feat: Support use of Reader role in Trust Relationship module (#91)

* feat: Support using Reader CSPM role

* linting fixes

* linting fixes

examples/single-subscription/README.md

@@ -107,10 +107,12 @@ $ terraform apply
 | <a name="input_deploy_scanning"></a> [deploy\_scanning](#input\_deploy\_scanning) | true/false, whether scanning module is to be deployed | `bool` | `false` | no |
 | <a name="input_existing_registries"></a> [existing\_registries](#input\_existing\_registries) | existing  Azure Container Registry names to be included to  scan by resource group { resource\_group\_1 =  ["registry\_name\_11","registry\_name\_12"],resource\_group\_2 =  ["registry\_name\_21","registry\_name\_22"]}. By default it will create a new ACR | `map(list(string))` | `{}` | no |
 | <a name="input_location"></a> [location](#input\_location) | Zone where the stack will be deployed | `string` | `"westus"` | no |
+| <a name="input_logging"></a> [logging](#input\_logging) | log level: info or debug | `string` | `"info"` | no |
 | <a name="input_memory"></a> [memory](#input\_memory) | Number of CPU cores of the containers | `string` | `"1"` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The resource group name to deploy secure for cloud stack | `string` | `""` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to be added to the resources | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
+| <a name="input_use_reader_role"></a> [use\_reader\_role](#input\_use\_reader\_role) | Set this flag to `true` to use the `Reader` role instead of the `Contributor` role when creating the Trust Relationship. Some CSPM controls will not function correctly if this option is enabled | `bool` | `false` | no |
 
 ## Outputs
 

examples/single-subscription/cloud-bench.tf

@@ -3,4 +3,5 @@ module "cloud_bench" {
   source = "../../modules/services/cloud-bench"
 
   subscription_id = data.azurerm_subscription.current.subscription_id
+  use_reader_role = var.use_reader_role
 }

examples/single-subscription/variables.tf

@@ -59,6 +59,12 @@ variable "deploy_benchmark" {
   default     = true
 }
 
+variable "use_reader_role" {
+  type        = bool
+  description = "Set this flag to `true` to use the `Reader` role instead of the `Contributor` role when creating the Trust Relationship. Some CSPM controls will not function correctly if this option is enabled"
+  default     = false
+}
+
 
 #
 # general

examples/tenant-subscriptions/README.md

@@ -123,6 +123,7 @@ $ terraform apply
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The resource group name to deploy secure for cloud stack | `string` | `""` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to be added to the resources | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
 | <a name="input_threat_detection_subscription_ids"></a> [threat\_detection\_subscription\_ids](#input\_threat\_detection\_subscription\_ids) | Azure subscription IDs to run threat detection on. If no subscriptions are specified, all of the tenant will be used. | `list(string)` | `[]` | no |
+| <a name="input_use_reader_role"></a> [use\_reader\_role](#input\_use\_reader\_role) | Set this flag to `true` to use the `Reader` role instead of the `Contributor` role when creating the Trust Relationship. Some CSPM controls will not function correctly if this option is enabled | `bool` | `false` | no |
 
 ## Outputs
 

examples/tenant-subscriptions/cloud-bench.tf

@@ -4,4 +4,5 @@ module "cloud_bench" {
 
   subscription_ids = var.benchmark_subscription_ids
   is_tenant        = true
+  use_reader_role  = var.use_reader_role
 }

examples/tenant-subscriptions/variables.tf

@@ -70,6 +70,11 @@ variable "benchmark_subscription_ids" {
   description = "Azure subscription IDs to run Benchmarks on. If no subscriptions are specified, all of the tenant will be used."
 }
 
+variable "use_reader_role" {
+  type        = bool
+  description = "Set this flag to `true` to use the `Reader` role instead of the `Contributor` role when creating the Trust Relationship. Some CSPM controls will not function correctly if this option is enabled"
+  default     = false
+}
 
