From 84de7bf31c81804bc5dce647614eee4125292720 Mon Sep 17 00:00:00 2001
From: Sanja Kosier <43904019+SKosier@users.noreply.github.com>
Date: Wed, 2 Oct 2024 12:44:42 +0200
Subject: [PATCH] feat(modules/cloud-logs): introduce cloud logs module for s3 onboarding (#16)
---
 modules/integrations/cloud-logs/README.md | 63 ++++++++++
 modules/integrations/cloud-logs/main.tf | 126 +++++++++++++++++++
 modules/integrations/cloud-logs/outputs.tf | 5 +
 modules/integrations/cloud-logs/variables.tf | 24 ++++
 modules/integrations/cloud-logs/versions.tf | 17 +++
 5 files changed, 235 insertions(+)
 create mode 100644 modules/integrations/cloud-logs/README.md
 create mode 100644 modules/integrations/cloud-logs/main.tf
 create mode 100644 modules/integrations/cloud-logs/outputs.tf
 create mode 100644 modules/integrations/cloud-logs/variables.tf
 create mode 100644 modules/integrations/cloud-logs/versions.tf
diff --git a/modules/integrations/cloud-logs/README.md b/modules/integrations/cloud-logs/README.md
new file mode 100644
index 0000000..ae20f99
--- /dev/null
+++ b/modules/integrations/cloud-logs/README.md
@@ -0,0 +1,63 @@
+# AWS Cloud Logs Module
+
+This Module creates the resources required to send CloudTrail logs to Sysdig by enabling access to the CloudTrail associated s3 bucket through a dedicated IAM role.
+
+The following resources will be created in each instrumented account:
+- An IAM Role and associated policies that gives the ingestion component in Sysdig's account permission to list and retrieve items from it.
+
+
+## Requirements
+
+| Name | Version |
+|------|-----------|
+| [terraform](#requirement\_terraform) | >= 1.0.0 |
+| [aws](#requirement\_aws) | >= 5.60.0 |
+| [sysdig](#requirement\_sysdig) |
+| [random](#requirement\_random) | >= 3.1 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 5.60.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|
+| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [aws_iam_role.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_policy_document.assume_cloudlogs_s3_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
+| [sysdig_secure_tenant_external_id.external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source |
+| [sysdig_secure_cloud_auth_account_component.aws_cloud_logs](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|--------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|------|-------------------------------------------------------------|:--------:|
+| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account) | `string` | n/a | yes |
+| [folder\_arn](#input\_folder\_arn) | (Required) The ARN of your CloudTrail Bucket Folder | `string` | n/a | yes |
+| [tags](#input\_tags) | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required. | `map(string)` |
{| no |
+| [name](#input\_name) | (Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `string` | sysdig-secure-cloudlogs | no |
+
+## Outputs
+
+| Name | Description |
+|-----------------------------------------------------------------------------------------------------------------|-------------|
+| [cloud\_logs\_component\_id](#output\_cloud\_logs\_component\_id) | Component identifier of Cloud Logs integration created in Sysdig Backend for Log Ingestion |
+
+
+## Authors
+
+Module is maintained by [Sysdig](https://sysdig.com).
+
+## License
+
+Apache 2 Licensed. See LICENSE for full details.
diff --git a/modules/integrations/cloud-logs/main.tf b/modules/integrations/cloud-logs/main.tf
new file mode 100644
index 0000000..75a7580
--- /dev/null
+++ b/modules/integrations/cloud-logs/main.tf
@@ -0,0 +1,126 @@
+#-----------------------------------------------------------------------------------------------------------------------
+# The only resource needed to make Sysdig's backend start to fetch data from the CloudTrail associated s3 bucket is a
+# properly set AWS IAM Role. Sysdig's trusted identity act as the Principal in the assume role Policy, namely the role
+# that the backend will use to assume the Client's role. At that point, given the permission set granted to the newly
+# created Role in the Client's account, Sysdig's backend will be able to perform all the required actions in order to
+# retrieve the log files that are automatically published in the target s3 bucket.
+#
+# Note: this setup assumes that the Customer has already properly set up an AWS CloudTrail Trail and the associated bucket.
+# Sysdig's Secure UI provides the necessary information to make the Customer perform the
+# required setup operations before applying the Terraform module.
+#-----------------------------------------------------------------------------------------------------------------------
+
+#-----------------------------------------------------------------------------------------
+# Fetch the data sources
+#-----------------------------------------------------------------------------------------
+data "aws_caller_identity" "current" {}
+
+data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
+ cloud_provider = "aws"
+}
+
+data "sysdig_secure_tenant_external_id" "external_id" {}
+
+#-----------------------------------------------------------------------------------------
+# Generate a unique name for resources using random suffix and account ID hash
+#-----------------------------------------------------------------------------------------
+locals {
+ account_id_hash = substr(md5(data.aws_caller_identity.current.account_id), 0, 4)
+ role_name = "${var.name}-${random_id.suffix.hex}-${local.account_id_hash}"
+
+ bucket_arn = regex("^([^/]+)", var.folder_arn)[0]
+}
+
+#-----------------------------------------------------------------------------------------------------------------------
+# A random resource is used to generate unique role name suffix.
+# This prevents conflicts when recreating an role with the same name.
+#-----------------------------------------------------------------------------------------------------------------------
+resource "random_id" "suffix" {
+ byte_length = 3
+}
+
+# AWS IAM Role that will be used by CloudIngestion to access the CloudTrail-associated s3 bucket
+resource "aws_iam_role" "cloudlogs_s3_access" {
+ name = local.role_name
+ tags = var.tags
+
+ assume_role_policy = data.aws_iam_policy_document.assume_cloudlogs_s3_access_role.json
+ inline_policy {
+ name = "cloudlogs_s3_access_policy"
+ policy = data.aws_iam_policy_document.cloudlogs_s3_access.json
+ }
+}
+
+# IAM Policy Document used for the assume role policy
+data "aws_iam_policy_document" "assume_cloudlogs_s3_access_role" {
+ statement {
+ effect = "Allow"
+
+ principals {
+ type = "AWS"
+ identifiers = [data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity]
+ }
+
+ actions = ["sts:AssumeRole"]
+
+ condition {
+ test = "StringEquals"
+ variable = "sts:ExternalId"
+ values = [data.sysdig_secure_tenant_external_id.external_id.external_id]
+ }
+ }
+}
+
+# IAM Policy Document used for the bucket access policy
+data "aws_iam_policy_document" "cloudlogs_s3_access" {
+ statement {
+ sid = "CloudlogsS3AccessGet"
+
+ effect = "Allow"
+
+ actions = [
+ "s3:Get*",
+ ]
+
+ resources = [
+ local.bucket_arn,
+ "${local.bucket_arn}/*"
+ ]
+ }
+
+ statement {
+ sid = "CloudlogsS3AccessList"
+
+ effect = "Allow"
+
+ actions = [
+ "s3:List*"
+ ]
+
+ resources = [
+ local.bucket_arn,
+ "${local.bucket_arn}/*"
+ ]
+ }
+}
+
+#-----------------------------------------------------------------------------------------------------------------------------------------
+# Call Sysdig Backend to add the cloud logs integration to the Sysdig Cloud Account
+#
+# Note (optional): To ensure this gets called after all cloud resources are created, add
+# explicit dependency using depends_on
+#-----------------------------------------------------------------------------------------------------------------------------------------
+resource "sysdig_secure_cloud_auth_account_component" "aws_cloud_logs" {
+ account_id = var.sysdig_secure_account_id
+ type = "COMPONENT_CLOUD_LOGS"
+ instance = "secure-runtime"
+ version = "v0.1.0"
+ cloud_logs_metadata = jsonencode({
+ aws = {
+ cloudtrailS3Bucket = {
+ folder_arn = var.folder_arn
+ role_name = local.role_name
+ }
+ }
+ })
+}
diff --git a/modules/integrations/cloud-logs/outputs.tf b/modules/integrations/cloud-logs/outputs.tf
new file mode 100644
index 0000000..35b6b1e
--- /dev/null
+++ b/modules/integrations/cloud-logs/outputs.tf
@@ -0,0 +1,5 @@
+output "cloud_logs_component_id" {
+ value = "${sysdig_secure_cloud_auth_account_component.aws_cloud_logs.type}/${sysdig_secure_cloud_auth_account_component.aws_cloud_logs.instance}"
+ description = "Component identifier of Cloud Logs integration created in Sysdig Backend for Log Ingestion"
+ depends_on = [ sysdig_secure_cloud_auth_account_component.aws_cloud_logs ]
+}
diff --git a/modules/integrations/cloud-logs/variables.tf b/modules/integrations/cloud-logs/variables.tf
new file mode 100644
index 0000000..78129d9
--- /dev/null
+++ b/modules/integrations/cloud-logs/variables.tf
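Review bot: `data.aws_iam_policy_document.cloudlogs_s3_access` grants `s3:Get*` and `s3:List*` on the whole bucket and every object under it, although the module is handed a `folder_arn`; `s3:Get*` also covers bucket-configuration reads (`s3:GetBucketPolicy`, `s3:GetBucketAcl`, tagging and so on) that ingesting log objects does not need. Narrow the object statement to `s3:GetObject` on `${var.folder_arn}/*` and the list statement to `s3:ListBucket` on `local.bucket_arn` (listing is a bucket-level action, so the `/*` resource in that statement is never matched); add `s3:GetBucketLocation` on the bucket only if the ingestion client is known to need it, and a bucket encrypted with SSE-KMS would additionally need a `kms:Decrypt` grant that this module cannot know about, which is worth stating in the README. Separately, `sysdig_secure_cloud_auth_account_component.aws_cloud_logs` sends `local.role_name` rather than `aws_iam_role.cloudlogs_s3_access.name`, so Terraform sees no dependency on the role and can register the component with the backend before the role exists; the attribute reference `role_name = aws_iam_role.cloudlogs_s3_access.name` creates the edge that the comment above the resource only suggests as optional. Lastly, as far as I recall `inline_policy` on `aws_iam_role` is deprecated in recent AWS provider 5.x releases in favour of a separate `aws_iam_role_policy` resource, which is worth checking against the `>= 5.60.0` constraint.
```hcl
data "aws_iam_policy_document" "cloudlogs_s3_access" {
  statement {
    sid    = "CloudlogsS3AccessGet"
    effect = "Allow"
    # Object reads only, and only under the CloudTrail folder the caller supplied.
    actions   = ["s3:GetObject"]
    resources = ["${var.folder_arn}/*"]
  }

  statement {
    sid    = "CloudlogsS3AccessList"
    effect = "Allow"
    # ListBucket is evaluated against the bucket ARN; an object ARN here is never matched.
    actions   = ["s3:ListBucket"]
    resources = [local.bucket_arn]
  }
}

# … unchanged: comment block above the component resource …
resource "sysdig_secure_cloud_auth_account_component" "aws_cloud_logs" {
  # … unchanged: account_id, type, instance, version …
  cloud_logs_metadata = jsonencode({
    aws = {
      cloudtrailS3Bucket = {
        folder_arn = var.folder_arn
        # Attribute reference (not local.role_name) so the role exists before the
        # backend is told to assume it.
        role_name = aws_iam_role.cloudlogs_s3_access.name
      }
    }
  })
}
```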
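Review bot: The `depends_on` on output `cloud_logs_component_id` is redundant: `value` already references `sysdig_secure_cloud_auth_account_component.aws_cloud_logs`, which gives Terraform the same dependency edge, and explicit `depends_on` on an output is only meant for values that do not reference the resource they wait on. Dropping the line `depends_on = [ sysdig_secure_cloud_auth_account_component.aws_cloud_logs ]` keeps the behaviour and removes the noise.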
@@ -0,0 +1,24 @@
+variable "sysdig_secure_account_id" {
+ type = string
+ description = "ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account)"
+}
+
+variable "folder_arn" {
+ description = "(Required) The ARN of your CloudTrail Bucket Folder"
+ type = string
+}
+
+variable "tags" {
+ type = map(string)
+ description = "(Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning"
+
+ default = {
+ "product" = "sysdig-secure-for-cloud"
+ }
+}
+
+variable "name" {
+ description = "(Optional) Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances"
+ type = string
+ default = "sysdig-secure-cloudlogs"
+}
diff --git a/modules/integrations/cloud-logs/versions.tf b/modules/integrations/cloud-logs/versions.tf
new file mode 100644
index 0000000..2d0b887
--- /dev/null
+++ b/modules/integrations/cloud-logs/versions.tf
@@ -0,0 +1,17 @@
+terraform {
+ required_version = ">= 1.0.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.60.0"
+ }
+ sysdig = {
+ source = "sysdiglabs/sysdig"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 3.1"
+ }
+ }
+}
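Review bot: `folder_arn` is accepted unchecked, yet main.tf derives the bucket ARN from it with `regex("^([^/]+)", var.folder_arn)` and feeds both values into the IAM policy resources, so a plain bucket name or a mistyped ARN produces a policy that silently grants nothing useful (or fails only at apply time). A `validation` block that requires an S3 ARN with an optional key prefix catches this at plan time; the partition is left open so GovCloud/China ARNs still pass. `name` deserves a length check for the same reason: main.tf appends `-<6 hex>-<4 hex>` (12 characters) and IAM role names are capped at 64, so anything longer than 52 characters fails at apply. `sysdig_secure_account_id` is also the only variable whose description lacks the `(Required)` prefix the others use.
```hcl
variable "folder_arn" {
  description = "(Required) The ARN of your CloudTrail Bucket Folder"
  type        = string

  validation {
    # Bucket ARN, optionally followed by a key prefix; partition is not assumed
    # to be "aws" so aws-cn / aws-us-gov ARNs are accepted.
    condition     = can(regex("^arn:aws[a-z-]*:s3:::[^/]+(/.*)?$", var.folder_arn))
    error_message = "folder_arn must be an S3 bucket or bucket-folder ARN, e.g. arn:aws:s3:::<bucket>/<prefix>."
  }
}

# … unchanged: tags …

variable "name" {
  # … unchanged: description, type, default …

  validation {
    # main.tf appends "-<6 hex>-<4 hex>" (12 chars); IAM role names are limited to 64.
    condition     = length(var.name) <= 52
    error_message = "name must be at most 52 characters so the derived IAM role name stays within 64."
  }
}
```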
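Review bot: The `sysdig` entry in `required_providers` has no `version` constraint, so `terraform init` resolves whatever the latest published release is, including future major versions that may change `sysdig_secure_cloud_auth_account_component` or the two data sources main.tf depends on; this is also why the README's Requirements table shows an empty version cell for it. The `aws` and `random` entries are constrained, so constrain `sysdig` the same way, `version = ">= <MIN_SYSDIG_PROVIDER_VERSION>"` (substitute the release this module was actually tested against), and regenerate the README table.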
"product": "sysdig-secure-for-cloud"
}