sysdiglabs · ravinadhruve10 · Nov 12, 2024 · Oct 30, 2024 · Oct 31, 2024 · Nov 5, 2024
@@ -10,13 +10,16 @@ The following resources will be created in each instrumented account:
 
 If instrumenting an AWS Organization, an `aws_cloudformation_stack_set` will be created in the Management Account.
 
+If instrumenting an AWS Gov account/organization, IAM policies and resources will be created in `aws-us-gov` region.
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.60.0 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | ~>1.39 |
 
 ## Providers
 
@@ -32,29 +35,35 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [aws_iam_role.cspm_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachments_exclusive.cspm_role_managed_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachments_exclusive) | resource |
+| [aws_iam_role_policy.cspm_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [sysdig_secure_cloud_auth_account_component.config_posture_role](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource |
 | [aws_cloudformation_stack_set.stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource |
 | [aws_cloudformation_stack_set_instance.stackset_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
-| [aws_iam_role.cspm_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_policy_document.custom_resources_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
+| [sysdig_secure_tenant_external_id.external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source |
 | [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_external_id"></a> [external\_id](#input\_external\_id) | Random string generated unique to a customer | `string` | n/a | yes |
-| <a name="input_trusted_identity"></a> [trusted\_identity](#input\_trusted\_identity) | The name of sysdig trusted identity | `string` | n/a | yes |
 | <a name="input_failure_tolerance_percentage"></a> [failure\_tolerance\_percentage](#input\_failure\_tolerance\_percentage) | The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region | `number` | `90` | no |
 | <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | true/false whether secure-for-cloud should be deployed in an organizational setup (all accounts of org) or not (only on default aws provider account) | `bool` | `false` | no |
 | <a name="input_org_units"></a> [org\_units](#input\_org\_units) | Org unit id to install cspm | `set(string)` | `[]` | no |
 | <a name="input_region"></a> [region](#input\_region) | Default region for resource creation in organization mode | `string` | `""` | no |
-| <a name="input_role_name"></a> [role\_name](#input\_role\_name) | The name of the IAM Role that will be created. | `string` | `"sysdig-secure"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
 | <a name="input_timeout"></a> [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no |
+| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) The GUID of the management project or single project per sysdig representation | `string` | n/a | yes |
+| <a name="input_is_gov_cloud_onboarding"></a> [is\_gov\_cloud\_onboarding](#input\_is\_gov\_cloud\_onboarding) | true/false whether secure-for-cloud should be deployed in a govcloud account/org or not | `bool` | `false` | no |
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_config_posture_component_id"></a> [config\_posture\_component\_id](#output\_config\_posture\_component\_id) | The component id of the config posture trusted identity |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ## Authors

@@ -1,19 +1,28 @@
-// generate a random suffix for the config-posture role name
+#-----------------------------------------------------------------------------------------
+# Fetch the data sources
+#-----------------------------------------------------------------------------------------
+
+data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
+  cloud_provider = "aws"
+}
 
+data "sysdig_secure_tenant_external_id" "external_id" {}
+
+#----------------------------------------------------------
+# Fetch & compute required data
+#----------------------------------------------------------
+
+// generate a random suffix for the config-posture role name
 resource "random_id" "suffix" {
   byte_length = 3
 }
 
 locals {
   config_posture_role_name = "sysdig-secure-posture-${random_id.suffix.hex}"
+  trusted_identity         = var.is_gov_cloud_onboarding ? data.sysdig_secure_trusted_cloud_identity.trusted_identity.gov_identity : data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity
+  arn_prefix               = var.is_gov_cloud_onboarding ? "arn:aws-us-gov" : "arn:aws"
 }
 
-data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
-  cloud_provider = "aws"
-}
-
-data "sysdig_secure_tenant_external_id" "external_id" {}
-
 #----------------------------------------------------------
 # Since this is not an Organizational deploy, create role/polices directly
 #----------------------------------------------------------
@@ -28,7 +37,7 @@ resource "aws_iam_role" "cspm_role" {
             "Sid": "",
             "Effect": "Allow",
             "Principal": {
-                "AWS": "${data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity}"
+                "AWS": "${local.trusted_identity}"
             },
             "Action": "sts:AssumeRole",
             "Condition": {
@@ -45,7 +54,7 @@ EOF
 resource "aws_iam_role_policy_attachments_exclusive" "cspm_role_managed_policy" {
   role_name = aws_iam_role.cspm_role.id
   policy_arns = [
-    "arn:aws:iam::aws:policy/SecurityAudit"
+    "${local.arn_prefix}:iam::aws:policy/SecurityAudit"
   ]
 }
 
@@ -70,8 +79,8 @@ resource "aws_iam_role_policy" "cspm_role_policy" {
         ]
         Effect = "Allow"
         Resource = [
-          "arn:aws:waf-regional:*:*:rule/*",
-          "arn:aws:waf-regional:*:*:rulegroup/*"
+          "${local.arn_prefix}:waf-regional:*:*:rule/*",
+          "${local.arn_prefix}:waf-regional:*:*:rulegroup/*"
         ]
       },
       {

