enhance(s3): add support for Govcloud account/org for fedramp (#24)

* enhance(s3): add support for Govcloud account/org for fedramp * enhance(s3): add support for Govcloud account/org for s3 * fix version * fix version
sysdiglabs · Nov 12, 2024 · 81addc2 · 81addc2
1 parent 6869379
commit 81addc2
Show file tree

Hide file tree

Showing 8 changed files with 150 additions and 28 deletions.
diff --git a/modules/integrations/cloud-logs/README.md b/modules/integrations/cloud-logs/README.md
@@ -1,24 +1,30 @@
 # AWS Cloud Logs Module
 
-This Module creates the resources required to send CloudTrail logs to Sysdig by enabling access to the CloudTrail associated s3 bucket through a dedicated IAM role.
+This Module creates the resources required to send CloudTrail logs to Sysdig by enabling access to the CloudTrail
+associated s3 bucket through a dedicated IAM role.
 
 The following resources will be created in each instrumented account:
-- An IAM Role and associated policies that gives the ingestion component in Sysdig's account permission to list and retrieve items from it.
+
+- An IAM Role and associated policies that gives the ingestion component in Sysdig's account permission to list and
+  retrieve items from it.
+
+If instrumenting an AWS Gov account/organization, resources will be created in `aws-us-gov` region.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
 ## Requirements
 
-| Name | Version   |
-|------|-----------|
+| Name                                                                      | Version   |
+|---------------------------------------------------------------------------|-----------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0  |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.60.0 |
-| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) |
-| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws)                   | >= 5.60.0 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig)          | ~>1.39    |
+| <a name="requirement_random"></a> [random](#requirement\_random)          | >= 3.1    |
 
 ## Providers
 
-| Name | Version |
-|------|---------|
+| Name                                              | Version   |
+|---------------------------------------------------|-----------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.60.0 |
 
 ## Modules
@@ -27,33 +33,35 @@ No modules.
 
 ## Resources
 
-| Name                                                                                                                                                                             | Type |
-|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|
-| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
-| [aws_iam_role.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role)                                                         | resource |
-| [aws_iam_role_policy.cloudlogs_s3_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy)                                                         | resource |
+| Name                                                                                                                                                                             | Type        |
+|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
+| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id)                                                                            | resource    |
+| [aws_iam_role.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role)                                                         | resource    |
+| [aws_iam_role_policy.cloudlogs_s3_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy)                                    | resource    |
 | [aws_iam_policy_document.assume_cloudlogs_s3_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)                    | data source |
 | [aws_iam_policy_document.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)                                | data source |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
-| [sysdig_secure_tenant_external_id.external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source |
-| [sysdig_secure_cloud_auth_account_component.aws_cloud_logs](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity)                                                    | data source |
+| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity)        | data source |
+| [sysdig_secure_tenant_external_id.external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id)                     | data source |
+| [sysdig_secure_cloud_auth_account_component.aws_cloud_logs](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource    |
 
 ## Inputs
 
-| Name                                                                                                             | Description                                                                                                                         | Type          | Default                                                   | Required |
-|------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|---------------|-----------------------------------------------------------|:--------:|
-| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account) | `string`      | n/a                                                       | yes |
-| <a name="input_folder_arn"></a> [folder\_arn](#input\_folder\_arn)                                               | (Required) The ARN of your CloudTrail Bucket Folder                                                                                 | `string`      | n/a                                                       |   yes    |
-| <a name="input_tags"></a> [tags](#input\_tags)                                                                   | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required.                              | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> |    no    |
-| <a name="input_name"></a> [name](#input\_name)                                                                   | (Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning                 | `string`      | sysdig-secure-cloudlogs                                   |    no    |
-| <a name="input_regions"></a> [regions](#input\_regions)                                                          | (Optional) The list of AWS regions we want to scrape data from                           | `set(string)` | `[]`                                                        |    no    |
+| Name                                                                                                             | Description                                                                                                                                   | Type          | Default                                                     | Required |
+|------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|---------------|-------------------------------------------------------------|:--------:|
+| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account) | `string`      | n/a                                                         |   yes    |
+| <a name="input_folder_arn"></a> [folder\_arn](#input\_folder\_arn)                                               | (Required) The ARN of your CloudTrail Bucket Folder                                                                                           | `string`      | n/a                                                         |   yes    |
+| <a name="input_tags"></a> [tags](#input\_tags)                                                                   | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required.                                        | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> |    no    |
+| <a name="input_name"></a> [name](#input\_name)                                                                   | (Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning                           | `string`      | sysdig-secure-cloudlogs                                     |    no    |
+| <a name="input_regions"></a> [regions](#input\_regions)                                                          | (Optional) The list of AWS regions we want to scrape data from                                                                                | `set(string)` | `[]`                                                        |    no    |
+| <a name="input_is_gov_cloud_onboarding"></a> [is\_gov\_cloud](#input\_is\_gov\_cloud\_onboarding)                | true/false whether secure-for-cloud should be deployed in a govcloud account/org or not                                                       | `bool`        | `false`                                                     |    no    |
 
