Version without so many variables

Author: miguelpais

modules/Makefile

@@ -4,10 +4,10 @@ S3_BUCKET ?= "s4c-cft"
 S3_PREFIX ?= "test"
 S3_REGION ?= eu-west-1
 STACK_NAME = Sysdig-Secure
-PARAM_NAME_SUFFIX ?= test
+PARAM_NAME_SUFFIX ?= abc1240
 PARAM_IS_ORGANIZATIONAL ?= false
 PARAM_EXTERNAL_ID ?= test
-PARAM_TRUSTED_IDENTITY ?= arn:aws:iam:::role/$(PARAM_NAME_SUFFIX)
+PARAM_TRUSTED_IDENTITY ?= arn:aws:iam::064689838359:role/us-east-1-integration01-secure-assume-role
 PARAM_TARGET_EVENT_BUS_ARN ?= arn:aws:events:us-east-1::event-bus/default
 PARAM_BUCKET_ARN ?= arn:aws:s3:::cloudtrail-$(PARAM_NAME_SUFFIX)
 PARAM_REGIONS ?= us-east-1
@@ -30,8 +30,7 @@ lint:
 	yq '.Resources.OrganizationRuleStackSet.Properties.TemplateBody' log_ingestion.events.cft.yaml | cfn-lint -
 	yq '.Resources.AccountStackSet.Properties.TemplateBody' volume_access.cft.yaml | cfn-lint -
 	yq '.Resources.OrganizationStackSet.Properties.TemplateBody' volume_access.cft.yaml | cfn-lint -
-	yq '.Resources.ScanningOrgNoLambdaRoleStackSet.Properties.TemplateBody' vm_workload_scanning.cft.yaml | cfn-lint -
-	yq '.Resources.ScanningOrgWithLambdaRoleStackSet.Properties.TemplateBody' vm_workload_scanning.cft.yaml | cfn-lint -
+	yq '.Resources.ScanningOrgStackSet.Properties.TemplateBody' vm_workload_scanning.cft.yaml | cfn-lint -
 
 publish:
 	aws s3 cp foundational.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/foundational.cft.yaml
@@ -41,52 +40,7 @@ publish:
 	aws s3 cp vm_workload_scanning.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/vm_workload_scanning.cft.yaml
 
 deploy:
-	aws cloudformation deploy \
-		--stack-name $(STACK_NAME)-Foundational-$(PARAM_NAME_SUFFIX) \
-		--template-file foundational.cft.yaml \
-		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
-		--parameter-overrides \
-			"NameSuffix=$(PARAM_NAME_SUFFIX)" \
-			"ExternalID=$(PARAM_EXTERNAL_ID)" \
-			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
-			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
-			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
-			"Partition=${PARAM_PARTITION}"
-	aws cloudformation deploy \
-		--stack-name $(STACK_NAME)-LogIngestion-EventBridge-$(PARAM_NAME_SUFFIX) \
-		--template-file log_ingestion.events.cft.yaml \
-		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
-		--parameter-overrides \
-			"NameSuffix=$(PARAM_NAME_SUFFIX)" \
-			"ExternalID=$(PARAM_EXTERNAL_ID)" \
-			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
-			"Regions=$(PARAM_REGIONS)" \
-			"TargetEventBusARN=$(PARAM_TARGET_EVENT_BUS_ARN)" \
-			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
-			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
-			"Partition=${PARAM_PARTITION}"
-	aws cloudformation deploy \
-		--stack-name $(STACK_NAME)-LogIngestion-S3-$(PARAM_NAME_SUFFIX) \
-		--template-file log_ingestion.s3.cft.yaml \
-		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
-		--parameter-overrides \
-			"NameSuffix=$(PARAM_NAME_SUFFIX)" \
-			"ExternalID=$(PARAM_EXTERNAL_ID)" \
-			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
-			"BucketARN=$(PARAM_BUCKET_ARN)" \
-			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
-			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
-	aws cloudformation deploy \
-		--stack-name $(STACK_NAME)-VolumeAccess-$(PARAM_NAME_SUFFIX) \
-		--template-file volume_access.cft.yaml \
-		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
-		--parameter-overrides \
-			"NameSuffix=$(PARAM_NAME_SUFFIX)" \
-			"ExternalID=$(PARAM_EXTERNAL_ID)" \
-			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
-			"Regions=$(PARAM_REGIONS)" \
-			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
-			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
+
 
