
Commit 4c90e1d

authored
refactor: Deploy cloud-scanning along with cloud-connector (#55)
Deploy cloud-scanning along with cloud-connector.
1 parent b551b87 commit 4c90e1d


4 files changed

+136
-340
lines changed


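--- a/templates/CloudConnector.yaml
+++ b/templates/CloudConnector.yaml
@@ -30,12 +30,23 @@ Parameters:
 - "Yes"
 - "No"
 Default: "Yes"
+BuildProject:
+Type: String
+Default: ""
 CloudTrailTopic:
 Type: String
 Description: ARN of the SNS Topic to subscribe
+DeployCloudScanning:
+Type: String
+AllowedValues:
+- "Yes"
+- "No"
+Default: "Yes"
+Description: Whether to deploy cloud scanning or not
 
 Conditions:
-VerifySSL: !Equals [!Ref VerifySSL, "Yes"]
+VerifySSL: !Equals [ !Ref VerifySSL, "Yes" ]
+DeployCloudScanning: !Equals [ !Ref DeployCloudScanning, "Yes"]
 
 Resources:
 
@@ -83,57 +94,102 @@ Resources:
 Properties:
 AssumeRolePolicyDocument:
 Statement:
-- Effect: Allow
-Principal:
-Service: [ecs-tasks.amazonaws.com]
-Action: ['sts:AssumeRole']
+- Effect: Allow
+Principal:
+Service: [ ecs-tasks.amazonaws.com ]
+Action: [ 'sts:AssumeRole' ]
 Path: /
 Policies:
 - PolicyName: !Sub "${AWS::StackName}-TaskRolePolicy"
 PolicyDocument:
 Statement:
-- Effect: Allow
-Action:
-- "s3:GetObject"
-- "s3:ListBucket"
-- "s3:PutObject"
-Resource: '*'
-- Effect: Allow
-Action:
-- 'sqs:DeleteMessage'
-- 'sqs:DeleteMessageBatch'
-- 'sqs:ReceiveMessage'
-Resource:
-- !Sub "arn:aws:sqs:*:${AWS::AccountId}:*"
-
+- Effect: Allow
+Action:
+- "s3:GetObject"
+- "s3:ListBucket"
+- "s3:PutObject"
+Resource: '*'
+- Effect: Allow
+Action:
+- 'sqs:DeleteMessage'
+- 'sqs:DeleteMessageBatch'
+- 'sqs:ReceiveMessage'
+Resource:
+- !Sub "arn:aws:sqs:*:${AWS::AccountId}:*"
+- PolicyName: !Sub "${AWS::StackName}-TriggerScan"
+PolicyDocument:
+Statement:
+- Effect: Allow
+Action:
+- "codebuild:StartBuild"
+Resource:
+- !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${BuildProject}"
+- PolicyName: TaskDefinitionReader
+PolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Effect: Allow
+Action:
+- "ecs:DescribeTaskDefinition"
+Resource:
+- "*"
+- PolicyName: SecretsReader
+PolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Effect: Allow
+Action:
+- "kms:Decrypt"
+- "secretsmanager:GetSecretValue"
+Resource:
+- "*"
+- PolicyName: ECRReader
+PolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Effect: Allow
+Action:
+- "ecr:GetAuthorizationToken"
+- "ecr:BatchCheckLayerAvailability"
+- "ecr:GetDownloadUrlForLayer"
+- "ecr:GetRepositoryPolicy"
+- "ecr:DescribeRepositories"
+- "ecr:ListImages"
+- "ecr:DescribeImages"
+- "ecr:BatchGetImage"
+- "ecr:GetLifecyclePolicy"
+- "ecr:GetLifecyclePolicyPreview"
+- "ecr:ListTagsForResource"
+- "ecr:DescribeImageScanFindings"
+Resource: "*"
 ExecutionRole:
 Type: AWS::IAM::Role
 Properties:
 AssumeRolePolicyDocument:
 Statement:
-- Effect: Allow
-Principal:
-Service: [ecs-tasks.amazonaws.com]
-Action: ['sts:AssumeRole']
+- Effect: Allow
+Principal:
+Service: [ ecs-tasks.amazonaws.com ]
+Action: [ 'sts:AssumeRole' ]
 Path: /
 Policies:
 - PolicyName: !Sub "${AWS::StackName}-ExecutionRolePolicy"
 PolicyDocument:
 Statement:
-- Effect: Allow
-Action:
-- 'logs:CreateLogStream'
-- 'logs:PutLogEvents'
-Resource: '*'
+- Effect: Allow
+Action:
+- 'logs:CreateLogStream'
+- 'logs:PutLogEvents'
+Resource: '*'
 - PolicyName: !Sub "${AWS::StackName}-TaskReadParameters"
 PolicyDocument:
 Statement:
-- Effect: Allow
-Action:
-- "ssm:GetParameters"
-Resource:
-- !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${SysdigSecureEndpointSsm}
-- !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${SysdigSecureAPITokenSsm}
+- Effect: Allow
+Action:
+- "ssm:GetParameters"
+Resource:
+- !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${SysdigSecureEndpointSsm}
+- !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${SysdigSecureAPITokenSsm}
 
 TaskDefinition:
 Type: AWS::ECS::TaskDefinition
@@ -155,18 +211,40 @@ Resources:
 Value: cloud-connector.yaml
 - Name: OUTPUT
 Value: /tmp/cloud-connector.yaml
+- Name: SECURE_API_TOKEN_SECRET
+Value: !Sub ${SysdigSecureAPITokenSsm}
 - Name: CONFIG
 Value:
 "Fn::Base64":
-!Sub |
-rules:
-- s3:
-bucket: ${S3ConfigBucket}
-path: rules
-ingestors:
-- cloudtrail-sns-sqs:
-queueURL: ${CloudTrailQueue}
+!Sub
+- |
+rules:
+- s3:
+bucket: ${S3ConfigBucket}
+path: rules
+ingestors:
+- cloudtrail-sns-sqs:
+queueURL: ${CloudTrailQueue}
+scanners: ${Scanners}
+- S3ConfigBucket: !Ref S3ConfigBucket
+CloudTrailQueue: !Ref CloudTrailQueue
+Scanners:
+'Fn::If':
+- DeployCloudScanning
+- !Sub |
 
+- aws-ecr:
+codeBuildProject: ${BuildProject}
+secureAPITokenSecretName: ${SysdigSecureAPITokenSsm}
+- aws-ecs:
+codeBuildProject: ${BuildProject}
+secureAPITokenSecretName: ${SysdigSecureAPITokenSsm}
+- "[]"
+Secrets:
+- Name: SECURE_URL
+ValueFrom: !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${SysdigSecureEndpointSsm}
+- Name: SECURE_API_TOKEN
+ValueFrom: !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${SysdigSecureAPITokenSsm}
 Image: quay.io/sysdig/cloud-connector-s3-bucket-config:latest
 Essential: false
 LogConfiguration:
@@ -177,6 +255,14 @@ Resources:
 awslogs-stream-prefix: "ecs"
 - Name: CloudConnector
 Environment:
+- Name: SQS_QUEUE_URL
+Value: !Ref CloudTrailQueue
+- Name: SQS_QUEUE_INTERVAL
+Value: 30s
+- Name: CODEBUILD_PROJECT
+Value: !Sub ${BuildProject}
+- Name: SECURE_API_TOKEN_SECRET
+Value: !Sub ${SysdigSecureAPITokenSsm}
 - Name: VERIFY_SSL
 Value: !If [ VerifySSL, "true", "false" ]
 - Name: TELEMETRY_DEPLOYMENT_METHOD
@@ -221,7 +307,6 @@ Resources:
 IpProtocol: "tcp"
 FromPort: 5000
 ToPort: 5000
-
 Tags:
 - Key: Name
 Value: !Sub "${AWS::StackName}-CloudConnector"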
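Review bot: The four scanning-only policies added to the task role in the second hunk (`TriggerScan`, `TaskDefinitionReader`, `SecretsReader`, `ECRReader`) are attached unconditionally, while the scanner configuration in the third hunk is gated on the `DeployCloudScanning` condition, so a stack deployed with `DeployCloudScanning: "No"` still carries `codebuild:StartBuild`, `ecs:DescribeTaskDefinition`, and `secretsmanager:GetSecretValue` / `kms:Decrypt` on `"*"`. Each of those list entries can be wrapped in `!If [DeployCloudScanning, <policy>, !Ref AWS::NoValue]` so the grant exists only when the feature does. `SecretsReader` should also be scoped to the one secret the task names via `SECURE_API_TOKEN_SECRET` rather than `"*"`; if that token is held in Secrets Manager under the `SysdigSecureAPITokenSsm` name, the secret ARN pattern below is the usual shape, but the template also reads the same name as an SSM parameter, so confirm which store it is before narrowing. The `TaskRole` resource whose `Policies` these belong to begins before the hunk.

```yaml
Policies:
  # … unchanged: TaskRolePolicy (s3 / sqs statements) …
  - !If
    - DeployCloudScanning
    - PolicyName: SecretsReader
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "kms:Decrypt"
              - "secretsmanager:GetSecretValue"
            Resource:
              # placeholder pattern: confirm the secret's store and ARN before merging
              - !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${SysdigSecureAPITokenSsm}-*"
    - !Ref AWS::NoValue
  # … unchanged: TriggerScan, TaskDefinitionReader, ECRReader wrapped the same way …
```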