 #
 # general

modules/services/cloud-bench/main.tf

@@ -17,4 +17,5 @@ module "trust_relationship" {
   source   = "./trust_relationship"
 
   subscription_id = each.key
+  use_reader_role = var.use_reader_role
 }

modules/services/cloud-bench/trust_relationship/README.md

@@ -25,15 +25,15 @@ No modules.
 | [azurerm_lighthouse_assignment.lighthouse_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/lighthouse_assignment) | resource |
 | [azurerm_lighthouse_definition.lighthouse_definition](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/lighthouse_definition) | resource |
 | [sysdig_secure_cloud_account.cloud_account](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_account) | resource |
-| [azurerm_role_definition.contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
 | [azurerm_subscription.subscription](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
 | [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | ID of subscription containing resources to run benchmarks on | `string` | n/a | yes |
+| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | Subscription ID in which to create a Trust Relationship | `string` | n/a | yes |
+| <a name="input_use_reader_role"></a> [use\_reader\_role](#input\_use\_reader\_role) | Set this flag to `true` to use the `Reader` role instead of the `Contributor` role. Some CSPM controls will not function correctly if this option is enabled | `bool` | `false` | no |
 
 ## Outputs
 

modules/services/cloud-bench/trust_relationship/main.tf

@@ -21,20 +21,18 @@ resource "sysdig_secure_cloud_account" "cloud_account" {
   role_enabled   = "true"
 }
 
-data "azurerm_role_definition" "contributor" {
-  role_definition_id = "b24988ac-6180-42a0-ab88-20f7382dd24c"
-}
-
 resource "azurerm_lighthouse_definition" "lighthouse_definition" {
-  name               = "Sysdig CloudBench Lighthouse Definition"
-  description        = "Lighthouse definition representing Sysdig CloudBench offer"
+  name               = "Sysdig Lighthouse Definition"
+  description        = "Lighthouse definition for Sysdig Secure for Cloud"
   managing_tenant_id = data.sysdig_secure_trusted_cloud_identity.trusted_identity.azure_tenant_id
   scope              = "/subscriptions/${var.subscription_id}"
 
   authorization {
     principal_id           = data.sysdig_secure_trusted_cloud_identity.trusted_identity.azure_service_principal_id
-    role_definition_id     = data.azurerm_role_definition.contributor.role_definition_id
-    principal_display_name = "Sysdig CloudBench Service Principal"
+    principal_display_name = "Sysdig Service Principal"
+
+    # Uses Contributor (default) or Reader roles: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
+    role_definition_id = var.use_reader_role ? "acdd72a7-3385-48ef-bd42-f606fba81ae7" : "b24988ac-6180-42a0-ab88-20f7382dd24c"
   }
 }
 

modules/services/cloud-bench/trust_relationship/variables.tf

@@ -1,14 +1,14 @@
 variable "subscription_id" {
   type        = string
-  description = "ID of subscription containing resources to run benchmarks on"
+  description = "Subscription ID in which to create a Trust Relationship"
 }
 
 #---------------------------------
 # optionals - with default
 #---------------------------------
 
-#variable "region" {
-#  type        = string
-#  description = "Region in which to run the benchmark. Azure accepts one of [AzureCloud, AzureChinaCloud, AzureGermanCloud, AzureUSGovernment]."
-#  default     = "AzureCloud"
-#}
+variable "use_reader_role" {
+  type        = bool
+  description = "Set this flag to `true` to use the `Reader` role instead of the `Contributor` role. Some CSPM controls will not function correctly if this option is enabled"
+  default     = false
+}

modules/services/cloud-bench/variables.tf

@@ -1,14 +1,14 @@
 # For single project
 variable "subscription_id" {
   type        = string
-  description = "ID of subscription containing resources to run benchmarks on"
+  description = "Subscription ID in which to create a Trust Relationship"
   default     = ""
 }
 
 # For tenant
 variable "subscription_ids" {
   type        = list(string)
-  description = "IDs of subscriptions containing resources to run benchmarks on"
+  description = "List of Subscription IDs in which to create a Trust Relationship"
   default     = []
 }
 
@@ -21,3 +21,9 @@ variable "is_tenant" {
   description = "Whether this task is being created at the tenant or subscription level"
   default     = false
 }
+
+variable "use_reader_role" {
+  type        = bool
+  description = "Set this flag to `true` to use the `Reader` role instead of the `Contributor` role. Some CSPM controls will not function correctly if this option is enabled"
+  default     = false
+}