Merge pull request #34 from draios/SSPROD-27730-TF-Module-for-S3-Onbo…
…arding [SSPROD-27730] Terraform module for s3 onboarding
Showing 8 changed files with 182 additions and 1 deletion.
@@ -0,0 +1,57 @@ | ||
# AWS Cloud Logs Module | ||
|
||
This Module creates the resources required to send CloudTrail logs to Sysdig by enabling access to the CloudTrail associated s3 bucket through a dedicated IAM role. | ||
|
||
|
||
The following resources will be created in each instrumented account: | ||
- An IAM Role and associated policies that gives the ingestion component in Sysdig's account permission to list and retrieve items from it. | ||
|
||
## Requirements | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 | | ||
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.39.0 | | ||
|
||
## Providers | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.9.0 | | ||
|
||
## Modules | ||
|
||
No modules. | ||
|
||
## Resources | ||
|
||
| Name | Type | | ||
|------|------| | ||
| [aws_iam_role.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | ||
| [aws_iam_policy_document.assume_cloudlogs_s3_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | ||
| [aws_iam_policy_document.cloudlogs_s3_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | ||
|
||
## Inputs | ||
|
||
| Name | Description | Type | Default | Required | | ||
|------|-------------|------|---------|:--------:| | ||
| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | (Required) The name of your s3 bucket associated with your Clloudtrail trail | `string` | n/a | yes | | ||
| <a name="input_external_id"></a> [external\_id](#input\_external\_id) | (Required) Random string generated unique to a customer | `string` | n/a | yes | | ||
| <a name="input_region"></a> [region](#input\_region) | (Optional) Default region for resource creation | `string` | `"eu-central-1"` | no | | ||
| <a name="input_role_name"></a> [role\_name](#input\_role\_name) | (Required) The name of the IAM Role that will enable access to the Cloudtrail logs | `string` | `"cloudtrail-s3-bucket-read-access"` | no | | ||
| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | <pre>{<br> "product": "sysdig-secure-for-cloud"<br>}</pre> | no | | ||
| <a name="input_trusted_identity"></a> [trusted\_identity](#input\_trusted\_identity) | (Required) The name of Sysdig trusted identity | `string` | n/a | yes | | ||
|
||
## Outputs | ||
|
||
| Name | Description | | ||
|------|-------------| | ||
| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | ARN of CloudLogs role | | ||
|
||
## Authors | ||
|
||
Module is maintained by [Sysdig](https://sysdig.com). | ||
|
||
## License | ||
|
||
Apache 2 Licensed. See LICENSE for full details. |
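Review bot: the Inputs table in this README does not match the variables the module actually declares in this PR: it documents `bucket_name` and `region`, while main.tf reads `var.bucket_arn` and variables.tf declares no `region` at all, and the Resources table lists the data source as `aws_iam_policy_document.cloudlogs_s3_access_policy` where main.tf names it `cloudlogs_s3_access`. Regenerate the tables from the final variables.tf and main.tf (the `<a name="input_...">` anchors show this was produced by terraform-docs, so re-run it) so that a user who copies the table does not pass an input the module rejects. While there: `Clloudtrail` is a typo, `role_name` is labelled `(Required)` but has a default and is marked `no` in the Required column, and the `trusted_identity` description should say it is the ARN of the Sysdig principal, since the value is used directly as an IAM principal identifier.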
@@ -0,0 +1,63 @@ | ||
#----------------------------------------------------------------------------------------------------------------------- | ||
# The only resource needed to make Sysdig's backend start to fetch data from the CloudTrail associated s3 bucket is a | ||
# properly set AWS IAM Role. Sysdig's trusted identity act as the Principal in the assume role Policy, namely the role | ||
# that the backend will use to assume the Client's role. At that point, given the permission set granted to the newly | ||
# created Role in the Client's account, Sysdig's backend will be able to perform all the required actions in order to | ||
# retrieve the log files that are automatically published in the target s3 bucket. | ||
# | ||
# Note: this setup assumes that the Customer has already properly set up an AWS CloudTrail Trail and the associated bucket. | ||
# Sysdig's Secure UI provides the necessary information to make the Customer perform the | ||
# required setup operations before applying the Terraform module. | ||
#----------------------------------------------------------------------------------------------------------------------- | ||
|
||
# AWS IAM Role that will be used by CloudIngestion to access the CloudTrail-associated s3 bucket | ||
resource "aws_iam_role" "cloudlogs_s3_access" { | ||
name = var.role_name | ||
tags = var.tags | ||
|
||
assume_role_policy = data.aws_iam_policy_document.assume_cloudlogs_s3_access_role.json | ||
inline_policy { | ||
name = "cloudlogs_s3_access_policy" | ||
policy = data.aws_iam_policy_document.cloudlogs_s3_access.json | ||
} | ||
} | ||
|
||
# IAM Policy Document used for the assume role policy | ||
data "aws_iam_policy_document" "assume_cloudlogs_s3_access_role" { | ||
statement { | ||
effect = "Allow" | ||
|
||
principals { | ||
type = "AWS" | ||
identifiers = [var.trusted_identity] | ||
} | ||
|
||
actions = ["sts:AssumeRole"] | ||
|
||
condition { | ||
test = "StringEquals" | ||
variable = "sts:ExternalId" | ||
values = [var.external_id] | ||
} | ||
} | ||
} | ||
|
||
# IAM Policy Document used for the bucket access policy | ||
data "aws_iam_policy_document" "cloudlogs_s3_access" { | ||
|
||
statement { | ||
sid = "CloudlogsS3Access" | ||
|
||
effect = "Allow" | ||
|
||
actions = [ | ||
"s3:Get*", | ||
"s3:List*" | ||
] | ||
|
||
resources = [ | ||
var.bucket_arn, | ||
"${var.bucket_arn}/*" | ||
] | ||
} | ||
} |
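Review bot: the bucket access policy in `cloudlogs_s3_access` (statement `CloudlogsS3Access`) grants `s3:Get*` and `s3:List*` on the bucket and on every object, which is broader than the "list and retrieve" the header comment describes: `s3:Get*` also matches configuration reads such as `s3:GetBucketPolicy`, `s3:GetBucketAcl` and `s3:GetObjectAcl`. Narrow it to what the ingestion needs: `s3:ListBucket` (plus `s3:GetBucketLocation` if the client resolves the bucket region) scoped to `var.bucket_arn`, and `s3:GetObject` scoped to `"${var.bucket_arn}/*"`, ideally as two statements so each action is bound to the resource type it applies to. The trust policy is right as written: a specific principal combined with the `sts:ExternalId` StringEquals condition is the correct confused-deputy control for a cross-account read, and `external_id` should stay mandatory for that reason. Minor: "Sysdig's trusted identity act as the Principal" in the header comment should read "acts as".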
@@ -0,0 +1,4 @@ | ||
output "role_arn" { | ||
value = aws_iam_role.cloudlogs_s3_access.arn | ||
description = "ARN of CloudLogs role" | ||
} |
@@ -0,0 +1,29 @@ | ||
variable "bucket_arn" { | ||
description = "(Required) The ARN of your s3 bucket associated with your Cloudtrail trail" | ||
type = string | ||
} | ||
|
||
variable "external_id" { | ||
type = string | ||
description = "(Required) Random string generated unique to a customer" | ||
} | ||
|
||
variable "role_name" { | ||
description = "(Required) The name of the IAM Role that will enable access to the Cloudtrail logs" | ||
type = string | ||
default = "cloudtrail-s3-bucket-read-access" | ||
} | ||
|
||
variable "tags" { | ||
type = map(string) | ||
description = "(Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning" | ||
|
||
default = { | ||
"product" = "sysdig-secure-for-cloud" | ||
} | ||
} | ||
|
||
variable "trusted_identity" { | ||
description = "(Required) The name of Sysdig trusted identity" | ||
type = string | ||
} |
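Review bot: `trusted_identity` is described as "The name of Sysdig trusted identity", but main.tf places it straight into `principals { type = "AWS" identifiers = [...] }`, which takes an ARN (the test example passes `arn:aws:iam::123456789012:role/secure-assume-role`); say "ARN" in the description. `external_id` and `bucket_arn` go unchecked into the trust condition and the resource list, so a `validation` block on each would fail at plan time instead of producing a role nobody can assume or a policy on a malformed ARN; for the bucket, something like `condition = can(regex("^arn:aws[a-z-]*:s3:::[^/]+$", var.bucket_arn))` with an `error_message`, where `[a-z-]*` keeps the `aws-cn` and `aws-us-gov` partitions working and `[^/]+$` rejects an ARN that already carries an object key. `role_name` says `(Required)` while it has a default; mark it `(Optional)`. Note also that the README in this same PR lists a `region` input that no variable here declares.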
@@ -0,0 +1,9 @@ | ||
terraform { | ||
required_version = ">= 1.0.0" | ||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = ">= 4.39.0" | ||
} | ||
} | ||
} |
test/examples/secure_threat_detection_cloud_logs/single/main.tf (18 additions, 0 deletions)
provider "aws" { | ||
region = "us-east-1" | ||
access_key = "test" | ||
secret_key = "test" | ||
|
||
endpoints { | ||
iam = "http://127.0.0.1:5000/" | ||
sts = "http://127.0.0.1:5000/" | ||
} | ||
} | ||
|
||
module "single-account-threat-detection" { | ||
source = "../../../..//modules/services/cloud-logs" | ||
trusted_identity = "arn:aws:iam::123456789012:role/secure-assume-role" | ||
external_id = "external_id" | ||
role_name = "sysdig-secure-single" | ||
bucket_arn = "arn:aws:s3:::sample_bucket_name" | ||
} |
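Review bot: the provider block points `iam` and `sts` at a local mock on `127.0.0.1:5000` with throwaway `test` credentials, which is fine for an offline example, but say so in a comment so nobody reads `access_key = "test"` as a real key, and add `skip_credentials_validation = true` and `skip_metadata_api_check = true` so the provider does not depend on the mock answering `GetCallerIdentity` or on an instance metadata service being reachable. Since `trusted_identity` is an IAM role ARN here, this example also confirms that the variable description in variables.tf ("name") is wrong and should say ARN. Style: the `//` in `source = "../../../..//modules/services/cloud-logs"` is the subdirectory separator for remote module sources and carries no meaning in a local path; `../../../../modules/services/cloud-logs` is clearer.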
File renamed without changes.