creating cloudformation template for CSPM and Eventbridge (#84)

* adding eb templates

* adding full install template

* making changes as per PR comments

* move file

* renaming defaults

* adding changes as per design team

* renaming parameters

* adding github actions

* adding org templates

* adding ci and master templates

* added pr github action

* adding correct s3 directory

Author: sameer-in

.github/workflows/ci-master-cspm.yaml

@@ -0,0 +1,32 @@
+name: CI - Master CSPM
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'templates_cspm/**'
+
+
+jobs:
+  build:
+    name: Build and Upload
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: eu-west-1
+
+    - name: Build and Upload ECS templates
+      run: make ci
+      working-directory: ./templates_cspm
+      env:
+        S3_BUCKET: cf-templates-cloudvision-ci
+        S3_PREFIX: master

.github/workflows/ci-master-eventbridge.yaml

@@ -0,0 +1,32 @@
+name: CI - Master EventBridge
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'templates_eventbridge/**'
+
+
+jobs:
+  build:
+    name: Build and Upload
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: eu-west-1
+
+    - name: Build and Upload EventBridge templates
+      run: make ci
+      working-directory: ./templates_eventbridge
+      env:
+        S3_BUCKET: cf-templates-cloudvision-ci
+        S3_PREFIX: master

.github/workflows/ci-master-full-install.yaml

@@ -0,0 +1,32 @@
+name: CI - Master Full Install
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'templates_cspm_eventbridge/**'
+
+
+jobs:
+  build:
+    name: Build and Upload
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: eu-west-1
+
+    - name: Build and Upload Full install templates
+      run: make ci
+      working-directory: ./templates_cspm_eventbridge
+      env:
+        S3_BUCKET: cf-templates-cloudvision-ci
+        S3_PREFIX: master

.github/workflows/ci-pull-request-cspm.yaml

@@ -0,0 +1,48 @@
+name: CI - Pull Request CSPM
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'templates_cspm/**'
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: cfn-lint
+      uses: scottbrenner/cfn-lint-action@v2
+
+    - name: Print the Cloud Formation Linter Version & run Linter
+      run: |
+        cfn-lint --version
+        cfn-lint -t templates_cspm/**/*.yaml
+
+  build:
+    name: Build and Upload ECS templates
+    runs-on: ubuntu-latest
+    needs: [lint]
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: eu-west-1
+
+    - name: Build and Upload CSPM Templates
+      run: make ci
+      working-directory: templates_cspm
+      env:
+        S3_BUCKET: cf-templates-cloudvision-ci
+        S3_PREFIX: pr/${{ github.event.pull_request.head.ref }}

.github/workflows/ci-pull-request-eventbridge.yaml

@@ -0,0 +1,48 @@
+name: CI - Pull Request EventBridge
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'templates_eventbridge/**'
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: cfn-lint
+      uses: scottbrenner/cfn-lint-action@v2
+
+    - name: Print the Cloud Formation Linter Version & run Linter
+      run: |
+        cfn-lint --version
+        cfn-lint -t templates_eventbridge/**/*.yaml
+
+  build:
+    name: Build and Upload EventBridge templates
+    runs-on: ubuntu-latest
+    needs: [lint]
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: eu-west-1
+
+    - name: Build and Upload EventBridge Templates
+      run: make ci
+      working-directory: templates_eventbridge
+      env:
+        S3_BUCKET: cf-templates-cloudvision-ci
+        S3_PREFIX: pr/${{ github.event.pull_request.head.ref }}

.github/workflows/ci-pull-request-full-install.yaml

@@ -0,0 +1,48 @@
+name: CI - Pull Request Full Install
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'templates_cspm_eventbridge/**'
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: cfn-lint
+      uses: scottbrenner/cfn-lint-action@v2
+
+    - name: Print the Cloud Formation Linter Version & run Linter
+      run: |
+        cfn-lint --version
+        cfn-lint -t templates_cspm_eventbridge/**/*.yaml
+
+  build:
+    name: Build and Upload Full Install templates
+    runs-on: ubuntu-latest
+    needs: [lint]
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: eu-west-1
+
+    - name: Build and Upload Full Install Templates
+      run: make ci
+      working-directory: templates_cspm_eventbridge
+      env:
+        S3_BUCKET: cf-templates-cloudvision-ci
+        S3_PREFIX: pr/${{ github.event.pull_request.head.ref }}

