Skip to content

enhance(s3): add support for Govcloud account/org for fedramp #24

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Nov 12, 2024
Merged

enhance(s3): add support for Govcloud account/org for fedramp #24

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
a35c77d
enhance(s3): add support for Govcloud account/org for fedramp
jose-pablo-camacho Oct 30, 2024
3e6f655
enhance(s3): add support for Govcloud account/org for s3
jose-pablo-camacho Nov 5, 2024
a333ec2
fix version
jose-pablo-camacho Nov 5, 2024
0343f75
Merge branch 'main' into enhance/s3/add-gov-support
jose-pablo-camacho Nov 12, 2024
df2aaa2
fix version
jose-pablo-camacho Nov 12, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
62 changes: 35 additions & 27 deletions modules/integrations/cloud-logs/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,24 +1,30 @@
# AWS Cloud Logs Module

This Module creates the resources required to send CloudTrail logs to Sysdig by enabling access to the CloudTrail associated s3 bucket through a dedicated IAM role.
This Module creates the resources required to send CloudTrail logs to Sysdig by enabling access to the CloudTrail
associated s3 bucket through a dedicated IAM role.

The following resources will be created in each instrumented account:
- An IAM Role and associated policies that gives the ingestion component in Sysdig's account permission to list and retrieve items from it.

- An IAM Role and associated policies that gives the ingestion component in Sysdig's account permission to list and
retrieve items from it.

If instrumenting an AWS Gov account/organization, resources will be created in `aws-us-gov` region.

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

## Requirements

| Name | Version |
|------|-----------|
| Name | Version |
|---------------------------------------------------------------------------|-----------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.60.0 |
| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.60.0 |
| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | ~>1.39 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.1 |

## Providers

| Name | Version |
|------|---------|
| Name | Version |
|---------------------------------------------------|-----------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.60.0 |

## Modules
Expand All @@ -27,33 +33,35 @@ No modules.

## Resources

| Name | Type |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|
| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
| [aws_iam_role.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy.cloudlogs_s3_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| Name | Type |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
| [aws_iam_role.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy.cloudlogs_s3_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_policy_document.assume_cloudlogs_s3_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
| [sysdig_secure_tenant_external_id.external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source |
| [sysdig_secure_cloud_auth_account_component.aws_cloud_logs](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
| [sysdig_secure_tenant_external_id.external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source |
| [sysdig_secure_cloud_auth_account_component.aws_cloud_logs](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|---------------|-----------------------------------------------------------|:--------:|
| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account) | `string` | n/a | yes |
| <a name="input_folder_arn"></a> [folder\_arn](#input\_folder\_arn) | (Required) The ARN of your CloudTrail Bucket Folder | `string` | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required. | `map(string)` | <pre>{<br> "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
| <a name="input_name"></a> [name](#input\_name) | (Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `string` | sysdig-secure-cloudlogs | no |
| <a name="input_regions"></a> [regions](#input\_regions) | (Optional) The list of AWS regions we want to scrape data from | `set(string)` | `[]` | no |
| Name | Description | Type | Default | Required |
|------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|---------------|-------------------------------------------------------------|:--------:|
| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account) | `string` | n/a | yes |
| <a name="input_folder_arn"></a> [folder\_arn](#input\_folder\_arn) | (Required) The ARN of your CloudTrail Bucket Folder | `string` | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required. | `map(string)` | <pre>{<br> "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
| <a name="input_name"></a> [name](#input\_name) | (Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `string` | sysdig-secure-cloudlogs | no |
| <a name="input_regions"></a> [regions](#input\_regions) | (Optional) The list of AWS regions we want to scrape data from | `set(string)` | `[]` | no |
| <a name="input_is_gov_cloud_onboarding"></a> [is\_gov\_cloud](#input\_is\_gov\_cloud\_onboarding) | true/false whether secure-for-cloud should be deployed in a govcloud account/org or not | `bool` | `false` | no |

## Outputs

| Name | Description |
|-----------------------------------------------------------------------------------------------------------------|-------------|
| Name | Description |
|-----------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------|
| <a name="output_cloud_logs_component_id"></a> [cloud\_logs\_component\_id](#output\_cloud\_logs\_component\_id) | Component identifier of Cloud Logs integration created in Sysdig Backend for Log Ingestion |

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

## Authors
Expand Down
3 changes: 2 additions & 1 deletion modules/integrations/cloud-logs/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ locals {
account_id_hash = substr(md5(data.aws_caller_identity.current.account_id), 0, 4)
role_name = "${var.name}-${random_id.suffix.hex}-${local.account_id_hash}"
bucket_arn = regex("^([^/]+)", var.folder_arn)[0]
trusted_identity = var.is_gov_cloud_onboarding ? data.sysdig_secure_trusted_cloud_identity.trusted_identity.gov_identity : data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity
}

