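#!/usr/bin/env bash
# Generate the Terraform bundle for the BlackShield GCP SaaS scanner
# (Cloud Run Job + Cloud Scheduler + Secret Manager secrets, one module
# instance per project/region target) under
#   <TARGET_ROOT>/deploy/gcp-saas-scanner/
#
# Usage: <script> [TARGET_ROOT]      (default: current directory)
# Env:   BLACKSHIELD_API_URL     default for the root `blackshield_api_url` variable
#        BLACKSHIELD_SAAS_IMAGE  default for the root `scanner_image` variable
#
# All generated files are overwritten unconditionally. The two env values are
# the only data interpolated into generated HCL; they are escaped for an HCL
# string literal first (see hcl_str) so a stray `"`, `\`, newline or `${`
# cannot break the generated configuration or inject HCL into it.
set -euo pipefail

#######################################
# Escape a string for use inside a double-quoted HCL string literal.
# Arguments: $1 - raw string
# Outputs:   escaped string on stdout (no trailing newline)
#######################################
hcl_str() {
  local s=$1
  s=${s//\\/\\\\}      # \  -> \\   (first, so escapes added below are not doubled)
  s=${s//\"/\\\"}      # "  -> \"
  s=${s//$'\n'/\\n}    # newline -> \n
  s=${s//\$\{/\$\$\{}  # ${ -> $${  (neutralise HCL interpolation)
  s=${s//\%\{/%%\{}    # %{ -> %%{  (neutralise HCL template directives)
  printf '%s' "$s"
}

#######################################
# Write stdin to a file, creating its parent directory first.
# Arguments: $1 - destination path
#######################################
write_file() {
  local path=$1
  mkdir -p -- "${path%/*}"
  cat > "$path"
}

#######################################
# Write every file of the bundle, then list the written paths on stdout.
# Arguments: $1 - target root directory
#            $2 - default BlackShield API URL   (root variables.tf)
#            $3 - default scanner image URI     (root variables.tf)
#######################################
write_bundle() {
  local target_root=$1
  local bundle_dir="$target_root/deploy/gcp-saas-scanner"
  local module_dir="$bundle_dir/modules/saas-scanner"
  local api_url_hcl image_hcl
  api_url_hcl=$(hcl_str "$2")
  image_hcl=$(hcl_str "$3")

  # Provider lock file: pins hashicorp/google (version + hashes) so that
  # `terraform init` on this bundle is reproducible.
  write_file "$bundle_dir/.terraform.lock.hcl" <<'EOF'
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.

provider "registry.terraform.io/hashicorp/google" {
  version     = "5.45.2"
  constraints = "~> 5.0"
  hashes = [
    "h1:A8h5KUdnCeKRf+g0vhCEpPYICOiU0O3+1uybZVl8+tg=",
    "zh:0d09c8f20b556305192cdbe0efa6d333ceebba963a8ba91f9f1714b5a20c4b7a",
    "zh:117143fc91be407874568df416b938a6896f94cb873f26bba279cedab646a804",
    "zh:16ccf77d18dd2c5ef9c0625f9cf546ebdf3213c0a452f432204c69feed55081e",
    "zh:3e555cf22a570a4bd247964671f421ed7517970cd9765ceb46f335edc2c6f392",
    "zh:688bd5b05a75124da7ae6e885b2b92bd29f4261808b2b78bd5f51f525c1052ca",
    "zh:6db3ef37a05010d82900bfffb3261c59a0c247e0692049cb3eb8c2ef16c9d7bf",
    "zh:70316fde75f6a15d72749f66d994ccbdde5f5ed4311b6d06b99850f698c9bbf9",
    "zh:84b8e583771a4f2bd514e519d98ed7fd28dce5efe0634e973170e1cfb5556fb4",
    "zh:9d4b8ef0a9b6677935c604d94495042e68ff5489932cfd1ec41052e094a279d3",
    "zh:a2089dd9bd825c107b148dd12d6b286f71aa37dfd4ca9c35157f2dcba7bc19d8",
    "zh:f03d795c0fd9721e59839255ee7ba7414173017dc530b4ce566daf3802a0d6dd",
    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
  ]
}
EOF

  # Root configuration: one module instance per entry of local.targets
  # (project + region); the placeholder project id in `targets` is meant to
  # be edited by the operator.
  write_file "$bundle_dir/main.tf" <<'EOF'
terraform {
  required_version = ">= 1.7"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 5.0"
    }
  }
}

provider "google" {}

# ── Deployment targets ─────────────────────────────────────────────────────────
# One module instance deploys one Cloud Run Job + Scheduler per project+region.
# Add entries to scale across projects; re-apply to update all.
locals {
  targets = {
    "prod-us" = { project = "my-prod-project", region = "us-central1" }
    # "prod-eu" = { project = "my-prod-project", region = "europe-west1" }
  }
}

module "saas_scanner" {
  for_each = local.targets
  source   = "./modules/saas-scanner"

  project_id          = each.value.project
  region              = each.value.region
  scanner_image       = var.scanner_image
  blackshield_api_url = var.blackshield_api_url
  blackshield_api_key = var.blackshield_api_key
  saas_access_token   = var.saas_access_token
  saas_scan_provider  = var.saas_scan_provider
  google_customer_id  = var.google_customer_id
  schedule_cron       = var.schedule_cron
}
EOF

  # Module: enables the required APIs, creates the scanner service account,
  # stores the API key (and, when given, the SaaS access token) in Secret
  # Manager with an accessor binding for that account only, and wires a
  # Cloud Run Job that reads both via secret_key_ref. A separate scheduler
  # service account holds only roles/run.invoker on the job.
  #
  # Security notes for operators:
  # - secret_data for both secrets comes from Terraform variables, so the
  #   plaintext values are recorded in Terraform state; protect the state
  #   backend (encryption, access control) accordingly.
  # - The job references secret version "latest", so rotation is done by
  #   adding a new secret version; the job picks it up on its next execution.
  # - The job's depends_on orders only the API-key accessor binding before
  #   the job; the optional access-token binding is created alongside it.
  write_file "$module_dir/main.tf" <<'EOF'
locals {
  sa_name       = "blackshield-saas-scanner"
  api_secret_id = "blackshield-saas-api-key"
  tok_secret_id = "blackshield-saas-access-token"
  job_name      = "blackshield-saas-scanner"
  sched_name    = "blackshield-saas-scanner-trigger"
  scan_mode = contains(
    ["google_workspace", "microsoft_graph", "generic"],
    var.saas_scan_provider,
  ) ? "oauth" : "ai_assets"
}

# ── Enable APIs ────────────────────────────────────────────────────────────────
resource "google_project_service" "apis" {
  for_each = toset([
    "run.googleapis.com",
    "cloudscheduler.googleapis.com",
    "secretmanager.googleapis.com",
    "iam.googleapis.com",
  ])
  project            = var.project_id
  service            = each.value
  disable_on_destroy = false
}

# ── Service account ────────────────────────────────────────────────────────────
resource "google_service_account" "scanner" {
  project      = var.project_id
  account_id   = local.sa_name
  display_name = "BlackShield SaaS Scanner"
  description  = "Runs SaaS OAuth and AI asset scanner for BlackShield"
}

# ── Secrets ────────────────────────────────────────────────────────────────────
resource "google_secret_manager_secret" "api_key" {
  project   = var.project_id
  secret_id = local.api_secret_id

  replication {
    auto {}
  }

  depends_on = [google_project_service.apis]
}

resource "google_secret_manager_secret_version" "api_key" {
  secret      = google_secret_manager_secret.api_key.id
  secret_data = var.blackshield_api_key
}

resource "google_secret_manager_secret_iam_member" "api_key_read" {
  project   = var.project_id
  secret_id = google_secret_manager_secret.api_key.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.scanner.email}"
}

resource "google_secret_manager_secret" "access_token" {
  count     = var.saas_access_token != "" ? 1 : 0
  project   = var.project_id
  secret_id = local.tok_secret_id

  replication {
    auto {}
  }

  depends_on = [google_project_service.apis]
}

resource "google_secret_manager_secret_version" "access_token" {
  count       = var.saas_access_token != "" ? 1 : 0
  secret      = google_secret_manager_secret.access_token[0].id
  secret_data = var.saas_access_token
}

resource "google_secret_manager_secret_iam_member" "access_token_read" {
  count     = var.saas_access_token != "" ? 1 : 0
  project   = var.project_id
  secret_id = google_secret_manager_secret.access_token[0].secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.scanner.email}"
}

# ── Cloud Run Job ──────────────────────────────────────────────────────────────
resource "google_cloud_run_v2_job" "scanner" {
  project  = var.project_id
  name     = local.job_name
  location = var.region
  labels = {
    "managed-by" = "terraform"
    component    = "saas-scanner"
  }

  template {
    task_count  = 1
    parallelism = 1

    template {
      service_account = google_service_account.scanner.email
      max_retries     = 1
      timeout         = "${var.job_timeout_seconds}s"

      containers {
        image = var.scanner_image

        env {
          name  = "BLACKSHIELD_API_URL"
          value = var.blackshield_api_url
        }

        env {
          name  = "SAAS_SCAN_MODE"
          value = local.scan_mode
        }

        env {
          name  = "SAAS_SCAN_PROVIDER"
          value = var.saas_scan_provider
        }

        env {
          name  = "SAAS_COLLECTOR_STRATEGY"
          value = "api"
        }

        env {
          name  = "SCAN_INTERVAL_SECONDS"
          value = "0"
        }

        env {
          name  = "LOG_LEVEL"
          value = "INFO"
        }

        dynamic "env" {
          for_each = var.google_customer_id != "" ? [1] : []
          content {
            name  = "GOOGLE_CUSTOMER_ID"
            value = var.google_customer_id
          }
        }

        env {
          name = "BLACKSHIELD_API_KEY"
          value_source {
            secret_key_ref {
              secret  = google_secret_manager_secret.api_key.secret_id
              version = "latest"
            }
          }
        }

        dynamic "env" {
          for_each = var.saas_access_token != "" ? [1] : []
          content {
            name = "SAAS_ACCESS_TOKEN"
            value_source {
              secret_key_ref {
                secret  = google_secret_manager_secret.access_token[0].secret_id
                version = "latest"
              }
            }
          }
        }

        resources {
          limits = {
            cpu    = "1"
            memory = "1Gi"
          }
        }
      }
    }
  }

  depends_on = [
    google_secret_manager_secret_iam_member.api_key_read,
    google_project_service.apis,
  ]
}

# ── Cloud Scheduler ────────────────────────────────────────────────────────────
resource "google_service_account" "scheduler" {
  project      = var.project_id
  account_id   = "blackshield-saas-scheduler"
  display_name = "BlackShield SaaS Scheduler invoker"
}

resource "google_cloud_run_v2_job_iam_member" "scheduler_invoke" {
  project  = var.project_id
  location = var.region
  name     = google_cloud_run_v2_job.scanner.name
  role     = "roles/run.invoker"
  member   = "serviceAccount:${google_service_account.scheduler.email}"
}

resource "google_cloud_scheduler_job" "trigger" {
  project          = var.project_id
  region           = var.region
  name             = local.sched_name
  description      = "Trigger BlackShield SaaS scanner"
  schedule         = var.schedule_cron
  time_zone        = "UTC"
  attempt_deadline = "${var.job_timeout_seconds}s"

  http_target {
    uri         = "https://${var.region}-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${var.project_id}/jobs/${local.job_name}:run"
    http_method = "POST"
    oauth_token {
      service_account_email = google_service_account.scheduler.email
    }
  }

  depends_on = [google_project_service.apis]
}
EOF

  # Module outputs consumed by the root outputs (job/scheduler names) plus
  # the scanner service account email.
  write_file "$module_dir/outputs.tf" <<'EOF'
output "job_name" {
  value = google_cloud_run_v2_job.scanner.name
}

output "scheduler_name" {
  value = google_cloud_scheduler_job.trigger.name
}

output "service_account" {
  value = google_service_account.scanner.email
}
EOF

  # Module inputs. The two credentials are marked sensitive so Terraform
  # redacts them from plan/apply output (they are still present in state).
  write_file "$module_dir/variables.tf" <<'EOF'
variable "project_id" {
  type = string
}

variable "region" {
  type = string
}

variable "scanner_image" {
  type = string
}

variable "blackshield_api_url" {
  type = string
}

variable "blackshield_api_key" {
  type      = string
  sensitive = true
}

variable "saas_access_token" {
  type      = string
  sensitive = true
  default   = ""
}

variable "saas_scan_provider" {
  type    = string
  default = "google_workspace"
}

variable "google_customer_id" {
  type    = string
  default = ""
}

variable "schedule_cron" {
  type    = string
  default = "0 */6 * * *"
}

variable "job_timeout_seconds" {
  type    = number
  default = 900
}
EOF

  # Root outputs: per-target maps of the job and scheduler names.
  write_file "$bundle_dir/outputs.tf" <<'EOF'
output "cloud_run_job_names" {
  description = "Cloud Run Job name per deployment target."
  value = {
    for k, m in module.saas_scanner : k => m.job_name
  }
}

output "scheduler_job_names" {
  description = "Cloud Scheduler job name per deployment target."
  value = {
    for k, m in module.saas_scanner : k => m.scheduler_name
  }
}
EOF

  # Root inputs. This heredoc is deliberately UNQUOTED so that $api_url_hcl
  # and $image_hcl (already HCL-escaped above) are substituted; any other `$`
  # written into this block will be expanded by the shell as well, so keep
  # Terraform interpolation out of it.
  write_file "$bundle_dir/variables.tf" <<EOF
variable "blackshield_api_key" {
  description = "BlackShield ingestion API key (sp_*)."
  type        = string
  sensitive   = true
}

variable "blackshield_api_url" {
  description = "BlackShield API base URL."
  type        = string
  default     = "$api_url_hcl"
}

variable "saas_access_token" {
  description = "OAuth access token for the SaaS provider (Google / Microsoft)."
  type        = string
  sensitive   = true
  default     = ""
}

variable "saas_scan_provider" {
  description = "SaaS provider: google_workspace | microsoft_graph | github_code | generic."
  type        = string
  default     = "google_workspace"
}

variable "google_customer_id" {
  description = "Google Workspace customer ID (C0xxxxxxx). Required for google_workspace provider."
  type        = string
  default     = ""
}

variable "scanner_image" {
  description = "Fully-qualified container image URI for the SaaS scanner."
  type        = string
  default     = "$image_hcl"
}

variable "schedule_cron" {
  description = "Cloud Scheduler cron expression (UTC)."
  type        = string
  default     = "0 */6 * * *"
}
EOF

  printf '%s\n' 'Wrote source bundle files:'
  printf '  - %s\n' \
    "$bundle_dir/.terraform.lock.hcl" \
    "$bundle_dir/main.tf" \
    "$module_dir/main.tf" \
    "$module_dir/outputs.tf" \
    "$module_dir/variables.tf" \
    "$bundle_dir/outputs.tf" \
    "$bundle_dir/variables.tf"
}

#######################################
# Entry point: resolve the target root and env-driven defaults, then write.
# Arguments: $1 - target root directory (optional, default ".")
# Globals:   BLACKSHIELD_API_URL, BLACKSHIELD_SAAS_IMAGE (read, optional)
#######################################
main() {
  local target_root="${1:-.}"
  write_bundle "$target_root" \
    "${BLACKSHIELD_API_URL:-https://api.blackshield.chaplau.com}" \
    "${BLACKSHIELD_SAAS_IMAGE:-public.ecr.aws/blackshield-security/saas-scanner:1.0.0}"
}

main "$@"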
