From 585d5a1bf03ef1e514a998a03bc75e63fd1443d2 Mon Sep 17 00:00:00 2001
From: matteopasa <146732818+matteopasa@users.noreply.github.com>
Date: Wed, 26 Mar 2025 15:27:11 +0100
Subject: [PATCH 1/4] feat(event-bridge): event bridge api dest (SSPROD-53939)
(#42)
* first draft of api dest tf
* update tfs after testing
* update readme
* use provider version
* use event-bridge folder
* rename
* add cloudwatch permissions and newlines
* one locals block
---
modules/integrations/event-bridge/README.md | 33 ++--
modules/integrations/event-bridge/main.tf | 152 ++++++------------
.../event-bridge/organizational.tf | 85 ++++------
.../event-bridge/stackset_template_body.tpl | 12 --
.../stackset_template_eb_rule_api_dest.tpl | 31 ++++
.../stackset_template_org_policies.tpl | 37 +++++
.../integrations/event-bridge/variables.tf | 7 +
modules/integrations/event-bridge/versions.tf | 2 +-
8 files changed, 173 insertions(+), 186 deletions(-)
delete mode 100644 modules/integrations/event-bridge/stackset_template_body.tpl
create mode 100644 modules/integrations/event-bridge/stackset_template_eb_rule_api_dest.tpl
create mode 100644 modules/integrations/event-bridge/stackset_template_org_policies.tpl
diff --git a/modules/integrations/event-bridge/README.md b/modules/integrations/event-bridge/README.md
index 81e4204..f9afbd7 100644
--- a/modules/integrations/event-bridge/README.md
+++ b/modules/integrations/event-bridge/README.md
@@ -1,17 +1,17 @@
# AWS Event Bridge Module
-This Module creates the resources required to send CloudTrail logs to Sysdig via AWS EventBridge for Log Ingestion. These resources enable Threat Detection in the given single account, or AWS Organization.
+This Module creates the resources required to send CloudTrail logs to Sysdig via AWS EventBridge API Destinations for Log Ingestion. These resources enable Threat Detection in the given single account, or AWS Organization.
The following resources will be created in each instrumented account through CloudFormation StackSet in provided regions:
-- An `EventBridge Rule` that captures all CloudTrail events from the defaul EventBridge Bus
-- An `EventBridge Target` that sends these events to an EventBridge Bus is Sysdig's AWS Account
-- An `IAM Role` and associated policies that gives the EventBridge Bus in the source account permission to call PutEvent on the EventBridge Bus in Sysdig's Account.
-
+- An `EventBridge Rule` that captures all CloudTrail events from the default EventBridge Bus
+- An `EventBridge API Destination` that forwards these events to Sysdig's secure endpoint
+- An `EventBridge Connection` that handles authentication for the API Destination
+- An `IAM Role` and associated policies that gives the EventBridge Rule permission to invoke the API Destination
When run in Organizational mode, this module will be deployed via CloudFormation StackSets that should be created in the management account. They will create the above resources in each account in the organization, and automatically in any member accounts that are later added to the organization.
-This module will also deploy an Event Bridge Component in Sysdig Backend for onboarded Sysdig Cloud Account.
+This module will also deploy a Webhook Datasource Component in Sysdig Backend for the onboarded Sysdig Cloud Account, which tracks and validates the API Destination configuration.
-If instrumenting an AWS Gov account/organization, IAM policies and event bridge resources will be created in `aws-us-gov` region.
+If instrumenting an AWS Gov account/organization, IAM policies and EventBridge resources will be created in `aws-us-gov`region.
## Requirements
@@ -21,7 +21,7 @@ If instrumenting an AWS Gov account/organization, IAM policies and event bridge
| [terraform](#requirement\_terraform) | >= 1.0.0 |
| [aws](#requirement\_aws) | >= 5.60.0 |
| [random](#requirement\_random) | >= 3.1 |
-| [sysdig](#requirement\_sysdig) | ~> 1.48 |
+| [sysdig](#requirement\_sysdig) | ~> 1.51 |
## Providers
@@ -29,7 +29,7 @@ If instrumenting an AWS Gov account/organization, IAM policies and event bridge
|------|---------|
| [aws](#provider\_aws) | >= 5.60.0 |
| [random](#provider\_random) | >= 3.1 |
-| [sysdig](#provider\_sysdig) | ~> 1.48 |
+| [sysdig](#provider\_sysdig) | ~> 1.51 |
## Modules
@@ -39,16 +39,16 @@ No modules.
| Name | Type |
|------|------|
-| [aws_cloudformation_stack_set.eb-role-stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource |
-| [aws_cloudformation_stack_set.eb-rule-stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource |
-| [aws_cloudformation_stack_set.primary-acc-stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource |
+| [aws_cloudformation_stack_set.eb_role_stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource |
+| [aws_cloudformation_stack_set.eb_rule_and_api_dest_stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource |
+| [aws_cloudformation_stack_set.eb_rule_api_dest_stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource |
| [aws_cloudformation_stack_set_instance.eb_role_stackset_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
-| [aws_cloudformation_stack_set_instance.eb_rule_stackset_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
-| [aws_cloudformation_stack_set_instance.primary_acc_stackset_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
-| [aws_iam_role.event_bus_invoke_remote_event_bus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_cloudformation_stack_set_instance.eb_rule_and_api_dest_stackset_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
+| [aws_cloudformation_stack_set_instance.eb_rule_api_dest_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
+| [aws_iam_role.event_bridge_api_destination_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.event_bus_stackset_admin_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.event_bus_stackset_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy.event_bus_invoke_remote_event_bus_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.event_bridge_api_destination_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_role_policy_attachments_exclusive.event_bus_stackset_admin_role_managed_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachments_exclusive) | resource |
| [aws_iam_role_policy_attachments_exclusive.event_bus_stackset_execution_role_managed_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachments_exclusive) | resource |
| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
@@ -64,6 +64,7 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
+| [api\_dest\_rate\_limit](#input\_api\_dest\_rate\_limit) | Rate limit for API Destinations | `number` | `300` | no |
| [auto\_create\_stackset\_roles](#input\_auto\_create\_stackset\_roles) | Whether to auto create the custom stackset roles to run SELF\_MANAGED stackset. Default is true | `bool` | `true` | no |
| [event\_pattern](#input\_event\_pattern) | Event pattern for CloudWatch Event Rule | `string` | `"{\n \"detail-type\": [\n \"AWS API Call via CloudTrail\",\n \"AWS Console Sign In via CloudTrail\",\n \"AWS Service Event via CloudTrail\",\n \"Object Access Tier Changed\",\n \"Object ACL Updated\",\n \"Object Created\",\n \"Object Deleted\",\n \"Object Restore Completed\",\n \"Object Restore Expired\",\n \"Object Restore Initiated\",\n \"Object Storage Class Changed\",\n \"Object Tags Added\",\n \"Object Tags Deleted\",\n \"GuardDuty Finding\"\n ]\n}\n"` | no |
| [exclude\_accounts](#input\_exclude\_accounts) | (Optional) accounts to exclude for organization | `set(string)` | `[]` | no |
diff --git a/modules/integrations/event-bridge/main.tf b/modules/integrations/event-bridge/main.tf
index 08fb529..6ab84ed 100644
--- a/modules/integrations/event-bridge/main.tf
+++ b/modules/integrations/event-bridge/main.tf
@@ -1,20 +1,10 @@
-#-----------------------------------------------------------------------------------------------------------------------------------------
-# For both Single Account and Organizational installs, resources are created using CloudFormation StackSet.
-# For Organizational installs, see organizational.tf.
-#
-# For single installs, the resources in this file are used to instrument the singleton account, whether it is a management account or a
-# member account.
-#
-# For organizational installs, resources in this file get created for management account only. (because service-managed stacksets do not
-# include the management account they are created in, even if this account is within the target Organization).
-#-----------------------------------------------------------------------------------------------------------------------------------------
-
-#-----------------------------------------------------------------------------------------
-# Fetch the data sources
-#-----------------------------------------------------------------------------------------
data "aws_caller_identity" "current" {}
-data "sysdig_secure_cloud_ingestion_assets" "assets" {}
+data "sysdig_secure_cloud_ingestion_assets" "assets" {
+ cloud_provider = "aws"
+ cloud_provider_id = data.aws_caller_identity.current.account_id
+ component_type = local.component_type
+}
data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
cloud_provider = "aws"
@@ -22,44 +12,23 @@ data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
data "sysdig_secure_tenant_external_id" "external_id" {}
-#-----------------------------------------------------------------------------------------
-# These locals indicate the region list passed.
-#-----------------------------------------------------------------------------------------
locals {
region_set = toset(var.regions)
trusted_identity = var.is_gov_cloud_onboarding ? data.sysdig_secure_trusted_cloud_identity.trusted_identity.gov_identity : data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity
- target_event_bus_arn = var.is_gov_cloud_onboarding ? data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARNGov : data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARN
arn_prefix = var.is_gov_cloud_onboarding ? "arn:aws-us-gov" : "arn:aws"
+ component_type = "COMPONENT_WEBHOOK_DATASOURCE"
+ account_id_hash = substr(md5(data.aws_caller_identity.current.account_id), 0, 4)
+ eb_resource_name = "${var.name}-${random_id.suffix.hex}-${local.account_id_hash}"
}
-#-----------------------------------------------------------------------------------------
-# Generate a unique name for resources using random suffix and account ID hash
-#-----------------------------------------------------------------------------------------
-locals {
- account_id_hash = substr(md5(data.aws_caller_identity.current.account_id), 0, 4)
- eb_resource_name = "${var.name}-${random_id.suffix.hex}-${local.account_id_hash}"
-}
-
-#-----------------------------------------------------------------------------------------------------------------------
-# A random resource is used to generate unique Event Bridge name suffix for resources.
-# This prevents conflicts when recreating an Event Bridge resources with the same name.
-#-----------------------------------------------------------------------------------------------------------------------
resource "random_id" "suffix" {
byte_length = 3
}
-#-----------------------------------------------------------------------------------------------------------------------------------------
-# Self-managed stacksets require pair of StackSetAdministrationRole & StackSetExecutionRole IAM roles with self-managed permissions.
-#
-# If auto_create_stackset_roles is true, terraform will create this IAM Admin role in the source account with permissions to create
-# stacksets. If false, and values for stackset Admin role ARN is provided stackset will use it, else AWS will look for
-# predefined/default AWSCloudFormationStackSetAdministrationRole.
-#-----------------------------------------------------------------------------------------------------------------------------------------
-
resource "aws_iam_role" "event_bus_stackset_admin_role" {
count = !var.auto_create_stackset_roles ? 0 : 1
- name = "AWSCloudFormationStackSetAdministrationRoleForEB"
+ name = "AWSCloudFormationStackSetAdministrationRoleForEBApiDest"
tags = var.tags
assume_role_policy = <
Date: Thu, 3 Apr 2025 12:00:44 +0200
Subject: [PATCH 2/4] add cloudwatch policies
---
.../integrations/event-bridge/stackset_template_org_policies.tpl | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules/integrations/event-bridge/stackset_template_org_policies.tpl b/modules/integrations/event-bridge/stackset_template_org_policies.tpl
index bbe1473..a114097 100644
--- a/modules/integrations/event-bridge/stackset_template_org_policies.tpl
+++ b/modules/integrations/event-bridge/stackset_template_org_policies.tpl
@@ -34,4 +34,5 @@ Resources:
Action:
- "events:DescribeApiDestination"
- "events:DescribeConnection"
+ - "cloudwatch:GetMetricStatistics"
Resource: "*"
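Review bot: The added `cloudwatch:GetMetricStatistics` joins a statement whose `Resource: "*"` also covers `events:DescribeApiDestination` and `events:DescribeConnection`, so those two stay unscoped even though both accept resource ARNs and the single-account policy in main.tf (patch 4, the `EventRuleAndDestinationAccess` statement) scopes them to the api-destination and connection ARNs. `GetMetricStatistics` only works with `*`, so give it its own statement and restrict the `events:Describe*` statement to the destination and connection ARNs built from the same names the template uses for those resources, mirroring the main.tf split. The enclosing statement and the policy it belongs to start outside the hunk, so the exact ARN expressions are not visible here.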
From 857285fbbc827fb99e05f5f469da2c240e0c0059 Mon Sep 17 00:00:00 2001
From: matteopasa
Date: Tue, 8 Apr 2025 11:45:09 +0200
Subject: [PATCH 3/4] fix org
---
modules/integrations/event-bridge/organizational.tf | 12 ++----------
1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/modules/integrations/event-bridge/organizational.tf b/modules/integrations/event-bridge/organizational.tf
index 4148428..709dc8e 100644
--- a/modules/integrations/event-bridge/organizational.tf
+++ b/modules/integrations/event-bridge/organizational.tf
@@ -1,11 +1,3 @@
-data "aws_organizations_organization" "org" {
- count = var.is_organizational ? 1 : 0
-}
-
-locals {
- organizational_unit_ids = var.is_organizational && length(var.org_units) == 0 ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : toset(var.org_units)
-}
-
resource "aws_cloudformation_stack_set" "eb_rule_api_dest_stackset" {
count = var.is_organizational ? 1 : 0
@@ -73,7 +65,7 @@ resource "aws_cloudformation_stack_set_instance" "eb_rule_api_dest_instance" {
stack_set_name = aws_cloudformation_stack_set.eb_rule_api_dest_stackset[0].name
deployment_targets {
- organizational_unit_ids = local.deployment_targets_org_units
+ organizational_unit_ids = local.deployment_targets_ous.org_units_to_deploy
accounts = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy)
account_filter_type = local.check_old_ouid_param ? null : local.deployment_targets_accounts_filter
}
@@ -96,7 +88,7 @@ resource "aws_cloudformation_stack_set_instance" "eb_role_stackset_instance" {
stack_set_name = aws_cloudformation_stack_set.eb_role_stackset[0].name
deployment_targets {
- organizational_unit_ids = local.deployment_targets_org_units
+ organizational_unit_ids = local.deployment_targets_ous.org_units_to_deploy
accounts = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy)
account_filter_type = local.check_old_ouid_param ? null : local.deployment_targets_accounts_filter
}
From 3fb73e7bf51b53f9ad6f1217aa6b2e77073a4e34 Mon Sep 17 00:00:00 2001
From: matteopasa
Date: Thu, 10 Apr 2025 10:06:56 +0200
Subject: [PATCH 4/4] add back some comments
---
modules/integrations/event-bridge/main.tf | 72 +++++++++++++++++--
.../event-bridge/organizational.tf | 9 ++-
2 files changed, 75 insertions(+), 6 deletions(-)
diff --git a/modules/integrations/event-bridge/main.tf b/modules/integrations/event-bridge/main.tf
index 6ab84ed..361ce94 100644
--- a/modules/integrations/event-bridge/main.tf
+++ b/modules/integrations/event-bridge/main.tf
@@ -1,3 +1,17 @@
+#-----------------------------------------------------------------------------------------------------------------------------------------
+# For both Single Account and Organizational installs, resources are created using CloudFormation StackSet.
+# For Organizational installs, see organizational.tf.
+#
+# For single installs, the resources in this file are used to instrument the singleton account, whether it is a management account or a
+# member account.
+#
+# For organizational installs, resources in this file get created for management account only. (because service-managed stacksets do not
+# include the management account they are created in, even if this account is within the target Organization).
+#-----------------------------------------------------------------------------------------------------------------------------------------
+
+#-----------------------------------------------------------------------------------------
+# Fetch the data sources
+#-----------------------------------------------------------------------------------------
data "aws_caller_identity" "current" {}
data "sysdig_secure_cloud_ingestion_assets" "assets" {
@@ -21,10 +35,21 @@ locals {
eb_resource_name = "${var.name}-${random_id.suffix.hex}-${local.account_id_hash}"
}
+#-----------------------------------------------------------------------------------------------------------------------
+# A random resource is used to generate unique Event Bridge name suffix for resources.
+# This prevents conflicts when recreating an Event Bridge resources with the same name.
+#-----------------------------------------------------------------------------------------------------------------------
resource "random_id" "suffix" {
byte_length = 3
}
+#-----------------------------------------------------------------------------------------------------------------------------------------
+# Self-managed stacksets require pair of StackSetAdministrationRole & StackSetExecutionRole IAM roles with self-managed permissions.
+#
+# If auto_create_stackset_roles is true, terraform will create this IAM Admin role in the source account with permissions to create
+# stacksets. If false, and values for stackset Admin role ARN is provided stackset will use it, else AWS will look for
+# predefined/default AWSCloudFormationStackSetAdministrationRoleForEBApiDest.
+#-----------------------------------------------------------------------------------------------------------------------------------------
resource "aws_iam_role" "event_bus_stackset_admin_role" {
count = !var.auto_create_stackset_roles ? 0 : 1
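Review bot: The restored comment's `predefined/default` sentence now names `AWSCloudFormationStackSetAdministrationRoleForEBApiDest` as what AWS falls back to when no admin role ARN is supplied, but that is the name this module gives its own role (`name = "AWSCloudFormationStackSetAdministrationRoleForEBApiDest"` in patch 1); the AWS-side default CloudFormation looks for is `AWSCloudFormationStackSetAdministrationRole`, as the original comment said. The comment on `event_bus_stackset_execution_role` in the next hunk has the same mix-up with `AWSCloudFormationStackSetExecutionRoleForEBApiDest`. I'd write `# ... else AWS will look for the predefined/default AWSCloudFormationStackSetAdministrationRole (the role this module creates is named AWSCloudFormationStackSetAdministrationRoleForEBApiDest).` and the equivalent for the execution role.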
@@ -55,6 +80,13 @@ resource "aws_iam_role_policy_attachments_exclusive" "event_bus_stackset_admin_r
]
}
+#-----------------------------------------------------------------------------------------------------------------------------------------
+# Self-managed stacksets require pair of StackSetAdministrationRole & StackSetExecutionRole IAM roles with self-managed permissions.
+#
+# If auto_create_stackset_roles is true, terraform will create this IAM Admin role in the source account with permissions to create
+# stacksets, Event Bridge resources and trust relationship to CloudFormation service. If false, and values for stackset Execution role
+# name is provided stackset will use it, else AWS will look for predefined/default AWSCloudFormationStackSetExecutionRoleForEBApiDest.
+#-----------------------------------------------------------------------------------------------------------------------------------------
resource "aws_iam_role" "event_bus_stackset_execution_role" {
count = !var.auto_create_stackset_roles ? 0 : 1
@@ -87,6 +119,13 @@ resource "aws_iam_role_policy_attachments_exclusive" "event_bus_stackset_executi
]
}
+#-----------------------------------------------------------------------------------------------------------------------------------------
+# These resources create an IAM role in the source account with permissions to invoke API destinations.
+# This role is attached to the EventBridge rule that is created in the source account.
+#
+# This role will be used by EventBridge when sending events to Sysdig via API Destinations. The EventBridge service is
+# given permission to assume this role, and Sysdig's cloud identity is allowed to assume the role for validation purposes.
+#-----------------------------------------------------------------------------------------------------------------------------------------
resource "aws_iam_role" "event_bridge_api_destination_role" {
name = local.eb_resource_name
tags = var.tags
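Review bot: The restored comment states that Sysdig's cloud identity is allowed to assume this role for validation, but the `assume_role_policy` that decides that is below the hunk and not visible here. Because the role carries `events:InvokeApiDestination`, the statement trusting `local.trusted_identity` should be conditioned on `sts:ExternalId` using `data.sysdig_secure_tenant_external_id.external_id`, which this file already reads; please confirm the trust policy does that, and extend the comment with `# The Sysdig principal's trust statement is conditioned on the tenant external ID (confused-deputy guard).` so the intent is documented next to the role.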
@@ -119,6 +158,12 @@ resource "aws_iam_role" "event_bridge_api_destination_role" {
EOF
}
+#-----------------------------------------------------------------------------------------------------------------------------------------
+# This policy grants the necessary permissions for the API destination role:
+# 1. InvokeApiDestination - Allows invoking the API destination to send events to Sysdig
+# 2. EventRuleAndDestinationAccess - Allows describing rules, targets, API destinations, and connections for validation
+# 3. CloudWatchMetricsAccess - Allows retrieving metrics for monitoring and validation
+#-----------------------------------------------------------------------------------------------------------------------------------------
resource "aws_iam_role_policy" "event_bridge_api_destination_policy" {
name = local.eb_resource_name
role = aws_iam_role.event_bridge_api_destination_role.id
@@ -135,21 +180,23 @@ resource "aws_iam_role_policy" "event_bridge_api_destination_policy" {
]
},
{
- Sid = "CloudTrailEventRuleAccess"
+ Sid = "EventRuleAndDestinationAccess"
Action = [
"events:DescribeRule",
"events:ListTargetsByRule",
+ "events:DescribeApiDestination",
+ "events:DescribeConnection"
]
Effect = "Allow"
Resource = [
"${local.arn_prefix}:events:*:*:rule/${local.eb_resource_name}",
+ "${local.arn_prefix}:events:*:*:api-destination/${local.eb_resource_name}-destination",
+ "${local.arn_prefix}:events:*:*:connection/${local.eb_resource_name}-connection"
]
},
{
- Sid = "ValidationAccess"
+ Sid = "CloudWatchMetricsAccess"
Action = [
- "events:DescribeApiDestination",
- "events:DescribeConnection",
"cloudwatch:GetMetricStatistics"
]
Effect = "Allow"
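Review bot: The new api-destination and connection ARNs keep the `*:*` region/account wildcard from the rule line above them; the region wildcard is needed because the stackset spans `var.regions`, but the account is known from `data.aws_caller_identity.current.account_id`, read at the top of this file, and could be pinned, e.g. `"${local.arn_prefix}:events:*:${data.aws_caller_identity.current.account_id}:api-destination/${local.eb_resource_name}-destination"` with the same change on the connection and rule lines. These are Describe actions, so this is a least-privilege tidy-up rather than a bug. The `Resource` of the `CloudWatchMetricsAccess` statement is below the hunk; `cloudwatch:GetMetricStatistics` has to stay on `*` there, which is why splitting it out of the scoped statement is the right move.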
@@ -159,6 +206,17 @@ resource "aws_iam_role_policy" "event_bridge_api_destination_policy" {
})
}
+#-----------------------------------------------------------------------------------------------------------------------------------------
+# This resource creates a stackset to set up an EventBridge Rule and API Destination to forward CloudTrail events from the
+# source account to Sysdig. CloudTrail events are sent to the default EventBridge Bus in the source account automatically.
+#
+# The stackset creates three resources in each region:
+# 1. API Connection - Authenticates with Sysdig's endpoint using an API key
+# 2. API Destination - Forwards events to Sysdig's webhook ingestion endpoint
+# 3. EventBridge Rule - Captures events matching the specified pattern and targets the API destination
+#
+# Note: self-managed stacksets require pair of StackSetAdministrationRole & StackSetExecutionRole IAM roles with self-managed permissions
+#-----------------------------------------------------------------------------------------------------------------------------------------
resource "aws_cloudformation_stack_set" "eb_rule_and_api_dest_stackset" {
name = join("-", [local.eb_resource_name, "EBRuleAndApiDestination"])
tags = var.tags
@@ -211,6 +269,12 @@ resource "aws_cloudformation_stack_set_instance" "eb_rule_and_api_dest_stackset_
}
}
+#-----------------------------------------------------------------------------------------------------------------------------------------
+# Call Sysdig Backend to add the event-bridge integration to the Sysdig Cloud Account
+#
+# Note (optional): To ensure this gets called after all cloud resources are created, add
+# explicit dependency using depends_on
+#-----------------------------------------------------------------------------------------------------------------------------------------
resource "sysdig_secure_cloud_auth_account_component" "aws_event_bridge" {
account_id = var.sysdig_secure_account_id
type = local.component_type
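Review bot: The restored comment ends with `Note (optional): ... add explicit dependency using depends_on`, which reads as an open TODO rather than documentation, and the resource body below the hunk is not visible, so I cannot tell whether a `depends_on` is present. Since the README in patch 1 says this component tracks and validates the API Destination configuration, the backend call presumably needs the stackset instances to exist first; either add `depends_on = [aws_cloudformation_stack_set_instance.eb_rule_and_api_dest_stackset_instance]` to the resource (plus the organizational instances when `var.is_organizational` is set, if the provider tolerates conditional references) or drop the note so it does not look like unfinished work.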
diff --git a/modules/integrations/event-bridge/organizational.tf b/modules/integrations/event-bridge/organizational.tf
index 709dc8e..d3f6715 100644
--- a/modules/integrations/event-bridge/organizational.tf
+++ b/modules/integrations/event-bridge/organizational.tf
@@ -1,3 +1,8 @@
+#-----------------------------------------------------------------------------------------------------------------------
+# These resources set up an EventBridge Rule and Target to forward all CloudTrail events from the source account to
+# Sysdig in all accounts in an AWS Organization via service-managed CloudFormation StackSets.
+# For a single account installation, see main.tf.
+#-----------------------------------------------------------------------------------------------------------------------
resource "aws_cloudformation_stack_set" "eb_rule_api_dest_stackset" {
count = var.is_organizational ? 1 : 0
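Review bot: The new header comment describes `an EventBridge Rule and Target` forwarding events, but the stackset it heads is `eb_rule_api_dest_stackset` and the README in patch 1 replaced the bus target with an API Destination and Connection, so the wording reads as carried over from the event-bus version. I'd change the first line to `# These resources set up an EventBridge Rule and API Destination (with its Connection) to forward all CloudTrail events from the source account to`. The resource body continues outside the hunk.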
@@ -65,7 +70,7 @@ resource "aws_cloudformation_stack_set_instance" "eb_rule_api_dest_instance" {
stack_set_name = aws_cloudformation_stack_set.eb_rule_api_dest_stackset[0].name
deployment_targets {
- organizational_unit_ids = local.deployment_targets_ous.org_units_to_deploy
+ organizational_unit_ids = local.deployment_targets_org_units
accounts = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy)
account_filter_type = local.check_old_ouid_param ? null : local.deployment_targets_accounts_filter
}
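Review bot: `local.deployment_targets_org_units` (and `local.check_old_ouid_param`, `local.deployment_targets_accounts_filter`, `local.deployment_targets_accounts`) are not defined anywhere in this series, and patch 3 deleted the only `locals` block organizational.tf had, so they presumably live in another file of the module; a one-line comment above `deployment_targets` naming that file, e.g. `# deployment_targets_* locals are defined in <shared locals file>`, would save the next reader the search. Patch 3 switched this line to `local.deployment_targets_ous.org_units_to_deploy` and this patch switches it back, so one of the two intermediate states likely does not plan; the `eb_role_stackset_instance` hunk below has the same history. The resource block begins outside the hunk.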
@@ -88,7 +93,7 @@ resource "aws_cloudformation_stack_set_instance" "eb_role_stackset_instance" {
stack_set_name = aws_cloudformation_stack_set.eb_role_stackset[0].name
deployment_targets {
- organizational_unit_ids = local.deployment_targets_ous.org_units_to_deploy
+ organizational_unit_ids = local.deployment_targets_org_units
accounts = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy)
account_filter_type = local.check_old_ouid_param ? null : local.deployment_targets_accounts_filter
}