 ## Outputs
 
-| Name                                                                                                            | Description |
-|-----------------------------------------------------------------------------------------------------------------|-------------|
+| Name                                                                                                            | Description                                                                                |
+|-----------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------|
 | <a name="output_cloud_logs_component_id"></a> [cloud\_logs\_component\_id](#output\_cloud\_logs\_component\_id) | Component identifier of Cloud Logs integration created in Sysdig Backend for Log Ingestion |
+
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ## Authors

diff --git a/modules/integrations/cloud-logs/main.tf b/modules/integrations/cloud-logs/main.tf
@@ -28,6 +28,7 @@ locals {
   account_id_hash  = substr(md5(data.aws_caller_identity.current.account_id), 0, 4)
   role_name = "${var.name}-${random_id.suffix.hex}-${local.account_id_hash}"
   bucket_arn = regex("^([^/]+)", var.folder_arn)[0]
+  trusted_identity         = var.is_gov_cloud_onboarding ? data.sysdig_secure_trusted_cloud_identity.trusted_identity.gov_identity : data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity
 }
 
 #-----------------------------------------------------------------------------------------------------------------------
@@ -59,7 +60,7 @@ data "aws_iam_policy_document" "assume_cloudlogs_s3_access_role" {
 
     principals {
       type        = "AWS"
-      identifiers = [data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity]
+      identifiers = [local.trusted_identity]
     }
 
     actions = ["sts:AssumeRole"]

diff --git a/modules/integrations/cloud-logs/variables.tf b/modules/integrations/cloud-logs/variables.tf
@@ -28,3 +28,9 @@ variable "regions" {
   type        = set(string)
   default     = []
 }
+
+variable "is_gov_cloud_onboarding" {
+  type        = bool
+  default     = false
+  description = "true/false whether secure-for-cloud should be deployed in a govcloud account/org or not"
+}
diff --git a/modules/integrations/cloud-logs/versions.tf b/modules/integrations/cloud-logs/versions.tf
@@ -8,6 +8,7 @@ terraform {
     }
     sysdig = {
       source = "sysdiglabs/sysdig"
+      version = "~> 1.39"
     }
     random = {
       source  = "hashicorp/random"

diff --git a/test/examples/organization/cloud_logs.tf b/test/examples/organization/cloud_logs.tf
@@ -0,0 +1,26 @@
+#---------------------------------------------------------------------------------------------
+# Ensure installation flow for foundational onboarding has been completed before
+# installing additional Sysdig features.
+#---------------------------------------------------------------------------------------------
+
+module "cloud-logs" {
+  source                   = "../../../modules/integrations/cloud-logs"
+  folder_arn               = "<FOLDER_ARN"
+  sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_THREAT_DETECTION"
+  enabled    = true
+  components = [module.cloud-logs.cloud_logs_component_id]
+  depends_on = [module.cloud-logs]
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
+  enabled    = true
+  components = [module.cloud-logs.cloud_logs_component_id]
+  depends_on = [module.cloud-logs, sysdig_secure_cloud_auth_account_feature.config_posture]
+}
diff --git a/test/examples/organization/cloud_logs_gov.tf b/test/examples/organization/cloud_logs_gov.tf
@@ -0,0 +1,27 @@
+#---------------------------------------------------------------------------------------------
+# Ensure installation flow for foundational onboarding has been completed before
+# installing additional Sysdig features.
+#---------------------------------------------------------------------------------------------
+
+module "cloud-logs" {
+  source                   = "../../../modules/integrations/cloud-logs"
+  folder_arn               = "<FOLDER_ARN"
+  sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+  is_gov_cloud_onboarding  = module.onboarding.is_gov_cloud_onboarding
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_THREAT_DETECTION"
+  enabled    = true
+  components = [module.cloud-logs.cloud_logs_component_id]
+  depends_on = [module.cloud-logs]
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
+  enabled    = true
+  components = [module.cloud-logs.cloud_logs_component_id]
+  depends_on = [module.cloud-logs, sysdig_secure_cloud_auth_account_feature.config_posture]
+}
diff --git a/test/examples/single_account/cloud_logs.tf b/test/examples/single_account/cloud_logs.tf
@@ -0,0 +1,26 @@
+#---------------------------------------------------------------------------------------------
+# Ensure installation flow for foundational onboarding has been completed before
+# installing additional Sysdig features.
+#---------------------------------------------------------------------------------------------
+
+module "cloud-logs" {
+  source                   = "../../../modules/integrations/cloud-logs"
+  folder_arn               = "<FOLDER_ARN"
+  sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_THREAT_DETECTION"
+  enabled    = true
+  components = [module.cloud-logs.cloud_logs_component_id]
+  depends_on = [module.cloud-logs]
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
+  enabled    = true
+  components = [module.cloud-logs.cloud_logs_component_id]
+  depends_on = [module.cloud-logs, sysdig_secure_cloud_auth_account_feature.config_posture]
+}
diff --git a/test/examples/single_account/cloud_logs_gov.tf b/test/examples/single_account/cloud_logs_gov.tf
@@ -0,0 +1,27 @@
+#---------------------------------------------------------------------------------------------
+# Ensure installation flow for foundational onboarding has been completed before
+# installing additional Sysdig features.
+#---------------------------------------------------------------------------------------------
+
+module "cloud-logs" {
+  source                   = "../../../modules/integrations/cloud-logs"
+  folder_arn               = "<FOLDER_ARN"
+  sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+  is_gov_cloud_onboarding  = module.onboarding.is_gov_cloud_onboarding
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_THREAT_DETECTION"
+  enabled    = true
+  components = [module.cloud-logs.cloud_logs_component_id]
+  depends_on = [module.cloud-logs]
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
+  account_id = module.onboarding.sysdig_secure_account_id
+  type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
+  enabled    = true
+  components = [module.cloud-logs.cloud_logs_component_id]
+  depends_on = [module.cloud-logs, sysdig_secure_cloud_auth_account_feature.config_posture]
+}