Add CloudLogs module for AWS Onboarding (#101)

Author: gi-erre

.github/workflows/ci-master-cloudlogs.yaml

@@ -0,0 +1,33 @@
+name: CI - Master CloudLogs
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'templates_cloudlogs/**'
+
+
+jobs:
+  build:
+    name: Build and Upload
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: eu-west-1
+
+    - name: Build and Upload Cloudlogs templates
+      run: make ci
+      working-directory: ./templates_cloudlogs
+      env:
+        S3_BUCKET: cf-templates-cloudvision-ci
+        S3_PREFIX: master
+

.github/workflows/ci-master-full-install-with-cloudlogs.yaml

@@ -0,0 +1,39 @@
+name: CI - Master Full Install
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'templates_cspm_cloudlogs/**'
+
+
+jobs:
+  build:
+    name: Build and Upload
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: eu-west-1
+
+    - name: Build and Upload Full install templates
+      run: make ci
+      working-directory: ./templates_cspm_cloudlogs
+      env:
+        S3_BUCKET: cf-templates-cloudvision-ci
+        S3_PREFIX: master
+
+    - name: Build and Upload Full install templates
+      run: make ci-org
+      working-directory: ./templates_cspm_cloudlogs
+      env:
+        S3_BUCKET: cf-templates-cloudvision-ci
+        S3_PREFIX: master        

.github/workflows/ci-pull-request-cloudlogs.yaml

@@ -0,0 +1,48 @@
+name: CI - Pull Request Cloudlogs
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'templates_cloudlogs/**'
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: cfn-lint
+      uses: scottbrenner/cfn-lint-action@v2
+
+    - name: Print the Cloud Formation Linter Version & run Linter
+      run: |
+        cfn-lint --version
+        cfn-lint -t templates_cloudlogs/**/*.yaml
+
+  build:
+    name: Build and Upload Cloudlogs templates
+    runs-on: ubuntu-latest
+    needs: [lint]
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: eu-west-1
+
+    - name: Build and Upload Cloudlogs Templates
+      run: make ci
+      working-directory: templates_cloudlogs
+      env:
+        S3_BUCKET: cf-templates-cloudvision-ci
+        S3_PREFIX: pr/${{ github.event.pull_request.head.ref }}

.github/workflows/ci-pull-request-full-install-with-cloudlogs.yaml

@@ -0,0 +1,55 @@
+name: CI - Pull Request Full Install
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'templates_cspm_cloudlogs/**'
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: cfn-lint
+      uses: scottbrenner/cfn-lint-action@v2
+
+    - name: Print the Cloud Formation Linter Version & run Linter
+      run: |
+        cfn-lint --version
+        cfn-lint -t templates_cspm_cloudlogs/**/*.yaml
+
+  build:
+    name: Build and Upload Full Install templates
+    runs-on: ubuntu-latest
+    needs: [lint]
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: eu-west-1
+
+    - name: Build and Upload Full Install Templates
+      run: make ci
+      working-directory: templates_cspm_cloudlogs
+      env:
+        S3_BUCKET: cf-templates-cloudvision-ci
+        S3_PREFIX: pr/${{ github.event.pull_request.head.ref }}
+
+    - name: Build and Upload Full Install Org Templates
+      run: make ci-org
+      working-directory: templates_cspm_cloudlogs
+      env:
+        S3_BUCKET: cf-templates-cloudvision-ci
+        S3_PREFIX: pr/${{ github.event.pull_request.head.ref }}

templates_cloudlogs/CloudLogs.yaml

@@ -0,0 +1,74 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: >
+  CloudFormation template for provisioning
+  the necessary resources for the `cloud-logs`
+  component.
+
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: "Sysdig Settings (Do not change)"
+        Parameters:
+          - RoleName
+          - ExternalId
+          - TrustedIdentity
+          - BucketARN
+
+    ParameterLabels:
+      RoleName:
+        default: "Role Name (Sysdig use only)"
+      ExternalId:
+        default: "External ID (Sysdig use only)"
+      TrustedIdentity:
+        default: "Trusted Identity (Sysdig use only)"
+      BucketARN:
+        default: "Bucket ARN"
+
+Parameters:
+  RoleName:
+    Type: String
+    Description: The name of the IAM Role that will enable access to the Cloudtrail logs.
+  ExternalId:
+    Type: String
+    Description: Random string generated unique to a customer.
+  TrustedIdentity:
+    Type: String
+    Description: The name of Sysdig trusted identity.
+  BucketARN:
+    Type: String
+    Description: The ARN of your s3 bucket associated with your Cloudtrail trail.
+
+Resources:
+  CloudLogsRole:
+    Type: "AWS::IAM::Role"
+    Properties:
+      RoleName: !Ref RoleName
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: "Allow"
+            Principal:
+              AWS: !Ref TrustedIdentity
+            Action:
+              - "sts:AssumeRole"
+            Condition:
+              StringEquals:
+                "sts:ExternalId": !Ref ExternalId
+  CloudLogsRolePolicies:
+    Type: "AWS::IAM::Policy"
+    Properties:
+      PolicyName: "CloudlogsS3Access"
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Sid: "CloudlogsS3Access"
+            Effect: "Allow"
+            Action:
+              - "s3:Get*"
+              - "s3:List*"
+            Resource:
+              - !Sub '${BucketARN}'
+              - !Sub '${BucketARN}/*'
+      Roles:
+        - Ref: "CloudLogsRole"

