Commit c685879

✨ add integration for audit log export to GCS (#411)
* ✨ add integration for audit log export to GCS with necessary resources and configurations
* ✨ add Audit Log Export configuration options and integrate with resource management
* 🧹 enhance audit log export outputs with descriptions and improve error handling in integration read function
* ✨ add configuration validators for integration audit log export resource
* ✨ enhance integration audit log export resource with required field validation and preserve write-only fields in read function
* ✨ update AuditLogExportConfigurationOptions to include new fields and adjust read function for pointer types
1 parent a3e711b commit c685879

15 files changed

Lines changed: 813 additions & 3 deletions

.github/actions/spelling/expect.txt

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,7 @@ connectionstrings
1111
crowdstrike
1212
Cwj
1313
DXhjr
14+
Dynatrace
1415
FIGc
1516
Gci
1617
gcs
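Review bot: the new spelling entry `Dynatrace` has no counterpart in any of the other diffs shown for this commit, which all concern the audit log export integration and the asset routing docs; confirm it belongs in this change or move it to the commit that actually introduces that term, so the expect list does not accumulate words that nothing in the repository uses.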
@@ -20,6 +21,7 @@ JFUz
2021
Jhb
2122
jira
2223
KBp
24+
linux
2325
ljq
2426
LQV
2527
mrns
@@ -29,13 +31,15 @@ NATGW
2931
NCIs
3032
NHar
3133
ocid
34+
OCSF
3235
Ooe
3336
Plutx
3437
QFKc
3538
Qhgn
3639
qpbi
3740
querypack
3841
Qwc
42+
rhel
3943
scim
4044
startswith
4145
Tcy
Lines changed: 98 additions & 0 deletions
@@ -0,0 +1,98 @@
1+
---
2+
# generated by https://github.com/hashicorp/terraform-plugin-docs
3+
page_title: "mondoo_asset_routing_rule Resource - terraform-provider-mondoo"
4+
subcategory: ""
5+
description: |-
6+
Manages an individual asset routing rule for a Mondoo organization. This is a non-authoritative resource — it manages a single rule without affecting other rules. Multiple rules can coexist and be managed independently, making it ideal for multi-team setups where each team manages their own routing rules.
7+
~> Warning: Do not use this resource together with mondoo_asset_routing_table for the same organization. The table resource replaces all rules atomically, which will overwrite individually managed rules.
8+
---
9+
10+
# mondoo_asset_routing_rule (Resource)
11+
12+
Manages an individual asset routing rule for a Mondoo organization. This is a **non-authoritative** resource — it manages a single rule without affecting other rules. Multiple rules can coexist and be managed independently, making it ideal for multi-team setups where each team manages their own routing rules.
13+
14+
~> **Warning:** Do not use this resource together with `mondoo_asset_routing_table` for the same organization. The table resource replaces all rules atomically, which will overwrite individually managed rules.
15+
16+
## Example Usage
17+
18+
```terraform
19+
variable "org_id" {
20+
description = "The ID of the organization"
21+
type = string
22+
}
23+
24+
provider "mondoo" {}
25+
26+
data "mondoo_organization" "current" {
27+
id = var.org_id
28+
}
29+
30+
# Create spaces for routing targets
31+
resource "mondoo_space" "production" {
32+
name = "production"
33+
org_id = var.org_id
34+
}
35+
36+
resource "mondoo_space" "staging" {
37+
name = "staging"
38+
org_id = var.org_id
39+
}
40+
41+
# Manage individual routing rules independently.
42+
# Ideal for multi-team setups where each team manages their own rules.
43+
resource "mondoo_asset_routing_rule" "production" {
44+
org_mrn = data.mondoo_organization.current.mrn
45+
target_space_mrn = mondoo_space.production.mrn
46+
priority = 10
47+
48+
condition {
49+
field = "LABEL"
50+
operator = "EQUAL"
51+
key = "env"
52+
values = ["production"]
53+
}
54+
}
55+
56+
resource "mondoo_asset_routing_rule" "staging" {
57+
org_mrn = data.mondoo_organization.current.mrn
58+
target_space_mrn = mondoo_space.staging.mrn
59+
priority = 20
60+
61+
condition {
62+
field = "LABEL"
63+
operator = "EQUAL"
64+
key = "env"
65+
values = ["staging"]
66+
}
67+
}
68+
```
69+
70+
<!-- schema generated by tfplugindocs -->
71+
## Schema
72+
73+
### Required
74+
75+
- `org_mrn` (String) The Mondoo Resource Name (MRN) of the organization.
76+
- `priority` (Number) The priority of this rule. Lower values are evaluated first. Rules with the same priority are further sorted by specificity (number of conditions) and MRN.
77+
- `target_space_mrn` (String) The MRN of the space where matching assets will be routed.
78+
79+
### Optional
80+
81+
- `condition` (Block List) Conditions that must all match for this rule to apply (AND logic). If empty, the rule matches all assets (catch-all). (see [below for nested schema](#nestedblock--condition))
82+
83+
### Read-Only
84+
85+
- `mrn` (String) The Mondoo Resource Name (MRN) of the routing rule.
86+
87+
<a id="nestedblock--condition"></a>
88+
### Nested Schema for `condition`
89+
90+
Required:
91+
92+
- `field` (String) The field to match on. Valid values: `HOSTNAME`, `PLATFORM`, `LABEL`.
93+
- `operator` (String) The comparison operator. Valid values: `EQUAL`, `NOT_EQUAL`, `CONTAINS`, `MATCHES`.
94+
- `values` (List of String) List of values to match against. A condition matches if the field matches any of the listed values (OR logic).
95+
96+
Optional:
97+
98+
- `key` (String) The label key to match on. Required when `field` is `LABEL`.
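Review bot: `key` sits under Optional in the nested `condition` schema while its description says it is required when `field` is `LABEL`, and nothing in the schema enforces that combination; a plan-time config validator (or at least a sentence saying the API rejects a `LABEL` condition without `key`) would surface the mistake before apply rather than during it. The semantics of `CONTAINS` and `MATCHES` (substring versus regular expression, and whether matching is case-sensitive) are also undocumented, which matters here because a rule that matches more broadly than the author intended silently routes assets into a space whose members may not be meant to see them.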
Lines changed: 113 additions & 0 deletions
@@ -0,0 +1,113 @@
1+
---
2+
# generated by https://github.com/hashicorp/terraform-plugin-docs
3+
page_title: "mondoo_asset_routing_table Resource - terraform-provider-mondoo"
4+
subcategory: ""
5+
description: |-
6+
Manages the asset routing table for a Mondoo organization. This is an authoritative resource — it manages the entire routing table and replaces all rules on every apply. Priority is derived from the order of rules in the configuration (first rule = highest priority).
7+
~> Warning: Do not use this resource together with mondoo_asset_routing_rule for the same organization. The table resource replaces all rules atomically, which will overwrite individually managed rules.
8+
---
9+
10+
# mondoo_asset_routing_table (Resource)
11+
12+
Manages the asset routing table for a Mondoo organization. This is an **authoritative** resource — it manages the entire routing table and replaces all rules on every apply. Priority is derived from the order of rules in the configuration (first rule = highest priority).
13+
14+
~> **Warning:** Do not use this resource together with `mondoo_asset_routing_rule` for the same organization. The table resource replaces all rules atomically, which will overwrite individually managed rules.
15+
16+
## Example Usage
17+
18+
```terraform
19+
variable "org_id" {
20+
description = "The ID of the organization"
21+
type = string
22+
}
23+
24+
provider "mondoo" {}
25+
26+
data "mondoo_organization" "current" {
27+
id = var.org_id
28+
}
29+
30+
# Create spaces for routing targets
31+
resource "mondoo_space" "linux" {
32+
name = "linux-assets"
33+
org_id = var.org_id
34+
}
35+
36+
resource "mondoo_space" "windows" {
37+
name = "windows-assets"
38+
org_id = var.org_id
39+
}
40+
41+
resource "mondoo_space" "catch_all" {
42+
name = "catch-all"
43+
org_id = var.org_id
44+
}
45+
46+
# Manage the entire routing table for an organization.
47+
# Priority is derived from the order of rules (first = highest priority).
48+
resource "mondoo_asset_routing_table" "example" {
49+
org_mrn = data.mondoo_organization.current.mrn
50+
51+
# Rule 1: Route Linux assets
52+
rule {
53+
target_space_mrn = mondoo_space.linux.mrn
54+
55+
condition {
56+
field = "PLATFORM"
57+
operator = "EQUAL"
58+
values = ["ubuntu", "debian", "rhel", "amazonlinux"]
59+
}
60+
}
61+
62+
# Rule 2: Route Windows assets
63+
rule {
64+
target_space_mrn = mondoo_space.windows.mrn
65+
66+
condition {
67+
field = "PLATFORM"
68+
operator = "EQUAL"
69+
values = ["windows"]
70+
}
71+
}
72+
73+
# Rule 3: Catch-all for everything else
74+
rule {
75+
target_space_mrn = mondoo_space.catch_all.mrn
76+
}
77+
}
78+
```
79+
80+
<!-- schema generated by tfplugindocs -->
81+
## Schema
82+
83+
### Required
84+
85+
- `org_mrn` (String) The Mondoo Resource Name (MRN) of the organization.
86+
87+
### Optional
88+
89+
- `rule` (Block List) Ordered list of routing rules. Priority is determined by position (first = highest priority). A rule with no conditions acts as a catch-all. (see [below for nested schema](#nestedblock--rule))
90+
91+
<a id="nestedblock--rule"></a>
92+
### Nested Schema for `rule`
93+
94+
Required:
95+
96+
- `target_space_mrn` (String) The MRN of the space where matching assets will be routed.
97+
98+
Optional:
99+
100+
- `condition` (Block List) Conditions that must all match for this rule to apply (AND logic). If empty, the rule matches all assets (catch-all). (see [below for nested schema](#nestedblock--rule--condition))
101+
102+
<a id="nestedblock--rule--condition"></a>
103+
### Nested Schema for `rule.condition`
104+
105+
Required:
106+
107+
- `field` (String) The field to match on. Valid values: `HOSTNAME`, `PLATFORM`, `LABEL`.
108+
- `operator` (String) The comparison operator. Valid values: `EQUAL`, `NOT_EQUAL`, `CONTAINS`, `MATCHES`.
109+
- `values` (List of String) List of values to match against. A condition matches if the field matches any of the listed values (OR logic).
110+
111+
Optional:
112+
113+
- `key` (String) The label key to match on. Required when `field` is `LABEL`.
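Review bot: because `rule` is Optional and the resource "replaces all rules on every apply", a `mondoo_asset_routing_table` block with zero `rule` entries will clear the organization's entire routing table on apply; that consequence deserves an explicit sentence next to the existing warning about `mondoo_asset_routing_rule`, since an accidental empty table is harder to notice than a conflicting rule. The page also never says where an asset lands when no rule matches and no catch-all rule exists, which is exactly the case the example avoids with its third rule; a short statement of the no-match behaviour would let readers decide whether they need a catch-all at all.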
Lines changed: 124 additions & 0 deletions
@@ -0,0 +1,124 @@
1+
---
2+
# generated by https://github.com/hashicorp/terraform-plugin-docs
3+
page_title: "mondoo_integration_audit_log_export Resource - terraform-provider-mondoo"
4+
subcategory: ""
5+
description: |-
6+
Export Mondoo audit logs to a GCS bucket in OCSF format for ingestion by third-party SIEM systems.
7+
---
8+
9+
# mondoo_integration_audit_log_export (Resource)
10+
11+
Export Mondoo audit logs to a GCS bucket in OCSF format for ingestion by third-party SIEM systems.
12+
13+
## Example Usage
14+
15+
```terraform
16+
# ──────────────────────────────────────────────
17+
# GCS bucket for audit log export
18+
# ──────────────────────────────────────────────
19+
20+
resource "google_storage_bucket" "audit_logs" {
21+
name = var.bucket_name
22+
location = var.gcp_region
23+
force_destroy = true # allow terraform destroy to clean up objects
24+
25+
uniform_bucket_level_access = true
26+
}
27+
28+
# ──────────────────────────────────────────────
29+
# Service account with write-only access
30+
# ──────────────────────────────────────────────
31+
32+
resource "google_service_account" "audit_export" {
33+
account_id = "mondoo-audit-export"
34+
display_name = "Mondoo Audit Log Export"
35+
}
36+
37+
resource "google_storage_bucket_iam_member" "audit_export_writer" {
38+
bucket = google_storage_bucket.audit_logs.name
39+
role = "roles/storage.objectCreator"
40+
member = "serviceAccount:${google_service_account.audit_export.email}"
41+
}
42+
43+
resource "google_service_account_key" "audit_export" {
44+
service_account_id = google_service_account.audit_export.name
45+
}
46+
47+
# ──────────────────────────────────────────────
48+
# WIF binding: allow any integration in this Mondoo org to impersonate the SA
49+
# ──────────────────────────────────────────────
50+
51+
data "google_project" "current" {}
52+
53+
resource "google_service_account_iam_member" "audit_export_wif" {
54+
service_account_id = google_service_account.audit_export.name
55+
role = "roles/iam.workloadIdentityUser"
56+
member = "principalSet://iam.googleapis.com/projects/${data.google_project.current.number}/locations/global/workloadIdentityPools/${var.wif_pool_id}/attribute.org/${var.mondoo_org_id}"
57+
}
58+
59+
# ──────────────────────────────────────────────
60+
# Mondoo audit log export integration
61+
# ──────────────────────────────────────────────
62+
63+
resource "mondoo_integration_audit_log_export" "example" {
64+
org_id = var.mondoo_org_id
65+
name = "Audit Log Export to GCS"
66+
bucket = google_storage_bucket.audit_logs.name
67+
include_historical = true
68+
69+
# service_account_json = base64decode(google_service_account_key.audit_export.private_key)
70+
71+
wif_audience = "//iam.googleapis.com/projects/${data.google_project.current.number}/locations/global/workloadIdentityPools/${var.wif_pool_id}/providers/${var.wif_provider_id}"
72+
wif_service_account_email = google_service_account.audit_export.email
73+
74+
depends_on = [google_service_account_iam_member.audit_export_wif]
75+
# wif_subject is computed server-side from the integration's org MRN
76+
}
77+
78+
output "gcs_bucket" {
79+
description = "Name of the GCS bucket receiving audit log exports"
80+
value = google_storage_bucket.audit_logs.name
81+
}
82+
83+
output "service_account_email" {
84+
description = "Email of the service account used for audit log export"
85+
value = google_service_account.audit_export.email
86+
}
87+
88+
output "integration_mrn" {
89+
description = "MRN of the Mondoo audit log export integration"
90+
value = mondoo_integration_audit_log_export.example.mrn
91+
}
92+
```
93+
94+
<!-- schema generated by tfplugindocs -->
95+
## Schema
96+
97+
### Required
98+
99+
- `bucket` (String) GCS bucket name for audit log export.
100+
- `name` (String) Name of the integration.
101+
102+
### Optional
103+
104+
- `include_historical` (Boolean) Whether to include historical audit logs on first export. Default false.
105+
- `org_id` (String) Mondoo organization identifier. Use this for org-scoped integrations. Conflicts with `scope_mrn`.
106+
- `scope_mrn` (String) Scope MRN for the integration. Use `//platform.api.mondoo.app` for platform-level exports. Conflicts with `org_id`.
107+
- `service_account_json` (String, Sensitive) GCS service account JSON credentials. Either this or WIF credentials must be provided.
108+
- `wif_audience` (String) WIF audience URL for GCP workload identity federation.
109+
- `wif_service_account_email` (String) GCP service account email for WIF service account impersonation.
110+
111+
### Read-Only
112+
113+
- `mrn` (String) Integration identifier.
114+
115+
## Import
116+
117+
Import is supported using the following syntax:
118+
119+
The [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import) can be used, for example:
120+
121+
```shell
122+
# Import an existing audit log export integration by MRN
123+
terraform import mondoo_integration_audit_log_export.example '//integrations.api.mondoo.app/organizations/ORG_ID/integrations/INTEGRATION_ID'
124+
```
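Review bot: the example creates `google_service_account_key.audit_export`, but its only consumer, the `service_account_json` attribute, is commented out in favour of `wif_audience` and `wif_service_account_email`, so the WIF example mints a long-lived service account key that is never used and still lands in Terraform state; either drop the key resource from this example or present it as a clearly separate static-key variant. Two further points: `force_destroy = true` on the audit log bucket lets `terraform destroy` delete the exported audit records, which is rarely what an audit-retention requirement wants, so the inline comment should at least flag that trade-off; and the schema sentence "Either this or WIF credentials must be provided" is not expressed in the schema itself, so it is worth stating which attribute combinations the validators accept (for instance that `wif_audience` and `wif_service_account_email` are expected together) so a half-configured WIF setup fails at plan time.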
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
# Import an existing audit log export integration by MRN
2+
terraform import mondoo_integration_audit_log_export.example '//integrations.api.mondoo.app/organizations/ORG_ID/integrations/INTEGRATION_ID'

0 commit comments
