
enhance(modular): handle deprecated resources in modules (#18)
jose-pablo-camacho authored Oct 8, 2024
1 parent 2b58df2 commit 14e5159
Showing 14 changed files with 162 additions and 184 deletions.
94 changes: 55 additions & 39 deletions modules/agentless-scanning/main.tf
Expand Up @@ -26,7 +26,7 @@ data "aws_iam_session_context" "current" {
data "sysdig_secure_agentless_scanning_assets" "assets" {}

data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
cloud_provider = "aws"
cloud_provider = "aws"
}

data "sysdig_secure_tenant_external_id" "external_id" {}
Expand Down Expand Up @@ -64,29 +64,13 @@ resource "random_id" "suffix" {
# predefined/default AWSCloudFormationStackSetAdministrationRole.
#-----------------------------------------------------------------------------------------------------------------------------------------

# IAM Policy Document used by Stackset roles for the KMS operations policy
data "aws_iam_policy_document" "kms_operations" {
count = !var.auto_create_stackset_roles ? 0 : 1

statement {
sid = "KmsOperationsAccess"
effect = "Allow"
actions = [
"kms:*",
]
resources = [
"*",
]
}
}

resource "aws_iam_role" "scanning_stackset_admin_role" {
count = !var.auto_create_stackset_roles ? 0 : 1

name = "AWSCloudFormationStackSetAdministrationRoleForScanning"
tags = var.tags

assume_role_policy = <<EOF
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
Expand All @@ -101,10 +85,25 @@ resource "aws_iam_role" "scanning_stackset_admin_role" {
}
EOF
managed_policy_arns = ["arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"]
inline_policy {
name = "KmsOperationsAccess"
policy = data.aws_iam_policy_document.kms_operations[0].json
}
}

resource "aws_iam_role_policy" "scanning_stackset_admin_role_policy" {
count = !var.auto_create_stackset_roles ? 0 : 1

name = "KmsOperationsAccess"
role = aws_iam_role.scanning_stackset_admin_role[0].id
policy = jsonencode({
Statement = [
{
Sid = "KmsOperationsAccess"
Action = [
"kms:*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}

#-----------------------------------------------------------------------------------------------------------------------------------------
Expand Down Expand Up @@ -139,10 +138,25 @@ EOF
managed_policy_arns = [
"arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"
]
inline_policy {
name = "KmsOperationsAccess"
policy = data.aws_iam_policy_document.kms_operations[0].json
}
}

resource "aws_iam_role_policy" "scanning_stackset_execution_role_policy" {
count = !var.auto_create_stackset_roles ? 0 : 1

name = "KmsOperationsAccess"
role = aws_iam_role.scanning_stackset_execution_role[0].id
policy = jsonencode({
Statement = [
{
Sid = "KmsOperationsAccess"
Action = [
"kms:*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}

#-----------------------------------------------------------------------------------------------------------------------------------------
Expand Down Expand Up @@ -368,7 +382,7 @@ resource "aws_iam_policy_attachment" "scanning_policy_attachment" {
# - KMS Primary Key, and
# - KMS Primary alias
#
# Note: self-managed stacksets require pair of StackSetAdministrationRole & StackSetExecutionRole IAM roles with self-managed permissions
# Note: self-managed stacksets require pair of StackSetAdministrationRole & StackSetExecutionRole IAM roles with self-managed permissions
#-----------------------------------------------------------------------------------------------------------------------------------------

resource "aws_cloudformation_stack_set" "primary_acc_stackset" {
Expand Down Expand Up @@ -428,7 +442,9 @@ TEMPLATE
depends_on = [
aws_iam_role.scanning_role,
aws_iam_role.scanning_stackset_admin_role,
aws_iam_role.scanning_stackset_execution_role
aws_iam_role_policy.scanning_stackset_admin_role_policy,
aws_iam_role.scanning_stackset_execution_role,
aws_iam_role_policy.scanning_stackset_execution_role_policy
]
}

Expand Down Expand Up @@ -459,10 +475,10 @@ resource "aws_cloudformation_stack_set_instance" "primary_acc_stackset_instance"
# explicit dependency using depends_on
#-----------------------------------------------------------------------------------------------------------------
resource "sysdig_secure_cloud_auth_account_component" "aws_scanning_role" {
account_id = var.sysdig_secure_account_id
type = "COMPONENT_TRUSTED_ROLE"
instance = "secure-scanning"
version = "v0.1.0"
account_id = var.sysdig_secure_account_id
type = "COMPONENT_TRUSTED_ROLE"
instance = "secure-scanning"
version = "v0.1.0"
trusted_role_metadata = jsonencode({
aws = {
role_name = local.scanning_resource_name
Expand All @@ -477,16 +493,16 @@ resource "sysdig_secure_cloud_auth_account_component" "aws_scanning_role" {
# explicit dependency using depends_on
#-----------------------------------------------------------------------------------------------------------------
resource "sysdig_secure_cloud_auth_account_component" "aws_crypto_key" {
account_id = var.sysdig_secure_account_id
type = "COMPONENT_CRYPTO_KEY"
instance = "secure-scanning"
version = "v0.1.0"
account_id = var.sysdig_secure_account_id
type = "COMPONENT_CRYPTO_KEY"
instance = "secure-scanning"
version = "v0.1.0"
crypto_key_metadata = jsonencode({
aws = {
kms = {
alias = "alias/${local.scanning_resource_name}"
regions = var.regions
}
alias = "alias/${local.scanning_resource_name}"
regions = var.regions
}
}
})
}
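Review bot: The `jsonencode` policy bodies of `scanning_stackset_admin_role_policy` and `scanning_stackset_execution_role_policy` omit the `Version` element, so IAM evaluates them under the implicit 2008-10-17 policy language instead of the 2012-10-17 version the removed `aws_iam_policy_document` data source emitted by default; add `Version = "2012-10-17"` as the first key of each `jsonencode({ ... })` (the same applies to `cspm_role_policy` in modules/config-posture/main.tf). The rewrite also carries forward `kms:*` on `Resource = "*"` for both StackSet roles; since the statement is being retyped anyway, a comment stating why the StackSet roles need unrestricted KMS access, or a scoping to the scanning key's ARN/alias once it is known, would let a reader audit the grant. `managed_policy_arns` on both roles (the `AWSCloudFormationFullAccess` attachment) is left in place and appears to fall under the same provider deprecation as `inline_policy`, which is worth confirming against the pinned `>= 5.60.0` provider. Both role resources start outside their hunks.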
4 changes: 2 additions & 2 deletions modules/agentless-scanning/outputs.tf
@@ -1,11 +1,11 @@
output "scanning_role_component_id" {
value = "${sysdig_secure_cloud_auth_account_component.aws_scanning_role.type}/${sysdig_secure_cloud_auth_account_component.aws_scanning_role.instance}"
description = "Component identifier of scanning role created in Sysdig Backend for Agentless Scanning"
depends_on = [ sysdig_secure_cloud_auth_account_component.aws_scanning_role ]
depends_on = [sysdig_secure_cloud_auth_account_component.aws_scanning_role]
}

output "crypto_key_component_id" {
value = "${sysdig_secure_cloud_auth_account_component.aws_crypto_key.type}/${sysdig_secure_cloud_auth_account_component.aws_crypto_key.instance}"
description = "Component identifier of KMS crypto key created in Sysdig Backend for Agentless Scanning"
depends_on = [ sysdig_secure_cloud_auth_account_component.aws_crypto_key ]
depends_on = [sysdig_secure_cloud_auth_account_component.aws_crypto_key]
}
4 changes: 2 additions & 2 deletions modules/agentless-scanning/variables.tf
Expand Up @@ -56,8 +56,8 @@ variable "stackset_admin_role_arn" {

variable "stackset_execution_role_name" {
description = "(Optional) stackset execution role name to run SELF_MANAGED stackset"
type = string
default = ""
type = string
default = ""
}

variable "timeout" {
2 changes: 1 addition & 1 deletion modules/agentless-scanning/versions.tf
Expand Up @@ -6,7 +6,7 @@ terraform {
version = ">= 5.60.0"
}
sysdig = {
source = "sysdiglabs/sysdig"
source = "sysdiglabs/sysdig"
}
random = {
source = "hashicorp/random"
144 changes: 56 additions & 88 deletions modules/config-posture/main.tf
Expand Up @@ -9,7 +9,7 @@ locals {
}

data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
cloud_provider = "aws"
cloud_provider = "aws"
}

data "sysdig_secure_tenant_external_id" "external_id" {}
Expand Down Expand Up @@ -41,103 +41,71 @@ resource "aws_iam_role" "cspm_role" {
}
EOF
managed_policy_arns = ["arn:aws:iam::aws:policy/SecurityAudit"]
inline_policy {
name = local.config_posture_role_name
policy = data.aws_iam_policy_document.custom_resources_policy.json
}
}

# Custom IAM Policy Document used by trust-relationship role
data "aws_iam_policy_document" "custom_resources_policy" {

statement {
sid = "DescribeEFSAccessPoints"

effect = "Allow"

actions = [
"elasticfilesystem:DescribeAccessPoints",
]

resources = [
"*",
]
}

statement {
sid = "ListWafRegionalRulesAndRuleGroups"

effect = "Allow"

actions = [
"waf-regional:ListRules",
"waf-regional:ListRuleGroups",
]

resources = [
"arn:aws:waf-regional:*:*:rule/*",
"arn:aws:waf-regional:*:*:rulegroup/*"
]
}

statement {
sid = "ListJobsOnConsole"

effect = "Allow"

actions = [
"macie2:ListClassificationJobs",
resource "aws_iam_role_policy" "cspm_role_policy" {
name = local.config_posture_role_name
role = aws_iam_role.cspm_role.id
policy = jsonencode({
Statement = [
{
Sid = "DescribeEFSAccessPoints"
Action = [
"elasticfilesystem:DescribeAccessPoints",
]
Effect = "Allow"
Resource = "*"
},
{
Sid = "ListWafRegionalRulesAndRuleGroups"
Action = [
"waf-regional:ListRules",
"waf-regional:ListRuleGroups",
]
Effect = "Allow"
Resource = [
"arn:aws:waf-regional:*:*:rule/*",
"arn:aws:waf-regional:*:*:rulegroup/*"
]
},
{
Sid = "ListJobsOnConsole"
Action = "macie2:ListClassificationJobs"
Effect = "Allow"
Resource = "*"
},
{
Sid = "GetFunctionDetails"
Action = [
"lambda:GetRuntimeManagementConfig",
"lambda:GetFunction",
]
Effect = "Allow"
Resource = "*"
},
{
Sid = "AccessAccountContactInfo"
Action = "account:GetContactInformation"
Effect = "Allow"
Resource = "*"
},
]

resources = [
"*",
]
}

statement {
sid = "GetFunctionDetails"

effect = "Allow"

actions = [
"lambda:GetRuntimeManagementConfig",
"lambda:GetFunction",
]

resources = [
"*"
]
}

statement {
sid = "AccessAccountContactInfo"

effect = "Allow"

actions = [
"account:GetContactInformation",
]

resources = [
"*",
]
}
})
}

#--------------------------------------------------------------------------------------------------------------
# Call Sysdig Backend to add the trusted role for Config Posture to the Sysdig Cloud Account
#
# Note (optional): To ensure this gets called after all cloud resources are created, add
# explicit dependency using depends_on
#--------------------------------------------------------------------------------------------------------------
resource "sysdig_secure_cloud_auth_account_component" "config_posture_role" {
account_id = var.sysdig_secure_account_id
type = "COMPONENT_TRUSTED_ROLE"
instance = "secure-posture"
version = "v0.1.0"
account_id = var.sysdig_secure_account_id
type = "COMPONENT_TRUSTED_ROLE"
instance = "secure-posture"
version = "v0.1.0"
trusted_role_metadata = jsonencode({
aws = {
role_name = local.config_posture_role_name
}
})
aws = {
role_name = local.config_posture_role_name
}
})
}
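Review bot: The new `cspm_role_policy` drops the `# Custom IAM Policy Document used by trust-relationship role` comment without a replacement, and its statements now mix forms: `Action` is a list in `DescribeEFSAccessPoints`, `ListWafRegionalRulesAndRuleGroups` and `GetFunctionDetails` but a bare string in `ListJobsOnConsole` and `AccessAccountContactInfo`. IAM accepts both, but a uniform list form keeps future additions to those statements a one-line diff, and a header such as `# Inline policy for the Config Posture trust-relationship role (replaces data.aws_iam_policy_document.custom_resources_policy)` above the resource would restore the lost context. Because the policy keeps the name `local.config_posture_role_name`, an in-place upgrade presumably relies on the new resource's PutRolePolicy overwriting the inline policy the role already carries rather than on a clean remove-then-create; that is worth stating in the module's upgrade notes. The `cspm_role` resource this policy attaches to starts outside the hunk.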
2 changes: 1 addition & 1 deletion modules/config-posture/outputs.tf
@@ -1,5 +1,5 @@
output "config_posture_component_id" {
value = "${sysdig_secure_cloud_auth_account_component.config_posture_role.type}/${sysdig_secure_cloud_auth_account_component.config_posture_role.instance}"
description = "Component identifier of trusted identity created in Sysdig Backend for Config Posture"
depends_on = [ sysdig_secure_cloud_auth_account_component.config_posture_role ]
depends_on = [sysdig_secure_cloud_auth_account_component.config_posture_role]
}
2 changes: 1 addition & 1 deletion modules/config-posture/versions.tf
Expand Up @@ -6,7 +6,7 @@ terraform {
version = ">= 5.60.0"
}
sysdig = {
source = "sysdiglabs/sysdig"
source = "sysdiglabs/sysdig"
}
}
}