 	aws cloudformation deploy \
 		--stack-name $(STACK_NAME)-VMWorkloadScanning-$(PARAM_NAME_SUFFIX) \

modules/vm_workload_scanning.cft.yaml

@@ -65,35 +65,27 @@ Conditions:
     Fn::Equals:
       - Ref: IsOrganizational
       - 'false'
-  IsLambdaScanningEnabled:
-    Fn::Equals:
-      - Ref: LambdaScanningEnabled
-      - 'true'
-  NotLambdaScanningEnabled:
-    Fn::Equals:
-      - Ref: LambdaScanningEnabled
-      - 'false'
   IsOrganizationalAndLambdaEnabled:
     Fn::And:
-      - Condition: IsOrganizational
-      - Condition: IsLambdaScanningEnabled
-  IsOrganizationalAndNotLambdaEnabled:
-    Fn::And:
-      - Condition: IsOrganizational
-      - Condition: NotLambdaScanningEnabled
+      - Fn::Equals:
+        - Ref: IsOrganizational
+        - 'true'
+      - Fn::Equals:
+        - Ref: LambdaScanningEnabled
+        - 'true'
   IsNotOrganizationalAndLambdaEnabled:
     Fn::And:
-      - Condition: IsLambdaScanningEnabled
-      - Condition: IsNotOrganizational
-  IsNotOrganizationalAndNotLambdaEnabled:
-    Fn::And:
-      - Condition: NotLambdaScanningEnabled
-      - Condition: IsNotOrganizational
+      - Fn::Equals:
+        - Ref: IsOrganizational
+        - 'false'
+      - Fn::Equals:
+        - Ref: LambdaScanningEnabled
+        - 'true'
 
