
Commit 57c2dcc

feat(modules): Support for Govcloud account/org (#138)
* feat(modules): Support for Govcloud account/org Change summary: ---------------- - Added support to install govcloud single account and org in foundational template. - Added same support in log_ingestion event-bridge template. - For log_ingestion s3, no changes required to the template. Added minor nits. * Fix param name * Update makefile * Use Partition param instead
1 parent cbb6be4 commit 57c2dcc


4 files changed

+86
-32
lines changed


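--- a/modules/Makefile
+++ b/modules/Makefile
@@ -45,7 +45,8 @@ deploy:
 "ExternalID=$(PARAM_EXTERNAL_ID)" \
 "TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
 "IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
-"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
+"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
+"Partition=${PARAM_PARTITION}"
 aws cloudformation deploy \
 --stack-name $(STACK_NAME)-LogIngestion-EventBridge-$(PARAM_NAME_SUFFIX) \
 --template-file log_ingestion.events.cft.yaml \
@@ -57,7 +58,8 @@ deploy:
 "Regions=$(PARAM_REGIONS)" \
 "TargetEventBusARN=$(PARAM_TARGET_EVENT_BUS_ARN)" \
 "IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
-"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
+"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
+"Partition=${PARAM_PARTITION}"
 aws cloudformation deploy \
 --stack-name $(STACK_NAME)-LogIngestion-S3-$(PARAM_NAME_SUFFIX) \
 --template-file log_ingestion.s3.cft.yaml \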
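Review bot: The two added `"Partition=${PARAM_PARTITION}"` lines reference the variable with `${...}` while every other parameter on the `deploy` target uses `$(...)`; Make treats both forms identically, but the file's convention is `"Partition=$(PARAM_PARTITION)"`. The more important issue is that the parameter is now always passed explicitly, so if `PARAM_PARTITION` is not assigned anywhere in the Makefile (its definition, if one exists, is outside these hunks) the CLI receives `Partition=` with an empty value, which overrides the template's `Default: 'aws'` and produces ARNs of the form `arn::iam::aws:policy/SecurityAudit` that IAM will reject at role creation. A guarded assignment next to the other `PARAM_*` variables, `PARAM_PARTITION ?= aws`, keeps the commercial-partition default for callers that never set it. The `deploy` recipe starts before the first hunk and continues past the second.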

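--- a/modules/foundational.cft.yaml
+++ b/modules/foundational.cft.yaml
@@ -11,6 +11,7 @@ Metadata:
 - TrustedIdentity
 - IsOrganizational
 - OrganizationalUnitIDs
+- Partition
 ParameterLabels:
 NameSuffix:
 default: Name Suffix
@@ -22,6 +23,8 @@ Metadata:
 default: Is Organizational
 OrganizationalUnitIDs:
 default: Organizational Unit IDs
+Partition:
+default: AWS Partition
 Parameters:
 NameSuffix:
 Type: String
@@ -45,6 +48,10 @@ Parameters:
 OrganizationalUnitIDs:
 Type: CommaDelimitedList
 Description: Comma separated list of organizational unit IDs to deploy
+Partition:
+Type: String
+Description: AWS Partition of your account or organization to create resources in
+Default: 'aws'
 Conditions:
 IsOrganizational:
 Fn::Equals:
@@ -68,7 +75,7 @@ Resources:
 sts:ExternalId:
 Ref: ExternalID
 ManagedPolicyArns:
-- arn:aws:iam::aws:policy/SecurityAudit
+- !Sub arn:${Partition}:iam::aws:policy/SecurityAudit
 Policies:
 - PolicyName: !Sub sysdig-secure-posture-${NameSuffix}
 PolicyDocument:
@@ -82,8 +89,8 @@ Resources:
 - waf-regional:ListRules
 - waf-regional:ListRuleGroups
 Resource:
-- arn:aws:waf-regional:*:*:rule/*
-- arn:aws:waf-regional:*:*:rulegroup/*
+- !Sub arn:${Partition}:waf-regional:*:*:rule/*
+- !Sub arn:${Partition}:waf-regional:*:*:rulegroup/*
 - Effect: Allow
 Action: macie2:ListClassificationJobs
 Resource: '*'
@@ -114,9 +121,18 @@ Resources:
 ManagedPolicyArns:
 Fn::If:
 - IsOrganizational
-- - arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess
-- arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess
-- - arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess
+- - !Sub arn:${Partition}:iam::aws:policy/AWSOrganizationsReadOnlyAccess
+- - !Ref AWS::NoValue
+Policies:
+- PolicyName: !Sub sysdig-secure-onboarding-${NameSuffix}
+PolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Action:
+- account:Get*
+- account:List*
+Resource: '*'
 OrganizationStackSet:
 Type: AWS::CloudFormation::StackSet
 Condition: IsOrganizational
@@ -145,6 +161,9 @@ Resources:
 - ParameterKey: ExternalID
 ParameterValue:
 Ref: ExternalID
+- ParameterKey: Partition
+ParameterValue:
+Ref: Partition
 StackInstancesGroup:
 - DeploymentTargets:
 OrganizationalUnitIds: !Ref OrganizationalUnitIDs
@@ -166,6 +185,9 @@ Resources:
 ExternalID:
 Type: String
 Description: external ID
+Partition:
+Type: String
+Description: AWS Partition of your account or organization to create resources in
 
 Resources:
 ConfigPostureRole:
@@ -183,7 +205,7 @@ Resources:
 StringEquals:
 sts:ExternalId: !Ref ExternalID
 ManagedPolicyArns:
-- arn:aws:iam::aws:policy/SecurityAudit
+- !Sub arn:${Partition}:iam::aws:policy/SecurityAudit
 Policies:
 - PolicyName: !Sub sysdig-secure-posture-${NameSuffix}
 PolicyDocument:
@@ -197,8 +219,8 @@ Resources:
 - "waf-regional:ListRules"
 - "waf-regional:ListRuleGroups"
 Resource:
-- "arn:aws:waf-regional:*:*:rule/*"
-- "arn:aws:waf-regional:*:*:rulegroup/*"
+- !Sub arn:${Partition}:waf-regional:*:*:rule/*
+- !Sub arn:${Partition}:waf-regional:*:*:rulegroup/*
 - Effect: "Allow"
 Action: "macie2:ListClassificationJobs"
 Resource: "*"
@@ -224,8 +246,16 @@ Resources:
 Condition:
 StringEquals:
 sts:ExternalId: !Ref ExternalID
-ManagedPolicyArns:
-- arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess
+Policies:
+- PolicyName: !Sub sysdig-secure-onboarding-${NameSuffix}
+PolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Action:
+- account:Get*
+- account:List*
+Resource: '*'
 
 Outputs:
 ConfigPostureRoleARN: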
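Review bot: The new `Partition` parameter (new-side lines 51-54) is an unconstrained `String` that is interpolated into every IAM managed-policy and WAF resource ARN through `!Sub`, so a mistyped value such as `aws-gov` is only caught when IAM rejects the role; add `AllowedValues: ['aws', 'aws-us-gov']` under the `Default` (plus `'aws-cn'` only if that partition is actually meant to be supported). CloudFormation also exposes the `${AWS::Partition}` pseudo parameter, which resolves to the partition each stack and StackSet instance is really created in; unless a caller genuinely needs to override it, using that in place of the parameter removes both the plumbing through `OrganizationStackSet` and the possibility of a value that does not match the deploying account. In the `Fn::If` for `ManagedPolicyArns` the false branch is written as `- - !Ref AWS::NoValue`, i.e. a one-element list containing `NoValue`, whereas the documented way to omit the property is to return `!Ref AWS::NoValue` itself as the branch value (`- !Ref AWS::NoValue`); please verify the rendered template drops the property rather than producing an empty or invalid list. The replacement of `AWSAccountManagementReadOnlyAccess` by the inline `account:Get*`/`account:List*` statement deserves a comment such as `# inline rather than AWSAccountManagementReadOnlyAccess, which appears not to be available in every partition` so the next maintainer does not revert it. The `Resources` section these hunks cut through begins before the first hunk and continues after the last.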

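--- a/modules/log_ingestion.events.cft.yaml
+++ b/modules/log_ingestion.events.cft.yaml
@@ -15,25 +15,28 @@ Metadata:
 - RuleEventPattern
 - IsOrganizational
 - OrganizationalUnitIDs
+- Partition
 ParameterLabels:
 NameSuffix:
 default: Name Suffix
 ExternalID:
-default: "External ID"
+default: External ID
 TrustedIdentity:
-default: "Trusted Identity"
+default: Trusted Identity
 TargetEventBusARN:
-default: "Target Event Bus"
+default: Target Event Bus
 Regions:
-default: "Instrumented Regions"
+default: Instrumented Regions
 RuleState:
-default: "EventBridge Rule state"
+default: EventBridge Rule state
 RuleEventPattern:
-default: "EventBridge Rule event pattern"
+default: EventBridge Rule event pattern
 IsOrganizational:
 default: Is Organizational
 OrganizationalUnitIDs:
-default: "Organizational Unit IDs"
+default: Organizational Unit IDs
+Partition:
+default: AWS Partition
 Parameters:
 NameSuffix:
 Type: String
@@ -93,6 +96,10 @@ Parameters:
 AllowedValues:
 - 'true'
 - 'false'
+Partition:
+Type: String
+Description: AWS Partition of your account or organization to create resources in
+Default: 'aws'
 Conditions:
 IsOrganizational:
 Fn::Equals:
@@ -120,7 +127,7 @@ Resources:
 Action:
 - sts:AssumeRole
 Resource:
-- !Sub arn:aws:iam:::role/sysdig-secure-events-stackset-execution-${NameSuffix}
+- !Sub arn:${Partition}:iam:::role/sysdig-secure-events-stackset-execution-${NameSuffix}
 ExecutionRole:
 Type: AWS::IAM::Role
 Properties:
@@ -135,8 +142,8 @@ Resources:
 Action:
 - sts:AssumeRole
 ManagedPolicyArns:
-- arn:aws:iam::aws:policy/AmazonEventBridgeFullAccess
-- arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
+- !Sub arn:${Partition}:iam::aws:policy/AmazonEventBridgeFullAccess
+- !Sub arn:${Partition}:iam::aws:policy/AWSCloudFormationFullAccess
 EventBridgeRole:
 Type: AWS::IAM::Role
 Properties:
@@ -168,7 +175,7 @@ Resources:
 - "events:DescribeRule"
 - "events:ListTargetsByRule"
 Resource:
-- !Sub arn:aws:events:*:*:rule/sysdig-secure-events-${NameSuffix}
+- !Sub arn:${Partition}:events:*:*:rule/sysdig-secure-events-${NameSuffix}
 EventBridgeRuleStackSet:
 Type: AWS::CloudFormation::StackSet
 Metadata:
@@ -203,7 +210,9 @@ Resources:
 - ParameterKey: RuleState
 ParameterValue: !Ref RuleState
 - ParameterKey: RuleEventPattern
-ParameterValue: !Ref RuleEventPattern
+ParameterValue: !Ref RuleEventPattern
+- ParameterKey: Partition
+ParameterValue: !Ref Partition
 StackInstancesGroup:
 - DeploymentTargets:
 Accounts:
@@ -230,6 +239,9 @@ Resources:
 RuleEventPattern:
 Type: String
 Description: JSON pattern for the EventBridge rule's event pattern
+Partition:
+Type: String
+Description: AWS Partition of your account or organization to create resources in
 Resources:
 EventBridgeRule:
 Type: "AWS::Events::Rule"
@@ -241,7 +253,7 @@ Resources:
 Targets:
 - Id: !Ref Name
 Arn: !Sub ${TargetEventBusARN}
-RoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/${Name}
+RoleArn: !Sub arn:${Partition}:iam::${AWS::AccountId}:role/${Name}
 OrganizationRoleStackSet:
 Type: AWS::CloudFormation::StackSet
 Condition: IsOrganizational
@@ -269,6 +281,8 @@ Resources:
 ParameterValue: !Ref ExternalID
 - ParameterKey: TargetEventBusARN
 ParameterValue: !Ref TargetEventBusARN
+- ParameterKey: Partition
+ParameterValue: !Ref Partition
 StackInstancesGroup:
 - DeploymentTargets:
 OrganizationalUnitIds: !Ref OrganizationalUnitIDs
@@ -288,7 +302,10 @@ Resources:
 Description: A unique identifier used to create and reference resources
 TargetEventBusARN:
 Type: String
-Description: The destination in Sysdig's AWS account where your events are sent
+Description: The destination in Sysdig's AWS account where your events are sent
+Partition:
+Type: String
+Description: AWS Partition of your account or organization to create resources in
 Resources:
 EventBridgeRole:
 Type: AWS::IAM::Role
@@ -321,7 +338,7 @@ Resources:
 - "events:DescribeRule"
 - "events:ListTargetsByRule"
 Resource:
-- !Sub arn:aws:events:*:*:rule/${Name}
+- !Sub arn:${Partition}:events:*:*:rule/${Name}
 OrganizationRuleStackSet:
 Type: AWS::CloudFormation::StackSet
 Condition: IsOrganizational
@@ -352,6 +369,8 @@ Resources:
 ParameterValue: !Ref RuleState
 - ParameterKey: RuleEventPattern
 ParameterValue: !Ref RuleEventPattern
+- ParameterKey: Partition
+ParameterValue: !Ref Partition
 StackInstancesGroup:
 - DeploymentTargets:
 OrganizationalUnitIds: !Ref OrganizationalUnitIDs
@@ -377,6 +396,9 @@ Resources:
 RuleEventPattern:
 Type: String
 Description: JSON pattern for the EventBridge rule's event pattern
+Partition:
+Type: String
+Description: AWS Partition of your account or organization to create resources in
 Resources:
 EventBridgeRule:
 Type: "AWS::Events::Rule"
@@ -388,7 +410,7 @@ Resources:
 Targets:
 - Id: !Ref Name
 Arn: !Ref TargetEventBusARN
-RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${Name}"
+RoleArn: !Sub "arn:${Partition}:iam::${AWS::AccountId}:role/${Name}"
 Outputs:
 EventBridgeRoleARN:
 Description: Sysdig Secure EventBridge Role ARN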
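Review bot: `Partition` is threaded as a free-form `String` with no `AllowedValues` through the outer template (new-side lines 99-102) and both nested StackSet templates (242-244, 306-308), yet the `RoleArn` lines it ends up in, `RoleArn: !Sub arn:${Partition}:iam::${AWS::AccountId}:role/${Name}`, already resolve `${AWS::AccountId}` as a pseudo parameter; `${AWS::Partition}` is resolved the same way for each stack instance and would remove the parameter plumbing along with any chance of a value that does not match the partition the instance is created in. If the parameter is kept on purpose, constrain the outer one with `AllowedValues: ['aws', 'aws-us-gov']` so the StackSets cannot be fed an invalid partition, and give the two nested declarations (which have no `Default`) a comment such as `# Passed from the parent stack; must match the partition the StackSet instances are deployed in`. The hunks cut through the `Resources` sections of all three templates, so the role and rule definitions they touch start or end outside the visible lines.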

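--- a/modules/log_ingestion.s3.cft.yaml
+++ b/modules/log_ingestion.s3.cft.yaml
@@ -20,11 +20,11 @@ Metadata:
 NameSuffix:
 default: Name Suffix
 ExternalID:
-default: "External ID"
+default: External ID
 TrustedIdentity:
-default: "Trusted Identity"
+default: Trusted Identity
 BucketARN:
-default: "Bucket ARN"
+default: Bucket ARN
 
 Parameters:
 NameSuffix: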
