Revamp cloudformation templates for Cloudlogs module (#106)

sysdiglabs · Oct 19, 2023 · f7e7e7e · f7e7e7e
1 parent a350829
commit f7e7e7e
Show file tree

Hide file tree

Showing 4 changed files with 128 additions and 46 deletions.
diff --git a/templates_cloudlogs/CloudLogs.yaml b/templates_cloudlogs/CloudLogs.yaml
@@ -1,6 +1,6 @@
 AWSTemplateFormatVersion: "2010-09-09"
 Description: >
- CloudFormation template for provisioning
+ CloudFormation single template for provisioning
  the necessary resources for the `cloud-logs`
  component.
 

diff --git a/templates_cloudlogs/Makefile b/templates_cloudlogs/Makefile
@@ -5,18 +5,21 @@ S3_PREFIX ?= "test"
 # We need the REGION or the TemplateURLs might be created for a different region, resulting in a deployment error
 S3_REGION ?= "eu-west-1" # ireland
 SECURE_API_TOKEN ?= ""
-STACK_NAME = "CloudLogsTest"
+STACK_NAME = "CloudlogsTest"
+STACK_NAME_ORG = "OrgCloudlogsTest"
 
 .PHONY: packaged-template.yaml
+.PHONY: packaged-template-org.yaml
 
 validate:
  aws cloudformation validate-template --template-body file://./CloudLogs.yaml
+ aws cloudformation validate-template --template-body file://./OrgCloudLogs.yaml
 
 lint:
  cfn-lint *.yaml
 
 packaged-template.yaml:
- aws s3 rm s3://$(S3_BUCKET)/cloudlogs/$(S3_PREFIX) --recursive
+ aws s3 rm s3://$(S3_BUCKET)/cloudlogs/single/$(S3_PREFIX) --recursive
 
  aws cloudformation package \
  --region $(S3_REGION) \
@@ -35,7 +38,31 @@ test: packaged-template.yaml
  "SysdigSecureAPIToken=$(SECURE_API_TOKEN)"
 
 ci: packaged-template.yaml
- aws s3 cp ./packaged-template.yaml s3://$(S3_BUCKET)/cloudlogs/$(S3_PREFIX)/entry-point.yaml
+ aws s3 cp ./packaged-template.yaml s3://$(S3_BUCKET)/cloudlogs/single/$(S3_PREFIX)/entry-point.yaml
 
