feat(onboarding): Datasource for regulatory trusted identity (#561)

* feat(onboarding): Datasource for regulatory trusted identity

Change summary:
-----------------
- Adding a new datasource secure_trusted_cloud_regulation_assets
  with identities for onboarding regulatory workloads such as aws
  gov workloads.
- added acc test and docs for the new datasource.

* Update test assertions

* Merge and use a single datasource

Author: ravinadhruve10

sysdig/data_source_sysdig_secure_onboarding.go

@@ -54,6 +54,18 @@ func dataSourceSysdigSecureTrustedCloudIdentity() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"gov_identity": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"aws_gov_account_id": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"aws_gov_role_name": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 		},
 	}
 }
@@ -65,18 +77,55 @@ func dataSourceSysdigSecureTrustedCloudIdentityRead(ctx context.Context, d *sche
 		return diag.FromErr(err)
 	}
 
+	// get trusted identity for commercial backend
 	identity, err := client.GetTrustedCloudIdentitySecure(ctx, d.Get("cloud_provider").(string))
 	if err != nil {
 		return diag.FromErr(err)
 	}
 
+	// get trusted identity for regulatory backend, such as govcloud
+	// XXX: only supported for aws currently. update when supported for other providers
+	var trustedRegulation map[string]string
+	if d.Get("cloud_provider").(string) == "aws" {
+		trustedRegulation, err = client.GetTrustedCloudRegulationAssetsSecure(ctx, d.Get("cloud_provider").(string))
+		if err != nil {
+			return diag.FromErr(err)
+		}
+	}
+
 	d.SetId(identity)
-	_ = d.Set("identity", identity)
 
 	provider := d.Get("cloud_provider")
 	switch provider {
-	case "aws", "gcp":
-		// If identity is an ARN, attempt to extract certain fields
+	case "aws":
+		// set the commercial identity
+		_ = d.Set("identity", identity)
+		// if identity is an ARN, attempt to extract certain fields
+		parsedArn, err := arn.Parse(identity)
+		if err == nil {
+			_ = d.Set("aws_account_id", parsedArn.AccountID)
+			if parsedArn.Service == "iam" && strings.HasPrefix(parsedArn.Resource, "role/") {
+				_ = d.Set("aws_role_name", strings.TrimPrefix(parsedArn.Resource, "role/"))
+			}
+		}
+
+		// set the gov regulation based identity (only supported for aws currently)
+		err = d.Set("gov_identity", trustedRegulation["trustedIdentityGov"])
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		// if identity is an ARN, attempt to extract certain fields
+		parsedArn, err = arn.Parse(trustedRegulation["trustedIdentityGov"])
+		if err == nil {
+			_ = d.Set("aws_gov_account_id", parsedArn.AccountID)
+			if parsedArn.Service == "iam" && strings.HasPrefix(parsedArn.Resource, "role/") {
+				_ = d.Set("aws_gov_role_name", strings.TrimPrefix(parsedArn.Resource, "role/"))
+			}
+		}
+	case "gcp":
+		// set the commercial identity
+		_ = d.Set("identity", identity)
+		// if identity is an ARN, attempt to extract certain fields
 		parsedArn, err := arn.Parse(identity)
 		if err == nil {
 			_ = d.Set("aws_account_id", parsedArn.AccountID)
@@ -85,7 +134,9 @@ func dataSourceSysdigSecureTrustedCloudIdentityRead(ctx context.Context, d *sche
 			}
 		}
 	case "azure":
-		// If identity is an Azure tenantID/clientID, separate into each part
+		// set the commercial identity
+		_ = d.Set("identity", identity)
+		// if identity is an Azure tenantID/clientID, separate into each part
 		tenantID, spID, err := parseAzureCreds(identity)
 		if err == nil {
 			_ = d.Set("azure_tenant_id", tenantID)

sysdig/data_source_sysdig_secure_onboarding_test.go

@@ -26,12 +26,17 @@ func TestAccTrustedCloudIdentityDataSource(t *testing.T) {
 			},
 		},
 		Steps: []resource.TestStep{
+			{
+				Config:      `data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {	cloud_provider = "invalid" }`,
+				ExpectError: regexp.MustCompile(`.*expected cloud_provider to be one of.*`),
+			},
 			{
 				Config: `data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {	cloud_provider = "aws" }`,
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("data.sysdig_secure_trusted_cloud_identity.trusted_identity", "cloud_provider", "aws"),
 					resource.TestCheckResourceAttrSet("data.sysdig_secure_trusted_cloud_identity.trusted_identity", "aws_account_id"),
 					resource.TestCheckResourceAttrSet("data.sysdig_secure_trusted_cloud_identity.trusted_identity", "aws_role_name"),
+					// not asserting the gov exported fields because not every backend environment is gov supported and will have non-empty values returned
 				),
 			},
 			{

sysdig/internal/client/v2/onboarding.go

@@ -12,6 +12,7 @@ const (
 	onboardingTenantExternaIDPath         = "%s/api/secure/onboarding/v2/externalID"
 	onboardingAgentlessScanningAssetsPath = "%s/api/secure/onboarding/v2/agentlessScanningAssets"
 	onboardingCloudIngestionAssetsPath    = "%s/api/secure/onboarding/v2/cloudIngestionAssets"
+	onboardingTrustedRegulationAssetsPath = "%s/api/secure/onboarding/v2/trustedRegulationAssets?provider=%s"
 )
 
 type OnboardingSecureInterface interface {
@@ -21,6 +22,7 @@ type OnboardingSecureInterface interface {
 	GetTenantExternalIDSecure(ctx context.Context) (string, error)
 	GetAgentlessScanningAssetsSecure(ctx context.Context) (map[string]any, error)
 	GetCloudIngestionAssetsSecure(ctx context.Context) (map[string]any, error)
+	GetTrustedCloudRegulationAssetsSecure(ctx context.Context, provider string) (map[string]string, error)
 }
 
 func (client *Client) GetTrustedCloudIdentitySecure(ctx context.Context, provider string) (string, error) {
@@ -92,3 +94,17 @@ func (client *Client) GetCloudIngestionAssetsSecure(ctx context.Context) (map[st
 
 	return Unmarshal[map[string]interface{}](response.Body)
 }
+
+func (client *Client) GetTrustedCloudRegulationAssetsSecure(ctx context.Context, provider string) (map[string]string, error) {
+	response, err := client.requester.Request(ctx, http.MethodGet, fmt.Sprintf(onboardingTrustedRegulationAssetsPath, client.config.url, provider), nil)
+	if err != nil {
+		return nil, err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		return nil, client.ErrorFromResponse(response)
+	}
+
+	return Unmarshal[map[string]string](response.Body)
+}

website/docs/d/secure_trusted_cloud_identity.md

@@ -39,3 +39,8 @@ In addition to all arguments above, the following attributes are exported:
 
 * `azure_service_principal_id` - If `identity` contains credentials for an Azure Service Principal, this attribute contains the service principal's ID. `cloud_provider` must be equal to `azure`.
 
+* `gov_identity` - Sysdig's identity for regulatory workloads (User/Role/etc) that should be used to create a trust relationship allowing Sysdig access to your regulated cloud account. Currently supported on `aws`.
+
+* `aws_gov_account_id` - If `gov_identity` is an AWS GOV IAM Role ARN, this attribute contains the AWS GOV Account ID to which the ARN belongs, otherwise it contains the empty string. Currently supported on `aws`.
+
+* `aws_gov_role_name` - If `gov_identity` is a AWS GOV IAM Role ARN, this attribute contains the name of the GOV role, otherwise it contains the empty string. Currently supported on `aws`.