feat(modules/cloud-logs): introduce cloud logs module for s3 onboarding (#16)
SKosier authored Oct 2, 2024
1 parent d78b5d0 commit 84de7bf
Showing 5 changed files with 235 additions and 0 deletions.
63 changes: 63 additions & 0 deletions modules/integrations/cloud-logs/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
# AWS Cloud Logs Module

This Module creates the resources required to send CloudTrail logs to Sysdig by enabling access to the CloudTrail associated s3 bucket through a dedicated IAM role.

The following resources will be created in each instrumented account:
- An IAM Role and associated policies that gives the ingestion component in Sysdig's account permission to list and retrieve items from it.

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements

| Name | Version |
|------|-----------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.60.0 |
| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.1 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.60.0 |

## Modules

No modules.

## Resources

| Name | Type |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|
| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
| [aws_iam_role.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_policy_document.assume_cloudlogs_s3_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
| [sysdig_secure_tenant_external_id.external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source |
| [sysdig_secure_cloud_auth_account_component.aws_cloud_logs](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|--------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|------|-------------------------------------------------------------|:--------:|
| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account) | `string` | n/a | yes |
| <a name="input_folder_arn"></a> [folder\_arn](#input\_folder\_arn) | (Required) The ARN of your CloudTrail Bucket Folder | `string` | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required. | `map(string)` | <pre>{<br> "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
| <a name="input_name"></a> [name](#input\_name) | (Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `string` | sysdig-secure-cloudlogs | no |

## Outputs

| Name | Description |
|-----------------------------------------------------------------------------------------------------------------|-------------|
| <a name="output_cloud_logs_component_id"></a> [cloud\_logs\_component\_id](#output\_cloud\_logs\_component\_id) | Component identifier of Cloud Logs integration created in Sysdig Backend for Log Ingestion |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

## Authors

Module is maintained by [Sysdig](https://sysdig.com).

## License

Apache 2 Licensed. See LICENSE for full details.
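Review bot: the `tags` and `name` rows of the Inputs table have their descriptions swapped: `tags` is described as "Name to be assigned to all child resources. A suffix may be added internally when required." and `name` as "Sysdig secure-for-cloud tags. always include 'product' default tag ...", while variables.tf in this same commit has them the right way round; regenerate the table with the pre-commit terraform-docs hook instead of editing it by hand. Two smaller points in the same file: the `sysdig` row of the Requirements table has no Version cell (a symptom of the missing constraint in versions.tf), and the `folder_arn` description "The ARN of your CloudTrail Bucket Folder" should state the expected shape, something like `arn:aws:s3:::<bucket>/<prefix>`, because main.tf takes everything before the first `/` as the bucket ARN without complaint. Also, "An IAM Role and associated policies that gives the ingestion component ... permission to list and retrieve items from it" has no antecedent for "it" and should name the CloudTrail bucket ("give", plural, for the policies).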
126 changes: 126 additions & 0 deletions modules/integrations/cloud-logs/main.tf
@@ -0,0 +1,126 @@
#-----------------------------------------------------------------------------------------------------------------------
# The only resource needed to make Sysdig's backend start to fetch data from the CloudTrail associated s3 bucket is a
# properly set AWS IAM Role. Sysdig's trusted identity act as the Principal in the assume role Policy, namely the role
# that the backend will use to assume the Client's role. At that point, given the permission set granted to the newly
# created Role in the Client's account, Sysdig's backend will be able to perform all the required actions in order to
# retrieve the log files that are automatically published in the target s3 bucket.
#
# Note: this setup assumes that the Customer has already properly set up an AWS CloudTrail Trail and the associated bucket.
# Sysdig's Secure UI provides the necessary information to make the Customer perform the
# required setup operations before applying the Terraform module.
#-----------------------------------------------------------------------------------------------------------------------

#-----------------------------------------------------------------------------------------
# Fetch the data sources
#-----------------------------------------------------------------------------------------
data "aws_caller_identity" "current" {}

data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
cloud_provider = "aws"
}

data "sysdig_secure_tenant_external_id" "external_id" {}

#-----------------------------------------------------------------------------------------
# Generate a unique name for resources using random suffix and account ID hash
#-----------------------------------------------------------------------------------------
locals {
account_id_hash = substr(md5(data.aws_caller_identity.current.account_id), 0, 4)
role_name = "${var.name}-${random_id.suffix.hex}-${local.account_id_hash}"

bucket_arn = regex("^([^/]+)", var.folder_arn)[0]
}

#-----------------------------------------------------------------------------------------------------------------------
# A random resource is used to generate unique role name suffix.
# This prevents conflicts when recreating an role with the same name.
#-----------------------------------------------------------------------------------------------------------------------
resource "random_id" "suffix" {
byte_length = 3
}

# AWS IAM Role that will be used by CloudIngestion to access the CloudTrail-associated s3 bucket
resource "aws_iam_role" "cloudlogs_s3_access" {
name = local.role_name
tags = var.tags

assume_role_policy = data.aws_iam_policy_document.assume_cloudlogs_s3_access_role.json
inline_policy {
name = "cloudlogs_s3_access_policy"
policy = data.aws_iam_policy_document.cloudlogs_s3_access.json
}
}

# IAM Policy Document used for the assume role policy
data "aws_iam_policy_document" "assume_cloudlogs_s3_access_role" {
statement {
effect = "Allow"

principals {
type = "AWS"
identifiers = [data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity]
}

actions = ["sts:AssumeRole"]

condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [data.sysdig_secure_tenant_external_id.external_id.external_id]
}
}
}

# IAM Policy Document used for the bucket access policy
data "aws_iam_policy_document" "cloudlogs_s3_access" {
statement {
sid = "CloudlogsS3AccessGet"

effect = "Allow"

actions = [
"s3:Get*",
]

resources = [
local.bucket_arn,
"${local.bucket_arn}/*"
]
}

statement {
sid = "CloudlogsS3AccessList"

effect = "Allow"

actions = [
"s3:List*"
]

resources = [
local.bucket_arn,
"${local.bucket_arn}/*"
]
}
}

#-----------------------------------------------------------------------------------------------------------------------------------------
# Call Sysdig Backend to add the cloud logs integration to the Sysdig Cloud Account
#
# Note (optional): To ensure this gets called after all cloud resources are created, add
# explicit dependency using depends_on
#-----------------------------------------------------------------------------------------------------------------------------------------
resource "sysdig_secure_cloud_auth_account_component" "aws_cloud_logs" {
account_id = var.sysdig_secure_account_id
type = "COMPONENT_CLOUD_LOGS"
instance = "secure-runtime"
version = "v0.1.0"
cloud_logs_metadata = jsonencode({
aws = {
cloudtrailS3Bucket = {
folder_arn = var.folder_arn
role_name = local.role_name
}
}
})
}
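Review bot: the inline policy grants `s3:Get*` and `s3:List*` on the whole bucket rather than on the folder the user supplied: `local.bucket_arn` strips everything after the first `/`, and both statements list `local.bucket_arn` and `"${local.bucket_arn}/*"` as resources, so a trail bucket shared by several accounts or prefixes becomes fully readable through this role. Narrow the actions to what the ingestion needs and scope the object statement to the folder, for example `actions = ["s3:GetObject"]` with `resources = ["${var.folder_arn}/*"]`, plus `s3:ListBucket` on the bucket ARN under an `s3:prefix` condition built from the part of `var.folder_arn` after the bucket name; `s3:Get*` as written also covers `s3:GetBucketPolicy`, `s3:GetBucketAcl` and `s3:GetObjectAcl`, which a log reader has no use for. Second, the comment above `sysdig_secure_cloud_auth_account_component` says to add `depends_on` so the call happens after the cloud resources exist, but no `depends_on` is set and the only link is `role_name = local.role_name`, which does not depend on `aws_iam_role.cloudlogs_s3_access`; Terraform may therefore register the integration with the Sysdig backend before the role exists. Use `role_name = aws_iam_role.cloudlogs_s3_access.name` so the dependency is implicit. Finally, the `inline_policy` block on `aws_iam_role` is marked deprecated in current 5.x releases of the AWS provider (the minimum here is 5.60.0) in favour of a separate `aws_iam_role_policy` resource; moving it now avoids a breaking change at the next major provider upgrade.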
5 changes: 5 additions & 0 deletions modules/integrations/cloud-logs/outputs.tf
@@ -0,0 +1,5 @@
output "cloud_logs_component_id" {
value = "${sysdig_secure_cloud_auth_account_component.aws_cloud_logs.type}/${sysdig_secure_cloud_auth_account_component.aws_cloud_logs.instance}"
description = "Component identifier of Cloud Logs integration created in Sysdig Backend for Log Ingestion"
depends_on = [ sysdig_secure_cloud_auth_account_component.aws_cloud_logs ]
}
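Review bot: the `depends_on` in this output is redundant: `value` already references `sysdig_secure_cloud_auth_account_component.aws_cloud_logs`, so the output cannot be evaluated before that resource exists; drop it to keep the block minimal. Consider also exposing `aws_iam_role.cloudlogs_s3_access.name` (and its ARN) as an output, since the role name is what main.tf hands to the Sysdig backend to assume and is the first thing an operator needs when checking the `sts:AssumeRole` from the trusted identity.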
24 changes: 24 additions & 0 deletions modules/integrations/cloud-logs/variables.tf
@@ -0,0 +1,24 @@
variable "sysdig_secure_account_id" {
type = string
description = "ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account)"
}

variable "folder_arn" {
description = "(Required) The ARN of your CloudTrail Bucket Folder"
type = string
}

variable "tags" {
type = map(string)
description = "(Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning"

default = {
"product" = "sysdig-secure-for-cloud"
}
}

variable "name" {
description = "(Optional) Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances"
type = string
default = "sysdig-secure-cloudlogs"
}
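Review bot: `folder_arn` has no `validation` block even though main.tf derives the bucket ARN from it with `regex("^([^/]+)", var.folder_arn)`; a bare bucket name or a value without the `arn:aws:s3:::` prefix passes through and yields an IAM policy with an invalid resource ARN that only fails at apply time. Add for example `condition = can(regex("^arn:aws(-[a-z]+)*:s3:::[^/]+", var.folder_arn))` with an `error_message` describing the expected `arn:aws:s3:::<bucket>/<prefix>` form. Minor: `sysdig_secure_account_id` is the only variable whose description lacks the `(Required)`/`(Optional)` prefix the others use; either add it or drop the prefixes everywhere, since terraform-docs already emits a Required column.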
17 changes: 17 additions & 0 deletions modules/integrations/cloud-logs/versions.tf
@@ -0,0 +1,17 @@
terraform {
required_version = ">= 1.0.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.60.0"
}
sysdig = {
source = "sysdiglabs/sysdig"
}
random = {
source = "hashicorp/random"
version = ">= 3.1"
}
}
}
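Review bot: the `sysdig` provider has no `version` constraint while `aws` and `random` do; this module relies on `sysdig_secure_trusted_cloud_identity`, `sysdig_secure_tenant_external_id` and `sysdig_secure_cloud_auth_account_component`, which exist only in recent releases, so an older cached provider fails at plan with an unsupported resource or data source type error instead of a clear version message. Add `version = ">= ..."` pinned to the lowest release that provides all three; the README's Requirements table is generated from this block, which is why its `sysdig` row currently has an empty Version cell.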

0 comments on commit 84de7bf