@@ -45,13 +45,13 @@ Resources:
         Statement:
           - Effect: Allow
             Principal:
-              AWS: [ ${data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity} ]
+              AWS: [ ${local.trusted_identity} ]
             Action: [ 'sts:AssumeRole' ]
             Condition:
               StringEquals:
                 sts:ExternalId: ${data.sysdig_secure_tenant_external_id.external_id.external_id}
       ManagedPolicyArns:
-        - "arn:aws:iam::aws:policy/SecurityAudit"
+        - "${local.arn_prefix}:iam::aws:policy/SecurityAudit"
       Policies:
         - PolicyName: ${local.config_posture_role_name}
           PolicyDocument:
@@ -67,8 +67,8 @@ Resources:
                   - "waf-regional:ListRules"
                   - "waf-regional:ListRuleGroups"
                 Resource:
-                  - "arn:aws:waf-regional:*:*:rule/*"
-                  - "arn:aws:waf-regional:*:*:rulegroup/*"
+                  - "${local.arn_prefix}:waf-regional:*:*:rule/*"
+                  - "${local.arn_prefix}:waf-regional:*:*:rulegroup/*"
               - Sid: "ListJobsOnConsole"
                 Effect: "Allow"
                 Action: "macie2:ListClassificationJobs"

@@ -45,3 +45,9 @@ variable "sysdig_secure_account_id" {
   type        = string
   description = "ID of the Sysdig Cloud Account to enable Config Posture for (incase of organization, ID of the Sysdig management account)"
 }
+
+variable "is_gov_cloud_onboarding" {
+  type        = bool
+  default     = false
+  description = "true/false whether secure-for-cloud should be deployed in a govcloud account/org or not"
+}
@@ -6,7 +6,8 @@ terraform {
       version = ">= 5.60.0"
     }
     sysdig = {
-      source = "sysdiglabs/sysdig"
+      source  = "sysdiglabs/sysdig"
+      version = "~> 1.39"
     }
   }
 }
@@ -11,14 +11,16 @@ When run in Organizational mode, this module will be deployed via CloudFormation
 
 This module will also deploy an Event Bridge Component in Sysdig Backend for onboarded Sysdig Cloud Account.
 
+If instrumenting an AWS Gov account/organization, IAM policies and event bridge resources will be created in `aws-us-gov` region.
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.60.0 |
-| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | ~>1.39 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.1 |
 
 
@@ -72,6 +74,7 @@ No modules.
 | <a name="input_tags"></a> [tags](#input\_tags) | (Optional) Tags to be attached to all Sysdig resources. | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
 | <a name="input_timeout"></a> [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no |
 | <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Event Bridge integration for (incase of organization, ID of the Sysdig management account) | `string` | n/a | yes |
+| <a name="input_is_gov_cloud_onboarding"></a> [is\_gov\_cloud\_onboarding](#input\_is\_gov\_cloud\_onboarding) | true/false whether Event Bridge should be deployed in a govcloud account/org or not | `bool` | `false` | no |
 
 ## Outputs
 

@@ -26,7 +26,10 @@ data "sysdig_secure_tenant_external_id" "external_id" {}
 # These locals indicate the region list passed.
 #-----------------------------------------------------------------------------------------
 locals {
-  region_set = toset(var.regions)
+  region_set           = toset(var.regions)
+  trusted_identity     = var.is_gov_cloud_onboarding ? data.sysdig_secure_trusted_cloud_identity.trusted_identity.gov_identity : data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity
+  target_event_bus_arn = var.is_gov_cloud_onboarding ? data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARNGov : data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARN
+  arn_prefix           = var.is_gov_cloud_onboarding ? "arn:aws-us-gov" : "arn:aws"
 }
 
 #-----------------------------------------------------------------------------------------
@@ -79,7 +82,7 @@ resource "aws_iam_role_policy_attachments_exclusive" "event_bus_stackset_admin_r
   count     = !var.auto_create_stackset_roles ? 0 : 1
   role_name = aws_iam_role.event_bus_stackset_admin_role[0].id
   policy_arns = [
-    "arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"
+    "${local.arn_prefix}:iam::aws:policy/AWSCloudFormationFullAccess"
   ]
 }
 