 clean:
  aws cloudformation delete-stack --stack-name $(STACK_NAME)
+
+packaged-template-org.yaml:
+ aws s3 rm s3://$(S3_BUCKET)/cloudlogs/org/$(S3_PREFIX) --recursive
+ aws cloudformation package \
+ --region $(S3_REGION) \
+ --template-file OrgCloudlogs.yaml \
+ --s3-bucket $(S3_BUCKET) \
+ --s3-prefix cspm/$(S3_PREFIX) \
+ --force-upload \
+ --output-template-file packaged-template-org.yaml
+
+test-org: packaged-template-org.yaml
+ aws cloudformation deploy \
+ --stack-name $(STACK_NAME_ORG) \
+ --template-file packaged-template-org.yaml \
+ --capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
+ --parameter-overrides \
+ "SysdigSecureAPIToken=$(SECURE_API_TOKEN)"
+
+ci-org: packaged-template-org.yaml
+ aws s3 cp ./packaged-template-org.yaml s3://$(S3_BUCKET)/cloudlogs/org/$(S3_PREFIX)/entry-point.yaml
+
+clean-org:
+ aws cloudformation delete-stack --stack-name $(STACK_NAME_ORG)
diff --git a/templates_cloudlogs/OrgCloudLogs.yaml b/templates_cloudlogs/OrgCloudLogs.yaml
@@ -0,0 +1,97 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: >
+ CloudFormation organizational template for provisioning
+ the necessary resources for the `cloud-logs`
+ component and the read-only role required to itneract with
+ the target organizational environment.
+
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: "Sysdig Settings (Do not change)"
+ Parameters:
+ - CSPMRoleName
+ - CloudLogsRoleName
+ - ExternalID
+ - TrustedIdentity
+ - BucketARN
+
+ ParameterLabels:
+ CSPMRoleName:
+ default: "CSPM Role Name (Sysdig use only)"
+ CloudLogsRoleName:
+ default: "CloudLogs Role Name (Sysdig use only)"
+ ExternalID:
+ default: "External ID (Sysdig use only)"
+ TrustedIdentity:
+ default: "Trusted Identity (Sysdig use only)"
+ BucketARN:
+ default: "Bucket ARN"
+
+Parameters:
+ CSPMRoleName:
+ Type: String
+ Description: The name of the read-only IAM Role that Sysdig will use to interact with the target environment
+ CloudLogsRoleName:
+ Type: String
+ Description: The name of the IAM Role that will enable access to the Cloudtrail logs.
+ ExternalID:
+ Type: String
+ Description: Random string generated unique to a customer.
+ TrustedIdentity:
+ Type: String
+ Description: The name of Sysdig trusted identity.
+ BucketARN:
+ Type: String
+ Description: The ARN of your s3 bucket associated with your Cloudtrail trail.
+
+Resources:
+ CloudLogsRole:
+ Type: "AWS::IAM::Role"
+ Properties:
+ RoleName: !Ref CloudLogsRoleName
+ AssumeRolePolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: "Allow"
+ Principal:
+ AWS: !Ref TrustedIdentity
+ Action:
+ - "sts:AssumeRole"
+ Condition:
+ StringEquals:
+ "sts:ExternalId": !Ref ExternalID
+ CloudLogsRolePolicies:
+ Type: "AWS::IAM::Policy"
+ Properties:
+ PolicyName: "CloudlogsS3Access"
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Sid: "CloudlogsS3Access"
+ Effect: "Allow"
+ Action:
+ - "s3:Get*"
+ - "s3:List*"
+ Resource:
+ - !Sub '${BucketARN}'
+ - !Sub '${BucketARN}/*'
+ Roles:
+ - Ref: "CloudLogsRole"
+ CloudAgentlessRole:
+ Type: "AWS::IAM::Role"
+ Properties:
+ RoleName: !Ref CSPMRoleName
+ AssumeRolePolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: "Allow"
+ Principal:
+ AWS: !Ref TrustedIdentity
+ Action: "sts:AssumeRole"
+ Condition:
+ StringEquals:
+ sts:ExternalId: !Ref ExternalID
+ ManagedPolicyArns:
+ - arn:aws:iam::aws:policy/SecurityAudit
diff --git a/templates_cspm_cloudlogs/OrgFullInstall.yaml b/templates_cspm_cloudlogs/OrgFullInstall.yaml
@@ -112,14 +112,10 @@ Resources:
  Parameters:
  - ParameterKey: CSPMRoleName
  ParameterValue: !Ref CSPMRoleName
- - ParameterKey: CloudLogsRoleName
- ParameterValue: !Ref CloudLogsRoleName
  - ParameterKey: TrustedIdentity
  ParameterValue: !Ref TrustedIdentity
  - ParameterKey: ExternalID
  ParameterValue: !Ref ExternalID
- - ParameterKey: BucketARN
- ParameterValue: !Ref BucketARN
  StackInstancesGroup:
  - DeploymentTargets:
  OrganizationalUnitIds: !Split [ ",", !Ref OrganizationUnitIDs]
@@ -131,15 +127,9 @@ Resources:
  CSPMRoleName:
  Type: String
  Description: A unique identifier used to create an IAM Role
- CloudLogsRoleName:
- Type: String
- Description: The name of the IAM Role that will enable access to the Cloudtrail logs.
  TrustedIdentity:
  Type: String
  Description: The Role in Sysdig's AWS Account with permissions to your account
- BucketARN:
- Type: String
- Description: The ARN of your s3 bucket associated with your Cloudtrail trail.
  ExternalID:
  Type: String
  Description: Sysdig ExternalID required for the policy creation
@@ -160,35 +150,3 @@ Resources:
  sts:ExternalId: !Sub ${ExternalID}
  ManagedPolicyArns:
  - arn:aws:iam::aws:policy/SecurityAudit
- CloudLogsRole:
- Type: "AWS::IAM::Role"
- Properties:
- RoleName: !Ref CloudLogsRoleName
- AssumeRolePolicyDocument:
- Version: "2012-10-17"
- Statement:
- - Effect: "Allow"
- Principal:
- AWS: !Ref TrustedIdentity
- Action:
- - "sts:AssumeRole"
- Condition:
- StringEquals:
- "sts:ExternalId": !Ref ExternalID
- CloudLogsRolePolicies:
- Type: "AWS::IAM::Policy"
- Properties:
- PolicyName: "CloudlogsS3Access"
- PolicyDocument:
- Version: "2012-10-17"
- Statement:
- - Sid: "CloudlogsS3Access"
- Effect: "Allow"
- Action:
- - "s3:Get*"
- - "s3:List*"
- Resource:
- - !Sub '${BucketARN}'
- - !Sub '${BucketARN}/*'
- Roles:
- - Ref: "CloudLogsRole"