Use Partition param instead
ravinadhruve10 committed Nov 19, 2024
1 parent cfb16f2 commit 7c75d71
Showing 3 changed files with 44 additions and 44 deletions.
4 changes: 2 additions & 2 deletions modules/Makefile
Expand Up @@ -46,7 +46,7 @@ deploy:
"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
"ARNPrefix=${PARAM_ARN_PREFIX}"
"Partition=${PARAM_PARTITION}"
aws cloudformation deploy \
--stack-name $(STACK_NAME)-LogIngestion-EventBridge-$(PARAM_NAME_SUFFIX) \
--template-file log_ingestion.events.cft.yaml \
Expand All @@ -59,7 +59,7 @@ deploy:
"TargetEventBusARN=$(PARAM_TARGET_EVENT_BUS_ARN)" \
"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
"ARNPrefix=${PARAM_ARN_PREFIX}"
"Partition=${PARAM_PARTITION}"
aws cloudformation deploy \
--stack-name $(STACK_NAME)-LogIngestion-S3-$(PARAM_NAME_SUFFIX) \
--template-file log_ingestion.s3.cft.yaml \
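Review bot: `${PARAM_PARTITION}` on the two changed lines (hunks `@@ -46,7 +46,7 @@` and `@@ -59,7 +59,7 @@`) is passed to `--parameter-overrides` unconditionally, so if the variable is unset the stack would likely receive `Partition=` — an empty string that replaces the template's `'aws'` default and produces malformed ARNs such as `arn::iam::aws:policy/SecurityAudit`. The declaration of `PARAM_PARTITION` is outside this hunk; where it is declared, a default such as `PARAM_PARTITION ?= aws` would keep the Makefile's fallback aligned with the templates. As a point of style, the rest of the deploy target references variables as `$(PARAM_...)` while these two lines use `${...}`; GNU make treats both forms identically, but mixing them within one recipe reads as inconsistent. The deploy recipe starts and continues outside both hunks.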
34 changes: 17 additions & 17 deletions modules/foundational.cft.yaml
Expand Up @@ -11,7 +11,7 @@ Metadata:
- TrustedIdentity
- IsOrganizational
- OrganizationalUnitIDs
- ARNPrefix
- Partition
ParameterLabels:
NameSuffix:
default: Name Suffix
Expand All @@ -23,8 +23,8 @@ Metadata:
default: Is Organizational
OrganizationalUnitIDs:
default: Organizational Unit IDs
ARNPrefix:
default: ARN Prefix
Partition:
default: AWS Partition
Parameters:
NameSuffix:
Type: String
Expand All @@ -48,10 +48,10 @@ Parameters:
OrganizationalUnitIDs:
Type: CommaDelimitedList
Description: Comma separated list of organizational unit IDs to deploy
ARNPrefix:
Partition:
Type: String
Description: ARN prefix for the resources based on your account or organization partition
Default: 'arn:aws'
Description: AWS Partition of your account or organization to create resources in
Default: 'aws'
Conditions:
IsOrganizational:
Fn::Equals:
Expand All @@ -75,7 +75,7 @@ Resources:
sts:ExternalId:
Ref: ExternalID
ManagedPolicyArns:
- !Sub ${ARNPrefix}:iam::aws:policy/SecurityAudit
- !Sub arn:${Partition}:iam::aws:policy/SecurityAudit
Policies:
- PolicyName: !Sub sysdig-secure-posture-${NameSuffix}
PolicyDocument:
Expand All @@ -89,8 +89,8 @@ Resources:
- waf-regional:ListRules
- waf-regional:ListRuleGroups
Resource:
- !Sub ${ARNPrefix}:waf-regional:*:*:rule/*
- !Sub ${ARNPrefix}:waf-regional:*:*:rulegroup/*
- !Sub arn:${Partition}:waf-regional:*:*:rule/*
- !Sub arn:${Partition}:waf-regional:*:*:rulegroup/*
- Effect: Allow
Action: macie2:ListClassificationJobs
Resource: '*'
Expand Down Expand Up @@ -121,7 +121,7 @@ Resources:
ManagedPolicyArns:
Fn::If:
- IsOrganizational
- - !Sub ${ARNPrefix}:iam::aws:policy/AWSOrganizationsReadOnlyAccess
- - !Sub arn:${Partition}:iam::aws:policy/AWSOrganizationsReadOnlyAccess
- - !Ref AWS::NoValue
Policies:
- PolicyName: !Sub sysdig-secure-onboarding-${NameSuffix}
Expand Down Expand Up @@ -161,9 +161,9 @@ Resources:
- ParameterKey: ExternalID
ParameterValue:
Ref: ExternalID
- ParameterKey: ARNPrefix
- ParameterKey: Partition
ParameterValue:
Ref: ARNPrefix
Ref: Partition
StackInstancesGroup:
- DeploymentTargets:
OrganizationalUnitIds: !Ref OrganizationalUnitIDs
Expand All @@ -185,9 +185,9 @@ Resources:
ExternalID:
Type: String
Description: external ID
ARNPrefix:
Partition:
Type: String
Description: ARN prefix for the resources based on your account or organization partition
Description: AWS Partition of your account or organization to create resources in
Resources:
ConfigPostureRole:
Expand All @@ -205,7 +205,7 @@ Resources:
StringEquals:
sts:ExternalId: !Ref ExternalID
ManagedPolicyArns:
- !Sub ${ARNPrefix}:iam::aws:policy/SecurityAudit
- !Sub arn:${Partition}:iam::aws:policy/SecurityAudit
Policies:
- PolicyName: !Sub sysdig-secure-posture-${NameSuffix}
PolicyDocument:
Expand All @@ -219,8 +219,8 @@ Resources:
- "waf-regional:ListRules"
- "waf-regional:ListRuleGroups"
Resource:
- !Sub ${ARNPrefix}:waf-regional:*:*:rule/*
- !Sub ${ARNPrefix}:waf-regional:*:*:rulegroup/*
- !Sub arn:${Partition}:waf-regional:*:*:rule/*
- !Sub arn:${Partition}:waf-regional:*:*:rulegroup/*
- Effect: "Allow"
Action: "macie2:ListClassificationJobs"
Resource: "*"
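Review bot: The new `Partition` parameter (hunk `@@ -48,10 +48,10 @@`) is a free-form `String` that is interpolated into `ManagedPolicyArns` and into the `Resource` elements of IAM policy statements, yet it carries no `AllowedValues` or `AllowedPattern`, so a mistyped value produces malformed ARNs that only surface at deploy time. The partition names are a closed set, so `AllowedValues: ['aws', 'aws-cn', 'aws-us-gov']` under the parameter would reject bad input before any IAM resource is created; the identical parameter in modules/log_ingestion.events.cft.yaml needs the same constraint. Alternatively, CloudFormation's `AWS::Partition` pseudo parameter resolves to the partition of the deploying account, so `!Sub arn:${AWS::Partition}:iam::aws:policy/SecurityAudit` would remove the user-supplied parameter altogether — whether the parameter is needed by tooling outside this repository is not visible here. The nested StackSet template's `Partition` parameter (hunk `@@ -185,9 +185,9 @@`) has no default, which is acceptable only because the parent stack passes it explicitly via `ParameterValue`.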
50 changes: 25 additions & 25 deletions modules/log_ingestion.events.cft.yaml
Expand Up @@ -15,7 +15,7 @@ Metadata:
- RuleEventPattern
- IsOrganizational
- OrganizationalUnitIDs
- ARNPrefix
- Partition
ParameterLabels:
NameSuffix:
default: Name Suffix
Expand All @@ -35,8 +35,8 @@ Metadata:
default: Is Organizational
OrganizationalUnitIDs:
default: Organizational Unit IDs
ARNPrefix:
default: ARN Prefix
Partition:
default: AWS Partition
Parameters:
NameSuffix:
Type: String
Expand Down Expand Up @@ -96,10 +96,10 @@ Parameters:
AllowedValues:
- 'true'
- 'false'
ARNPrefix:
Partition:
Type: String
Description: ARN prefix for the resources based on your account or organization partition
Default: 'arn:aws'
Description: AWS Partition of your account or organization to create resources in
Default: 'aws'
Conditions:
IsOrganizational:
Fn::Equals:
Expand Down Expand Up @@ -127,7 +127,7 @@ Resources:
Action:
- sts:AssumeRole
Resource:
- !Sub ${ARNPrefix}:iam:::role/sysdig-secure-events-stackset-execution-${NameSuffix}
- !Sub arn:${Partition}:iam:::role/sysdig-secure-events-stackset-execution-${NameSuffix}
ExecutionRole:
Type: AWS::IAM::Role
Properties:
Expand All @@ -142,8 +142,8 @@ Resources:
Action:
- sts:AssumeRole
ManagedPolicyArns:
- !Sub ${ARNPrefix}:iam::aws:policy/AmazonEventBridgeFullAccess
- !Sub ${ARNPrefix}:iam::aws:policy/AWSCloudFormationFullAccess
- !Sub arn:${Partition}:iam::aws:policy/AmazonEventBridgeFullAccess
- !Sub arn:${Partition}:iam::aws:policy/AWSCloudFormationFullAccess
EventBridgeRole:
Type: AWS::IAM::Role
Properties:
Expand Down Expand Up @@ -175,7 +175,7 @@ Resources:
- "events:DescribeRule"
- "events:ListTargetsByRule"
Resource:
- !Sub ${ARNPrefix}:events:*:*:rule/sysdig-secure-events-${NameSuffix}
- !Sub arn:${Partition}:events:*:*:rule/sysdig-secure-events-${NameSuffix}
EventBridgeRuleStackSet:
Type: AWS::CloudFormation::StackSet
Metadata:
Expand Down Expand Up @@ -211,8 +211,8 @@ Resources:
ParameterValue: !Ref RuleState
- ParameterKey: RuleEventPattern
ParameterValue: !Ref RuleEventPattern
- ParameterKey: ARNPrefix
ParameterValue: !Ref ARNPrefix
- ParameterKey: Partition
ParameterValue: !Ref Partition
StackInstancesGroup:
- DeploymentTargets:
Accounts:
Expand All @@ -239,9 +239,9 @@ Resources:
RuleEventPattern:
Type: String
Description: JSON pattern for the EventBridge rule's event pattern
ARNPrefix:
Partition:
Type: String
Description: ARN prefix for the resources based on your account or organization partition
Description: AWS Partition of your account or organization to create resources in
Resources:
EventBridgeRule:
Type: "AWS::Events::Rule"
Expand All @@ -253,7 +253,7 @@ Resources:
Targets:
- Id: !Ref Name
Arn: !Sub ${TargetEventBusARN}
RoleArn: !Sub ${ARNPrefix}:iam::${AWS::AccountId}:role/${Name}
RoleArn: !Sub arn:${Partition}:iam::${AWS::AccountId}:role/${Name}
OrganizationRoleStackSet:
Type: AWS::CloudFormation::StackSet
Condition: IsOrganizational
Expand Down Expand Up @@ -281,8 +281,8 @@ Resources:
ParameterValue: !Ref ExternalID
- ParameterKey: TargetEventBusARN
ParameterValue: !Ref TargetEventBusARN
- ParameterKey: ARNPrefix
ParameterValue: !Ref ARNPrefix
- ParameterKey: Partition
ParameterValue: !Ref Partition
StackInstancesGroup:
- DeploymentTargets:
OrganizationalUnitIds: !Ref OrganizationalUnitIDs
Expand All @@ -303,9 +303,9 @@ Resources:
TargetEventBusARN:
Type: String
Description: The destination in Sysdig's AWS account where your events are sent
ARNPrefix:
Partition:
Type: String
Description: ARN prefix for the resources based on your account or organization partition
Description: AWS Partition of your account or organization to create resources in
Resources:
EventBridgeRole:
Type: AWS::IAM::Role
Expand Down Expand Up @@ -338,7 +338,7 @@ Resources:
- "events:DescribeRule"
- "events:ListTargetsByRule"
Resource:
- !Sub ${ARNPrefix}:events:*:*:rule/${Name}
- !Sub arn:${Partition}:events:*:*:rule/${Name}
OrganizationRuleStackSet:
Type: AWS::CloudFormation::StackSet
Condition: IsOrganizational
Expand Down Expand Up @@ -369,8 +369,8 @@ Resources:
ParameterValue: !Ref RuleState
- ParameterKey: RuleEventPattern
ParameterValue: !Ref RuleEventPattern
- ParameterKey: ARNPrefix
ParameterValue: !Ref ARNPrefix
- ParameterKey: Partition
ParameterValue: !Ref Partition
StackInstancesGroup:
- DeploymentTargets:
OrganizationalUnitIds: !Ref OrganizationalUnitIDs
Expand All @@ -396,9 +396,9 @@ Resources:
RuleEventPattern:
Type: String
Description: JSON pattern for the EventBridge rule's event pattern
ARNPrefix:
Partition:
Type: String
Description: ARN prefix for the resources based on your account or organization partition
Description: AWS Partition of your account or organization to create resources in
Resources:
EventBridgeRule:
Type: "AWS::Events::Rule"
Expand All @@ -410,7 +410,7 @@ Resources:
Targets:
- Id: !Ref Name
Arn: !Ref TargetEventBusARN
RoleArn: !Sub "${ARNPrefix}:iam::${AWS::AccountId}:role/${Name}"
RoleArn: !Sub "arn:${Partition}:iam::${AWS::AccountId}:role/${Name}"
Outputs:
EventBridgeRoleARN:
Description: Sysdig Secure EventBridge Role ARN
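Review bot: In hunk `@@ -127,7 +127,7 @@` the rewritten resource `arn:${Partition}:iam:::role/sysdig-secure-events-stackset-execution-${NameSuffix}` leaves the account field between `iam:` and `:role` empty, while the comparable `RoleArn` values later in this file (hunks `@@ -253` and `@@ -410`) fill it with `${AWS::AccountId}`. The empty field was carried over from the old line, so it is pre-existing rather than introduced here, but because this statement grants `sts:AssumeRole` on execution roles that presumably live in member accounts, the intended form is probably an explicit account ID or `*` in that position — worth confirming against a deployed stack that the assume-role call actually succeeds. The enclosing policy statement begins before the hunk.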
