Merge pull request #34 from draios/SSPROD-27730-TF-Module-for-S3-Onbo…

…arding

[SSPROD-27730] Terraform module for s3 onboarding

.github/workflows/ci-pull-request.yaml

@@ -36,7 +36,8 @@ jobs:
     strategy:
       matrix:
         example:
-          - "secure_threat_detection/single/main.tf"
+          - "secure_threat_detection_cloud_logs/single/main.tf"
+          - "secure_threat_detection_event_bridge/single/main.tf"
           - "secure_config_posture/single/main.tf"
     steps:
       - name: Checkout

modules/services/cloud-logs/README.md

@@ -0,0 +1,57 @@
+# AWS Cloud Logs Module
+
+This Module creates the resources required to send CloudTrail logs to Sysdig by enabling access to the CloudTrail associated s3 bucket through a dedicated IAM role.
+
+
+The following resources will be created in each instrumented account:
+- An IAM Role and associated policies that gives the ingestion component in Sysdig's account permission to list and retrieve items from it. 
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.39.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.9.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_role.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_policy_document.assume_cloudlogs_s3_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudlogs_s3_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | (Required) The name of your s3 bucket associated with your Clloudtrail trail | `string` | n/a | yes |
+| <a name="input_external_id"></a> [external\_id](#input\_external\_id) | (Required) Random string generated unique to a customer | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | (Optional) Default region for resource creation | `string` | `"eu-central-1"` | no |
+| <a name="input_role_name"></a> [role\_name](#input\_role\_name) | (Required) The name of the IAM Role that will enable access to the Cloudtrail logs | `string` | `"cloudtrail-s3-bucket-read-access"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
+| <a name="input_trusted_identity"></a> [trusted\_identity](#input\_trusted\_identity) | (Required) The name of Sysdig trusted identity | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | ARN of CloudLogs role |
+
+## Authors
+
+Module is maintained by [Sysdig](https://sysdig.com).
+
+## License
+
+Apache 2 Licensed. See LICENSE for full details.

modules/services/cloud-logs/main.tf

@@ -0,0 +1,63 @@
+#-----------------------------------------------------------------------------------------------------------------------
+# The only resource needed to make Sysdig's backend start to fetch data from the CloudTrail associated s3 bucket is a
+# properly set AWS IAM Role. Sysdig's trusted identity act as the Principal in the assume role Policy, namely the role
+# that the backend will use to assume the Client's role. At that point, given the permission set granted to the newly
+# created Role in the Client's account, Sysdig's backend will be able to perform all the required actions in order to
+# retrieve the log files that are automatically published in the target s3 bucket.
+#
+# Note: this setup assumes that the Customer has already properly set up an AWS CloudTrail Trail and the associated bucket.
+# Sysdig's Secure UI provides the necessary information to make the Customer perform the
+# required setup operations before applying the Terraform module.
+#-----------------------------------------------------------------------------------------------------------------------
+
+# AWS IAM Role that will be used by CloudIngestion to access the CloudTrail-associated s3 bucket
+resource "aws_iam_role" "cloudlogs_s3_access" {
+  name = var.role_name
+  tags = var.tags
+
+  assume_role_policy = data.aws_iam_policy_document.assume_cloudlogs_s3_access_role.json
+  inline_policy {
+    name   = "cloudlogs_s3_access_policy"
+    policy = data.aws_iam_policy_document.cloudlogs_s3_access.json
+  }
+}
+
+# IAM Policy Document used for the assume role policy
+data "aws_iam_policy_document" "assume_cloudlogs_s3_access_role" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = [var.trusted_identity]
+    }
+
+    actions = ["sts:AssumeRole"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "sts:ExternalId"
+      values   = [var.external_id]
+    }
+  }
+}
+
+# IAM Policy Document used for the bucket access policy
+data "aws_iam_policy_document" "cloudlogs_s3_access" {
+
+  statement {
+    sid = "CloudlogsS3Access"
+
+    effect = "Allow"
+
+    actions = [
+      "s3:Get*",
+      "s3:List*"
+    ]
+
+    resources = [
+      var.bucket_arn,
+      "${var.bucket_arn}/*"
+    ]
+  }
+}

modules/services/cloud-logs/outputs.tf

@@ -0,0 +1,4 @@
+output "role_arn" {
+  value       = aws_iam_role.cloudlogs_s3_access.arn
+  description = "ARN of CloudLogs role"
+}

modules/services/cloud-logs/variables.tf

@@ -0,0 +1,29 @@
+variable "bucket_arn" {
+  description = "(Required) The ARN of your s3 bucket associated with your Cloudtrail trail"
+  type        = string
+}
+
+variable "external_id" {
+  type        = string
+  description = "(Required) Random string generated unique to a customer"
+}
+
+variable "role_name" {
+  description = "(Required) The name of the IAM Role that will enable access to the Cloudtrail logs"
+  type        = string
+  default     = "cloudtrail-s3-bucket-read-access"
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "(Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning"
+
+  default = {
+    "product" = "sysdig-secure-for-cloud"
+  }
+}
+
+variable "trusted_identity" {
+  description = "(Required) The name of Sysdig trusted identity"
+  type        = string
+}

modules/services/cloud-logs/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.0.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.39.0"
+    }
+  }
+}

test/examples/secure_threat_detection_cloud_logs/single/main.tf

@@ -0,0 +1,18 @@
+provider "aws" {
+  region     = "us-east-1"
+  access_key = "test"
+  secret_key = "test"
+
+  endpoints {
+    iam = "http://127.0.0.1:5000/"
+    sts = "http://127.0.0.1:5000/"
+  }
+}
+
+module "single-account-threat-detection" {
+  source           = "../../../..//modules/services/cloud-logs"
+  trusted_identity = "arn:aws:iam::123456789012:role/secure-assume-role"
+  external_id      = "external_id"
+  role_name        = "sysdig-secure-single"
+  bucket_arn       = "arn:aws:s3:::sample_bucket_name"
+}