Merge pull request #240 from DataDog/mohamed.challal/fix-gcp-terraform-plan

[K9VULN-8670] fix(gcp): fix gcp terraform plan

Author: mohamed-challal

gcp/examples/cross_project/README.md

@@ -78,6 +78,14 @@ Use this **advanced** deployment model when:
    terraform init
    ```
 
+1. **Review the deployment plan**:
+   ```sh
+   terraform plan \
+     -var="scanner_project_id=my-scanner-project" \
+     -var="datadog_api_key=$DD_API_KEY" \
+     -var="datadog_site=datadoghq.com"
+   ```
+
 1. **Deploy the scanner infrastructure**. You will need to:
    - Set your scanner project ID
    - Set your Datadog [API key](https://docs.datadoghq.com/account_management/api-app-keys/)
@@ -100,14 +108,19 @@ Use this **advanced** deployment model when:
 
 1. Go to the `other_project` folder.
 1. Run `terraform init`.
-1. Run `terraform apply`.
+1. Run `terraform plan` to review the changes.
+1. Run `terraform apply` to deploy.
 1. Set the project ID to be scanned.
 1. Set both scanner service account emails from Step 1.
 
 Example:
 ```sh
 cd ../other_project
 terraform init
+terraform plan \
+  -var="scanned_project_id=my-other-project" \
+  -var="scanner_service_account_email_us=$SCANNER_SA_US" \
+  -var="scanner_service_account_email_eu=$SCANNER_SA_EU"
 terraform apply \
   -var="scanned_project_id=my-other-project" \
   -var="scanner_service_account_email_us=$SCANNER_SA_US" \
@@ -153,7 +166,7 @@ Repeat Step 2 for each additional project you want to scan.
 
 You have two options for providing the Datadog API key:
 
-1. **Pass the API key directly** (shown in examples below):
+1. **Pass the API key directly** (shown in examples above):
    ```bash
    -var="datadog_api_key=$DD_API_KEY"
    ```

gcp/examples/cross_project/other_project/main.tf

@@ -20,12 +20,10 @@ module "agentless_impersonated_service_account_us" {
   source = "git::https://github.com/DataDog/terraform-module-datadog-agentless-scanner//gcp/modules/agentless-impersonated-service-account?ref=7993939f19df2a39c981cbffbcd48a91c9fba214"
 
   scanner_service_account_email = var.scanner_service_account_email_us
-  unique_suffix                 = "${var.unique_suffix}us"
 }
 
 module "agentless_impersonated_service_account_eu" {
   source = "git::https://github.com/DataDog/terraform-module-datadog-agentless-scanner//gcp/modules/agentless-impersonated-service-account?ref=7993939f19df2a39c981cbffbcd48a91c9fba214"
 
   scanner_service_account_email = var.scanner_service_account_email_eu
-  unique_suffix                 = "${var.unique_suffix}eu"
 }

gcp/examples/cross_project/other_project/variables.tf

@@ -12,9 +12,3 @@ variable "scanner_service_account_email_eu" {
   description = "Email of the EU scanner service account from the scanner project (output from scanner_project deployment)"
   type        = string
 }
-
-variable "unique_suffix" {
-  description = "Unique suffix to append to resource names. Must be alphanumeric only and maximum 6 characters (will be appended with region suffix)."
-  type        = string
-  default     = ""
-}

gcp/examples/cross_project/scanner_project/main.tf

@@ -29,10 +29,9 @@ module "datadog_agentless_scanner_us" {
     google = google.us
   }
 
-  site          = var.datadog_site
-  api_key       = var.datadog_api_key
-  vpc_name      = "datadog-agentless-scanner-us"
-  unique_suffix = ""
+  site     = var.datadog_site
+  api_key  = var.datadog_api_key
+  vpc_name = "datadog-agentless-scanner-us"
 }
 
 # Deploy the scanner infrastructure in EU region
@@ -43,8 +42,7 @@ module "datadog_agentless_scanner_eu" {
     google = google.eu
   }
 
-  site          = var.datadog_site
-  api_key       = var.datadog_api_key
-  vpc_name      = "datadog-agentless-scanner-eu"
-  unique_suffix = ""
+  site     = var.datadog_site
+  api_key  = var.datadog_api_key
+  vpc_name = "datadog-agentless-scanner-eu"
 }

gcp/examples/single_region/README.md

@@ -2,7 +2,7 @@
 
 This folder shows an example of Terraform code that uses the [datadog-agentless-scanner module](https://github.com/Datadog/terraform-module-datadog-agentless-scanner/tree/main/gcp) to deploy a Datadog Agentless scanner in your [GCP](https://cloud.google.com/) project.
 
-With this deployment, a single Agentless scanner is deployed in a single region with instances distributed across multiple zones for high availability. Datadog recommends this option for most use cases.
+With this deployment, a single Agentless scanner is deployed in a single region with instances distributed across multiple zones for high availability.
 
