feat(modules): Support for Govcloud account/org (#138)
* feat(modules): Support for Govcloud account/org

Change summary:
----------------
- Added support to install govcloud single account and org in foundational template.
- Added same support in log_ingestion event-bridge template.
- For log_ingestion s3, no template changes were required; only minor nits (quoting of parameter labels) were addressed.

* Fix param name

* Update makefile

* Use Partition param instead
ravinadhruve10 authored Nov 19, 2024
1 parent cbb6be4 commit 57c2dcc
Showing 4 changed files with 86 additions and 32 deletions.
6 changes: 4 additions & 2 deletions modules/Makefile
Expand Up @@ -45,7 +45,8 @@ deploy:
"ExternalID=$(PARAM_EXTERNAL_ID)" \
"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
"Partition=${PARAM_PARTITION}"
aws cloudformation deploy \
--stack-name $(STACK_NAME)-LogIngestion-EventBridge-$(PARAM_NAME_SUFFIX) \
--template-file log_ingestion.events.cft.yaml \
Expand All @@ -57,7 +58,8 @@ deploy:
"Regions=$(PARAM_REGIONS)" \
"TargetEventBusARN=$(PARAM_TARGET_EVENT_BUS_ARN)" \
"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
"Partition=${PARAM_PARTITION}"
aws cloudformation deploy \
--stack-name $(STACK_NAME)-LogIngestion-S3-$(PARAM_NAME_SUFFIX) \
--template-file log_ingestion.s3.cft.yaml \
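Review bot: The two new `"Partition=${PARAM_PARTITION}"` overrides are passed unconditionally, so when the variable is unset the stacks receive `Partition=` (an empty string), which I believe overrides the templates' `Default: 'aws'` and produces ARNs such as `arn::iam::aws:policy/SecurityAudit` that only fail at role creation. Unless `PARAM_PARTITION` is defaulted elsewhere in the Makefile (not visible in this hunk), add `PARAM_PARTITION ?= aws` next to the other parameter defaults. The new lines also use `${...}` where every neighbouring override uses `$(...)`; Make treats the two identically, but `"Partition=$(PARAM_PARTITION)"` keeps the recipe uniform. The `deploy` recipe starts and ends outside the hunk.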
52 changes: 41 additions & 11 deletions modules/foundational.cft.yaml
Expand Up @@ -11,6 +11,7 @@ Metadata:
- TrustedIdentity
- IsOrganizational
- OrganizationalUnitIDs
- Partition
ParameterLabels:
NameSuffix:
default: Name Suffix
Expand All @@ -22,6 +23,8 @@ Metadata:
default: Is Organizational
OrganizationalUnitIDs:
default: Organizational Unit IDs
Partition:
default: AWS Partition
Parameters:
NameSuffix:
Type: String
Expand All @@ -45,6 +48,10 @@ Parameters:
OrganizationalUnitIDs:
Type: CommaDelimitedList
Description: Comma separated list of organizational unit IDs to deploy
Partition:
Type: String
Description: AWS Partition of your account or organization to create resources in
Default: 'aws'
Conditions:
IsOrganizational:
Fn::Equals:
Expand All @@ -68,7 +75,7 @@ Resources:
sts:ExternalId:
Ref: ExternalID
ManagedPolicyArns:
- arn:aws:iam::aws:policy/SecurityAudit
- !Sub arn:${Partition}:iam::aws:policy/SecurityAudit
Policies:
- PolicyName: !Sub sysdig-secure-posture-${NameSuffix}
PolicyDocument:
Expand All @@ -82,8 +89,8 @@ Resources:
- waf-regional:ListRules
- waf-regional:ListRuleGroups
Resource:
- arn:aws:waf-regional:*:*:rule/*
- arn:aws:waf-regional:*:*:rulegroup/*
- !Sub arn:${Partition}:waf-regional:*:*:rule/*
- !Sub arn:${Partition}:waf-regional:*:*:rulegroup/*
- Effect: Allow
Action: macie2:ListClassificationJobs
Resource: '*'
Expand Down Expand Up @@ -114,9 +121,18 @@ Resources:
ManagedPolicyArns:
Fn::If:
- IsOrganizational
- - arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess
- arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess
- - arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess
- - !Sub arn:${Partition}:iam::aws:policy/AWSOrganizationsReadOnlyAccess
- - !Ref AWS::NoValue
Policies:
- PolicyName: !Sub sysdig-secure-onboarding-${NameSuffix}
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- account:Get*
- account:List*
Resource: '*'
OrganizationStackSet:
Type: AWS::CloudFormation::StackSet
Condition: IsOrganizational
Expand Down Expand Up @@ -145,6 +161,9 @@ Resources:
- ParameterKey: ExternalID
ParameterValue:
Ref: ExternalID
- ParameterKey: Partition
ParameterValue:
Ref: Partition
StackInstancesGroup:
- DeploymentTargets:
OrganizationalUnitIds: !Ref OrganizationalUnitIDs
Expand All @@ -166,6 +185,9 @@ Resources:
ExternalID:
Type: String
Description: external ID
Partition:
Type: String
Description: AWS Partition of your account or organization to create resources in
Resources:
ConfigPostureRole:
Expand All @@ -183,7 +205,7 @@ Resources:
StringEquals:
sts:ExternalId: !Ref ExternalID
ManagedPolicyArns:
- arn:aws:iam::aws:policy/SecurityAudit
- !Sub arn:${Partition}:iam::aws:policy/SecurityAudit
Policies:
- PolicyName: !Sub sysdig-secure-posture-${NameSuffix}
PolicyDocument:
Expand All @@ -197,8 +219,8 @@ Resources:
- "waf-regional:ListRules"
- "waf-regional:ListRuleGroups"
Resource:
- "arn:aws:waf-regional:*:*:rule/*"
- "arn:aws:waf-regional:*:*:rulegroup/*"
- !Sub arn:${Partition}:waf-regional:*:*:rule/*
- !Sub arn:${Partition}:waf-regional:*:*:rulegroup/*
- Effect: "Allow"
Action: "macie2:ListClassificationJobs"
Resource: "*"
Expand All @@ -224,8 +246,16 @@ Resources:
Condition:
StringEquals:
sts:ExternalId: !Ref ExternalID
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess
Policies:
- PolicyName: !Sub sysdig-secure-onboarding-${NameSuffix}
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- account:Get*
- account:List*
Resource: '*'
Outputs:
ConfigPostureRoleARN:
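Review bot: The new `Partition` parameter is a free-form `String` with only a `Default`, so a mistyped value (e.g. `aws-gov`) is accepted and surfaces later as IAM rejecting the malformed `!Sub arn:${Partition}:iam::aws:policy/SecurityAudit` ARN; add `AllowedValues: ['aws', 'aws-us-gov', 'aws-cn']` so it is caught at parameter validation. Because a stack, and the StackSet instances it creates, can only deploy into the partition it runs in, the `AWS::Partition` pseudo parameter would yield the same value with no operator input — if there is a reason the value must be user-supplied, a one-line comment on the parameter saying why would help the next reader. Separately, the inline `sysdig-secure-onboarding` policy that replaces `AWSAccountManagementReadOnlyAccess` grants `account:Get*` and `account:List*` on `*`; the wildcards will silently pick up any future `account:` read actions, so enumerating the specific actions the collector actually calls is tighter (presumably the managed policy is unavailable in GovCloud, which is why it was inlined — worth stating in a comment). The role definitions and the nested StackSet template continue outside the visible hunks.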
54 changes: 38 additions & 16 deletions modules/log_ingestion.events.cft.yaml
Expand Up @@ -15,25 +15,28 @@ Metadata:
- RuleEventPattern
- IsOrganizational
- OrganizationalUnitIDs
- Partition
ParameterLabels:
NameSuffix:
default: Name Suffix
ExternalID:
default: "External ID"
default: External ID
TrustedIdentity:
default: "Trusted Identity"
default: Trusted Identity
TargetEventBusARN:
default: "Target Event Bus"
default: Target Event Bus
Regions:
default: "Instrumented Regions"
default: Instrumented Regions
RuleState:
default: "EventBridge Rule state"
default: EventBridge Rule state
RuleEventPattern:
default: "EventBridge Rule event pattern"
default: EventBridge Rule event pattern
IsOrganizational:
default: Is Organizational
OrganizationalUnitIDs:
default: "Organizational Unit IDs"
default: Organizational Unit IDs
Partition:
default: AWS Partition
Parameters:
NameSuffix:
Type: String
Expand Down Expand Up @@ -93,6 +96,10 @@ Parameters:
AllowedValues:
- 'true'
- 'false'
Partition:
Type: String
Description: AWS Partition of your account or organization to create resources in
Default: 'aws'
Conditions:
IsOrganizational:
Fn::Equals:
Expand Down Expand Up @@ -120,7 +127,7 @@ Resources:
Action:
- sts:AssumeRole
Resource:
- !Sub arn:aws:iam:::role/sysdig-secure-events-stackset-execution-${NameSuffix}
- !Sub arn:${Partition}:iam:::role/sysdig-secure-events-stackset-execution-${NameSuffix}
ExecutionRole:
Type: AWS::IAM::Role
Properties:
Expand All @@ -135,8 +142,8 @@ Resources:
Action:
- sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonEventBridgeFullAccess
- arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
- !Sub arn:${Partition}:iam::aws:policy/AmazonEventBridgeFullAccess
- !Sub arn:${Partition}:iam::aws:policy/AWSCloudFormationFullAccess
EventBridgeRole:
Type: AWS::IAM::Role
Properties:
Expand Down Expand Up @@ -168,7 +175,7 @@ Resources:
- "events:DescribeRule"
- "events:ListTargetsByRule"
Resource:
- !Sub arn:aws:events:*:*:rule/sysdig-secure-events-${NameSuffix}
- !Sub arn:${Partition}:events:*:*:rule/sysdig-secure-events-${NameSuffix}
EventBridgeRuleStackSet:
Type: AWS::CloudFormation::StackSet
Metadata:
Expand Down Expand Up @@ -203,7 +210,9 @@ Resources:
- ParameterKey: RuleState
ParameterValue: !Ref RuleState
- ParameterKey: RuleEventPattern
ParameterValue: !Ref RuleEventPattern
ParameterValue: !Ref RuleEventPattern
- ParameterKey: Partition
ParameterValue: !Ref Partition
StackInstancesGroup:
- DeploymentTargets:
Accounts:
Expand All @@ -230,6 +239,9 @@ Resources:
RuleEventPattern:
Type: String
Description: JSON pattern for the EventBridge rule's event pattern
Partition:
Type: String
Description: AWS Partition of your account or organization to create resources in
Resources:
EventBridgeRule:
Type: "AWS::Events::Rule"
Expand All @@ -241,7 +253,7 @@ Resources:
Targets:
- Id: !Ref Name
Arn: !Sub ${TargetEventBusARN}
RoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/${Name}
RoleArn: !Sub arn:${Partition}:iam::${AWS::AccountId}:role/${Name}
OrganizationRoleStackSet:
Type: AWS::CloudFormation::StackSet
Condition: IsOrganizational
Expand Down Expand Up @@ -269,6 +281,8 @@ Resources:
ParameterValue: !Ref ExternalID
- ParameterKey: TargetEventBusARN
ParameterValue: !Ref TargetEventBusARN
- ParameterKey: Partition
ParameterValue: !Ref Partition
StackInstancesGroup:
- DeploymentTargets:
OrganizationalUnitIds: !Ref OrganizationalUnitIDs
Expand All @@ -288,7 +302,10 @@ Resources:
Description: A unique identifier used to create and reference resources
TargetEventBusARN:
Type: String
Description: The destination in Sysdig's AWS account where your events are sent
Description: The destination in Sysdig's AWS account where your events are sent
Partition:
Type: String
Description: AWS Partition of your account or organization to create resources in
Resources:
EventBridgeRole:
Type: AWS::IAM::Role
Expand Down Expand Up @@ -321,7 +338,7 @@ Resources:
- "events:DescribeRule"
- "events:ListTargetsByRule"
Resource:
- !Sub arn:aws:events:*:*:rule/${Name}
- !Sub arn:${Partition}:events:*:*:rule/${Name}
OrganizationRuleStackSet:
Type: AWS::CloudFormation::StackSet
Condition: IsOrganizational
Expand Down Expand Up @@ -352,6 +369,8 @@ Resources:
ParameterValue: !Ref RuleState
- ParameterKey: RuleEventPattern
ParameterValue: !Ref RuleEventPattern
- ParameterKey: Partition
ParameterValue: !Ref Partition
StackInstancesGroup:
- DeploymentTargets:
OrganizationalUnitIds: !Ref OrganizationalUnitIDs
Expand All @@ -377,6 +396,9 @@ Resources:
RuleEventPattern:
Type: String
Description: JSON pattern for the EventBridge rule's event pattern
Partition:
Type: String
Description: AWS Partition of your account or organization to create resources in
Resources:
EventBridgeRule:
Type: "AWS::Events::Rule"
Expand All @@ -388,7 +410,7 @@ Resources:
Targets:
- Id: !Ref Name
Arn: !Ref TargetEventBusARN
RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${Name}"
RoleArn: !Sub "arn:${Partition}:iam::${AWS::AccountId}:role/${Name}"
Outputs:
EventBridgeRoleARN:
Description: Sysdig Secure EventBridge Role ARN
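Review bot: The rewritten resource `!Sub arn:${Partition}:iam:::role/sysdig-secure-events-stackset-execution-${NameSuffix}` in the administration role's `sts:AssumeRole` policy still has an empty account field (`iam:::role`); an IAM role ARN always carries an account ID, and as far as I can tell a policy ARN with an empty account matches no real role, so a self-managed StackSet admin role normally uses `arn:${Partition}:iam::*:role/...` or the specific target account IDs. The empty field predates this change, so please confirm against a working deployment before altering it. The `Partition` parameter here also has no `AllowedValues`; `AllowedValues: ['aws', 'aws-us-gov', 'aws-cn']` (or the `AWS::Partition` pseudo parameter, since the stack cannot deploy across partitions) would catch a mistyped value at validation instead of at role creation. The role resources and the StackSet bodies extend outside the visible hunks.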
6 changes: 3 additions & 3 deletions modules/log_ingestion.s3.cft.yaml
Expand Up @@ -20,11 +20,11 @@ Metadata:
NameSuffix:
default: Name Suffix
ExternalID:
default: "External ID"
default: External ID
TrustedIdentity:
default: "Trusted Identity"
default: Trusted Identity
BucketARN:
default: "Bucket ARN"
default: Bucket ARN

Parameters:
NameSuffix:
