From b48408d766218f0e9538563622e4bfb674e13b8f Mon Sep 17 00:00:00 2001
From: Grzegorz Rygielski
Date: Thu, 26 Feb 2026 16:54:27 +0100
Subject: [PATCH 1/2] Add role for the GCP VM Scanner. Refresh docs.
---
 terraform/modules/aws-policies/README.md | 10 +-
 terraform/modules/azure-entra/README.md | 38 +++++++-
 terraform/modules/azure-permission/README.md | 49 +++++++++-
 terraform/modules/gcp-billing/README.md | 6 +-
 terraform/modules/gcp-log-export/README.md | 11 ++-
 terraform/modules/gcp-org/README.md | 8 +-
 terraform/modules/gcp-org/main.tf | 11 +++
 terraform/modules/gcp-org/outputs.tf | 5 +
 terraform/modules/gcp-permission/README.md | 6 +-
 terraform/modules/gcp-vm-scanner/README.md | 96 +++++++++++++++++++
 terraform/modules/gcp-vm-scanner/folder.tf | 11 +++
 terraform/modules/gcp-vm-scanner/locals.tf | 10 ++
 terraform/modules/gcp-vm-scanner/main.tf | 1 +
 terraform/modules/gcp-vm-scanner/org.tf | 11 +++
 terraform/modules/gcp-vm-scanner/provider.tf | 8 ++
 terraform/modules/gcp-vm-scanner/variable.tf | 21 ++++
 .../modules/kubernetes-scanner/README.md | 24 +++--
 17 files changed, 298 insertions(+), 28 deletions(-)
 create mode 100644 terraform/modules/gcp-vm-scanner/README.md
 create mode 100644 terraform/modules/gcp-vm-scanner/folder.tf
 create mode 100644 terraform/modules/gcp-vm-scanner/locals.tf
 create mode 100644 terraform/modules/gcp-vm-scanner/main.tf
 create mode 100644 terraform/modules/gcp-vm-scanner/org.tf
 create mode 100644 terraform/modules/gcp-vm-scanner/provider.tf
 create mode 100644 terraform/modules/gcp-vm-scanner/variable.tf
diff --git a/terraform/modules/aws-policies/README.md b/terraform/modules/aws-policies/README.md
index 6bf18b0..e87fb4d 100644
--- a/terraform/modules/aws-policies/README.md
+++ b/terraform/modules/aws-policies/README.md
@@ -3,14 +3,14 @@
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 1.6 |
-| [aws](#requirement\_aws) | ~> 5.0 |
+| [terraform](#requirement\_terraform) | >= 1.7 |
+| [aws](#requirement\_aws) | ~> 6.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | ~> 5.0 |
+| [aws](#provider\_aws) | ~> 6.0 |
 ## Modules
@@ -24,9 +24,13 @@ No modules.
 | [aws_iam_policy.pantheon_full_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.pantheon_full_policy2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.pantheon_full_policy3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.pantheon_full_policy4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.pantheon_full_policy5](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy_attachment.attach_PantheonDenyActionsPolicy1_to_gcp_federation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
 | [aws_iam_policy_attachment.attach_PantheonFullPolicy2_to_gcp_federation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
 | [aws_iam_policy_attachment.attach_PantheonFullPolicy3_to_gcp_federation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
+| [aws_iam_policy_attachment.attach_PantheonFullPolicy4_to_gcp_federation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
+| [aws_iam_policy_attachment.attach_PantheonFullPolicy5_to_gcp_federation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
 | [aws_iam_policy_attachment.attach_PantheonFullPolicy_to_gcp_federation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
 | [aws_iam_role.gcp_federation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.attach_SecurityAudit_to_gcp_federation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
diff --git a/terraform/modules/azure-entra/README.md b/terraform/modules/azure-entra/README.md
index 485a647..a3684d1 100644
--- a/terraform/modules/azure-entra/README.md
+++ b/terraform/modules/azure-entra/README.md
@@ -31,4 +31,40 @@ module "azure_entra_permission" {
 - Assigns the specified Azure AD directory role to the given service principal.
 ## Notes
-- The service principal will be able to perform actions allowed by the assigned directory role (e.g., list users and groups if "Directory Readers" is assigned).
\ No newline at end of file
+- The service principal will be able to perform actions allowed by the assigned directory role (e.g., list users and groups if "Directory Readers" is assigned).
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [azuread](#requirement\_azuread) | ~> 3.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [azuread](#provider\_azuread) | ~> 3.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azuread_directory_role.directory_reader](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/directory_role) | resource |
+| [azuread_directory_role_assignment.pantheon_engine_directory_reader](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/directory_role_assignment) | resource |
+| [azuread_service_principal.pantheon-service-principal](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [pantheon\_service\_principal](#input\_pantheon\_service\_principal) | The email address of the Google service account | `string` | n/a | yes |
+| [role](#input\_role) | The role to be assigned to the service account | `string` | `"Directory Readers"` | no |
+
+## Outputs
+
+No outputs.
+
\ No newline at end of file
diff --git a/terraform/modules/azure-permission/README.md b/terraform/modules/azure-permission/README.md
index 8b1cac8..09645ca 100644
--- a/terraform/modules/azure-permission/README.md
+++ b/terraform/modules/azure-permission/README.md
@@ -73,4 +73,51 @@ module "azure_permission_sub2" {
 - Role assignment at the resource group level
 ## Notes
-- All role assignments are optional; if you leave a variable empty, no assignment is created for that scope.
\ No newline at end of file
+- All role assignments are optional; if you leave a variable empty, no assignment is created for that scope.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [azurerm](#requirement\_azurerm) | ~> 4.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [azuread](#provider\_azuread) | n/a |
+| [azurerm](#provider\_azurerm) | ~> 4.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_role_assignment.pantheon_engine_security_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.pantheon_engine_security_admin_management_groups](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.pantheon_engine_security_admin_resource_groups](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azuread_service_principal.pantheon-service-principal](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
+| [azurerm_management_group.management_groups](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/management_group) | data source |
+| [azurerm_resource_group.resource_groups](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_role_definition.management_groups](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
+| [azurerm_role_definition.resource_groups](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
+| [azurerm_role_definition.subscription_role](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
+| [azurerm_subscription.subscriptions](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [management\_groups](#input\_management\_groups) | A list of specific resource IDs to which the IAM binding should be applied | `list(string)` | `[]` | no |
+| [pantheon\_service\_principal](#input\_pantheon\_service\_principal) | The email address of the Google service account | `string` | n/a | yes |
+| [resource\_groups](#input\_resource\_groups) | A list of resource group names to which the IAM binding should be applied | `list(string)` | `[]` | no |
+| [role](#input\_role) | The role to be assigned to the service account | `string` | `"Security Reader"` | no |
+| [subscriptions](#input\_subscriptions) | A list of subscription IDs to which the IAM binding should be applied | `list(string)` | `[]` | no |
+
+## Outputs
+
+No outputs.
+
\ No newline at end of file
diff --git a/terraform/modules/gcp-billing/README.md b/terraform/modules/gcp-billing/README.md
index 3a08511..3aaef9d 100644
--- a/terraform/modules/gcp-billing/README.md
+++ b/terraform/modules/gcp-billing/README.md
@@ -42,14 +42,14 @@ No outputs.
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 1.6 |
-| [google](#requirement\_google) | >= 5 |
+| [terraform](#requirement\_terraform) | >= 1.7 |
+| [google](#requirement\_google) | >= 6, >= 7 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [google](#provider\_google) | >= 5 |
+| [google](#provider\_google) | >= 6, >= 7 |
 ## Modules
diff --git a/terraform/modules/gcp-log-export/README.md b/terraform/modules/gcp-log-export/README.md
index da22b0c..90e53b8 100644
--- a/terraform/modules/gcp-log-export/README.md
+++ b/terraform/modules/gcp-log-export/README.md
@@ -56,16 +56,16 @@ No modules.
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 1.6 |
-| [google](#requirement\_google) | >= 5 |
-| [random](#requirement\_random) | >= 3.6.0 |
+| [terraform](#requirement\_terraform) | >= 1.7 |
+| [google](#requirement\_google) | >= 6, >= 7 |
+| [random](#requirement\_random) | >= 3.8.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [google](#provider\_google) | >= 5 |
-| [random](#provider\_random) | >= 3.6.0 |
+| [google](#provider\_google) | >= 6, >= 7 |
+| [random](#provider\_random) | >= 3.8.0 |
 ## Modules
@@ -84,6 +84,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [destination\_uri](#input\_destination\_uri) | The full qualified destination URI of the PubSub topic the logging sink should write to in the form 'pubsub.googleapis.com/projects//topics/'. Will be provided by the team. | `string` | n/a | yes |
+| [ignore\_principal\_emails](#input\_ignore\_principal\_emails) | Audit logs from these principal emails will be ignored. | `list(string)` | n/a | yes |
 | [pantheon\_service\_account](#input\_pantheon\_service\_account) | The service account used to scan resources. Will be provided by the team. | `string` | n/a | yes |
 | [parent\_resource\_id](#input\_parent\_resource\_id) | The folder resp. organization number, e.g. 123456789. Needs to be set by user. | `string` | n/a | yes |
 | [parent\_resource\_type](#input\_parent\_resource\_type) | Either 'folder' or 'organization'. Needs to be set by user. | `string` | n/a | yes |
diff --git a/terraform/modules/gcp-org/README.md b/terraform/modules/gcp-org/README.md
index bccad1a..4ad2834 100644
--- a/terraform/modules/gcp-org/README.md
+++ b/terraform/modules/gcp-org/README.md
@@ -43,14 +43,14 @@ No modules.
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 1.6 |
-| [google](#requirement\_google) | >= 5 |
+| [terraform](#requirement\_terraform) | >= 1.7 |
+| [google](#requirement\_google) | >= 6, >= 7 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [google](#provider\_google) | >= 5 |
+| [google](#provider\_google) | >= 6, >= 7 |
 ## Modules
@@ -61,6 +61,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [google_organization_iam_custom_role.pantheon_engine_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_custom_role) | resource |
+| [google_organization_iam_custom_role.pantheon_vmscanner_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_custom_role) | resource |
 ## Inputs
@@ -73,4 +74,5 @@ No modules.
 | Name | Description |
 |------|-------------|
 | [pantheon\_engine\_role\_id](#output\_pantheon\_engine\_role\_id) | The identifier of the created custom role with the format organizations/{{org\_id}}/roles/{{role\_id}}. |
+| [pantheon\_vmscanner\_role\_id](#output\_pantheon\_vmscanner\_role\_id) | The identifier of the created custom role with the format organizations/{{org\_id}}/roles/{{role\_id}}. |
\ No newline at end of file
diff --git a/terraform/modules/gcp-org/main.tf b/terraform/modules/gcp-org/main.tf
index 845b6cf..2373969 100644
--- a/terraform/modules/gcp-org/main.tf
+++ b/terraform/modules/gcp-org/main.tf
@@ -14,3 +14,14 @@ resource "google_organization_iam_custom_role" "pantheon_engine_permissions" {
 "clientauthconfig.clients.listWithSecrets",
 ]
 }
+
+resource "google_organization_iam_custom_role" "pantheon_vmscanner_permissions" {
+ org_id = var.org_id
+ role_id = "pantheon.vmscanner"
+ title = "Pantheon VM Scanner"
+ description = "Permissions for Pantheon VM Scanner to be able scan VM snapshots and list instances."
+ permissions = [
+ "compute.snapshots.create",
+ "compute.instances.list"
+ ]
+}
diff --git a/terraform/modules/gcp-org/outputs.tf b/terraform/modules/gcp-org/outputs.tf
index 7f88b2c..dc2c4c8 100644
--- a/terraform/modules/gcp-org/outputs.tf
+++ b/terraform/modules/gcp-org/outputs.tf
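Review bot: The new `pantheon_vmscanner_permissions` role grants `compute.snapshots.create` but not `compute.disks.createSnapshot`; as far as I recall the Compute Engine IAM reference, snapshotting a disk is checked against `compute.disks.createSnapshot` on the source disk in addition to `compute.snapshots.create` on the project, so with only the two permissions listed the scanner would be unable to create the snapshots its description promises. If snapshotting is the intent, add `"compute.disks.createSnapshot",` to the `permissions` list and say plainly in `description` what that means at the org/folder scope the gcp-vm-scanner module binds it at — the service account can copy the contents of every disk under the binding, so this is a data-read grant, not a list-only one — e.g. `description = "Pantheon VM Scanner: list instances and snapshot their disks. Snapshot creation exposes the full disk contents of every VM in scope."` (which also fixes the 'to be able scan' typo). Whether the scanner additionally needs `compute.snapshots.get`, `compute.snapshots.useReadOnly` or `compute.snapshots.delete` to consume and clean up its own snapshots is not visible in this diff; if it does, keeping them in this custom role is preferable to falling back to a broad predefined role.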
@@ -2,3 +2,8 @@ output "pantheon_engine_role_id" {
 value = google_organization_iam_custom_role.pantheon_engine_permissions.id
 description = "The identifier of the created custom role with the format organizations/{{org_id}}/roles/{{role_id}}."
 }
+
+output "pantheon_vmscanner_role_id" {
+ value = google_organization_iam_custom_role.pantheon_vmscanner_permissions.id
+ description = "The identifier of the created custom role with the format organizations/{{org_id}}/roles/{{role_id}}."
+}
diff --git a/terraform/modules/gcp-permission/README.md b/terraform/modules/gcp-permission/README.md
index 1f3d21d..ca15a5e 100644
--- a/terraform/modules/gcp-permission/README.md
+++ b/terraform/modules/gcp-permission/README.md
@@ -48,14 +48,14 @@ No outputs.
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 1.6 |
-| [google](#requirement\_google) | >= 5 |
+| [terraform](#requirement\_terraform) | >= 1.7 |
+| [google](#requirement\_google) | >= 6, >= 7 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [google](#provider\_google) | >= 5 |
+| [google](#provider\_google) | >= 6, >= 7 |
 ## Modules
diff --git a/terraform/modules/gcp-vm-scanner/README.md b/terraform/modules/gcp-vm-scanner/README.md
new file mode 100644
index 0000000..e14161d
--- /dev/null
+++ b/terraform/modules/gcp-vm-scanner/README.md
@@ -0,0 +1,96 @@
+## Pantheon gcp-org terraform module
+
+Provides IAM bindings on folder or organization level.
+
+This module is optional.
+
+Example usage
+```hcl
+
+# needed to prepare Pantheon VM Scanner role
+
+module "gcp-org" {
+ source = "github.com/ottogroup/pantheon//terraform/modules/gcp-org?ref=VERSION"
+ org_id = "1234567890", # Organization1
+}
+
+module "gcp-o[]()rg" {
+ source = "github.com/ottogroup/pantheon//terraform/modules/[]()gcp-org?ref=VERSION"
+
+}
+
+
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1 |
+| [google](#requirement\_google) | >= 4 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [google](#provider\_google) | >= 4 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [gcp-roles](#module\_gcp-roles) | ./../gcp-roles | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [google_folder_iam_member.folder_level_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/folder_iam_member) | resource |
+| [google_organization_iam_member.org_level_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_member) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [folder\_ids](#input\_folder\_ids) | Optional: The ID of a folder you want to attach the permissions to. Per default, the permissions will be granted on the org level. The format for each element is folders/{folder\_id}. Needs to be set by user. | `list(string)` | `[]` | no |
+| [org\_id](#input\_org\_id) | The ID of the organization that owns the resources that you want to scan. Needs to be set by user. | `string` | `null` | no |
+| [pantheon\_engine\_role\_id](#input\_pantheon\_engine\_role\_id) | The ID of org level custom role of Pantheon Engine. Will be provided by output of gcp-org module. | `string` | n/a | yes |
+| [pantheon\_gcp\_roles](#input\_pantheon\_gcp\_roles) | The roles that will be applied to all folders or the organization. The default are the recommended roles. | `list(string)` | `null` | no |
+| [pantheon\_service\_account](#input\_pantheon\_service\_account) | The service account used to scan resources. Will be provided by the team. | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [google](#requirement\_google) | ~> 7.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+No modules.
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [folder\_ids](#input\_folder\_ids) | Optional: The ID of a folder you want to attach the permissions to. Per default, the permissions will be granted on the org level. The format for each element is folders/{folder\_id}. Needs to be set by user. | `list(string)` | `[]` | no |
+| [org\_id](#input\_org\_id) | The ID of the organization that owns the resources that you want to scan. Needs to be set by user. | `string` | `null` | no |
+| [pantheon\_gcp\_roles](#input\_pantheon\_gcp\_roles) | The roles that will be applied to all folders or the organization. The default are the recommended roles. | `list(string)` | `null` | no |
+| [pantheon\_service\_account](#input\_pantheon\_service\_account) | The service account used to scan resources. Will be provided by the team. | `string` | n/a | yes |
+| [pantheon\_vmscanner\_role\_id](#input\_pantheon\_vmscanner\_role\_id) | The ID of org level custom role of Pantheon VM Scanner. Will be provided by output of gcp-org module. | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+
\ No newline at end of file
diff --git a/terraform/modules/gcp-vm-scanner/folder.tf b/terraform/modules/gcp-vm-scanner/folder.tf
new file mode 100644
index 0000000..7449ce6
--- /dev/null
+++ b/terraform/modules/gcp-vm-scanner/folder.tf
@@ -0,0 +1,11 @@
+#
+# This file contains role bindings required for Pantheon on the folder level.
+#
+
+# Iterate over the permutation of all roles and folderIds
+resource "google_folder_iam_member" "folder_level_permissions" {
+ for_each = { for entry in local.folder_roles : "${entry.role}.${entry.folderId}" => entry }
+ folder = each.value.folderId
+ member = "serviceAccount:${var.pantheon_service_account}"
+ role = each.value.role
+}
diff --git a/terraform/modules/gcp-vm-scanner/locals.tf b/terraform/modules/gcp-vm-scanner/locals.tf
new file mode 100644
index 0000000..57f8085
--- /dev/null
+++ b/terraform/modules/gcp-vm-scanner/locals.tf
@@ -0,0 +1,10 @@
+locals {
+ folder_roles = flatten(
+ [
+ for folderId in var.folder_ids : {
+ role = var.pantheon_vmscanner_role_id
+ folderId = folderId
+ }
+ ]
+ )
+}
\ No newline at end of file
diff --git a/terraform/modules/gcp-vm-scanner/main.tf b/terraform/modules/gcp-vm-scanner/main.tf
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/terraform/modules/gcp-vm-scanner/main.tf
@@ -0,0 +1 @@
+
diff --git a/terraform/modules/gcp-vm-scanner/org.tf b/terraform/modules/gcp-vm-scanner/org.tf
new file mode 100644
index 0000000..c614f9a
--- /dev/null
+++ b/terraform/modules/gcp-vm-scanner/org.tf
@@ -0,0 +1,11 @@
+#
+# This file contains role bindings required for Pantheon on the org level.
+#
+
+# Only iterate over roles, if the configuration is on org level, else iterate over empty list (create not resources)
+resource "google_organization_iam_member" "org_level_permissions" {
+ for_each = local.is_org_level ? toset(var.pantheon_vmscanner_role_id) : []
+ org_id = var.org_id
+ member = "serviceAccount:${var.pantheon_service_account}"
+ role = each.key
+}
diff --git a/terraform/modules/gcp-vm-scanner/provider.tf b/terraform/modules/gcp-vm-scanner/provider.tf
new file mode 100644
index 0000000..d17478a
--- /dev/null
+++ b/terraform/modules/gcp-vm-scanner/provider.tf
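Review bot: In org.tf the `for_each` applies `toset(var.pantheon_vmscanner_role_id)` to a value declared as `type = string` in this patch's variable.tf, and `toset` only accepts a list or set, so this resource cannot pass `terraform validate`; `local.is_org_level` is also referenced here but is not defined in the locals.tf added by this patch (it first appears in patch 2). Since the module binds exactly one role at org level, either switch to `count = local.is_org_level ? 1 : 0` with `role = var.pantheon_vmscanner_role_id`, or keep `for_each` and wrap the value so both branches share a type: `for_each = local.is_org_level ? toset([var.pantheon_vmscanner_role_id]) : toset([])`. Patch 2 touches two lines of org.tf, but that hunk is outside the visible part of the diff, so I cannot confirm whether it also repairs the `toset` call rather than only renaming the variable. Binding through `google_organization_iam_member` (additive) rather than a `_binding` is the right choice here, as it cannot displace other members already holding the custom role.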
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "~> 7.0"
+ }
+ }
+}
diff --git a/terraform/modules/gcp-vm-scanner/variable.tf b/terraform/modules/gcp-vm-scanner/variable.tf
new file mode 100644
index 0000000..7867837
--- /dev/null
+++ b/terraform/modules/gcp-vm-scanner/variable.tf
@@ -0,0 +1,21 @@
+variable "org_id" {
+ type = string
+ default = null
+ description = "The ID of the organization that owns the resources that you want to scan. Needs to be set by user."
+}
+
+variable "folder_ids" {
+ type = list(string)
+ default = []
+ description = "Optional: The ID of a folder you want to attach the permissions to. Per default, the permissions will be granted on the org level. The format for each element is folders/{folder_id}. Needs to be set by user."
+}
+
+variable "pantheon_vmscanner_role_id" {
+ type = string
+ description = "The ID of org level custom role of Pantheon VM Scanner. Will be provided by output of gcp-org module."
+}
+
+variable "pantheon_service_account" {
+ type = string
+ description = "The service account used to scan resources. Will be provided by the team."
+}
diff --git a/terraform/modules/kubernetes-scanner/README.md b/terraform/modules/kubernetes-scanner/README.md
index 19bece8..79d01b5 100644
--- a/terraform/modules/kubernetes-scanner/README.md
+++ b/terraform/modules/kubernetes-scanner/README.md
@@ -3,13 +3,13 @@
 | Name | Version |
 |------|---------|
-| [kubernetes](#requirement\_kubernetes) | 2.31.0 |
+| [kubernetes](#requirement\_kubernetes) | 2.38.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [kubernetes](#provider\_kubernetes) | 2.31.0 |
+| [kubernetes](#provider\_kubernetes) | 2.38.0 |
 ## Modules
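Review bot: Neither `folder_ids` nor `org_id` in variable.tf carries a `validation` block even though their descriptions prescribe a strict shape (`folders/{folder_id}` per element, a bare organization number for `org_id`), so a bare `112233445566` in `folder_ids` or an `organizations/…`-prefixed `org_id` is only rejected at plan or apply time by the provider, with a less helpful message. Since these two inputs decide where a snapshot-capable role gets bound across an organization, cheap shape checks are worth having, and the validations below use only `can`/`regex`/`alltrue`, which the Terraform versions pinned elsewhere in this patch support. The `folder_ids` description also says both 'Optional' and 'Needs to be set by user' while defaulting to `[]`; patch 2 reworks that wording, but its variable.tf hunk is not in view, so I cannot tell whether a validation was added there.
```hcl
variable "org_id" {
  # … unchanged: type, default, description …
  validation {
    condition     = var.org_id == null || can(regex("^[0-9]+$", var.org_id))
    error_message = "org_id must be the bare organization number, e.g. 123456789 (no organizations/ prefix)."
  }
}

variable "folder_ids" {
  # … unchanged: type, default, description …
  validation {
    condition     = alltrue([for f in var.folder_ids : can(regex("^folders/[0-9]+$", f))])
    error_message = "Each element of folder_ids must have the form folders/{folder_id}."
  }
}
# … unchanged: pantheon_vmscanner_role_id, pantheon_service_account …
```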
@@ -19,19 +19,25 @@ No modules.
 | Name | Type |
 |------|------|
-| [kubernetes_cluster_role_binding_v1.pantheon_scanner_crb](https://registry.terraform.io/providers/hashicorp/kubernetes/2.31.0/docs/resources/cluster_role_binding_v1) | resource |
-| [kubernetes_cluster_role_v1.pantheon_scanner_cr](https://registry.terraform.io/providers/hashicorp/kubernetes/2.31.0/docs/resources/cluster_role_v1) | resource |
-| [kubernetes_config_map_v1.pantheon_scanner_cm](https://registry.terraform.io/providers/hashicorp/kubernetes/2.31.0/docs/resources/config_map_v1) | resource |
-| [kubernetes_cron_job_v1.scanner](https://registry.terraform.io/providers/hashicorp/kubernetes/2.31.0/docs/resources/cron_job_v1) | resource |
-| [kubernetes_namespace_v1.pantheon_scanner](https://registry.terraform.io/providers/hashicorp/kubernetes/2.31.0/docs/resources/namespace_v1) | resource |
-| [kubernetes_service_account_v1.pantheon_scanner](https://registry.terraform.io/providers/hashicorp/kubernetes/2.31.0/docs/resources/service_account_v1) | resource |
+| [kubernetes_cluster_role_binding_v1.pantheon_scanner_crb](https://registry.terraform.io/providers/hashicorp/kubernetes/2.38.0/docs/resources/cluster_role_binding_v1) | resource |
+| [kubernetes_cluster_role_v1.pantheon_scanner_cr](https://registry.terraform.io/providers/hashicorp/kubernetes/2.38.0/docs/resources/cluster_role_v1) | resource |
+| [kubernetes_config_map_v1.pantheon_scanner_cm](https://registry.terraform.io/providers/hashicorp/kubernetes/2.38.0/docs/resources/config_map_v1) | resource |
+| [kubernetes_cron_job_v1.scanner](https://registry.terraform.io/providers/hashicorp/kubernetes/2.38.0/docs/resources/cron_job_v1) | resource |
+| [kubernetes_namespace_v1.pantheon_scanner](https://registry.terraform.io/providers/hashicorp/kubernetes/2.38.0/docs/resources/namespace_v1) | resource |
+| [kubernetes_priority_class_v1.pantheon-high-priority](https://registry.terraform.io/providers/hashicorp/kubernetes/2.38.0/docs/resources/priority_class_v1) | resource |
+| [kubernetes_service_account_v1.pantheon_scanner](https://registry.terraform.io/providers/hashicorp/kubernetes/2.38.0/docs/resources/service_account_v1) | resource |
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [pantheon\_kubernetes\_scanner\_config\_file](#input\_pantheon\_kubernetes\_scanner\_config\_file) | The path to the config file to use for the pantheon kubernetes scanner | `any` | n/a | yes |
+| [pantheon\_kubernetes\_cluster\_asset\_class](#input\_pantheon\_kubernetes\_cluster\_asset\_class) | The asset class of the cluster | `any` | n/a | yes |
+| [pantheon\_kubernetes\_cluster\_canonical\_asset\_type](#input\_pantheon\_kubernetes\_cluster\_canonical\_asset\_type) | The canonical asset type of the cluster | `any` | n/a | yes |
+| [pantheon\_kubernetes\_cluster\_canonical\_resource\_id](#input\_pantheon\_kubernetes\_cluster\_canonical\_resource\_id) | The canonical resource id of the cluster | `any` | n/a | yes |
+| [pantheon\_kubernetes\_cluster\_service\_id](#input\_pantheon\_kubernetes\_cluster\_service\_id) | The service id cluster | `any` | n/a | yes |
+| [pantheon\_kubernetes\_node\_architecture](#input\_pantheon\_kubernetes\_node\_architecture) | The target node architecture for the scanner | `string` | `"amd64"` | no |
 | [pantheon\_kubernetes\_scanner\_image](#input\_pantheon\_kubernetes\_scanner\_image) | The docker image to use for the pantheon kubernetes scanner | `any` | n/a | yes |
+| [pantheon\_kubernetes\_sink\_message\_broker](#input\_pantheon\_kubernetes\_sink\_message\_broker) | The sink message broker | `any` | n/a | yes |
 ## Outputs
From 7857b49cb352287175f56dabf89cf93f84005923 Mon Sep 17 00:00:00 2001
From: Grzegorz Rygielski
Date: Mon, 9 Mar 2026 13:09:59 +0100
Subject: [PATCH 2/2] ar
---
 .../README.md | 35 +++++++++++++------
 .../folder.tf | 0
 .../locals.tf | 3 +-
 .../modules/gcp-machine-scanning/main.tf | 9 +++++
 .../org.tf | 2 +-
 .../provider.tf | 4 +++
 .../variable.tf | 6 ++--
 terraform/modules/gcp-org/README.md | 4 +--
 terraform/modules/gcp-org/main.tf | 8 ++---
 terraform/modules/gcp-org/outputs.tf | 4 +--
 terraform/modules/gcp-vm-scanner/main.tf | 1 -
 11 files changed, 52 insertions(+), 24 deletions(-)
 rename terraform/modules/{gcp-vm-scanner => gcp-machine-scanning}/README.md (62%)
 rename terraform/modules/{gcp-vm-scanner => gcp-machine-scanning}/folder.tf (100%)
 rename terraform/modules/{gcp-vm-scanner => gcp-machine-scanning}/locals.tf (55%)
 create mode 100644 terraform/modules/gcp-machine-scanning/main.tf
 rename terraform/modules/{gcp-vm-scanner => gcp-machine-scanning}/org.tf (81%)
 rename terraform/modules/{gcp-vm-scanner => gcp-machine-scanning}/provider.tf (61%)
 rename terraform/modules/{gcp-vm-scanner => gcp-machine-scanning}/variable.tf (56%)
 delete mode 100644 terraform/modules/gcp-vm-scanner/main.tf
diff --git a/terraform/modules/gcp-vm-scanner/README.md b/terraform/modules/gcp-machine-scanning/README.md
similarity index 62%
rename from terraform/modules/gcp-vm-scanner/README.md
rename to terraform/modules/gcp-machine-scanning/README.md
index e14161d..a0ab313 100644
--- a/terraform/modules/gcp-vm-scanner/README.md
+++ b/terraform/modules/gcp-machine-scanning/README.md
@@ -10,13 +10,21 @@ Example usage
 # needed to prepare Pantheon VM Scanner role
 module "gcp-org" {
- source = "github.com/ottogroup/pantheon//terraform/modules/gcp-org?ref=VERSION"
+ source = "github.com/ottogroup/pantheon//terraform/modules/gcp-org?ref=VERSION"
 org_id = "1234567890", # Organization1
 }
-module "gcp-o[]()rg" {
- source = "github.com/ottogroup/pantheon//terraform/modules/[]()gcp-org?ref=VERSION"
-
+module "gcp-machine-scanning" {
+ source = "github.com/ottogroup/pantheon//terraform/modules/gcp-machine-scanning?ref=VERSION"
+
+ # either org_id or folder_ids MUST be set
+ org_id = "1234567890", # Organization1
+ folder_ids = [
+ "folders/112233445566" # Department2
+ ]
+
+ pantheon_machine_scanning_role_id = module.gcp-org.pantheon_machine_scanning_role_id
+ pantheon_service_account = "engine@.iam.gserviceaccount.com"
 }
@@ -67,10 +75,14 @@ No outputs.
 | Name | Version |
 |------|---------|
 | [google](#requirement\_google) | ~> 7.0 |
+| [null](#requirement\_null) | 3.2.4 |
 ## Providers
-No providers.
+| Name | Version |
+|------|---------|
+| [google](#provider\_google) | ~> 7.0 |
+| [null](#provider\_null) | 3.2.4 |
 ## Modules
@@ -78,17 +90,20 @@ No modules.
 ## Resources
-No resources.
+| Name | Type |
+|------|------|
+| [google_folder_iam_member.folder_level_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/folder_iam_member) | resource |
+| [google_organization_iam_member.org_level_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_member) | resource |
+| [null_resource.assert_org_or_folder_ids_are_set](https://registry.terraform.io/providers/hashicorp/null/3.2.4/docs/resources/resource) | resource |
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [folder\_ids](#input\_folder\_ids) | Optional: The ID of a folder you want to attach the permissions to. Per default, the permissions will be granted on the org level. The format for each element is folders/{folder\_id}. Needs to be set by user. | `list(string)` | `[]` | no |
-| [org\_id](#input\_org\_id) | The ID of the organization that owns the resources that you want to scan. Needs to be set by user. | `string` | `null` | no |
-| [pantheon\_gcp\_roles](#input\_pantheon\_gcp\_roles) | The roles that will be applied to all folders or the organization. The default are the recommended roles. | `list(string)` | `null` | no |
+| [folder\_ids](#input\_folder\_ids) | The ID of a folder you want to attach the permissions to. Per default, the permissions will be granted on the org level. The format for each element is folders/{folder\_id}. Needs to be set by user. Either org\_id or folder\_ids must be set. | `list(string)` | `[]` | no |
+| [org\_id](#input\_org\_id) | The ID of the organization that owns the resources that you want to scan. Needs to be set by user. Either org\_id or folder\_ids must be set. | `string` | `null` | no |
+| [pantheon\_machine\_scanning\_role\_id](#input\_pantheon\_machine\_scanning\_role\_id) | The ID of org level custom role of Pantheon VM Scanner. Will be provided by output of gcp-org module. | `string` | n/a | yes |
 | [pantheon\_service\_account](#input\_pantheon\_service\_account) | The service account used to scan resources. Will be provided by the team. | `string` | n/a | yes |
-| [pantheon\_vmscanner\_role\_id](#input\_pantheon\_vmscanner\_role\_id) | The ID of org level custom role of Pantheon VM Scanner. Will be provided by output of gcp-org module. | `string` | n/a | yes |
 ## Outputs
diff --git a/terraform/modules/gcp-vm-scanner/folder.tf b/terraform/modules/gcp-machine-scanning/folder.tf
similarity index 100%
rename from terraform/modules/gcp-vm-scanner/folder.tf
rename to terraform/modules/gcp-machine-scanning/folder.tf
diff --git a/terraform/modules/gcp-vm-scanner/locals.tf b/terraform/modules/gcp-machine-scanning/locals.tf
similarity index 55%
rename from terraform/modules/gcp-vm-scanner/locals.tf
rename to terraform/modules/gcp-machine-scanning/locals.tf
index 57f8085..ac83918 100644
--- a/terraform/modules/gcp-vm-scanner/locals.tf
+++ b/terraform/modules/gcp-machine-scanning/locals.tf
@@ -2,9 +2,10 @@ locals {
   folder_roles = flatten(
     [
       for folderId in var.folder_ids : {
-        role = var.pantheon_vmscanner_role_id
+        role = var.pantheon_machine_scanning_role_id
         folderId = folderId
       }
     ]
   )
+  is_org_level = length(var.folder_ids) == 0
 }
\ No newline at end of file
diff --git a/terraform/modules/gcp-machine-scanning/main.tf b/terraform/modules/gcp-machine-scanning/main.tf
new file mode 100644
index 0000000..fbfc7ea
--- /dev/null
+++ b/terraform/modules/gcp-machine-scanning/main.tf
@@ -0,0 +1,9 @@
+
+resource "null_resource" "assert_org_or_folder_ids_are_set" {
+  lifecycle {
+    precondition {
+      condition = (var.org_id == null && length(var.folder_ids) > 0) || (var.org_id != null && length(var.folder_ids) > 0)
+      error_message = "Either org_id or folder_ids must be set. Please provide either an org_id or at least one folder_id."
+    }
+  }
+}
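Review bot: The new `is_org_level` local in locals.tf is derived from `folder_ids` alone, so a caller that sets both `org_id` and `folder_ids` — which is exactly what the README example in this same patch does — silently gets no org-level binding and `org_id` is ignored, while a caller that sets neither gets `is_org_level = true` and an org binding with a null `org_id`. That precedence is reasonable (folder scoping is the narrower grant) but it is nowhere stated; a comment such as `# folder_ids wins: any folder scopes the grant to those folders and org_id is then unused` on the local, mirrored in the README comment that currently says "either org_id or folder_ids MUST be set", would make the behaviour explicit. If both being set is meant to be an error rather than a precedence, the precondition in main.tf is the place to reject it.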
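Review bot: The precondition in the new `null_resource.assert_org_or_folder_ids_are_set` rejects the org-level configuration it is supposed to allow: both disjuncts require `length(var.folder_ids) > 0`, so `org_id` set with the default empty `folder_ids` fails with the "Either org_id or folder_ids must be set" message, and only the folder-scoped path can ever plan. The intended check is the plain disjunction `condition = var.org_id != null || length(var.folder_ids) > 0`. If this module's `required_version` allows Terraform ≥ 1.4 (the first patch raises the sibling modules to ≥ 1.7, but this module's `terraform` block is not visible here), the built-in `terraform_data` resource accepts the same `lifecycle { precondition {} }` and would avoid adding the `null` provider in provider.tf solely for an assertion.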
diff --git a/terraform/modules/gcp-vm-scanner/org.tf b/terraform/modules/gcp-machine-scanning/org.tf
similarity index 81%
rename from terraform/modules/gcp-vm-scanner/org.tf
rename to terraform/modules/gcp-machine-scanning/org.tf
index c614f9a..6d084d8 100644
--- a/terraform/modules/gcp-vm-scanner/org.tf
+++ b/terraform/modules/gcp-machine-scanning/org.tf
@@ -4,7 +4,7 @@
 # Only iterate over roles, if the configuration is on org level, else iterate over empty list (create not resources)
 resource "google_organization_iam_member" "org_level_permissions" {
-  for_each = local.is_org_level ? toset(var.pantheon_vmscanner_role_id) : []
+  for_each = local.is_org_level ? toset(var.pantheon_machine_scanning_role_id) : []
   org_id = var.org_id
   member = "serviceAccount:${var.pantheon_service_account}"
   role = each.key
diff --git a/terraform/modules/gcp-vm-scanner/provider.tf b/terraform/modules/gcp-machine-scanning/provider.tf
similarity index 61%
rename from terraform/modules/gcp-vm-scanner/provider.tf
rename to terraform/modules/gcp-machine-scanning/provider.tf
index d17478a..d831993 100644
--- a/terraform/modules/gcp-vm-scanner/provider.tf
+++ b/terraform/modules/gcp-machine-scanning/provider.tf
@@ -4,5 +4,9 @@ terraform {
       source = "hashicorp/google"
       version = "~> 7.0"
     }
+    null = {
+      source = "hashicorp/null"
+      version = "3.2.4"
+    }
   }
 }
diff --git a/terraform/modules/gcp-vm-scanner/variable.tf b/terraform/modules/gcp-machine-scanning/variable.tf
similarity index 56%
rename from terraform/modules/gcp-vm-scanner/variable.tf
rename to terraform/modules/gcp-machine-scanning/variable.tf
index 7867837..1182e0c 100644
--- a/terraform/modules/gcp-vm-scanner/variable.tf
+++ b/terraform/modules/gcp-machine-scanning/variable.tf
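Review bot: The renamed `for_each` line still calls `toset()` on `var.pantheon_machine_scanning_role_id`, which variable.tf in this patch declares as `type = string`; `toset()` takes a list, set or tuple, so the org-level path cannot plan at all — this is inherited from the previous patch rather than introduced by the rename, but the rename keeps it alive. Wrapping the value, `for_each = local.is_org_level ? toset([var.pantheon_machine_scanning_role_id]) : toset([])`, fixes that and very likely also the inconsistent branch types (a set of string versus an empty tuple), which Terraform tends to reject in a conditional. The context comment above still talks about iterating over "roles" in the plural, a leftover from the removed `pantheon_gcp_roles` list; `# Bind the single custom role at org level only when no folder_ids are given` would match the new shape. The resource body continues outside the hunk.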
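Review bot: The new `null` entry is pinned to an exact `3.2.4` while the sibling `google` entry uses `~> 7.0`, and nothing says whether the exact pin is deliberate. If it is a supply-chain decision, the dependency lock file is what actually pins the provider (with hashes) and the intent deserves a one-line comment such as `# exact pin on purpose: keep in sync with the README requirements table`; otherwise `version = "~> 3.2"` keeps the two entries consistent. Either way the version shows up in three places (provider.tf, the README requirements table and the README providers table), so the choice should be recorded once.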
@@ -1,16 +1,16 @@
 variable "org_id" {
   type = string
   default = null
-  description = "The ID of the organization that owns the resources that you want to scan. Needs to be set by user."
+  description = "The ID of the organization that owns the resources that you want to scan. Needs to be set by user. Either org_id or folder_ids must be set."
 }
 variable "folder_ids" {
   type = list(string)
   default = []
-  description = "Optional: The ID of a folder you want to attach the permissions to. Per default, the permissions will be granted on the org level. The format for each element is folders/{folder_id}. Needs to be set by user."
+  description = "The ID of a folder you want to attach the permissions to. Per default, the permissions will be granted on the org level. The format for each element is folders/{folder_id}. Needs to be set by user. Either org_id or folder_ids must be set."
 }
-variable "pantheon_vmscanner_role_id" {
+variable "pantheon_machine_scanning_role_id" {
   type = string
   description = "The ID of org level custom role of Pantheon VM Scanner. Will be provided by output of gcp-org module."
 }
diff --git a/terraform/modules/gcp-org/README.md b/terraform/modules/gcp-org/README.md
index 4ad2834..81a5a2c 100644
--- a/terraform/modules/gcp-org/README.md
+++ b/terraform/modules/gcp-org/README.md
@@ -61,7 +61,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [google_organization_iam_custom_role.pantheon_engine_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_custom_role) | resource |
-| [google_organization_iam_custom_role.pantheon_vmscanner_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_custom_role) | resource |
+| [google_organization_iam_custom_role.pantheon_machine_scanning_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_custom_role) | resource |
 ## Inputs
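Review bot: The updated `folder_ids` description documents the `folders/{folder_id}` format but nothing enforces it, and the value reaches `google_folder_iam_member` verbatim, so a bare numeric ID or a stray whitespace only surfaces as a provider error at apply time instead of at plan time. A `validation` block on the variable catches this early, and `org_id` (expected to be the numeric organization ID) benefits from the same treatment; both checks reference only their own variable, so they work on any Terraform version this module is likely to require. Separately, the `pantheon_machine_scanning_role_id` description still says "Pantheon VM Scanner" although the role it comes from is now titled "Pantheon machine scanning" in gcp-org/main.tf.

```hcl
variable "org_id" {
  # … unchanged: type, default, description …

  validation {
    condition     = var.org_id == null || can(regex("^[0-9]+$", var.org_id))
    error_message = "org_id must be the numeric organization ID."
  }
}

variable "folder_ids" {
  # … unchanged: type, default, description …

  validation {
    condition     = alltrue([for f in var.folder_ids : can(regex("^folders/[0-9]+$", f))])
    error_message = "Each element of folder_ids must have the format folders/{folder_id}."
  }
}
```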
@@ -74,5 +74,5 @@ No modules.
 | Name | Description |
 |------|-------------|
 | [pantheon\_engine\_role\_id](#output\_pantheon\_engine\_role\_id) | The identifier of the created custom role with the format organizations/{{org\_id}}/roles/{{role\_id}}. |
-| [pantheon\_vmscanner\_role\_id](#output\_pantheon\_vmscanner\_role\_id) | The identifier of the created custom role with the format organizations/{{org\_id}}/roles/{{role\_id}}. |
+| [pantheon\_machine\_scanning\_role\_id](#output\_pantheon\_machine\_scanning\_role\_id) | The identifier of the created custom role with the format organizations/{{org\_id}}/roles/{{role\_id}}. |
\ No newline at end of file
diff --git a/terraform/modules/gcp-org/main.tf b/terraform/modules/gcp-org/main.tf
index 2373969..3d55259 100644
--- a/terraform/modules/gcp-org/main.tf
+++ b/terraform/modules/gcp-org/main.tf
@@ -15,11 +15,11 @@ resource "google_organization_iam_custom_role" "pantheon_engine_permissions" {
   ]
 }
-resource "google_organization_iam_custom_role" "pantheon_vmscanner_permissions" {
+resource "google_organization_iam_custom_role" "pantheon_machine_scanning_permissions" {
   org_id = var.org_id
-  role_id = "pantheon.vmscanner"
-  title = "Pantheon VM Scanner"
-  description = "Permissions for Pantheon VM Scanner to be able scan VM snapshots and list instances."
+  role_id = "pantheon.machineScanning"
+  title = "Pantheon machine scanning"
+  description = "Permissions for Pantheon to be able scan machine snapshots and list instances."
   permissions = [
     "compute.snapshots.create",
     "compute.instances.list"
diff --git a/terraform/modules/gcp-org/outputs.tf b/terraform/modules/gcp-org/outputs.tf
index dc2c4c8..039f332 100644
--- a/terraform/modules/gcp-org/outputs.tf
+++ b/terraform/modules/gcp-org/outputs.tf
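Review bot: Changing `role_id` from `pantheon.vmscanner` to `pantheon.machineScanning` forces replacement of the custom role, and renaming the resource block at the same time makes Terraform plan a delete of `pantheon_vmscanner_permissions` plus a create of `pantheon_machine_scanning_permissions`; any already-applied `gcp-vm-scanner` deployment whose IAM bindings reference the old role ID is left bound to a deleted role until it is re-applied against the new module. A `moved` block with `from = google_organization_iam_custom_role.pantheon_vmscanner_permissions` and `to = google_organization_iam_custom_role.pantheon_machine_scanning_permissions` keeps the address rename out of the plan, but the replacement caused by the new `role_id` remains and deserves a sentence in the commit message or a migration note in the README. As far as I recall, GCP soft-deletes custom roles and does not allow the deleted ID to be reused immediately, so reverting this commit would not be a clean rollback either — worth confirming against the IAM documentation before merging.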
@@ -3,7 +3,7 @@ output "pantheon_engine_role_id" {
   description = "The identifier of the created custom role with the format organizations/{{org_id}}/roles/{{role_id}}."
 }
-output "pantheon_vmscanner_role_id" {
-  value = google_organization_iam_custom_role.pantheon_vmscanner_permissions.id
+output "pantheon_machine_scanning_role_id" {
+  value = google_organization_iam_custom_role.pantheon_machine_scanning_permissions.id
   description = "The identifier of the created custom role with the format organizations/{{org_id}}/roles/{{role_id}}."
 }
diff --git a/terraform/modules/gcp-vm-scanner/main.tf b/terraform/modules/gcp-vm-scanner/main.tf
deleted file mode 100644
index 8b13789..0000000
--- a/terraform/modules/gcp-vm-scanner/main.tf
+++ /dev/null
@@ -1 +0,0 @@
-