Merge pull request #245 from DataDog/mohamed.challal/add-gcp-scan-options-providers

[K9VULN-8133] feat(gcp): create the scan options with the TF provider

Co-authored-by: mohamed-challal <[email protected]>

Author: dd-mergequeue[bot]

gcp/examples/cross_project/README.md

@@ -81,12 +81,14 @@ Use this **advanced** deployment model when:
 1. **Review the deployment plan**. You will need to:
    - Set the project ID where the scanner will be deployed
    - Set your Datadog [API key](https://docs.datadoghq.com/account_management/api-app-keys/)
+   - Set your Datadog [APP key](https://docs.datadoghq.com/account_management/api-app-keys/)
    - Set your Datadog site
 
    ```sh
    terraform plan \
      -var="scanner_project_id=my-scanner-project" \
      -var="datadog_api_key=$DD_API_KEY" \
+     -var="datadog_app_key=$DD_APP_KEY" \
      -var="datadog_site=datadoghq.com"
    ```
 
@@ -95,6 +97,7 @@ Use this **advanced** deployment model when:
    terraform apply \
      -var="scanner_project_id=my-scanner-project" \
      -var="datadog_api_key=$DD_API_KEY" \
+     -var="datadog_app_key=$DD_APP_KEY" \
      -var="datadog_site=datadoghq.com"
    ```
 
