepfenceio/deepfence/cloud-scanner:latest"
+}
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | ~> 4.21.0 |
+| <a name="requirement_google-beta"></a> [google-beta](#requirement\_google-beta) | ~> 4.21.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | ~> 4.21.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_container"></a> [container](#module\_container) | ../../modules/services/container | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [google_service_account.container_sa](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_client_config.current](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_deepfence-key"></a> [deepfence-key](#input\_deepfence-key) | deepfence-key | `string` | `""` | no |
+| <a name="input_mgmt-console-port"></a> [mgmt-console-port](#input\_mgmt-console-port) | mgmt-console-port | `string` | `"443"` | no |
+| <a name="input_mgmt-console-url"></a> [mgmt-console-url](#input\_mgmt-console-url) | mgmt-console-url | `string` | `""` | no |
+| <a name="input_mode"></a> [mode](#input\_mode) | mode | `string` | `"service"` | no |
+| <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"deepfence-cloud-scanner"` | no |
+
+## Outputs
+
+No outputs.
diff --git a/examples/multi-project/data.tf b/examples/multi-project/data.tf
@@ -0,0 +1,15 @@
+# importing google cloud current config
+
+data "google_organization" "org" {}
+
+data "google_client_config" "current" {}
+
+data "google_project" "all_projects" {
+  count = length(data.google_organization.org.projects)
+
+  project_id = data.google_organization.org.projects[count.index].project_id
+}
+
+output "projects" {
+  value = [for project in data.google_project.all_projects : project.project_id]
+}
diff --git a/examples/multi-project/main.tf b/examples/multi-project/main.tf
@@ -0,0 +1,26 @@
+# provider "google" {
+#   project = var.project
+#   region  = var.region
+# }
+
+# creates service account with read only access for resources
+resource "google_service_account" "container_sa" {
+  account_id   = "${var.name}-sa"
+  display_name = "Service account for container"
+}
+
+# deploys application image in cloud run container with required access
+module "container" {
+  source             = "../../modules/services/container"
+  name               = "${var.name}-container"
+  mode               = var.mode
+  mgmt-console-url   = var.mgmt-console-url
+  mgmt-console-port  = var.mgmt-console-port
+  deepfence-key      = var.deepfence-key
+  image_name         = var.image_name
+  project_id         = data.google_client_config.current.project
+  container_sa_email = google_service_account.container_sa.email
+  cpu                = 2
+  multi-project-ids = [for project in data.google_project.all_projects : project.project_id]
+  org-acc-id        = data.google_organization.org.id
+}
diff --git a/examples/multi-project/variables.tf b/examples/multi-project/variables.tf
@@ -0,0 +1,52 @@
+# general
+
+variable "name" {
+  type        = string
+  description = "Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances"
+  default     = "deepfence-cloud-scanner"
+}
+
+# container variables
+
+variable "mode" {
+  type        = string
+  description = "mode"
+  default     = "service"
+}
+
+variable "mgmt-console-url" {
+  type        = string
+  description = "mgmt-console-url"
+  default     = ""
+}
+
+variable "mgmt-console-port" {
+  type        = string
+  description = "mgmt-console-port"
+  default     = "443"
+}
+
+variable "deepfence-key" {
+  type        = string
+  description = "deepfence-key"
+  default     = ""
+}
+
+variable "image_name" {
+  type        = string
+  description = "Cloud Scanner docker image"
+  default     = "docker.io/deepfenceiowfds/cloud-scanner:v2"
+}
+
+variable "multi-project-id" {
+  type        = string
+  description = "List of all project "
+}
+
+# variable "project" {
+#   type = string
+# }
+
+# variable "region" {
+#   type = string
+# }
diff --git a/examples/multi-project/versions.tf b/examples/multi-project/versions.tf
@@ -0,0 +1,16 @@
+# version requirement
+
+terraform {
+  required_version = ">= 0.15.0"
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 4.21.0"
+    }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = "~> 4.21.0"
+    }
+  }
+}
diff --git a/modules/services/container/data.tf b/modules/services/container/data.tf
@@ -2,6 +2,14 @@
 
 data "google_client_config" "current" {}
 
-data "google_project" "project" {
-  project_id = var.project_id
+data "google_organization" "org" {}
+
+data "google_project" "all_projects" {
+  count = length(data.google_organization.org.projects)
+
+  project_id = data.google_organization.org.projects[count.index].project_id
+}
+
+output "projects" {
+  value = [for project in data.google_project.all_projects : project.project_id]
 }
diff --git a/modules/services/container/main.tf b/modules/services/container/main.tf
@@ -60,7 +60,7 @@ resource "google_cloud_run_service" "container" {
     spec {
       containers {
         image   = var.image_name
-        command = ["/usr/local/bin/cloud_compliance_scan", "-mode", var.mode, "-mgmt-console-url", var.mgmt-console-url, "-mgmt-console-port", var.mgmt-console-port, "-deepfence-key", var.deepfence-key, "-http-server-required"]
+        command = ["/usr/local/bin/cloud_compliance_scan", "-mode", var.mode, "-mgmt-console-url", var.mgmt-console-url, "-mgmt-console-port", var.mgmt-console-port, "-deepfence-key", var.deepfence-key, "-http-server-required", "-multiple-acc-ids", var.multi-project-ids, "-org-acc-id", var.org-acc-id]
         resources {
           limits = {
             cpu    = var.cpu,

diff --git a/modules/services/container/variables.tf b/modules/services/container/variables.tf
@@ -55,7 +55,7 @@ variable "min_instances" {
 
 variable "image_name" {
   type        = string
-  default     = "us-east1-docker.pkg.dev/deepfenceio/deepfence/cloud-scanner:latest"
+  default     = "docker.io/deepfenceio/cloud-scanner:v2"
   description = "Deepfence cloud scanner image. GCP only allows the deployment of images that are registered in gcr.io"
 }
 
@@ -77,6 +77,15 @@ variable "cloud_provider" {
   description = "Cloud provider name"
 }
 
+variable "multi-project-ids" {
+  type        = string
+  description = "These account ids are those where scanning will be done"
+}
+
+variable "org-acc-id" {
+  type        = string
+  description = "This account id is the management account id which is there in an organizational setup"
+}