templates_cloudlogs/Makefile

@@ -0,0 +1,41 @@
+# requires AWS_PROFILE
+# bucket must exist, prefix will be created
+S3_BUCKET ?= "s4c-cft"
+S3_PREFIX ?= "test"
+# We need the REGION or the TemplateURLs might be created for a different region, resulting in a deployment error
+S3_REGION ?= "eu-west-1" # ireland
+SECURE_API_TOKEN ?= ""
+STACK_NAME = "CloudLogsTest"
+
+.PHONY: packaged-template.yaml
+
+validate:
+	aws cloudformation validate-template --template-body file://./CloudLogs.yaml
+
+lint:
+	cfn-lint *.yaml
+
+packaged-template.yaml:
+	aws s3 rm s3://$(S3_BUCKET)/cloudlogs/$(S3_PREFIX) --recursive
+
+	aws cloudformation package \
+		--region $(S3_REGION) \
+		--template-file CloudLogs.yaml \
+		--s3-bucket $(S3_BUCKET) \
+		--s3-prefix cspm/$(S3_PREFIX) \
+		--force-upload \
+		--output-template-file packaged-template.yaml
+
+test: packaged-template.yaml
+	aws cloudformation deploy \
+		--stack-name $(STACK_NAME) \
+		--template-file packaged-template.yaml \
+		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
+		--parameter-overrides \
+			"SysdigSecureAPIToken=$(SECURE_API_TOKEN)"
+
+ci: packaged-template.yaml
+	aws s3 cp ./packaged-template.yaml s3://$(S3_BUCKET)/cloudlogs/$(S3_PREFIX)/entry-point.yaml
+
+clean:
+	aws cloudformation delete-stack --stack-name $(STACK_NAME)

templates_cspm_cloudlogs/FullInstall.yaml

@@ -0,0 +1,94 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: IAM Roles for CSPM and Cloudlogs used by Sysdig Secure
+
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: "Sysdig Settings (Do not change)"
+        Parameters:
+          - CSPMRoleName
+          - CloudLogsRoleName
+          - ExternalId
+          - TrustedIdentity
+          - BucketARN
+
+    ParameterLabels:
+      CSPMRoleName:
+        default: "CSPM Role Name (Sysdig use only)"
+      CloudLogsRoleName:
+        default: "CloudLogs Role Name (Sysdig use only)"
+      ExternalId:
+        default: "External ID (Sysdig use only)"
+      TrustedIdentity:
+        default: "Trusted Identity (Sysdig use only)"
+      BucketARN:
+        default: "Bucket ARN"
+
+Parameters:
+  CSPMRoleName:
+    Type: String
+    Description: The read-only IAM Role that Sysdig will create
+  CloudLogsRoleName:
+    Type: String
+    Description: The name of the IAM Role that will enable access to the Cloudtrail logs.
+  ExternalId:
+    Type: String
+    Description: Sysdig ExternalID required for the policy creation
+  TrustedIdentity:
+    Type: String
+    Description: The name of Sysdig trusted identity.
+  BucketARN:
+    Type: String
+    Description: The ARN of your s3 bucket associated with your Cloudtrail trail.
+
+Resources:
+  CloudAgentlessRole:
+    Type: "AWS::IAM::Role"
+    Properties:
+      RoleName: !Ref CSPMRoleName
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          -
+            Effect: "Allow"
+            Principal:
+              AWS: !Ref TrustedIdentity
+            Action: "sts:AssumeRole"
+            Condition:
+              StringEquals:
+                sts:ExternalId: !Ref ExternalId
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/SecurityAudit
+  CloudLogsRole:
+    Type: "AWS::IAM::Role"
+    Properties:
+      RoleName: !Ref CloudLogsRoleName
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: "Allow"
+            Principal:
+              AWS: !Ref TrustedIdentity
+            Action:
+              - "sts:AssumeRole"
+            Condition:
+              StringEquals:
+                "sts:ExternalId": !Ref ExternalId
+  CloudLogsRolePolicies:
+    Type: "AWS::IAM::Policy"
+    Properties:
+      PolicyName: "CloudlogsS3Access"
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Sid: "CloudlogsS3Access"
+            Effect: "Allow"
+            Action:
+              - "s3:Get*"
+              - "s3:List*"
+            Resource:
+              - !Sub '${BucketARN}'
+              - !Sub '${BucketARN}/*'
+      Roles:
+        - Ref: "CloudLogsRole"