@@ -122,11 +125,17 @@ terraform init
 terraform plan \
   -var="scanned_project_id=my-other-project" \
   -var="scanner_service_account_email_us=$SCANNER_SA_US" \
-  -var="scanner_service_account_email_eu=$SCANNER_SA_EU"
+  -var="scanner_service_account_email_eu=$SCANNER_SA_EU" \
+  -var="datadog_api_key=$DD_API_KEY" \
+  -var="datadog_app_key=$DD_APP_KEY" \
+  -var="datadog_site=datadoghq.com"
 terraform apply \
   -var="scanned_project_id=my-other-project" \
   -var="scanner_service_account_email_us=$SCANNER_SA_US" \
-  -var="scanner_service_account_email_eu=$SCANNER_SA_EU"
+  -var="scanner_service_account_email_eu=$SCANNER_SA_EU" \
+  -var="datadog_api_key=$DD_API_KEY" \
+  -var="datadog_app_key=$DD_APP_KEY" \
+  -var="datadog_site=datadoghq.com"
 ```
 
 Repeat Step 2 for each additional project you want to scan.

gcp/examples/cross_project/other_project/main.tf

@@ -6,13 +6,30 @@ terraform {
       source  = "hashicorp/google"
       version = ">= 5.0"
     }
+    datadog = {
+      source  = "DataDog/datadog"
+      version = ">= 3.80.0"
+    }
   }
 }
 
 provider "google" {
   project = var.scanned_project_id
 }
 
+provider "datadog" {
+  api_key = var.datadog_api_key
+  app_key = var.datadog_app_key
+  api_url = "https://api.${var.datadog_site}/"
+}
+
+# Enable agentless scanning for this project
+resource "datadog_agentless_scanning_gcp_scan_options" "scanned_project" {
+  gcp_project_id     = var.scanned_project_id
+  vuln_host_os       = true
+  vuln_containers_os = true
+}
+
 # Create impersonated service accounts for each scanner service account (US and EU)
 # This allows both the US and EU scanners to scan resources in this project
 

gcp/examples/cross_project/other_project/variables.tf

@@ -12,3 +12,20 @@ variable "scanner_service_account_email_eu" {
   description = "Email of the EU scanner service account from the scanner project (output from scanner_project deployment)"
   type        = string
 }
+
+variable "datadog_api_key" {
+  description = "Datadog API key with Remote Configuration enabled"
+  type        = string
+  sensitive   = true
+}
+
+variable "datadog_app_key" {
+  description = "Datadog APP key needed to enable the product"
+  type        = string
+  sensitive   = true
+}
+
+variable "datadog_site" {
+  description = "The Datadog site of your organization where scanner data will be sent (for example, datadoghq.com, datadoghq.eu, us3.datadoghq.com, us5.datadoghq.com, ap1.datadoghq.com, ddog-gov.com). See https://docs.datadoghq.com/getting_started/site/"
+  type        = string
+}

gcp/examples/cross_project/scanner_project/main.tf

@@ -6,6 +6,10 @@ terraform {
       source  = "hashicorp/google"
       version = ">= 5.0"
     }
+    datadog = {
+      source  = "DataDog/datadog"
+      version = ">= 3.80.0"
+    }
   }
 }
 
@@ -21,6 +25,19 @@ provider "google" {
   alias   = "eu"
 }
 
+provider "datadog" {
+  api_key = var.datadog_api_key
+  app_key = var.datadog_app_key
+  api_url = "https://api.${var.datadog_site}/"
+}
+
+# Enable agentless scanning for the scanner project
+resource "datadog_agentless_scanning_gcp_scan_options" "scanner_project" {
+  gcp_project_id     = var.scanner_project_id
+  vuln_host_os       = true
+  vuln_containers_os = true
+}
+
 # Deploy the scanner infrastructure in US region
 module "datadog_agentless_scanner_us" {
   source = "git::https://github.com/DataDog/terraform-module-datadog-agentless-scanner//gcp?ref=0.11.12"

gcp/examples/cross_project/scanner_project/variables.tf

@@ -9,6 +9,12 @@ variable "datadog_api_key" {
   sensitive   = true
 }
 
+variable "datadog_app_key" {
+  description = "Datadog APP key needed to enable the product"
+  type        = string
+  sensitive   = true
+}
+
 variable "datadog_site" {
   description = "The Datadog site of your organization where scanner data will be sent (for example, datadoghq.com, datadoghq.eu, us3.datadoghq.com, us5.datadoghq.com, ap1.datadoghq.com, ddog-gov.com). See https://docs.datadoghq.com/getting_started/site/"
   type        = string

gcp/examples/single_region/README.md

@@ -38,12 +38,14 @@ To deploy a Datadog agentless scanner:
 1. **Review the deployment plan**. You will need to:
    - Set your GCP project ID
    - Set your Datadog [API key](https://docs.datadoghq.com/account_management/api-app-keys/)
+   - Set your Datadog [APP key](https://docs.datadoghq.com/account_management/api-app-keys/)
    - Set your Datadog site
 
    ```sh
    terraform plan \
      -var="project_id=my-gcp-project" \
      -var="datadog_api_key=$DD_API_KEY" \
+     -var="datadog_app_key=$DD_APP_KEY" \
      -var="datadog_site=datadoghq.com"
    ```
 
@@ -52,6 +54,7 @@ To deploy a Datadog agentless scanner:
    terraform apply \
      -var="project_id=my-gcp-project" \
      -var="datadog_api_key=$DD_API_KEY" \
+     -var="datadog_app_key=$DD_APP_KEY" \
      -var="datadog_site=datadoghq.com"
    ```
 

gcp/examples/single_region/main.tf

@@ -6,6 +6,10 @@ terraform {
       source  = "hashicorp/google"
       version = ">= 5.0"
     }
+    datadog = {
+      source  = "DataDog/datadog"
+      version = ">= 3.80.0"
+    }
   }
 }
 
@@ -14,6 +18,18 @@ provider "google" {
   region  = "us-central1"
 }
 
+provider "datadog" {
+  api_key = var.datadog_api_key
+  app_key = var.datadog_app_key
+  api_url = "https://api.${var.datadog_site}/"
+}
+
+resource "datadog_agentless_scanning_gcp_scan_options" "scan_options" {
+  gcp_project_id     = var.project_id
+  vuln_host_os       = true
+  vuln_containers_os = true
+}
+
 module "datadog_agentless_scanner" {
   source = "git::https://github.com/DataDog/terraform-module-datadog-agentless-scanner//gcp?ref=0.11.12"
 

gcp/examples/single_region/variables.tf

@@ -9,6 +9,12 @@ variable "datadog_api_key" {
   sensitive   = true
 }
 
+variable "datadog_app_key" {
+  description = "Datadog APP key needed to enable the product"
+  type        = string
+  sensitive   = true
+}
+
 variable "datadog_site" {
   description = "The Datadog site of your organization where scanner data will be sent (for example, datadoghq.com, datadoghq.eu, us3.datadoghq.com, us5.datadoghq.com, ap1.datadoghq.com, ddog-gov.com). See https://docs.datadoghq.com/getting_started/site/"
   type        = string