Terraform module to connect Chainguard to your AWS Account.
This module is needed if you're using Chainguard Enforce and:
- Your containers (along with potential signatures and SBOMs etc) are in a private AWS ECR registry
- Your signatures are created via AWS KMS
This module binds an Enforce IAM group to an AWS account. To set up the connect in Enforce using the CLI run:
export ENFORCE_GROUP_ID="<<uidp of target Enforce IAM group>>
export AWS_ACCOUNT_ID="12 digit AWS account ID to connect to"
chainctl iam group set-aws $ENFORCE_GROUP_ID --account $AWS_ACCOUNT_ID
Or using our (soon to be released publically) Terraform provider
resource "chainguard_account_associations" "example" {
group = "<< enforce group id >>"
amazon {
account = "<< 12 digit account id >>"
}
}To configured the connection on AWS side use this module as follows:
module "aws-impersonation" {
source = "chainguard-dev/chainguard-account-association/aws"
enforce_group_id = "<< enforce group id >>"
enforce_group_ids = ["<< enforce group id 1 >>", "<< enforce group id 2 >>"] # Optional, used only when more than one group
}
# While the above is global configuration, this module must be invoked for each
# AWS region containing resources to be monitored by Enforce.
module "aws-auditlogs" {
# The // here tells terraform that auditlogs is a directory in the repo.
source = "chainguard-dev/chainguard-account-association/aws//auditlogs"
}Chainguard Enforce has an OIDC identity provider. This module configured your AWS account to recognize that OIDC identity provider and allows certain tokens to bind to certain AWS IAM roles. In particular it allows:
- Our policy controller to bind to a role that gives us read access to your ECR registry to check signatures
- Our policy controller public key read access to your KMS keys to validate KMS signatures
This access is restricted to clusters and policies you've configured at or below the scope of the Enforce group you configure.
| Name | Version |
|---|---|
| aws | >= 2.7.0 |
| Name | Version |
|---|---|
| aws | >= 2.7.0 |
| null | n/a |
No modules.
| Name | Type |
|---|---|
| aws_iam_openid_connect_provider.chainguard_idp | resource |
| aws_iam_policy.chainguard_discovery_policy | resource |
| aws_iam_role.canary_role | resource |
| aws_iam_role.cosigned_role | resource |
| aws_iam_role.discovery_role | resource |
| aws_iam_role.ingester_role | resource |
| aws_iam_role_policy_attachment.cosigned_ecr_read | resource |
| aws_iam_role_policy_attachment.cosigned_kms_pki_read | resource |
| aws_iam_role_policy_attachment.discovery_cluster_viewer | resource |
| aws_iam_role_policy_attachment.ingester_ecr_read | resource |
| null_resource.enforce_group_id_is_specified | resource |
| aws_caller_identity.current | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| enforce_domain_name | Domain name of your Chainguard Enforce environment | string |
"enforce.dev" |
no |
| enforce_group_id | DEPRECATED: Please use 'enforce_group_ids'. Enforce IAM group ID to bind your AWS account to | string |
"" |
no |
| enforce_group_ids | Enforce IAM group IDs to bind your AWS account to. If both 'enforce_group_id' and 'enforce_group_ids' are specified, 'enforce_group_id' is ignored. | list(string) |
[] |
no |
No outputs.