fix org onboarding for vm workoad scanning (#31)

maratsal · web-flow · commit ed0c917b8f0f · 2025-01-09T09:24:26.000+01:00
diff --git a/modules/vm-workload-scanning/main.tf b/modules/vm-workload-scanning/main.tf
@@ -67,16 +67,14 @@ data "aws_iam_policy_document" "functions" {
 }
 
 resource "aws_iam_policy" "ecr_scanning" {
-  count = var.is_organizational ? 0 : 1
-
   name        = "${local.ecr_role_name}-ecr"
   description = "Grants Sysdig Secure access to ECR images"
   policy      = data.aws_iam_policy_document.scanning.json
   tags        = var.tags
 }
 
 resource "aws_iam_policy" "functions_scanning" {
-  count = var.lambda_scanning_enabled && !var.is_organizational? 1 : 0
+  count = var.lambda_scanning_enabled ? 1 : 0
 
   name        = "${local.ecr_role_name}-functions"
   description = "Grants Sysdig Secure access to AWS Lambda"
@@ -108,26 +106,22 @@ data "aws_iam_policy_document" "scanning_assume_role_policy" {
 }
 
 resource "aws_iam_role" "scanning" {
-  count = var.is_organizational ? 0 : 1
-
   name               = local.ecr_role_name
   tags               = var.tags
   assume_role_policy = data.aws_iam_policy_document.scanning_assume_role_policy.json
 }
 
 resource "aws_iam_policy_attachment" "scanning" {
-  count = var.is_organizational ? 0 : 1
-
   name       = local.ecr_role_name
-  roles      = [aws_iam_role.scanning[0].name]
-  policy_arn = aws_iam_policy.ecr_scanning[0].arn
+  roles      = [aws_iam_role.scanning.name]
+  policy_arn = aws_iam_policy.ecr_scanning.arn
 }
 
 resource "aws_iam_policy_attachment" "functions" {
-  count = var.lambda_scanning_enabled && !var.is_organizational ? 1 : 0
+  count = var.lambda_scanning_enabled ? 1 : 0
 
   name       = local.ecr_role_name
-  roles      = [aws_iam_role.scanning[0].name]
+  roles      = [aws_iam_role.scanning.name]
   policy_arn = aws_iam_policy.functions_scanning[0].arn
 }
 
@@ -145,7 +139,7 @@ resource "sysdig_secure_cloud_auth_account_component" "vm_workload_scanning_acco
   version    = "v0.1.0"
   trusted_role_metadata = jsonencode({
     aws = {
-      role_name = aws_iam_role.scanning[0].name
+      role_name = aws_iam_role.scanning.name
     }
   })
 
diff --git a/modules/vm-workload-scanning/outputs.tf b/modules/vm-workload-scanning/outputs.tf
@@ -1,6 +1,6 @@
 output "role_arn" {
   description = "Role used by Sysdig Platform for Agentless Workload Scanning"
-  value       = var.is_organizational ? null : aws_iam_role.scanning[0].arn
+  value       = var.is_organizational ? null : aws_iam_role.scanning.arn
   depends_on  = [aws_iam_role.scanning]
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`output "role_arn" {`
`2`	`2`	`description = "Role used by Sysdig Platform for Agentless Workload Scanning"`
`3`		`- value = var.is_organizational ? null : aws_iam_role.scanning[0].arn`
	`3`	`+ value = var.is_organizational ? null : aws_iam_role.scanning.arn`
`4`	`4`	`depends_on = [aws_iam_role.scanning]`
`5`	`5`	`}`
`6`	`6`