@@ -104,7 +107,7 @@ resource "aws_iam_role" "event_bus_stackset_execution_role" {
     {
       "Action": "sts:AssumeRole",
       "Principal": {
-        "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${aws_iam_role.event_bus_stackset_admin_role[0].name}"
+        "AWS": "${local.arn_prefix}:iam::${data.aws_caller_identity.current.account_id}:role/${aws_iam_role.event_bus_stackset_admin_role[0].name}"
       },
       "Effect": "Allow",
       "Condition": {}
@@ -118,8 +121,8 @@ resource "aws_iam_role_policy_attachments_exclusive" "event_bus_stackset_executi
   count     = !var.auto_create_stackset_roles ? 0 : 1
   role_name = aws_iam_role.event_bus_stackset_execution_role[0].id
   policy_arns = [
-    "arn:aws:iam::aws:policy/AWSCloudFormationFullAccess",
-    "arn:aws:iam::aws:policy/AmazonEventBridgeFullAccess"
+    "${local.arn_prefix}:iam::aws:policy/AWSCloudFormationFullAccess",
+    "${local.arn_prefix}:iam::aws:policy/AmazonEventBridgeFullAccess"
   ]
 }
 
@@ -149,7 +152,7 @@ resource "aws_iam_role" "event_bus_invoke_remote_event_bus" {
     {
       "Action": "sts:AssumeRole",
       "Principal": {
-        "AWS": "${data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity}"
+        "AWS": "${local.trusted_identity}"
       },
       "Effect": "Allow",
       "Condition": {
@@ -163,7 +166,6 @@ resource "aws_iam_role" "event_bus_invoke_remote_event_bus" {
 EOF
 }
 
-
 resource "aws_iam_role_policy" "event_bus_invoke_remote_event_bus_policy" {
   name = local.eb_resource_name
   role = aws_iam_role.event_bus_invoke_remote_event_bus.id
@@ -176,7 +178,7 @@ resource "aws_iam_role_policy" "event_bus_invoke_remote_event_bus_policy" {
         ]
         Effect = "Allow"
         Resource = [
-          data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARN,
+          "${local.target_event_bus_arn}",
         ]
       },
       {
@@ -187,7 +189,7 @@ resource "aws_iam_role_policy" "event_bus_invoke_remote_event_bus_policy" {
         ]
         Effect = "Allow"
         Resource = [
-          "arn:aws:events:*:*:rule/${local.eb_resource_name}",
+          "${local.arn_prefix}:events:*:*:rule/${local.eb_resource_name}",
         ]
       },
     ]
@@ -226,7 +228,8 @@ resource "aws_cloudformation_stack_set" "primary-acc-stackset" {
     name                 = local.eb_resource_name
     event_pattern        = var.event_pattern
     rule_state           = var.rule_state
-    target_event_bus_arn = data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARN
+    arn_prefix           = local.arn_prefix
+    target_event_bus_arn = local.target_event_bus_arn
   })
 
   depends_on = [

@@ -38,7 +38,8 @@ resource "aws_cloudformation_stack_set" "eb-rule-stackset" {
     name                 = local.eb_resource_name
     event_pattern        = var.event_pattern
     rule_state           = var.rule_state
-    target_event_bus_arn = data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARN
+    arn_prefix           = local.arn_prefix
+    target_event_bus_arn = local.target_event_bus_arn
   })
 }
 
@@ -79,7 +80,7 @@ Resources:
               Action: 'sts:AssumeRole'
             - Effect: "Allow"
               Principal:
-                AWS: "${data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity}"
+                AWS: "${local.trusted_identity}"
               Action: "sts:AssumeRole"
               Condition:
                 StringEquals:
@@ -91,12 +92,12 @@ Resources:
               Statement:
                 - Effect: Allow
                   Action: 'events:PutEvents'
-                  Resource: ${data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARN}
+                  Resource: "${local.target_event_bus_arn}"
                 - Effect: Allow
                   Action:
                     - "events:DescribeRule"
                     - "events:ListTargetsByRule"
-                  Resource: "arn:aws:events:*:*:rule/${local.eb_resource_name}"
+                  Resource: "${local.arn_prefix}:events:*:*:rule/${local.eb_resource_name}"
 TEMPLATE
 }
 

@@ -9,4 +9,4 @@ Resources:
       Targets:
         - Id: ${name}
           Arn: ${target_event_bus_arn}
-          RoleArn: !Sub "arn:aws:iam::$${AWS::AccountId}:role/${name}"
+          RoleArn: !Sub "${arn_prefix}:iam::$${AWS::AccountId}:role/${name}"
@@ -100,4 +100,10 @@ variable "stackset_execution_role_name" {
 variable "sysdig_secure_account_id" {
   type        = string
   description = "ID of the Sysdig Cloud Account to enable Event Bridge integration for (incase of organization, ID of the Sysdig management account)"
+}
+
+variable "is_gov_cloud_onboarding" {
+  type        = bool
+  default     = false
+  description = "true/false whether EventBridge should be deployed in a govcloud account/org or not"
 }
@@ -6,7 +6,8 @@ terraform {
       version = ">= 5.60.0"
     }
     sysdig = {
-      source = "sysdiglabs/sysdig"
+      source  = "sysdiglabs/sysdig"
+      version = "~> 1.39"
     }
     random = {
       source  = "hashicorp/random"