 Resources:
-  ScanningRoleWithLambda:
+  ScanningRole:
     Type: AWS::IAM::Role
-    Condition: IsNotOrganizationalAndLambdaEnabled
+    Condition: IsNotOrganizational
     Properties:
       RoleName: !Sub sysdig-vm-workload-scanning-${NameSuffix}
       AssumeRolePolicyDocument:
@@ -108,164 +100,51 @@ Resources:
               StringEquals:
                 sts:ExternalId:
                   Ref: ExternalID
-      Policies:
-        - PolicyName: !Sub sysdig-vm-workload-scanning-${NameSuffix}
-          PolicyDocument:
-            Version: '2012-10-17'
-            Statement:
-              - Effect: Allow
-                Action:
-                  - ecr:GetDownloadUrlForLayer
-                  - ecr:BatchGetImage
-                  - ecr:BatchCheckLayerAvailability
-                  - ecr:ListImages
-                  - ecr:GetAuthorizationToken
-                Resource: '*'
-              - Effect: Allow
-                Action:
-                  - lambda:GetFunction
-                  - lambda:GetFunctionConfiguration
-                  - lambda:GetRuntimeManagementConfig
-                  - lambda:ListFunctions
-                  - lambda:ListTagsForResource
-                  - lambda:GetLayerVersionByArn
-                  - lambda:GetLayerVersion
-                  - lambda:ListLayers
-                  - lambda:ListLayerVersions
-                Resource: '*'
-
-  ScanningRoleNoLambda:
-    Type: AWS::IAM::Role
-    Condition: IsNotOrganizationalAndNotLambdaEnabled
+  ECRPolicy:
+    Type: AWS::IAM::Policy
+    Condition: IsNotOrganizational
     Properties:
-      RoleName: !Sub sysdig-vm-workload-scanning-${NameSuffix}
-      AssumeRolePolicyDocument:
+      PolicyName: !Sub sysdig-vm-workload-scanning-${NameSuffix}-ecr
+      Roles:
+        - !Ref ScanningRole
+      PolicyDocument:
         Version: '2012-10-17'
         Statement:
           - Effect: Allow
-            Principal:
-              AWS:
-                Ref: TrustedIdentity
-            Action: [ 'sts:AssumeRole' ]
-            Condition:
-              StringEquals:
-                sts:ExternalId:
-                  Ref: ExternalID
-      Policies:
-        - PolicyName: !Sub sysdig-vm-workload-scanning-${NameSuffix}
-          PolicyDocument:
-            Version: '2012-10-17'
-            Statement:
-              - Effect: Allow
-                Action:
-                  - ecr:GetDownloadUrlForLayer
-                  - ecr:BatchGetImage
-                  - ecr:BatchCheckLayerAvailability
-                  - ecr:ListImages
-                  - ecr:GetAuthorizationToken
-                Resource: '*'
-
-  ScanningOrgWithLambdaRoleStackSet:
-    Type: AWS::CloudFormation::StackSet
-    Condition: IsOrganizationalAndLambdaEnabled
+            Action:
+              - ecr:GetDownloadUrlForLayer
+              - ecr:BatchGetImage
+              - ecr:BatchCheckLayerAvailability
+              - ecr:ListImages
+              - ecr:GetAuthorizationToken
+            Resource: '*'
+  LambdaPolicy:
+    Type: AWS::IAM::Policy
+    Condition: IsNotOrganizationalAndLambdaEnabled
     Properties:
-      StackSetName: !Sub sysdig-vm-workload-scanning-${NameSuffix}
-      Description: Creates IAM roles within an AWS organization for Agentless Workload Scanning
-      PermissionModel: SERVICE_MANAGED
-      Capabilities:
-        - CAPABILITY_NAMED_IAM
-      AutoDeployment:
-        Enabled: true
-        RetainStacksOnAccountRemoval: false
-      ManagedExecution:
-        Active: true
-      OperationPreferences:
-        MaxConcurrentPercentage: 100
-        FailureTolerancePercentage: 90
-        ConcurrencyMode: SOFT_FAILURE_TOLERANCE
-      Parameters:
-        - ParameterKey: NameSuffix
-          ParameterValue:
-            Ref: NameSuffix
-        - ParameterKey: TrustedIdentity
-          ParameterValue:
-            Ref: TrustedIdentity
-        - ParameterKey: ExternalID
-          ParameterValue:
-            Ref: ExternalID
-        - ParameterKey: LambdaScanningEnabled
-          ParameterValue:
-            Ref: LambdaScanningEnabled
-      StackInstancesGroup:
-        - DeploymentTargets:
-            OrganizationalUnitIds: !Ref OrganizationalUnitIDs
-          Regions:
-            - Ref: AWS::Region
-      TemplateBody: |
-        AWSTemplateFormatVersion: "2010-09-09"
-        Description: IAM Role for Agentless Workload Scanning
-        Parameters:
-          NameSuffix:
-            Type: String
-            Description: Suffix to append to the resource name identifiers
-            AllowedPattern: "[0-9a-z]+"
-            MaxLength: 8
-            MinLength: 4
-          TrustedIdentity:
-            Type: String
-            Description: Trusted identity
-          ExternalID:
-            Type: String
-            Description: external ID
-          LambdaScanningEnabled:
-            Type: String
-            Description: Enable Lambda function scanning
-            Default: 'false'
+      PolicyName: !Sub sysdig-vm-workload-scanning-${NameSuffix}-lambda
+      Roles:
+        - !Ref ScanningRole
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Action:
+              - lambda:GetFunction
+              - lambda:GetFunctionConfiguration
+              - lambda:GetRuntimeManagementConfig
+              - lambda:ListFunctions
+              - lambda:ListTagsForResource
+              - lambda:GetLayerVersionByArn
+              - lambda:GetLayerVersion
+              - lambda:ListLayers
+              - lambda:ListLayerVersions
+            Resource: '*'
 