 **Note**: The region is configured via the Google provider. In this example, `us-central1` is used, but you can change it to any GCP region.
 
@@ -35,6 +35,14 @@ To deploy a Datadog agentless scanner:
    terraform init
    ```
 
+1. **Review the deployment plan**:
+   ```sh
+   terraform plan \
+     -var="project_id=my-gcp-project" \
+     -var="datadog_api_key=$DD_API_KEY" \
+     -var="datadog_site=datadoghq.com"
+   ```
+
 1. **Deploy the scanner**. You will need to:
    - Set your GCP project ID
    - Set your Datadog [API key](https://docs.datadoghq.com/account_management/api-app-keys/)
@@ -60,7 +68,7 @@ To deploy a Datadog agentless scanner:
 
 You have two options for providing the Datadog API key:
 
-1. **Pass the API key directly** (shown in examples below):
+1. **Pass the API key directly** (shown in examples above):
    ```bash
    -var="datadog_api_key=$DD_API_KEY"
    ```

gcp/examples/single_region/main.tf

@@ -17,9 +17,7 @@ provider "google" {
 module "datadog_agentless_scanner" {
   source = "git::https://github.com/DataDog/terraform-module-datadog-agentless-scanner//gcp?ref=7993939f19df2a39c981cbffbcd48a91c9fba214"
 
-  site          = var.datadog_site
-  api_key       = var.datadog_api_key
-  vpc_name      = "datadog-agentless-scanner"
-  unique_suffix = ""
+  site     = var.datadog_site
+  api_key  = var.datadog_api_key
+  vpc_name = "datadog-agentless-scanner"
 }
-

gcp/modules/agentless-impersonated-service-account/main.tf

@@ -3,13 +3,12 @@ data "google_client_config" "current" {}
 # Random ID for unique resource naming when unique_suffix is empty
 resource "random_id" "deployment_suffix" {
   byte_length = 4
-  count       = var.unique_suffix == "" ? 1 : 0
 }
 
 locals {
   project_id = data.google_client_config.current.project
   # Use provided unique_suffix or generate random one
-  effective_suffix = var.unique_suffix != "" ? var.unique_suffix : random_id.deployment_suffix[0].hex
+  effective_suffix = var.unique_suffix != "" ? var.unique_suffix : random_id.deployment_suffix.hex
 }
 
 # Custom role for creating snapshots

gcp/modules/agentless-scanner-service-account/main.tf

@@ -3,13 +3,12 @@ data "google_client_config" "current" {}
 # Random ID for unique resource naming when unique_suffix is empty
 resource "random_id" "deployment_suffix" {
   byte_length = 4
-  count       = var.unique_suffix == "" ? 1 : 0
 }
 
 locals {
   project_id = data.google_client_config.current.project
   # Use provided unique_suffix or generate random one
-  effective_suffix = var.unique_suffix != "" ? var.unique_suffix : random_id.deployment_suffix[0].hex
+  effective_suffix = var.unique_suffix != "" ? var.unique_suffix : random_id.deployment_suffix.hex
   # Extract secret name from full path (projects/PROJECT_ID/secrets/SECRET_NAME -> SECRET_NAME)
   secret_name = regex("^projects/[a-zA-Z0-9-]+/secrets/([a-zA-Z0-9-]+)$", var.api_key_secret_id)[0]
 }

gcp/modules/instance/main.tf

@@ -5,15 +5,14 @@ data "google_client_config" "current" {}
 # Random ID for unique resource naming when unique_suffix is empty
 resource "random_id" "deployment_suffix" {
   byte_length = 4
-  count       = var.unique_suffix == "" ? 1 : 0
 }
 
 locals {
   project_id        = data.google_client_config.current.project
   region            = data.google_client_config.current.region
   api_key_secret_id = var.api_key_secret_id != null ? var.api_key_secret_id : google_secret_manager_secret.api_key_secret[0].id
   # Use provided unique_suffix or generate random one
-  effective_suffix = var.unique_suffix != "" ? var.unique_suffix : random_id.deployment_suffix[0].hex
+  effective_suffix = var.unique_suffix != "" ? var.unique_suffix : random_id.deployment_suffix.hex
   # Validation for api_key XOR api_key_secret_id
   api_key_validation = (var.api_key != null && var.api_key_secret_id == null) || (var.api_key == null && var.api_key_secret_id != null)
   # Validation to ensure both SSH variables are provided or neither

gcp/modules/vpc/main.tf

@@ -3,13 +3,12 @@ data "google_client_config" "current" {}
 # Random ID for unique resource naming when unique_suffix is empty
 resource "random_id" "deployment_suffix" {
   byte_length = 4
-  count       = var.unique_suffix == "" ? 1 : 0
 }
 
 locals {
   region = data.google_client_config.current.region
   # Use provided unique_suffix or generate random one
-  effective_suffix = var.unique_suffix != "" ? var.unique_suffix : random_id.deployment_suffix[0].hex
+  effective_suffix = var.unique_suffix != "" ? var.unique_suffix : random_id.deployment_suffix.hex
   vpc_name         = "${var.name}-${local.effective_suffix}"
 }