SCC Article Full TF
###
# Identity the scanner Cloud Function runs as.
# A dedicated SA (rather than the project's default compute SA) so that the
# grants below attach to this workload only.
#
resource "google_service_account" "sa_gcf" {
  display_name = "Google Cloud Function that runs the golden image scanner"
  account_id   = "gcf-golden-image-scanner"
}
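# findingsEditor scoped to the scanner's own SCC source instead of the whole
# organization: the function only needs to create/update findings under the
# "Golden Image Scanner" source, so an org-wide grant over-provisions it.
# (Resource label kept as-is to avoid touching unrelated references; applying
# this replaces the org-level binding with a source-level one in state.)
# Widen back to google_organization_iam_member only if the function turns out
# to read or set state on findings under other sources.
resource "google_scc_source_iam_member" "org_scc_findings" {
  organization = var.org_id
  source       = google_scc_source.custom_source.name
  role         = "roles/securitycenter.findingsEditor"
  member       = "serviceAccount:${google_service_account.sa_gcf.email}"
}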
# Read-only view of SCC assets across the organization. Assets are an
# org-level resource, so this grant genuinely has to live at org scope.
resource "google_organization_iam_member" "org_scc_assets" {
  member = "serviceAccount:${google_service_account.sa_gcf.email}"
  role   = "roles/securitycenter.assetsViewer"
  org_id = var.org_id
}
###
# Security Command Center Source
#
# The custom SCC source the scanner publishes its findings under. Its
# computed `name` is passed to the function via the scheduler request body.
resource "google_scc_source" "custom_source" {
  organization = var.org_id
  display_name = "Golden Image Scanner"
  description  = "Creates findings when disks are not using the latest golden image within a family"
}
###
# Google Cloud Function
#
resource "google_cloudfunctions_function" "scanner" {
  name        = "Golden-Image-Scanner"
  description = "GCF to run daily that scans for disks using out of date golden images"
  region      = var.region
  runtime     = "python39"
  entry_point = "scan"

  # Runs as the dedicated scanner SA declared above, not the default compute SA.
  service_account_email = google_service_account.sa_gcf.email

  source_repository {
    url = var.gcf_git_url
  }

  # HTTP-triggered; the Cloud Scheduler job POSTs to https_trigger_url.
  trigger_http = true
  # NOTE(review): ALLOW_ALL makes the trigger URL reachable from the public
  # internet, so IAM (roles/cloudfunctions.invoker) is the only gate on who
  # can run the scanner. No allUsers invoker binding is declared in this file;
  # keep it that way. If Cloud Scheduler's calls count as internal traffic for
  # this deployment, ALLOW_INTERNAL_ONLY would remove the public surface —
  # verify against the current Cloud Functions ingress docs before changing.
  ingress_settings = "ALLOW_ALL"

  available_memory_mb = 128
  timeout             = 60 # seconds; well under the scheduler's 320s attempt_deadline
}
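###
# Cloud Scheduler
#
# Dedicated caller identity for the scheduler job. The original used the
# project's default compute service account (data.google_compute_default_service_account),
# which in many projects still carries the project-wide Editor grant; a
# purpose-built SA limits the blast radius of the scheduler's credential to
# exactly one permission on exactly one function.
resource "google_service_account" "sa_scheduler" {
  account_id   = "golden-image-scanner-cron"
  display_name = "Cloud Scheduler caller for the golden image scanner"
}

# Explicit invoker grant on the function itself (not on the project), so the
# scheduler's OIDC token is accepted and no other identity's is. The original
# declared no invoker binding at all, leaving that to out-of-band configuration.
resource "google_cloudfunctions_function_iam_member" "scanner_invoker" {
  project        = google_cloudfunctions_function.scanner.project
  region         = google_cloudfunctions_function.scanner.region
  cloud_function = google_cloudfunctions_function.scanner.name
  role           = "roles/cloudfunctions.invoker"
  member         = "serviceAccount:${google_service_account.sa_scheduler.email}"
}

resource "google_cloud_scheduler_job" "job" {
  name        = "Golden-Image-Scanner"
  description = "A job that scans the image family ${var.image_family}"
  region      = var.region

  schedule  = "0 1 * * *" # daily at 1am
  time_zone = "America/Los_Angeles"

  # Upper bound on one HTTP attempt; the function's own timeout (60s) is the
  # effective limit, this just has to be no shorter than that.
  attempt_deadline = "320s"
  retry_config {
    retry_count = 1
  }

  # Make sure the invoker grant exists before the job can fire.
  depends_on = [google_cloudfunctions_function_iam_member.scanner_invoker]

  http_target {
    http_method = "POST"
    uri         = google_cloudfunctions_function.scanner.https_trigger_url

    # The function takes org_id / scc_source_name / image_family from this
    # body, so the only thing stopping a caller from pointing the scanner at a
    # different org or source is the invoker grant above. jsonencode() instead
    # of a hand-escaped string literal so a quote or backslash in
    # var.image_family cannot break (or reshape) the JSON.
    body = base64encode(jsonencode({
      org_id          = var.org_id
      scc_source_name = google_scc_source.custom_source.name
      image_family    = var.image_family
    }))

    headers = {
      Content-Type = "application/json"
    }

    oidc_token {
      service_account_email = google_service_account.sa_scheduler.email
      # audience is left at its default (the target uri), which is what
      # Cloud Functions validates against
    }
  }
}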