diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md
index 442e9ee..30606d8 100644
--- a/modules/config-posture/README.md
+++ b/modules/config-posture/README.md
@@ -10,6 +10,8 @@ The following resources will be created in each instrumented account:
 If instrumenting an AWS Organization, an `aws_cloudformation_stack_set` will be created in the Management Account.
+If instrumenting an AWS Gov account/organization, IAM policies and resources will be created in `aws-us-gov` region.
+
 ## Requirements
@@ -17,6 +19,7 @@ If instrumenting an AWS Organization, an `aws_cloudformation_stack_set` will be
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.0.0 |
 | [aws](#requirement\_aws) | >= 5.60.0 |
+| [sysdig](#requirement\_sysdig) | ~>1.39 |
 ## Providers 
@@ -32,29 +35,35 @@ No modules.
 | Name | Type |
 |------|------|
+| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [aws_iam_role.cspm_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachments_exclusive.cspm_role_managed_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachments_exclusive) | resource |
+| [aws_iam_role_policy.cspm_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [sysdig_secure_cloud_auth_account_component.config_posture_role](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource |
 | [aws_cloudformation_stack_set.stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource |
 | [aws_cloudformation_stack_set_instance.stackset_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
-| [aws_iam_role.cspm_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_policy_document.custom_resources_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
+| [sysdig_secure_tenant_external_id.external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source |
 | [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [external\_id](#input\_external\_id) | Random string generated unique to a customer | `string` | n/a | yes |
-| [trusted\_identity](#input\_trusted\_identity) | The name of sysdig trusted identity | `string` | n/a | yes |
 | [failure\_tolerance\_percentage](#input\_failure\_tolerance\_percentage) | The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region | `number` | `90` | no |
 | [is\_organizational](#input\_is\_organizational) | true/false whether secure-for-cloud should be deployed in an organizational setup (all accounts of org) or not (only on default aws provider account) | `bool` | `false` | no |
 | [org\_units](#input\_org\_units) | Org unit id to install cspm | `set(string)` | `[]` | no |
 | [region](#input\_region) | Default region for resource creation in organization mode | `string` | `""` | no |
-| [role\_name](#input\_role\_name) | The name of the IAM Role that will be created. | `string` | `"sysdig-secure"` | no |
 | [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
} | no |
| [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no |
+| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) The GUID of the management project or single project per sysdig representation | `string` | n/a | yes |
+| [is\_gov\_cloud\_onboarding](#input\_is\_gov\_cloud\_onboarding) | true/false whether secure-for-cloud should be deployed in a govcloud account/org or not | `bool` | `false` | no |
## Outputs
-No outputs.
+| Name | Description |
+|------|-------------|
+| [config\_posture\_component\_id](#output\_config\_posture\_component\_id) | The component id of the config posture trusted identity |
## Authors
diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf
index 799aa8a..9cc04c9 100644
--- a/modules/config-posture/main.tf
+++ b/modules/config-posture/main.tf
@@ -1,19 +1,28 @@
-// generate a random suffix for the config-posture role name
+#-----------------------------------------------------------------------------------------
+# Fetch the data sources
+#-----------------------------------------------------------------------------------------
+
+data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
+ cloud_provider = "aws"
+}
+data "sysdig_secure_tenant_external_id" "external_id" {}
+
+#----------------------------------------------------------
+# Fetch & compute required data
+#----------------------------------------------------------
+
+// generate a random suffix for the config-posture role name
resource "random_id" "suffix" {
byte_length = 3
}
locals {
config_posture_role_name = "sysdig-secure-posture-${random_id.suffix.hex}"
+ trusted_identity = var.is_gov_cloud_onboarding ? data.sysdig_secure_trusted_cloud_identity.trusted_identity.gov_identity : data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity
+ arn_prefix = var.is_gov_cloud_onboarding ? "arn:aws-us-gov" : "arn:aws"
}
-data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
- cloud_provider = "aws"
-}
-
-data "sysdig_secure_tenant_external_id" "external_id" {}
-
#----------------------------------------------------------
# Since this is not an Organizational deploy, create role/polices directly
#----------------------------------------------------------
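Review bot: `arn_prefix` and `trusted_identity` in the new `locals` are chosen purely from the caller's `is_gov_cloud_onboarding` flag, so a flag that disagrees with the partition the AWS provider is actually authenticated to produces a trust policy naming the wrong Sysdig principal and managed-policy ARNs that cannot resolve; if the trusted identity is an account ID, IAM accepts it without checking existence, so the mistake surfaces only when Sysdig fails to assume the role. Deriving the prefix from the provider, `data "aws_partition" "current" {}` and `arn_prefix = "arn:${data.aws_partition.current.partition}"`, removes one source of disagreement, and a `lifecycle { precondition { condition = local.trusted_identity != "" ... } }` on `aws_iam_role.cspm_role` would fail the plan early if the tenant exposes no `gov_identity`. Whether `gov_identity` can be empty for a commercial tenant is not visible here. Separately, the README change in this commit calls `aws-us-gov` a region; it is a partition, and the `aws-us-gov` ARN prefix applies in every GovCloud region.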
@@ -28,7 +37,7 @@ resource "aws_iam_role" "cspm_role" {
"Sid": "",
"Effect": "Allow",
"Principal": {
- "AWS": "${data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity}"
+ "AWS": "${local.trusted_identity}"
},
"Action": "sts:AssumeRole",
"Condition": {
@@ -45,7 +54,7 @@ EOF
resource "aws_iam_role_policy_attachments_exclusive" "cspm_role_managed_policy" {
role_name = aws_iam_role.cspm_role.id
policy_arns = [
- "arn:aws:iam::aws:policy/SecurityAudit"
+ "${local.arn_prefix}:iam::aws:policy/SecurityAudit"
]
}
@@ -70,8 +79,8 @@ resource "aws_iam_role_policy" "cspm_role_policy" {
]
Effect = "Allow"
Resource = [
- "arn:aws:waf-regional:*:*:rule/*",
- "arn:aws:waf-regional:*:*:rulegroup/*"
+ "${local.arn_prefix}:waf-regional:*:*:rule/*",
+ "${local.arn_prefix}:waf-regional:*:*:rulegroup/*"
]
},
{
diff --git a/modules/config-posture/organizational.tf b/modules/config-posture/organizational.tf
index 3c4080c..01e74f0 100644
--- a/modules/config-posture/organizational.tf
+++ b/modules/config-posture/organizational.tf
@@ -45,13 +45,13 @@ Resources:
Statement:
- Effect: Allow
Principal:
- AWS: [ ${data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity} ]
+ AWS: [ ${local.trusted_identity} ]
Action: [ 'sts:AssumeRole' ]
Condition:
StringEquals:
sts:ExternalId: ${data.sysdig_secure_tenant_external_id.external_id.external_id}
ManagedPolicyArns:
- - "arn:aws:iam::aws:policy/SecurityAudit"
+ - "${local.arn_prefix}:iam::aws:policy/SecurityAudit"
Policies:
- PolicyName: ${local.config_posture_role_name}
PolicyDocument:
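Review bot: the `ManagedPolicyArns` entry interpolates the Terraform-side `local.arn_prefix` into a CloudFormation template that a StackSet deploys into member accounts, although CloudFormation already knows the partition it is running in; `- !Sub "arn:$${AWS::Partition}:iam::aws:policy/SecurityAudit"` (the `$$` escapes the heredoc) is correct whatever the flag says and keeps the template valid if it is ever deployed outside Terraform. The `waf-regional` Resource ARNs in the following hunk could use the same pseudo parameter. The trust statement still carries the `sts:ExternalId` condition after the principal change, which is the part that matters for confused-deputy protection.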
@@ -67,8 +67,8 @@ Resources:
- "waf-regional:ListRules"
- "waf-regional:ListRuleGroups"
Resource:
- - "arn:aws:waf-regional:*:*:rule/*"
- - "arn:aws:waf-regional:*:*:rulegroup/*"
+ - "${local.arn_prefix}:waf-regional:*:*:rule/*"
+ - "${local.arn_prefix}:waf-regional:*:*:rulegroup/*"
- Sid: "ListJobsOnConsole"
Effect: "Allow"
Action: "macie2:ListClassificationJobs"
diff --git a/modules/config-posture/variables.tf b/modules/config-posture/variables.tf
index e1ffcd0..7a4d955 100644
--- a/modules/config-posture/variables.tf
+++ b/modules/config-posture/variables.tf
@@ -45,3 +45,9 @@ variable "sysdig_secure_account_id" {
type = string
description = "ID of the Sysdig Cloud Account to enable Config Posture for (incase of organization, ID of the Sysdig management account)"
}
+
+variable "is_gov_cloud_onboarding" {
+ type = bool
+ default = false
+ description = "true/false whether secure-for-cloud should be deployed in a govcloud account/org or not"
+}
\ No newline at end of file
diff --git a/modules/config-posture/versions.tf b/modules/config-posture/versions.tf
index 7ebfef6..d9b10c4 100644
--- a/modules/config-posture/versions.tf
+++ b/modules/config-posture/versions.tf
@@ -6,7 +6,8 @@ terraform {
version = ">= 5.60.0"
}
sysdig = {
- source = "sysdiglabs/sysdig"
+ source = "sysdiglabs/sysdig"
+ version = "~> 1.39"
}
}
}
diff --git a/modules/integrations/event-bridge/README.md b/modules/integrations/event-bridge/README.md
index d4ef423..49ecbcb 100644
--- a/modules/integrations/event-bridge/README.md
+++ b/modules/integrations/event-bridge/README.md
@@ -11,6 +11,8 @@ When run in Organizational mode, this module will be deployed via CloudFormation
This module will also deploy an Event Bridge Component in Sysdig Backend for onboarded Sysdig Cloud Account.
+If instrumenting an AWS Gov account/organization, IAM policies and event bridge resources will be created in `aws-us-gov` region.
+
## Requirements
@@ -18,7 +20,7 @@ This module will also deploy an Event Bridge Component in Sysdig Backend for onb
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0.0 |
| [aws](#requirement\_aws) | >= 5.60.0 |
-| [sysdig](#requirement\_sysdig) |
+| [sysdig](#requirement\_sysdig) | ~>1.39 |
| [random](#requirement\_random) | >= 3.1 |
@@ -72,6 +74,7 @@ No modules.
| [tags](#input\_tags) | (Optional) Tags to be attached to all Sysdig resources. | `map(string)` | {
"product": "sysdig-secure-for-cloud"
} | no |
| [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no |
| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Event Bridge integration for (incase of organization, ID of the Sysdig management account) | `string` | n/a | yes |
+| [is\_gov\_cloud\_onboarding](#input\_is\_gov\_cloud\_onboarding) | true/false whether Event Bridge should be deployed in a govcloud account/org or not | `bool` | `false` | no |
## Outputs
diff --git a/modules/integrations/event-bridge/main.tf b/modules/integrations/event-bridge/main.tf
index 1ae99b5..08fb529 100644
--- a/modules/integrations/event-bridge/main.tf
+++ b/modules/integrations/event-bridge/main.tf
@@ -26,7 +26,10 @@ data "sysdig_secure_tenant_external_id" "external_id" {}
# These locals indicate the region list passed.
#-----------------------------------------------------------------------------------------
locals {
- region_set = toset(var.regions)
+ region_set = toset(var.regions)
+ trusted_identity = var.is_gov_cloud_onboarding ? data.sysdig_secure_trusted_cloud_identity.trusted_identity.gov_identity : data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity
+ target_event_bus_arn = var.is_gov_cloud_onboarding ? data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARNGov : data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARN
+ arn_prefix = var.is_gov_cloud_onboarding ? "arn:aws-us-gov" : "arn:aws"
}
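Review bot: `target_event_bus_arn` selects `eventBusARNGov` with no check that it is non-empty, and that value becomes the `Resource` of the `events:PutEvents` statement further down the file; if the tenant has no gov ingestion bus the apply fails with an IAM `MalformedPolicyDocument` error that never mentions the flag. A `lifecycle { precondition }` on `aws_iam_role_policy.event_bus_invoke_remote_event_bus_policy` with `condition = local.target_event_bus_arn != ""` and an `error_message` naming `is_gov_cloud_onboarding` would make the failure actionable. Whether the data source can return an empty string here is not visible. As in the other modules, `arn_prefix` could be taken from `data.aws_partition.current.partition` rather than from the caller's flag.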
#-----------------------------------------------------------------------------------------
@@ -79,7 +82,7 @@ resource "aws_iam_role_policy_attachments_exclusive" "event_bus_stackset_admin_r
count = !var.auto_create_stackset_roles ? 0 : 1
role_name = aws_iam_role.event_bus_stackset_admin_role[0].id
policy_arns = [
- "arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"
+ "${local.arn_prefix}:iam::aws:policy/AWSCloudFormationFullAccess"
]
}
@@ -104,7 +107,7 @@ resource "aws_iam_role" "event_bus_stackset_execution_role" {
{
"Action": "sts:AssumeRole",
"Principal": {
- "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${aws_iam_role.event_bus_stackset_admin_role[0].name}"
+ "AWS": "${local.arn_prefix}:iam::${data.aws_caller_identity.current.account_id}:role/${aws_iam_role.event_bus_stackset_admin_role[0].name}"
},
"Effect": "Allow",
"Condition": {}
@@ -118,8 +121,8 @@ resource "aws_iam_role_policy_attachments_exclusive" "event_bus_stackset_executi
count = !var.auto_create_stackset_roles ? 0 : 1
role_name = aws_iam_role.event_bus_stackset_execution_role[0].id
policy_arns = [
- "arn:aws:iam::aws:policy/AWSCloudFormationFullAccess",
- "arn:aws:iam::aws:policy/AmazonEventBridgeFullAccess"
+ "${local.arn_prefix}:iam::aws:policy/AWSCloudFormationFullAccess",
+ "${local.arn_prefix}:iam::aws:policy/AmazonEventBridgeFullAccess"
]
}
@@ -149,7 +152,7 @@ resource "aws_iam_role" "event_bus_invoke_remote_event_bus" {
{
"Action": "sts:AssumeRole",
"Principal": {
- "AWS": "${data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity}"
+ "AWS": "${local.trusted_identity}"
},
"Effect": "Allow",
"Condition": {
@@ -163,7 +166,6 @@ resource "aws_iam_role" "event_bus_invoke_remote_event_bus" {
EOF
}
-
resource "aws_iam_role_policy" "event_bus_invoke_remote_event_bus_policy" {
name = local.eb_resource_name
role = aws_iam_role.event_bus_invoke_remote_event_bus.id
@@ -176,7 +178,7 @@ resource "aws_iam_role_policy" "event_bus_invoke_remote_event_bus_policy" {
]
Effect = "Allow"
Resource = [
- data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARN,
+ "${local.target_event_bus_arn}",
]
},
{
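Review bot: `"${local.target_event_bus_arn}",` wraps a single reference in an interpolation-only string, which Terraform reports as deprecated and which only stringifies a value that is already a string; inside `jsonencode` the plain reference `local.target_event_bus_arn,` is the idiomatic form and matches the shape of the line it replaces. The enclosing `aws_iam_role_policy` resource begins and ends outside the hunk.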
@@ -187,7 +189,7 @@ resource "aws_iam_role_policy" "event_bus_invoke_remote_event_bus_policy" {
]
Effect = "Allow"
Resource = [
- "arn:aws:events:*:*:rule/${local.eb_resource_name}",
+ "${local.arn_prefix}:events:*:*:rule/${local.eb_resource_name}",
]
},
]
@@ -226,7 +228,8 @@ resource "aws_cloudformation_stack_set" "primary-acc-stackset" {
name = local.eb_resource_name
event_pattern = var.event_pattern
rule_state = var.rule_state
- target_event_bus_arn = data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARN
+ arn_prefix = local.arn_prefix
+ target_event_bus_arn = local.target_event_bus_arn
})
depends_on = [
diff --git a/modules/integrations/event-bridge/organizational.tf b/modules/integrations/event-bridge/organizational.tf
index fbd8c71..53230e4 100644
--- a/modules/integrations/event-bridge/organizational.tf
+++ b/modules/integrations/event-bridge/organizational.tf
@@ -38,7 +38,8 @@ resource "aws_cloudformation_stack_set" "eb-rule-stackset" {
name = local.eb_resource_name
event_pattern = var.event_pattern
rule_state = var.rule_state
- target_event_bus_arn = data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARN
+ arn_prefix = local.arn_prefix
+ target_event_bus_arn = local.target_event_bus_arn
})
}
@@ -79,7 +80,7 @@ Resources:
Action: 'sts:AssumeRole'
- Effect: "Allow"
Principal:
- AWS: "${data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity}"
+ AWS: "${local.trusted_identity}"
Action: "sts:AssumeRole"
Condition:
StringEquals:
@@ -91,12 +92,12 @@ Resources:
Statement:
- Effect: Allow
Action: 'events:PutEvents'
- Resource: ${data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARN}
+ Resource: "${local.target_event_bus_arn}"
- Effect: Allow
Action:
- "events:DescribeRule"
- "events:ListTargetsByRule"
- Resource: "arn:aws:events:*:*:rule/${local.eb_resource_name}"
+ Resource: "${local.arn_prefix}:events:*:*:rule/${local.eb_resource_name}"
TEMPLATE
}
diff --git a/modules/integrations/event-bridge/stackset_template_body.tpl b/modules/integrations/event-bridge/stackset_template_body.tpl
index d4befe1..67e7b81 100644
--- a/modules/integrations/event-bridge/stackset_template_body.tpl
+++ b/modules/integrations/event-bridge/stackset_template_body.tpl
@@ -9,4 +9,4 @@ Resources:
Targets:
- Id: ${name}
Arn: ${target_event_bus_arn}
- RoleArn: !Sub "arn:aws:iam::$${AWS::AccountId}:role/${name}"
+ RoleArn: !Sub "${arn_prefix}:iam::$${AWS::AccountId}:role/${name}"
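Review bot: the template now depends on a Terraform-supplied `arn_prefix`, but CloudFormation's `AWS::Partition` pseudo parameter already yields the partition of the account each StackSet instance lands in, so `RoleArn: !Sub "arn:$${AWS::Partition}:iam::$${AWS::AccountId}:role/${name}"` is correct in commercial and GovCloud alike and cannot disagree with the caller's flag. With that change the `arn_prefix = local.arn_prefix` arguments added to the two `templatefile` calls in main.tf and organizational.tf become unnecessary.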
diff --git a/modules/integrations/event-bridge/variables.tf b/modules/integrations/event-bridge/variables.tf
index dbc76f1..6d4fe8e 100644
--- a/modules/integrations/event-bridge/variables.tf
+++ b/modules/integrations/event-bridge/variables.tf
@@ -100,4 +100,10 @@ variable "stackset_execution_role_name" {
variable "sysdig_secure_account_id" {
type = string
description = "ID of the Sysdig Cloud Account to enable Event Bridge integration for (incase of organization, ID of the Sysdig management account)"
+}
+
+variable "is_gov_cloud_onboarding" {
+ type = bool
+ default = false
+ description = "true/false whether EventBridge should be deployed in a govcloud account/org or not"
}
\ No newline at end of file
diff --git a/modules/integrations/event-bridge/versions.tf b/modules/integrations/event-bridge/versions.tf
index ffc5d6d..244a963 100644
--- a/modules/integrations/event-bridge/versions.tf
+++ b/modules/integrations/event-bridge/versions.tf
@@ -6,7 +6,8 @@ terraform {
version = ">= 5.60.0"
}
sysdig = {
- source = "sysdiglabs/sysdig"
+ source = "sysdiglabs/sysdig"
+ version = "~> 1.39"
}
random = {
source = "hashicorp/random"
diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md
index d3b10e5..eeda86c 100644
--- a/modules/onboarding/README.md
+++ b/modules/onboarding/README.md
@@ -8,7 +8,9 @@ The following resources will be created in each instrumented account:
- `arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess` (for organizational setup)
- An Access Policy attached to this role using a Sysdig provided `ExternalId`.
-If instrumenting an AWS Organization, an `aws_cloudformation_stack_set` will be created in the Management Account.
+If instrumenting an AWS Organization, an `aws_cloudformation_stack_set` will be created in the Management Account.
+
+If instrumenting an AWS Gov account/organization, IAM policies and resources will be created in `aws-us-gov` region.
## Requirements
@@ -16,13 +18,15 @@ If instrumenting an AWS Organization, an `aws_cloudformation_stack_set` will be
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0.0 |
-| [aws](#requirement\_aws) | >= 3.62.0 |
+| [aws](#requirement\_aws) | >= 5.60.0 |
+| [random](#requirement\_random) | >= 3.1 |
+| [sysdig](#requirement\_sysdig) | ~>1.39 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 3.62.0 |
+| [aws](#provider\_aws) | >= 5.60.0 |
## Modules
@@ -32,29 +36,41 @@ No modules.
| Name | Type |
|------|------|
+| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [aws_iam_role.onboarding_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.onboarding_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachments_exclusive.onboarding_role_managed_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachments_exclusive) | resource |
+| [sysdig_secure_cloud_auth_account.cloud_auth_account](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account) | resource |
| [aws_cloudformation_stack_set.stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource |
| [aws_cloudformation_stack_set_instance.stackset_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
-| [aws_iam_role.cspm_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [sysdig_secure_organization.aws_organization](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_organization) | resource |
+| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
+| [sysdig_secure_tenant_external_id.external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
-| [aws_iam_policy_document.custom_resources_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [external\_id](#input\_external\_id) | Random string generated unique to a customer | `string` | n/a | yes |
-| [trusted\_identity](#input\_trusted\_identity) | The name of sysdig trusted identity | `string` | n/a | yes |
| [failure\_tolerance\_percentage](#input\_failure\_tolerance\_percentage) | The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region | `number` | `90` | no |
| [is\_organizational](#input\_is\_organizational) | true/false whether secure-for-cloud should be deployed in an organizational setup (all accounts of org) or not (only on default aws provider account) | `bool` | `false` | no |
-| [org\_units](#input\_org\_units) | Org unit id to install cspm | `set(string)` | `[]` | no |
-| [region](#input\_region) | Default region for resource creation in organization mode | `string` | `"eu-central-1"` | no |
-| [role\_name](#input\_role\_name) | The name of the IAM Role that will be created. | `string` | `"sysdig-secure"` | no |
+| [organizational\_unit\_ids](#input\_organizational\_unit\_ids) | Org unit ids to install onboarding | `set(string)` | `[]` | no |
+| [region](#input\_region) | Default region for resource creation in organization mode | `string` | `""` | no |
| [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | {
"product": "sysdig-secure-for-cloud"
} | no |
| [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no |
+| [account_alias](#input\_account\_alias) | Alias name of the AWS account | `string` | `""` | no |
+| [is\_gov\_cloud\_onboarding](#input\_is\_gov\_cloud\_onboarding) | true/false whether secure-for-cloud should be deployed in a govcloud account/org or not | `bool` | `false` | no |
## Outputs
-No outputs.
+| Name | Description |
+|------|-------------|
+| [sysdig\_secure\_account\_id](#output\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account created |
+| [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed to an entire AWS organization or not |
+| [organizational\_unit\_ids](#output\_organizational\_unit\_ids) | organizational unit ids onboarded |
+| [is\_gov\_cloud\_onboarding](#output\_is\_gov\_cloud\_onboarding) | Boolean value to indicate if a govcloud account/organization is being onboarded |
## Authors
diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf
index d2ba689..5c2ed00 100644
--- a/modules/onboarding/main.tf
+++ b/modules/onboarding/main.tf
@@ -1,3 +1,13 @@
+#-----------------------------------------------------------------------------------------
+# Fetch the data sources
+#-----------------------------------------------------------------------------------------
+
+data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
+ cloud_provider = "aws"
+}
+
+data "sysdig_secure_tenant_external_id" "external_id" {}
+
#----------------------------------------------------------
# Fetch & compute required data
#----------------------------------------------------------
@@ -9,14 +19,10 @@ resource "random_id" "suffix" {
locals {
onboarding_role_name = "sysdig-secure-onboarding-${random_id.suffix.hex}"
+ trusted_identity = var.is_gov_cloud_onboarding ? data.sysdig_secure_trusted_cloud_identity.trusted_identity.gov_identity : data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity
+ arn_prefix = var.is_gov_cloud_onboarding ? "arn:aws-us-gov" : "arn:aws"
}
-data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
- cloud_provider = "aws"
-}
-
-data "sysdig_secure_tenant_external_id" "external_id" {}
-
#----------------------------------------------------------
# Since this is not an Organizational deploy, create role/polices directly
#----------------------------------------------------------
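Review bot: this is the third copy of the `trusted_identity`/`arn_prefix` selection in the commit (config-posture and event-bridge carry identical locals), and every copy trusts the caller's `is_gov_cloud_onboarding` rather than the partition the AWS provider is signed in to. Since the other modules take their flag from this module's output, onboarding is the natural place for `data "aws_partition" "current" {}` and a `precondition` asserting `var.is_gov_cloud_onboarding == (data.aws_partition.current.partition == "aws-us-gov")`, which rejects a mismatched flag at plan time instead of producing a role the Sysdig gov principal can never assume. The `sts:ExternalId` condition on the trust policy below is unchanged, which is good.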
@@ -31,7 +37,7 @@ resource "aws_iam_role" "onboarding_role" {
"Sid": "",
"Effect": "Allow",
"Principal": {
- "AWS": "${data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity}"
+ "AWS": "${local.trusted_identity}"
},
"Action": "sts:AssumeRole",
"Condition": {
@@ -49,12 +55,30 @@ EOF
}
}
+resource "aws_iam_role_policy" "onboarding_role_policy" {
+ name = local.onboarding_role_name
+ role = aws_iam_role.onboarding_role.id
+ policy = jsonencode({
+ Statement = [
+ {
+ Sid = "AccountManagementReadAccess"
+ Action = [
+ "account:Get*",
+ "account:List*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
resource "aws_iam_role_policy_attachments_exclusive" "onboarding_role_managed_policy" {
+ count = var.is_organizational ? 1 : 0
role_name = aws_iam_role.onboarding_role.id
- policy_arns = compact([
- "arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess",
- var.is_organizational ? "arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess" : ""
- ])
+ policy_arns = [
+ "${local.arn_prefix}:iam::aws:policy/AWSOrganizationsReadOnlyAccess"
+ ]
}
data "aws_caller_identity" "current" {}
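Review bot: the new inline `onboarding_role_policy` omits `Version = "2012-10-17"` while its CloudFormation twin in organizational.tf includes it; IAM then applies the 2008 policy language, harmless for this statement but a trap if policy variables are ever added, so add `Version = "2012-10-17"` ahead of `Statement`. Making `aws_iam_role_policy_attachments_exclusive` conditional with `count` also means that in non-organizational mode nothing manages the role's managed-policy attachments any more, so the `AWSAccountManagementReadOnlyAccess` attached by the previous version is presumably left in place on upgrade, since destroying an `_exclusive` resource does not detach anything. Keeping the resource unconditional with `policy_arns = var.is_organizational ? ["${local.arn_prefix}:iam::aws:policy/AWSOrganizationsReadOnlyAccess"] : []` keeps the attachment set exclusively managed and prunes the stale policy. A comment stating that `account:Get*`/`account:List*` replaces the managed policy for partition portability would save the next reader a lookup.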
@@ -64,6 +88,7 @@ resource "sysdig_secure_cloud_auth_account" "cloud_auth_account" {
provider_id = data.aws_caller_identity.current.account_id
provider_type = "PROVIDER_AWS"
provider_alias = var.account_alias
+ provider_partition = var.is_gov_cloud_onboarding ? "PROVIDER_PARTITION_AWS_GOVCLOUD" : ""
component {
type = "COMPONENT_TRUSTED_ROLE"
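Review bot: `provider_partition` is set to `""` rather than `null` in the commercial case, so the provider receives an explicit empty string instead of an unset attribute; depending on how the schema treats it, that may be rejected as an invalid enum value or cause a perpetual diff once the API echoes a default back. `provider_partition = var.is_gov_cloud_onboarding ? "PROVIDER_PARTITION_AWS_GOVCLOUD" : null` leaves the attribute unset when it is not needed. The `sysdig_secure_cloud_auth_account` resource starts and ends outside the hunk.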
diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf
index c53a1e5..b3d4b65 100644
--- a/modules/onboarding/organizational.tf
+++ b/modules/onboarding/organizational.tf
@@ -45,14 +45,23 @@ Resources:
Statement:
- Effect: Allow
Principal:
- AWS: [ ${data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity} ]
+ AWS: [ ${local.trusted_identity} ]
Action: [ 'sts:AssumeRole' ]
Condition:
StringEquals:
sts:ExternalId: ${data.sysdig_secure_tenant_external_id.external_id.external_id}
+ Policies:
+ - PolicyName: ${local.onboarding_role_name}
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - "account:Get*"
+ - "account:List*"
+ Resource: "*"
ManagedPolicyArns:
- - "arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess"
- - "arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess"
+ - "${local.arn_prefix}:iam::aws:policy/AWSOrganizationsReadOnlyAccess"
TEMPLATE
}
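Review bot: the inline `Policies` statement lacks the `Sid: "AccountManagementReadAccess"` that its Terraform counterpart in main.tf carries, so the same permission is labelled differently across the two deployment paths; add `Sid: "AccountManagementReadAccess"` to the statement. The `ManagedPolicyArns` entry can rely on CloudFormation's own partition, `- !Sub "arn:$${AWS::Partition}:iam::aws:policy/AWSOrganizationsReadOnlyAccess"`, instead of a Terraform-interpolated prefix, since only CloudFormation knows at deploy time which partition a StackSet instance lands in. The `Resources` block continues outside the hunk.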
diff --git a/modules/onboarding/outputs.tf b/modules/onboarding/outputs.tf
index dc16a86..857f898 100644
--- a/modules/onboarding/outputs.tf
+++ b/modules/onboarding/outputs.tf
@@ -12,3 +12,8 @@ output "organizational_unit_ids" {
value = var.organizational_unit_ids
description = "organizational unit ids to onboard"
}
+
+output "is_gov_cloud_onboarding" {
+ value = var.is_gov_cloud_onboarding
+ description = "onboard the govcloud account/organization"
+}
\ No newline at end of file
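Review bot: the description `"onboard the govcloud account/organization"` reads as an instruction rather than a description of the value, and it differs from the README wording for the same output; `description = "Whether the onboarded AWS account/organization is in the aws-us-gov partition"` states what the boolean means. The file also loses its trailing newline in this hunk.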
diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf
index e6e0461..b38f1c3 100644
--- a/modules/onboarding/variables.tf
+++ b/modules/onboarding/variables.tf
@@ -47,3 +47,8 @@ variable "account_alias" {
default = ""
}
+variable "is_gov_cloud_onboarding" {
+ type = bool
+ default = false
+ description = "true/false whether secure-for-cloud should be deployed in a govcloud account/org or not"
+}
\ No newline at end of file
diff --git a/modules/onboarding/versions.tf b/modules/onboarding/versions.tf
index 17c7f6b..86d990d 100644
--- a/modules/onboarding/versions.tf
+++ b/modules/onboarding/versions.tf
@@ -10,7 +10,8 @@ terraform {
version = ">= 3.1"
}
sysdig = {
- source = "sysdiglabs/sysdig"
+ source = "sysdiglabs/sysdig"
+ version = "~> 1.39"
}
}
}
diff --git a/test/examples/organization/event_bridge_gov.tf b/test/examples/organization/event_bridge_gov.tf
new file mode 100644
index 0000000..cfe3414
--- /dev/null
+++ b/test/examples/organization/event_bridge_gov.tf
@@ -0,0 +1,29 @@
+#---------------------------------------------------------------------------------------------
+# Ensure installation flow for foundational onboarding has been completed before
+# installing additional Sysdig features.
+#---------------------------------------------------------------------------------------------
+
+module "event-bridge" {
+ source = "../../../modules/integrations/event-bridge"
+ regions = ["us-gov-east-1"]
+ sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+ is_organizational = module.onboarding.is_organizational
+ org_units = module.onboarding.organizational_unit_ids
+ is_gov_cloud_onboarding = module.onboarding.is_gov_cloud_onboarding
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
+ account_id = module.onboarding.sysdig_secure_account_id
+ type = "FEATURE_SECURE_THREAT_DETECTION"
+ enabled = true
+ components = [module.event-bridge.event_bridge_component_id]
+ depends_on = [module.event-bridge]
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
+ account_id = module.onboarding.sysdig_secure_account_id
+ type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
+ enabled = true
+ components = [module.event-bridge.event_bridge_component_id]
+ depends_on = [module.event-bridge, sysdig_secure_cloud_auth_account_feature.config_posture]
+}
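Review bot: this file lives in `test/examples/organization/` next to `onboarding_with_cspm.tf`, and Terraform treats every `.tf` file in a directory as one root module, so `module "event-bridge"` and the two `sysdig_secure_cloud_auth_account_feature` resources will collide with any same-named blocks in the existing non-gov example files, and the companion `onboarding_with_cspm_gov.tf` adds a second `provider "sysdig"` and `required_providers` entry, presumably alongside the existing ones. Whether a non-gov `event_bridge.tf` exists here is not visible, but the provider duplication is. A separate `test/examples/organization_gov/` directory would let the gov and commercial examples be applied independently. The `depends_on` reference to `sysdig_secure_cloud_auth_account_feature.config_posture` also points at a resource defined in another file, so this example is not self-contained.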
diff --git a/test/examples/organization/onboarding_with_cspm.tf b/test/examples/organization/onboarding_with_cspm.tf
index 56b5a0a..9ab29b3 100644
--- a/test/examples/organization/onboarding_with_cspm.tf
+++ b/test/examples/organization/onboarding_with_cspm.tf
@@ -18,16 +18,16 @@ provider "aws" {
}
module "onboarding" {
- source = "../../../modules/onboarding"
+ source = "../../../modules/onboarding"
organizational_unit_ids = ["ou-ks5g-dofso0kc"]
- is_organizational = true
+ is_organizational = true
}
module "config-posture" {
source = "../../../modules/config-posture"
- org_units = module.onboarding.organizational_unit_ids
- is_organizational = module.onboarding.is_organizational
sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+ org_units = ["ou-ks5g-dofso0kc"]
+ is_organizational = true
}
resource "sysdig_secure_cloud_auth_account_feature" "config_posture" {
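Review bot: `module.config-posture` now hard-codes `org_units = ["ou-ks5g-dofso0kc"]` and `is_organizational = true` where it previously consumed `module.onboarding.organizational_unit_ids` and `module.onboarding.is_organizational`, so the two modules can silently diverge on which OUs are instrumented; unless the output references caused a plan-time `count`/`for_each` problem (nothing visible here suggests so), restoring them keeps the example single-sourced. The `config_posture` feature resource begins on the hunk's last line and continues outside it.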
diff --git a/test/examples/organization/onboarding_with_cspm_gov.tf b/test/examples/organization/onboarding_with_cspm_gov.tf
new file mode 100644
index 0000000..f5d45d8
--- /dev/null
+++ b/test/examples/organization/onboarding_with_cspm_gov.tf
@@ -0,0 +1,41 @@
+terraform {
+ required_providers {
+ sysdig = {
+ source = "sysdiglabs/sysdig"
+ version = "~> 1.39"
+ }
+ }
+}
+
+provider "sysdig" {
+ sysdig_secure_url = "https://secure-staging.sysdig.com"
+ sysdig_secure_api_token = "