#-----------------------------------------------------------------------------------------------------------------------
Expand Down Expand Up @@ -59,7 +60,7 @@ data "aws_iam_policy_document" "assume_cloudlogs_s3_access_role" {

principals {
type = "AWS"
identifiers = [data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity]
identifiers = [local.trusted_identity]
}

actions = ["sts:AssumeRole"]
Expand Down
6 changes: 6 additions & 0 deletions modules/integrations/cloud-logs/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,3 +28,9 @@ variable "regions" {
type = set(string)
default = []
}

variable "is_gov_cloud_onboarding" {
type = bool
default = false
description = "true/false whether secure-for-cloud should be deployed in a govcloud account/org or not"
}
1 change: 1 addition & 0 deletions modules/integrations/cloud-logs/versions.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ terraform {
}
sysdig = {
source = "sysdiglabs/sysdig"
version = "~> 1.39"
}
random = {
source = "hashicorp/random"
Expand Down
26 changes: 26 additions & 0 deletions test/examples/organization/cloud_logs.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
#---------------------------------------------------------------------------------------------
# Ensure installation flow for foundational onboarding has been completed before
# installing additional Sysdig features.
#---------------------------------------------------------------------------------------------

module "cloud-logs" {
source = "../../../modules/integrations/cloud-logs"
folder_arn = "<FOLDER_ARN"
sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
}

resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
account_id = module.onboarding.sysdig_secure_account_id
type = "FEATURE_SECURE_THREAT_DETECTION"
enabled = true
components = [module.cloud-logs.cloud_logs_component_id]
depends_on = [module.cloud-logs]
}

resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
account_id = module.onboarding.sysdig_secure_account_id
type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
enabled = true
components = [module.cloud-logs.cloud_logs_component_id]
depends_on = [module.cloud-logs, sysdig_secure_cloud_auth_account_feature.config_posture]
}
27 changes: 27 additions & 0 deletions test/examples/organization/cloud_logs_gov.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
#---------------------------------------------------------------------------------------------
# Ensure installation flow for foundational onboarding has been completed before
# installing additional Sysdig features.
#---------------------------------------------------------------------------------------------

module "cloud-logs" {
source = "../../../modules/integrations/cloud-logs"
folder_arn = "<FOLDER_ARN"
sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
is_gov_cloud_onboarding = module.onboarding.is_gov_cloud_onboarding
}

resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
account_id = module.onboarding.sysdig_secure_account_id
type = "FEATURE_SECURE_THREAT_DETECTION"
enabled = true
components = [module.cloud-logs.cloud_logs_component_id]
depends_on = [module.cloud-logs]
}

resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
account_id = module.onboarding.sysdig_secure_account_id
type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
enabled = true
components = [module.cloud-logs.cloud_logs_component_id]
depends_on = [module.cloud-logs, sysdig_secure_cloud_auth_account_feature.config_posture]
}
26 changes: 26 additions & 0 deletions test/examples/single_account/cloud_logs.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
#---------------------------------------------------------------------------------------------
# Ensure installation flow for foundational onboarding has been completed before
# installing additional Sysdig features.
#---------------------------------------------------------------------------------------------

module "cloud-logs" {
source = "../../../modules/integrations/cloud-logs"
folder_arn = "<FOLDER_ARN"
sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
}

resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
account_id = module.onboarding.sysdig_secure_account_id
type = "FEATURE_SECURE_THREAT_DETECTION"
enabled = true
components = [module.cloud-logs.cloud_logs_component_id]
depends_on = [module.cloud-logs]
}

resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
account_id = module.onboarding.sysdig_secure_account_id
type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
enabled = true
components = [module.cloud-logs.cloud_logs_component_id]
depends_on = [module.cloud-logs, sysdig_secure_cloud_auth_account_feature.config_posture]
}
27 changes: 27 additions & 0 deletions test/examples/single_account/cloud_logs_gov.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
#---------------------------------------------------------------------------------------------
# Ensure installation flow for foundational onboarding has been completed before
# installing additional Sysdig features.
#---------------------------------------------------------------------------------------------

module "cloud-logs" {
source = "../../../modules/integrations/cloud-logs"
folder_arn = "<FOLDER_ARN"
sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
is_gov_cloud_onboarding = module.onboarding.is_gov_cloud_onboarding
}

resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
account_id = module.onboarding.sysdig_secure_account_id
type = "FEATURE_SECURE_THREAT_DETECTION"
enabled = true
components = [module.cloud-logs.cloud_logs_component_id]
depends_on = [module.cloud-logs]
}

resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
account_id = module.onboarding.sysdig_secure_account_id
type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
enabled = true
components = [module.cloud-logs.cloud_logs_component_id]
depends_on = [module.cloud-logs, sysdig_secure_cloud_auth_account_feature.config_posture]
}