.github/workflows/release.yaml

@@ -76,3 +76,45 @@ jobs:
       env:
         S3_BUCKET: cf-templates-cloudvision-ci
         S3_PREFIX: latest
+
+    - name: Build and Upload CSPM Version
+      run: make ci
+      working-directory: ./templates_cspm
+      env:
+        S3_BUCKET: cf-templates-cloudvision-ci
+        S3_PREFIX: ${{ steps.prep.outputs.VERSION }}
+
+    - name: Build and Upload CSPM Latest
+      run: make ci
+      working-directory: ./templates_cspm
+      env:
+        S3_BUCKET: cf-templates-cloudvision-ci
+        S3_PREFIX: latest        
+
+    - name: Build and Upload EventBridge Version
+      run: make ci
+      working-directory: ./templates_eventbridge
+      env:
+        S3_BUCKET: cf-templates-cloudvision-ci
+        S3_PREFIX: ${{ steps.prep.outputs.VERSION }}
+
+    - name: Build and Upload EventBridge Latest
+      run: make ci
+      working-directory: ./templates_eventbridge
+      env:
+        S3_BUCKET: cf-templates-cloudvision-ci
+        S3_PREFIX: latest        
+
+    - name: Build and Upload full install Version
+      run: make ci
+      working-directory: ./templates_cspm_eventbridge
+      env:
+        S3_BUCKET: cf-templates-cloudvision-ci
+        S3_PREFIX: ${{ steps.prep.outputs.VERSION }}         
+
+    - name: Build and Upload full install Latest
+      run: make ci
+      working-directory: ./templates_cspm_eventbridge
+      env:
+        S3_BUCKET: cf-templates-cloudvision-ci
+        S3_PREFIX: latest                        

templates_cspm/CloudAgentlessRole.yaml

@@ -0,0 +1,53 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: IAM Role for Agentless
+
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: ""
+        Parameters:
+          - RoleName
+      - Label:
+          default: "Sysdig Settings (Do not change)"
+        Parameters:
+          - ExternalID
+          - TrustedIdentity
+
+    ParameterLabels:
+      RoleName:
+        default: "Role Name"
+      ExternalID:
+        default: "External ID (Sysdig use only)"
+      TrustedIdentity:
+        default: "Trusted Identity (Sysdig use only)"
+
+Parameters:
+  RoleName:
+    Type: String
+    Default: "sysdig-secure"
+    Description: The read-only IAM Role that Sysdig will create
+  ExternalID:
+    Type: String
+    Description: Sysdig generated token that proves you own this account
+  TrustedIdentity:
+    Type: String
+    Description: The Role in Sysdig’s AWS Account with permissions to your account
+
+Resources:
+  CloudAgentlessRole:
+    Type: "AWS::IAM::Role"
+    Properties:
+      RoleName: !Ref RoleName
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: "Allow"
+            Principal:
+              AWS: !Ref TrustedIdentity
+            Action: "sts:AssumeRole"
+            Condition:
+              StringEquals:
+                sts:ExternalId: !Ref ExternalID
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/SecurityAudit

templates_cspm/Makefile

@@ -0,0 +1,47 @@
+# requires AWS_PROFILE
+# bucket must exist, prefix will be created
+S3_BUCKET ?= "s4c-cft"
+S3_PREFIX ?= "test"
+# We need the REGION or the TemplateURLs might be created for a different region, resulting in a deployment error
+S3_REGION ?= "eu-west-1" # ireland
+SECURE_API_TOKEN ?= ""
+STACK_NAME = "CSPMTest"
+
+.PHONY: packaged-template.yaml
+
+validate:
+	aws cloudformation validate-template --template-body file://./CloudAgentlessRole.yaml
+
+lint:
+	cfn-lint *.yaml
+
+packaged-template.yaml:
+	aws s3 rm s3://$(S3_BUCKET)/ecs/$(S3_PREFIX) --recursive
+	aws cloudformation package \
+		--region $(S3_REGION) \
+		--template-file CloudAgentlessRole.yaml \
+		--s3-bucket $(S3_BUCKET) \
+		--s3-prefix cspm/$(S3_PREFIX) \
+		--force-upload \
+		--output-template-file packaged-template.yaml
+
+test: packaged-template.yaml
+	aws cloudformation deploy \
+		--stack-name $(STACK_NAME) \
+		--template-file packaged-template.yaml \
+		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
+		--parameter-overrides \
+			"SysdigSecureAPIToken=$(SECURE_API_TOKEN)" 
+
+ci: packaged-template.yaml
+	aws s3 cp ./packaged-template.yaml s3://$(S3_BUCKET)/cspm/$(S3_PREFIX)/entry-point.yaml
+
+clean:
+	aws cloudformation delete-stack --stack-name $(STACK_NAME)
+	
+#
+# local-test-manual:
+# (have not found a way to do it via cli)
+# aws console > cloudformation > create new stack (template, upload template: select ./templates_ecs/Cloudvision.yaml)
+# note: this will upload the template into an s3 bucket, remember to delete it afterwards 
+#