feat(benchmark): Add an option to resuse existing workload identity pool via data (#130)

* Add an option to resuse existing workload identity pool via data

* docs: add terrascan to contribute

* docs: add terrascan to contribute

* ci: lint

* Remove unused data and improve description

* ci: lint

* docs: clarify varible desc

* docs: give alternative to 409 bench

* ci: lint

* ci: lint

---------

Co-authored-by: iru <[email protected]>

Author: airadier

CONTRIBUTE.md

@@ -48,7 +48,7 @@
 
 ## 1. Check::Pre-Commit
 
-Technical validation for terraform **lint**, **validation**, and **documentation**
+Technical validation for terraform **lint**, **validation**, **documentation** and **security scan**.
 
 We're using **pre-commit** |  https://pre-commit.com
 - Defined in `/.pre-commit-config.yaml`
@@ -58,6 +58,7 @@ We're using **pre-commit** |  https://pre-commit.com
   <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
   <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
   ```
+- pre-requirement download, see [Makefile](./Makefile)
 
 ## 2. Check::Integration tests
 

README.md

@@ -193,7 +193,13 @@ A: Currently Sysdig Backend does not support dynamic WorkloadPool and it's name
 https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#delete-pool
 > You can undelete a pool for up to 30 days after deletion. After 30 days, deletion is permanent. Until a pool is permanently deleted, you cannot reuse its   name when creating a new workload identity pool.<br/>
 
-<br/>S: For the moment, federation workload identity pool+provider have fixed name. In case you want to reuse it, you can reactivate and import it, into your terraform state manually.
+<br/>S: For the moment, federation workload identity pool+provider have fixed name.
+Therea are several options here
+
+In case you want to reuse it, you can make use of the `reuse_workload_identity_pool` attribute available in some
+examples.
+
+Alternatively, you can reactivate and import it, into your terraform state manually.
 ```bash
 # re-activate pool and provider
 $ gcloud iam workload-identity-pools undelete sysdigcloud  --location=global

examples/single-project-k8s/README.md

@@ -117,6 +117,7 @@ See [inputs summary](#inputs) or module module [`variables.tf`](./variables.tf)
 | <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | whether benchmark module is to be deployed | `bool` | `true` | no |
 | <a name="input_deploy_scanning"></a> [deploy\_scanning](#input\_deploy\_scanning) | true/false whether scanning module is to be deployed | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | Suffix to be assigned to all created resources. Modify this value in case of conflict / 409 error to bypass Google soft delete issues | `string` | `"sfc"` | no |
+| <a name="input_reuse_workload_identity_pool"></a> [reuse\_workload\_identity\_pool](#input\_reuse\_workload\_identity\_pool) | Reuse existing workload identity pool, from previous deployment, with name 'sysdigcloud'. <br/> Will help overcome <a href='https://github.com/sysdiglabs/terraform-google-secure-for-cloud#q-getting-error-creating-workloadidentitypool-googleapi-error-409-requested-entity-already-exists'>redeploying error due to GCP softdelete</a><br/> | `bool` | `false` | no |
 
 ## Outputs
 

examples/single-project-k8s/benchmark.tf

@@ -2,8 +2,9 @@ module "cloud_bench" {
   count  = var.deploy_benchmark ? 1 : 0
   source = "../../modules/services/cloud-bench"
 
-  is_organizational = false
-  role_name         = "${var.name}${var.benchmark_role_name}"
-  project_id        = data.google_client_config.current.project
-  regions           = var.benchmark_regions
+  is_organizational            = false
+  role_name                    = "${var.name}${var.benchmark_role_name}"
+  project_id                   = data.google_client_config.current.project
+  regions                      = var.benchmark_regions
+  reuse_workload_identity_pool = var.reuse_workload_identity_pool
 }

examples/single-project-k8s/variables.tf

@@ -28,6 +28,12 @@ variable "benchmark_role_name" {
   default     = "sysdigcloudbench"
 }
 
+variable "reuse_workload_identity_pool" {
+  type        = bool
+  description = "Reuse existing workload identity pool, from previous deployment, with name 'sysdigcloud'. <br/> Will help overcome <a href='https://github.com/sysdiglabs/terraform-google-secure-for-cloud#q-getting-error-creating-workloadidentitypool-googleapi-error-409-requested-entity-already-exists'>redeploying error due to GCP softdelete</a><br/>"
+  default     = false
+}
+
 
 # general
 variable "name" {

examples/single-project/README.md

@@ -114,6 +114,7 @@ module "secure-for-cloud_example_single-project" {
 | <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | whether benchmark module is to be deployed | `bool` | `true` | no |
 | <a name="input_deploy_scanning"></a> [deploy\_scanning](#input\_deploy\_scanning) | true/false whether scanning module is to be deployed | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | Suffix to be assigned to all created resources. Modify this value in case of conflict / 409 error to bypass Google soft delete issues | `string` | `"sfc"` | no |
+| <a name="input_reuse_workload_identity_pool"></a> [reuse\_workload\_identity\_pool](#input\_reuse\_workload\_identity\_pool) | Reuse existing workload identity pool, from previous deployment, with name 'sysdigcloud'. <br/> Will help overcome <a href='https://github.com/sysdiglabs/terraform-google-secure-for-cloud#q-getting-error-creating-workloadidentitypool-googleapi-error-409-requested-entity-already-exists'>redeploying error due to GCP softdelete</a><br/> | `bool` | `false` | no |
 