-        Resources:
-          ScanningRole:
-            Type: AWS::IAM::Role
-            Properties:
-              RoleName: !Sub sysdig-vm-workload-scanning-${NameSuffix}
-              AssumeRolePolicyDocument:
-                Version: "2012-10-17"
-                Statement:
-                - Effect: "Allow"
-                  Action: "sts:AssumeRole"
-                  Principal:
-                    AWS: !Ref TrustedIdentity
-                  Condition:
-                    StringEquals:
-                      sts:ExternalId: !Ref ExternalID
-              Policies:
-              - PolicyName: !Sub sysdig-vm-workload-scanning-${NameSuffix}
-                PolicyDocument:
-                  Version: "2012-10-17"
-                  Statement:
-                  - Effect: "Allow"
-                    Action:
-                    - ecr:GetDownloadUrlForLayer
-                    - ecr:BatchGetImage
-                    - ecr:BatchCheckLayerAvailability
-                    - ecr:ListImages
-                    - ecr:GetAuthorizationToken
-                    Resource: "*"
-                  - Effect: Allow
-                    Action:
-                    - lambda:GetFunction
-                    - lambda:GetFunctionConfiguration
-                    - lambda:GetRuntimeManagementConfig
-                    - lambda:ListFunctions
-                    - lambda:ListTagsForResource
-                    - lambda:GetLayerVersionByArn
-                    - lambda:GetLayerVersion
-                    - lambda:ListLayers
-                    - lambda:ListLayerVersions
-                    Resource: "*"
 
-  ScanningOrgNoLambdaRoleStackSet:
+  ScanningOrgStackSet:
     Type: AWS::CloudFormation::StackSet
-    Condition: IsOrganizationalAndNotLambdaEnabled
+    Condition: IsOrganizational
     Properties:
       StackSetName: !Sub sysdig-vm-workload-scanning-${NameSuffix}
       Description: Creates IAM roles within an AWS organization for Agentless Workload Scanning
@@ -335,19 +214,47 @@ Resources:
                   Condition:
                     StringEquals:
                       sts:ExternalId: !Ref ExternalID
-              Policies:
-              - PolicyName: !Sub sysdig-vm-workload-scanning-${NameSuffix}
+            ECRPolicy:
+              Type: AWS::IAM::Policy
+              Condition: IsOrganizational
+              Properties:
+                PolicyName: !Sub sysdig-vm-workload-scanning-${NameSuffix}-ecr
+                Roles:
+                  - !Ref ScanningRole
                 PolicyDocument:
-                  Version: "2012-10-17"
+                  Version: '2012-10-17'
                   Statement:
-                  - Effect: "Allow"
-                    Action:
-                    - ecr:GetDownloadUrlForLayer
-                    - ecr:BatchGetImage
-                    - ecr:BatchCheckLayerAvailability
-                    - ecr:ListImages
-                    - ecr:GetAuthorizationToken
-                    Resource: "*"
+                    - Effect: Allow
+                      Action:
+                        - ecr:GetDownloadUrlForLayer
+                        - ecr:BatchGetImage
+                        - ecr:BatchCheckLayerAvailability
+                        - ecr:ListImages
+                        - ecr:GetAuthorizationToken
+                      Resource: '*' 
+            LambdaPolicy:
+              Type: AWS::IAM::Policy
+              Condition: IsOrganizationalAndLambdaEnabled
+              Properties:
+                PolicyName: !Sub sysdig-vm-workload-scanning-${NameSuffix}-lambda
+                Roles:
+                  - !Ref ScanningRole
+                PolicyDocument:
+                  Version: '2012-10-17'
+                  Statement:
+                    - Effect: Allow
+                      Action:
+                        - lambda:GetFunction
+                        - lambda:GetFunctionConfiguration
+                        - lambda:GetRuntimeManagementConfig
+                        - lambda:ListFunctions
+                        - lambda:ListTagsForResource
+                        - lambda:GetLayerVersionByArn
+                        - lambda:GetLayerVersion
+                        - lambda:ListLayers
+                        - lambda:ListLayerVersions
+                      Resource: '*'
+
 
 Outputs:
   ScanningRoleARN: