94 changes: 55 additions & 39 deletions modules/agentless-scanning/main.tf
Expand Up @@ -26,7 +26,7 @@ data "aws_iam_session_context" "current" {
data "sysdig_secure_agentless_scanning_assets" "assets" {}

data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
cloud_provider = "aws"
cloud_provider = "aws"
}

data "sysdig_secure_tenant_external_id" "external_id" {}
Expand Down Expand Up @@ -64,29 +64,13 @@ resource "random_id" "suffix" {
# predefined/default AWSCloudFormationStackSetAdministrationRole.
#-----------------------------------------------------------------------------------------------------------------------------------------

# IAM Policy Document used by Stackset roles for the KMS operations policy
data "aws_iam_policy_document" "kms_operations" {
count = !var.auto_create_stackset_roles ? 0 : 1

statement {
sid = "KmsOperationsAccess"
effect = "Allow"
actions = [
"kms:*",
]
resources = [
"*",
]
}
}

resource "aws_iam_role" "scanning_stackset_admin_role" {
count = !var.auto_create_stackset_roles ? 0 : 1

name = "AWSCloudFormationStackSetAdministrationRoleForScanning"
tags = var.tags

assume_role_policy = <<EOF
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
Expand All @@ -101,10 +85,25 @@ resource "aws_iam_role" "scanning_stackset_admin_role" {
}
EOF
managed_policy_arns = ["arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"]
inline_policy {
name = "KmsOperationsAccess"
policy = data.aws_iam_policy_document.kms_operations[0].json
}
}

resource "aws_iam_role_policy" "scanning_stackset_admin_role_policy" {
count = !var.auto_create_stackset_roles ? 0 : 1

name = "KmsOperationsAccess"
role = aws_iam_role.scanning_stackset_admin_role[0].id
policy = jsonencode({
Statement = [
{
Sid = "KmsOperationsAccess"
Action = [
"kms:*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}

#-----------------------------------------------------------------------------------------------------------------------------------------
Expand Down Expand Up @@ -139,10 +138,25 @@ EOF
managed_policy_arns = [
"arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"
]
inline_policy {
name = "KmsOperationsAccess"
policy = data.aws_iam_policy_document.kms_operations[0].json
}
}

resource "aws_iam_role_policy" "scanning_stackset_execution_role_policy" {
count = !var.auto_create_stackset_roles ? 0 : 1

name = "KmsOperationsAccess"
role = aws_iam_role.scanning_stackset_execution_role[0].id
policy = jsonencode({
Statement = [
{
Sid = "KmsOperationsAccess"
Action = [
"kms:*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}

#-----------------------------------------------------------------------------------------------------------------------------------------
Expand Down Expand Up @@ -368,7 +382,7 @@ resource "aws_iam_policy_attachment" "scanning_policy_attachment" {
# - KMS Primary Key, and
# - KMS Primary alias
#
# Note: self-managed stacksets require pair of StackSetAdministrationRole & StackSetExecutionRole IAM roles with self-managed permissions
# Note: self-managed stacksets require pair of StackSetAdministrationRole & StackSetExecutionRole IAM roles with self-managed permissions
#-----------------------------------------------------------------------------------------------------------------------------------------

resource "aws_cloudformation_stack_set" "primary_acc_stackset" {
Expand Down Expand Up @@ -428,7 +442,9 @@ TEMPLATE
depends_on = [
aws_iam_role.scanning_role,
aws_iam_role.scanning_stackset_admin_role,
aws_iam_role.scanning_stackset_execution_role
aws_iam_role_policy.scanning_stackset_admin_role_policy,
aws_iam_role.scanning_stackset_execution_role,
aws_iam_role_policy.scanning_stackset_execution_role_policy
]
}

Expand Down Expand Up @@ -459,10 +475,10 @@ resource "aws_cloudformation_stack_set_instance" "primary_acc_stackset_instance"
# explicit dependency using depends_on
#-----------------------------------------------------------------------------------------------------------------
resource "sysdig_secure_cloud_auth_account_component" "aws_scanning_role" {
account_id = var.sysdig_secure_account_id
type = "COMPONENT_TRUSTED_ROLE"
instance = "secure-scanning"
version = "v0.1.0"
account_id = var.sysdig_secure_account_id
type = "COMPONENT_TRUSTED_ROLE"
instance = "secure-scanning"
version = "v0.1.0"
trusted_role_metadata = jsonencode({
aws = {
role_name = local.scanning_resource_name
Expand All @@ -477,16 +493,16 @@ resource "sysdig_secure_cloud_auth_account_component" "aws_scanning_role" {
# explicit dependency using depends_on
#-----------------------------------------------------------------------------------------------------------------
resource "sysdig_secure_cloud_auth_account_component" "aws_crypto_key" {
account_id = var.sysdig_secure_account_id
type = "COMPONENT_CRYPTO_KEY"
instance = "secure-scanning"
version = "v0.1.0"
account_id = var.sysdig_secure_account_id
type = "COMPONENT_CRYPTO_KEY"
instance = "secure-scanning"
version = "v0.1.0"
crypto_key_metadata = jsonencode({
aws = {
kms = {
alias = "alias/${local.scanning_resource_name}"
regions = var.regions
}
alias = "alias/${local.scanning_resource_name}"
regions = var.regions
}
}
})
}
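Review bot: The `jsonencode` policy bodies of `scanning_stackset_admin_role_policy` and `scanning_stackset_execution_role_policy` omit the `Version` field that the removed `aws_iam_policy_document` data source emitted; IAM reads a document without `Version` as the 2008-10-17 language, which does not support policy variables, so add `Version = "2012-10-17"` before `Statement = [` in both, and likewise in `cspm_role_policy` in modules/config-posture/main.tf. The grant itself is carried over unchanged from the data source (`kms:*` on `Resource = "*"`), but the new resources have no comment saying why the StackSet roles need account-wide KMS access; given the section's own note that the stack set creates the KMS primary key and alias, something like `# StackSet creates the per-region scanning KMS key and alias; kms:* on * presumably because the key ARN does not exist before the stack runs — TODO confirm whether this can be scoped to the alias` above each `policy = jsonencode({` would help the next reader. The `depends_on` additions at the end of the section do sequence the two new policies before `primary_acc_stackset`, which is what the migration from `inline_policy` needs.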
4 changes: 2 additions & 2 deletions modules/agentless-scanning/outputs.tf
@@ -1,11 +1,11 @@
output "scanning_role_component_id" {
value = "${sysdig_secure_cloud_auth_account_component.aws_scanning_role.type}/${sysdig_secure_cloud_auth_account_component.aws_scanning_role.instance}"
description = "Component identifier of scanning role created in Sysdig Backend for Agentless Scanning"
depends_on = [ sysdig_secure_cloud_auth_account_component.aws_scanning_role ]
depends_on = [sysdig_secure_cloud_auth_account_component.aws_scanning_role]
}

output "crypto_key_component_id" {
value = "${sysdig_secure_cloud_auth_account_component.aws_crypto_key.type}/${sysdig_secure_cloud_auth_account_component.aws_crypto_key.instance}"
description = "Component identifier of KMS crypto key created in Sysdig Backend for Agentless Scanning"
depends_on = [ sysdig_secure_cloud_auth_account_component.aws_crypto_key ]
depends_on = [sysdig_secure_cloud_auth_account_component.aws_crypto_key]
}
4 changes: 2 additions & 2 deletions modules/agentless-scanning/variables.tf
Expand Up @@ -56,8 +56,8 @@ variable "stackset_admin_role_arn" {

variable "stackset_execution_role_name" {
description = "(Optional) stackset execution role name to run SELF_MANAGED stackset"
type = string
default = ""
type = string
default = ""
}

variable "timeout" {
2 changes: 1 addition & 1 deletion modules/agentless-scanning/versions.tf
Expand Up @@ -6,7 +6,7 @@ terraform {
version = ">= 5.60.0"
}
sysdig = {
source = "sysdiglabs/sysdig"
source = "sysdiglabs/sysdig"
}
random = {
source = "hashicorp/random"
144 changes: 56 additions & 88 deletions modules/config-posture/main.tf
Expand Up @@ -9,7 +9,7 @@ locals {
}

data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
cloud_provider = "aws"
cloud_provider = "aws"
}

data "sysdig_secure_tenant_external_id" "external_id" {}
Expand Down Expand Up @@ -41,103 +41,71 @@ resource "aws_iam_role" "cspm_role" {
}
EOF
managed_policy_arns = ["arn:aws:iam::aws:policy/SecurityAudit"]
inline_policy {
name = local.config_posture_role_name
policy = data.aws_iam_policy_document.custom_resources_policy.json
}
}

# Custom IAM Policy Document used by trust-relationship role
data "aws_iam_policy_document" "custom_resources_policy" {

statement {
sid = "DescribeEFSAccessPoints"

effect = "Allow"

actions = [
"elasticfilesystem:DescribeAccessPoints",
]

resources = [
"*",
]
}

statement {
sid = "ListWafRegionalRulesAndRuleGroups"

effect = "Allow"

actions = [
"waf-regional:ListRules",
"waf-regional:ListRuleGroups",
]

resources = [
"arn:aws:waf-regional:*:*:rule/*",
"arn:aws:waf-regional:*:*:rulegroup/*"
]
}

statement {
sid = "ListJobsOnConsole"

effect = "Allow"

actions = [
"macie2:ListClassificationJobs",
resource "aws_iam_role_policy" "cspm_role_policy" {
name = local.config_posture_role_name
role = aws_iam_role.cspm_role.id
policy = jsonencode({
Statement = [
{
Sid = "DescribeEFSAccessPoints"
Action = [
"elasticfilesystem:DescribeAccessPoints",
]
Effect = "Allow"
Resource = "*"
},
{
Sid = "ListWafRegionalRulesAndRuleGroups"
Action = [
"waf-regional:ListRules",
"waf-regional:ListRuleGroups",
]
Effect = "Allow"
Resource = [
"arn:aws:waf-regional:*:*:rule/*",
"arn:aws:waf-regional:*:*:rulegroup/*"
]
},
{
Sid = "ListJobsOnConsole"
Action = "macie2:ListClassificationJobs"
Effect = "Allow"
Resource = "*"
},
{
Sid = "GetFunctionDetails"
Action = [
"lambda:GetRuntimeManagementConfig",
"lambda:GetFunction",
]
Effect = "Allow"
Resource = "*"
},
{
Sid = "AccessAccountContactInfo"
Action = "account:GetContactInformation"
Effect = "Allow"
Resource = "*"
},
]

resources = [
"*",
]
}

statement {
sid = "GetFunctionDetails"

effect = "Allow"

actions = [
"lambda:GetRuntimeManagementConfig",
"lambda:GetFunction",
]

resources = [
"*"
]
}

statement {
sid = "AccessAccountContactInfo"

effect = "Allow"

actions = [
"account:GetContactInformation",
]

resources = [
"*",
]
}
})
}

#--------------------------------------------------------------------------------------------------------------
# Call Sysdig Backend to add the trusted role for Config Posture to the Sysdig Cloud Account
#
# Note (optional): To ensure this gets called after all cloud resources are created, add
# explicit dependency using depends_on
#--------------------------------------------------------------------------------------------------------------
resource "sysdig_secure_cloud_auth_account_component" "config_posture_role" {
account_id = var.sysdig_secure_account_id
type = "COMPONENT_TRUSTED_ROLE"
instance = "secure-posture"
version = "v0.1.0"
account_id = var.sysdig_secure_account_id
type = "COMPONENT_TRUSTED_ROLE"
instance = "secure-posture"
version = "v0.1.0"
trusted_role_metadata = jsonencode({
aws = {
role_name = local.config_posture_role_name
}
})
aws = {
role_name = local.config_posture_role_name
}
})
}
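Review bot: `cspm_role` still sets `managed_policy_arns = ["arn:aws:iam::aws:policy/SecurityAudit"]` on the `aws_iam_role` (the line just above the new `cspm_role_policy`), which as far as I recall sits on the same provider deprecation path as the `inline_policy` block this commit removes, so the migration looks incomplete; an `aws_iam_role_policy_attachment` resource for `SecurityAudit` would finish it, and the same applies to `managed_policy_arns` on the two StackSet roles in modules/agentless-scanning/main.tf. The `cspm_role` resource starts above the hunk, so its assume-role document is not visible here. `Action = "macie2:ListClassificationJobs"` and `Action = "account:GetContactInformation"` changed from single-element lists to strings, which IAM accepts, but keeping them as lists like the other three statements would make the document uniform and easier to diff. I would also add `Version = "2012-10-17"` to the `jsonencode` map so the emitted document matches what the removed `aws_iam_policy_document` produced.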
2 changes: 1 addition & 1 deletion modules/config-posture/outputs.tf
@@ -1,5 +1,5 @@
output "config_posture_component_id" {
value = "${sysdig_secure_cloud_auth_account_component.config_posture_role.type}/${sysdig_secure_cloud_auth_account_component.config_posture_role.instance}"
description = "Component identifier of trusted identity created in Sysdig Backend for Config Posture"
depends_on = [ sysdig_secure_cloud_auth_account_component.config_posture_role ]
depends_on = [sysdig_secure_cloud_auth_account_component.config_posture_role]
}
2 changes: 1 addition & 1 deletion modules/config-posture/versions.tf
Expand Up @@ -6,7 +6,7 @@ terraform {
version = ">= 5.60.0"
}
sysdig = {
source = "sysdiglabs/sysdig"
source = "sysdiglabs/sysdig"
}
}
}