 ## Outputs
 

examples/single-project/benchmark.tf

@@ -2,8 +2,9 @@ module "cloud_bench" {
   count  = var.deploy_benchmark ? 1 : 0
   source = "../../modules/services/cloud-bench"
 
-  is_organizational = false
-  role_name         = "${var.name}${var.benchmark_role_name}"
-  project_id        = data.google_client_config.current.project
-  regions           = var.benchmark_regions
+  is_organizational            = false
+  role_name                    = "${var.name}${var.benchmark_role_name}"
+  project_id                   = data.google_client_config.current.project
+  regions                      = var.benchmark_regions
+  reuse_workload_identity_pool = var.reuse_workload_identity_pool
 }

examples/single-project/variables.tf

@@ -31,12 +31,18 @@ variable "benchmark_role_name" {
   default     = "sysdigcloudbench"
 }
 
+
 variable "cloud_connector_image" {
   type        = string
   description = "The image to use for the Cloud Connector."
   default     = "us-docker.pkg.dev/sysdig-public-registry/secure-for-cloud/cloud-connector:latest"
 }
 
+variable "reuse_workload_identity_pool" {
+  type        = bool
+  description = "Reuse existing workload identity pool, from previous deployment, with name 'sysdigcloud'. <br/> Will help overcome <a href='https://github.com/sysdiglabs/terraform-google-secure-for-cloud#q-getting-error-creating-workloadidentitypool-googleapi-error-409-requested-entity-already-exists'>redeploying error due to GCP softdelete</a><br/>"
+  default     = false
+}
 
 #
 # general

modules/services/cloud-bench/README.md

@@ -7,14 +7,14 @@ Deployed on **Sysdig Backend**
 - An `gcp_foundations_bench-1.2.0` benchmark task schedule on a random hour of the day `rand rand * * *`
 - coped to the configured `gcp.projectId` and `gcp.region`
 
-<!-- BEGIN_TF_DOCS -->
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14.0 |
-| <a name="requirement_google"></a> [google](#requirement\_google) | ~> 3.67.0 |
-| <a name="requirement_google-beta"></a> [google-beta](#requirement\_google-beta) | ~> 3.67.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | >= 4.21.0 |
+| <a name="requirement_google-beta"></a> [google-beta](#requirement\_google-beta) | >= 4.21.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.1.0 |
 | <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.21 |
 
@@ -39,12 +39,13 @@ No resources.
 |------|-------------|------|---------|:--------:|
 | <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | Whether this task is being created at the org or project level | `bool` | `false` | no |
 | <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | `""` | no |
-| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | ID of project to run the benchmark on | `string` | `""` | no |
-| <a name="input_project_ids"></a> [project\_ids](#input\_project\_ids) | IDs of projects to run the benchmark on. If empty, all organization projects will be defaulted. | `list(string)` | `[]` | no |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | Google cloud project ID to run Benchmarks on. It will create a trust-relationship, to allow Sysdig usage. | `string` | `""` | no |
+| <a name="input_project_ids"></a> [project\_ids](#input\_project\_ids) | Google cloud project IDs to run Benchmarks on. It will create a trust-relationship on each, to allow Sysdig usage. If empty, all organization projects will be defaulted. | `list(string)` | `[]` | no |
 | <a name="input_regions"></a> [regions](#input\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all regions by default. | `list(string)` | `[]` | no |
-| <a name="input_role_name"></a> [role\_name](#input\_role\_name) | The name of the Service Account that will be created. | `string` | `"sysdigcloudbench"` | no |
+| <a name="input_reuse_workload_identity_pool"></a> [reuse\_workload\_identity\_pool](#input\_reuse\_workload\_identity\_pool) | Reuse existing workload identity pool, from previous deployment, with name 'sysdigcloud'. <br/> Will help overcome <a href='https://github.com/sysdiglabs/terraform-google-secure-for-cloud#q-getting-error-creating-workloadidentitypool-googleapi-error-409-requested-entity-already-exists'>redeploying error due to GCP softdelete</a><br/> | `bool` | `false` | no |
+| <a name="input_role_name"></a> [role\_name](#input\_role\_name) | The name of the Service Account/Role that will be created. Modify this value in case of conflict / 409 error to bypass Google soft delete | `string` | `"sysdigcloudbench"` | no |
 
 ## Outputs
 
 No outputs.
-<!-- END_TF_DOCS -->
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/services/cloud-bench/main.tf

@@ -6,8 +6,9 @@ module "trust_relationship" {
   for_each = toset(local.project_ids)
   source   = "./trust_relationship"
 
-  project_id = each.key
-  role_name  = var.role_name
+  project_id                   = each.key
+  role_name                    = var.role_name
+  reuse_workload_identity_pool = var.reuse_workload_identity_pool
 }
 
 module "task" {