From 57c2dcc68e630518edd65e8965a4bac8c6dd4774 Mon Sep 17 00:00:00 2001
From: Ravina Dhruve <136399755+ravinadhruve10@users.noreply.github.com>
Date: Tue, 19 Nov 2024 15:52:32 -0800
Subject: [PATCH] feat(modules): Support for Govcloud account/org (#138)
* feat(modules): Support for Govcloud account/org
Change summary:
----------------
- Added support to install govcloud single account and org in foundational template.
- Added same support in log_ingestion event-bridge template.
- For log_ingestion s3, no changes required to the template. Added minor nits.
* Fix param name
* Update makefile
* Use Partition param instead
---
 modules/Makefile | 6 ++-
 modules/foundational.cft.yaml | 52 ++++++++++++++++++++------
 modules/log_ingestion.events.cft.yaml | 54 +++++++++++++++++++--------
 modules/log_ingestion.s3.cft.yaml | 6 +--
 4 files changed, 86 insertions(+), 32 deletions(-)
diff --git a/modules/Makefile b/modules/Makefile
index f37021a..c3d27a0 100644
--- a/modules/Makefile
+++ b/modules/Makefile
@@ -45,7 +45,8 @@ deploy:
 "ExternalID=$(PARAM_EXTERNAL_ID)" \
 "TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
 "IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
- "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
+ "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
+ "Partition=${PARAM_PARTITION}"
 aws cloudformation deploy \
 --stack-name $(STACK_NAME)-LogIngestion-EventBridge-$(PARAM_NAME_SUFFIX) \
 --template-file log_ingestion.events.cft.yaml \
@@ -57,7 +58,8 @@ deploy:
 "Regions=$(PARAM_REGIONS)" \
 "TargetEventBusARN=$(PARAM_TARGET_EVENT_BUS_ARN)" \
 "IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
- "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
+ "OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
+ "Partition=${PARAM_PARTITION}"
 aws cloudformation deploy \
 --stack-name $(STACK_NAME)-LogIngestion-S3-$(PARAM_NAME_SUFFIX) \
 --template-file log_ingestion.s3.cft.yaml \
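Review bot: In both hunks `"Partition=${PARAM_PARTITION}"` is passed unconditionally, so when `PARAM_PARTITION` is not set the stack receives an empty string, which overrides the templates' `Default: 'aws'` and every `!Sub arn:${Partition}:...` then produces an ARN with an empty partition field that no managed policy or IAM resource will match. Giving the variable a default where the other `PARAM_*` variables are defined (outside this hunk), `PARAM_PARTITION ?= aws`, keeps the template default meaningful, and the accepted values should be restricted to the partitions the templates are tested in. Separately, `${PARAM_PARTITION}` is the only override written with braces while its neighbours use `$(...)`; make treats both the same, but the brace form reads like a shell expansion, so `"Partition=$(PARAM_PARTITION)"` is preferable. The `deploy` recipe these lines belong to starts outside the hunk.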
diff --git a/modules/foundational.cft.yaml b/modules/foundational.cft.yaml
index dcdd046..2efc86b 100644
--- a/modules/foundational.cft.yaml
+++ b/modules/foundational.cft.yaml
@@ -11,6 +11,7 @@ Metadata:
 - TrustedIdentity
 - IsOrganizational
 - OrganizationalUnitIDs
+ - Partition
 ParameterLabels:
 NameSuffix:
 default: Name Suffix
@@ -22,6 +23,8 @@ Metadata:
 default: Is Organizational
 OrganizationalUnitIDs:
 default: Organizational Unit IDs
+ Partition:
+ default: AWS Partition
 Parameters:
 NameSuffix:
 Type: String
@@ -45,6 +48,10 @@ Parameters:
 OrganizationalUnitIDs:
 Type: CommaDelimitedList
 Description: Comma separated list of organizational unit IDs to deploy
+ Partition:
+ Type: String
+ Description: AWS Partition of your account or organization to create resources in
+ Default: 'aws'
 Conditions:
 IsOrganizational:
 Fn::Equals:
@@ -68,7 +75,7 @@ Resources:
 sts:ExternalId:
 Ref: ExternalID
 ManagedPolicyArns:
- - arn:aws:iam::aws:policy/SecurityAudit
+ - !Sub arn:${Partition}:iam::aws:policy/SecurityAudit
 Policies:
 - PolicyName: !Sub sysdig-secure-posture-${NameSuffix}
 PolicyDocument:
@@ -82,8 +89,8 @@ Resources:
 - waf-regional:ListRules
 - waf-regional:ListRuleGroups
 Resource:
- - arn:aws:waf-regional:*:*:rule/*
- - arn:aws:waf-regional:*:*:rulegroup/*
+ - !Sub arn:${Partition}:waf-regional:*:*:rule/*
+ - !Sub arn:${Partition}:waf-regional:*:*:rulegroup/*
 - Effect: Allow
 Action: macie2:ListClassificationJobs
 Resource: '*'
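Review bot: `Partition` in the `@@ -45,6 +48,10 @@` hunk is a free-form `Type: String` with only `Default: 'aws'`, so a mistyped or unsupported value is accepted at deploy time and only shows up later as `!Sub arn:${Partition}:...` ARNs that match nothing; add `AllowedValues:` listing the partitions these templates are actually deployed to (`aws` and `aws-us-gov` are the ones this commit targets). Alternatively, the `AWS::Partition` pseudo parameter already resolves to the partition the stack is created in, so writing `${AWS::Partition}` inside each `!Sub` would remove the parameter and the `ParameterKey: Partition` plumbing through the stack sets entirely, and since a stack set does not deploy across partitions the member templates would resolve the same value. The same unconstrained parameter is added to log_ingestion.events.cft.yaml in its `@@ -93,6 +96,10 @@` hunk.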
@@ -114,9 +121,18 @@ Resources:
 ManagedPolicyArns:
 Fn::If:
 - IsOrganizational
- - - arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess
- - arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess
- - - arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess
+ - - !Sub arn:${Partition}:iam::aws:policy/AWSOrganizationsReadOnlyAccess
+ - - !Ref AWS::NoValue
+ Policies:
+ - PolicyName: !Sub sysdig-secure-onboarding-${NameSuffix}
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - account:Get*
+ - account:List*
+ Resource: '*'
 OrganizationStackSet:
 Type: AWS::CloudFormation::StackSet
 Condition: IsOrganizational
@@ -145,6 +161,9 @@ Resources:
 - ParameterKey: ExternalID
 ParameterValue:
 Ref: ExternalID
+ - ParameterKey: Partition
+ ParameterValue:
+ Ref: Partition
 StackInstancesGroup:
 - DeploymentTargets:
 OrganizationalUnitIds: !Ref OrganizationalUnitIDs
@@ -166,6 +185,9 @@ Resources:
 ExternalID:
 Type: String
 Description: external ID
+ Partition:
+ Type: String
+ Description: AWS Partition of your account or organization to create resources in
 
 Resources:
 ConfigPostureRole:
@@ -183,7 +205,7 @@ Resources:
 StringEquals:
 sts:ExternalId: !Ref ExternalID
 ManagedPolicyArns:
- - arn:aws:iam::aws:policy/SecurityAudit
+ - !Sub arn:${Partition}:iam::aws:policy/SecurityAudit
 Policies:
 - PolicyName: !Sub sysdig-secure-posture-${NameSuffix}
 PolicyDocument:
@@ -197,8 +219,8 @@ Resources:
 - "waf-regional:ListRules"
 - "waf-regional:ListRuleGroups"
 Resource:
- - "arn:aws:waf-regional:*:*:rule/*"
- - "arn:aws:waf-regional:*:*:rulegroup/*"
+ - !Sub arn:${Partition}:waf-regional:*:*:rule/*
+ - !Sub arn:${Partition}:waf-regional:*:*:rulegroup/*
 - Effect: "Allow"
 Action: "macie2:ListClassificationJobs"
 Resource: "*"
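Review bot: The `Fn::If` rewrite in the `@@ -114,9 +121,18 @@` hunk drops `AWSAccountManagementReadOnlyAccess` from both branches and substitutes the inline `sysdig-secure-onboarding-${NameSuffix}` policy (`account:Get*` and `account:List*` on `*`), but nothing records why a managed policy became an inline one, so the next reader is likely to "tidy" it back; a comment above `Policies:` such as `# account:Get*/List* are inlined instead of attaching AWSAccountManagementReadOnlyAccess so the role works in every supported partition` would prevent that, assuming that is the motivation — please confirm. The non-organizational branch is now `- - !Ref AWS::NoValue`, a one-element list containing NoValue rather than NoValue as the branch value; I believe CloudFormation drops the element and leaves an empty `ManagedPolicyArns`, but the documented way to omit the property is `- !Ref AWS::NoValue` as the third `Fn::If` argument. The same managed-to-inline substitution appears in the member template in the `@@ -224,8 +246,16 @@` hunk. The role resource these properties belong to starts outside the hunk.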
@@ -224,8 +246,16 @@ Resources:
 Condition:
 StringEquals:
 sts:ExternalId: !Ref ExternalID
- ManagedPolicyArns:
- - arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess
+ Policies:
+ - PolicyName: !Sub sysdig-secure-onboarding-${NameSuffix}
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - account:Get*
+ - account:List*
+ Resource: '*'
 
 Outputs:
 ConfigPostureRoleARN:
diff --git a/modules/log_ingestion.events.cft.yaml b/modules/log_ingestion.events.cft.yaml
index 617261d..d2aef97 100644
--- a/modules/log_ingestion.events.cft.yaml
+++ b/modules/log_ingestion.events.cft.yaml
@@ -15,25 +15,28 @@ Metadata:
 - RuleEventPattern
 - IsOrganizational
 - OrganizationalUnitIDs
+ - Partition
 ParameterLabels:
 NameSuffix:
 default: Name Suffix
 ExternalID:
- default: "External ID"
+ default: External ID
 TrustedIdentity:
- default: "Trusted Identity"
+ default: Trusted Identity
 TargetEventBusARN:
- default: "Target Event Bus"
+ default: Target Event Bus
 Regions:
- default: "Instrumented Regions"
+ default: Instrumented Regions
 RuleState:
- default: "EventBridge Rule state"
+ default: EventBridge Rule state
 RuleEventPattern:
- default: "EventBridge Rule event pattern"
+ default: EventBridge Rule event pattern
 IsOrganizational:
 default: Is Organizational
 OrganizationalUnitIDs:
- default: "Organizational Unit IDs"
+ default: Organizational Unit IDs
+ Partition:
+ default: AWS Partition
 Parameters:
 NameSuffix:
 Type: String
@@ -93,6 +96,10 @@ Parameters:
 AllowedValues:
 - 'true'
 - 'false'
+ Partition:
+ Type: String
+ Description: AWS Partition of your account or organization to create resources in
+ Default: 'aws'
 Conditions:
 IsOrganizational:
 Fn::Equals:
@@ -120,7 +127,7 @@ Resources:
 Action:
 - sts:AssumeRole
 Resource:
- - !Sub arn:aws:iam:::role/sysdig-secure-events-stackset-execution-${NameSuffix}
+ - !Sub arn:${Partition}:iam:::role/sysdig-secure-events-stackset-execution-${NameSuffix}
 ExecutionRole:
 Type: AWS::IAM::Role
 Properties:
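Review bot: The rewritten `Resource` entry `arn:${Partition}:iam:::role/sysdig-secure-events-stackset-execution-${NameSuffix}` in the `@@ -120,7 +127,7 @@` hunk still has an empty account field (`iam:::role`), carried over from the old line; a role ARN always has an account id in that position, so as written this `sts:AssumeRole` grant would appear to match no real role. The `ExecutionRole` it names is defined directly below in the same template, so the expected form would be `arn:${Partition}:iam::${AWS::AccountId}:role/sysdig-secure-events-stackset-execution-${NameSuffix}`; confirm against a deployed stack before changing it, since the behaviour predates this commit. The policy statement and the role it belongs to start outside the hunk.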
@@ -135,8 +142,8 @@ Resources:
 Action:
 - sts:AssumeRole
 ManagedPolicyArns:
- - arn:aws:iam::aws:policy/AmazonEventBridgeFullAccess
- - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
+ - !Sub arn:${Partition}:iam::aws:policy/AmazonEventBridgeFullAccess
+ - !Sub arn:${Partition}:iam::aws:policy/AWSCloudFormationFullAccess
 EventBridgeRole:
 Type: AWS::IAM::Role
 Properties:
@@ -168,7 +175,7 @@ Resources:
 - "events:DescribeRule"
 - "events:ListTargetsByRule"
 Resource:
- - !Sub arn:aws:events:*:*:rule/sysdig-secure-events-${NameSuffix}
+ - !Sub arn:${Partition}:events:*:*:rule/sysdig-secure-events-${NameSuffix}
 EventBridgeRuleStackSet:
 Type: AWS::CloudFormation::StackSet
 Metadata:
@@ -203,7 +210,9 @@ Resources:
 - ParameterKey: RuleState
 ParameterValue: !Ref RuleState
 - ParameterKey: RuleEventPattern
- ParameterValue: !Ref RuleEventPattern
+ ParameterValue: !Ref RuleEventPattern
+ - ParameterKey: Partition
+ ParameterValue: !Ref Partition
 StackInstancesGroup:
 - DeploymentTargets:
 Accounts:
@@ -230,6 +239,9 @@ Resources:
 RuleEventPattern:
 Type: String
 Description: JSON pattern for the EventBridge rule's event pattern
+ Partition:
+ Type: String
+ Description: AWS Partition of your account or organization to create resources in
 Resources:
 EventBridgeRule:
 Type: "AWS::Events::Rule"
@@ -241,7 +253,7 @@ Resources:
 Targets:
 - Id: !Ref Name
 Arn: !Sub ${TargetEventBusARN}
- RoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/${Name}
+ RoleArn: !Sub arn:${Partition}:iam::${AWS::AccountId}:role/${Name}
 OrganizationRoleStackSet:
 Type: AWS::CloudFormation::StackSet
 Condition: IsOrganizational
@@ -269,6 +281,8 @@ Resources:
 ParameterValue: !Ref ExternalID
 - ParameterKey: TargetEventBusARN
 ParameterValue: !Ref TargetEventBusARN
+ - ParameterKey: Partition
+ ParameterValue: !Ref Partition
 StackInstancesGroup:
 - DeploymentTargets:
 OrganizationalUnitIds: !Ref OrganizationalUnitIDs
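Review bot: In the `@@ -203,7 +210,9 @@` hunk the line `ParameterValue: !Ref RuleEventPattern` is removed and re-added with identical visible text, so the only difference can be whitespace (trailing or indentation); the `TargetEventBusARN` `Description` line in the `@@ -288,7 +302,10 @@` hunk of the same file shows the same pattern. Formatting-only edits bundled into a feature commit make a reviewer hunt for a semantic change that is not there; either keep them out of the commit or name them in the message. The stack-set `Parameters:` list these entries belong to starts outside the hunk.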
@@ -288,7 +302,10 @@ Resources:
 Description: A unique identifier used to create and reference resources
 TargetEventBusARN:
 Type: String
- Description: The destination in Sysdig's AWS account where your events are sent
+ Description: The destination in Sysdig's AWS account where your events are sent
+ Partition:
+ Type: String
+ Description: AWS Partition of your account or organization to create resources in
 Resources:
 EventBridgeRole:
 Type: AWS::IAM::Role
@@ -321,7 +338,7 @@ Resources:
 - "events:DescribeRule"
 - "events:ListTargetsByRule"
 Resource:
- - !Sub arn:aws:events:*:*:rule/${Name}
+ - !Sub arn:${Partition}:events:*:*:rule/${Name}
 OrganizationRuleStackSet:
 Type: AWS::CloudFormation::StackSet
 Condition: IsOrganizational
@@ -352,6 +369,8 @@ Resources:
 ParameterValue: !Ref RuleState
 - ParameterKey: RuleEventPattern
 ParameterValue: !Ref RuleEventPattern
+ - ParameterKey: Partition
+ ParameterValue: !Ref Partition
 StackInstancesGroup:
 - DeploymentTargets:
 OrganizationalUnitIds: !Ref OrganizationalUnitIDs
@@ -377,6 +396,9 @@ Resources:
 RuleEventPattern:
 Type: String
 Description: JSON pattern for the EventBridge rule's event pattern
+ Partition:
+ Type: String
+ Description: AWS Partition of your account or organization to create resources in
 Resources:
 EventBridgeRule:
 Type: "AWS::Events::Rule"
@@ -388,7 +410,7 @@ Resources:
 Targets:
 - Id: !Ref Name
 Arn: !Ref TargetEventBusARN
- RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${Name}"
+ RoleArn: !Sub "arn:${Partition}:iam::${AWS::AccountId}:role/${Name}"
 Outputs:
 EventBridgeRoleARN:
 Description: Sysdig Secure EventBridge Role ARN
diff --git a/modules/log_ingestion.s3.cft.yaml b/modules/log_ingestion.s3.cft.yaml
index c76eea7..bf68a0e 100644
--- a/modules/log_ingestion.s3.cft.yaml
+++ b/modules/log_ingestion.s3.cft.yaml
@@ -20,11 +20,11 @@ Metadata:
 NameSuffix:
 default: Name Suffix
 ExternalID:
- default: "External ID"
+ default: External ID
 TrustedIdentity:
- default: "Trusted Identity"
+ default: Trusted Identity
 BucketARN:
- default: "Bucket ARN"
+ default: Bucket ARN
 Parameters:
 NameSuffix: