modular templates (#127)

* add foundational module

* fix(foundational): single account

* feat(modules): foundational org template

* use yaml shorthand

* feat(modules): combine org and single templates

* feat(modules): add log ingestion eventbridge

* feat(modules): add log ingestion s3

* feat(modules): add volume access

* feat(modules): consolidate ci

* rolls up all modules into single CI workflow
* extend deploy target for all modules

* fix(modules): add `posture` to cspm role name

* fix(modules): tight execution role permissions

Author: cgeers

.github/workflows/ci-modules.yaml

@@ -0,0 +1,73 @@
+name: CI - Modules
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'modules/**'
+  push:
+    branches:
+      - main
+    paths:
+      - 'modules/**'
+
+jobs:
+  lint:
+    name: Lint Templates
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: cfn-lint
+      uses: scottbrenner/cfn-lint-action@v2
+
+    - name: Lint
+      working-directory: modules
+      run: make lint
+  
+  validate:
+    name: Validate Templates
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: eu-west-1
+    
+    - name: Validate Templates
+      run: make validate
+      working-directory: modules
+      
+  publish:
+    name: Publish Templates
+    runs-on: ubuntu-latest
+    needs:
+    - lint
+    - validate
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: eu-west-1
+
+    - name: Publish Templates
+      run: make publish
+      working-directory: modules
+      env:
+        S3_BUCKET: cf-templates-cloudvision-ci
+        S3_PREFIX: ${{ github.event.name == 'push' && 'main' || format('pr/{0}', github.event.pull_request.number)}}

modules/Makefile

@@ -0,0 +1,91 @@
+# requires AWS_PROFILE
+# bucket must exist, prefix will be created
+S3_BUCKET ?= "s4c-cft"
+S3_PREFIX ?= "test"
+S3_REGION ?= eu-west-1
+STACK_NAME = Sysdig-Secure
+PARAM_NAME_SUFFIX ?= test
+PARAM_IS_ORGANIZATIONAL ?= false
+PARAM_EXTERNAL_ID ?= test
+PARAM_TRUSTED_IDENTITY ?= arn:aws:iam:::role/$(PARAM_NAME_SUFFIX)
+PARAM_TARGET_EVENT_BUS_ARN ?= arn:aws:events:us-east-1::event-bus/default
+PARAM_BUCKET_ARN ?= arn:aws:s3:::cloudtrail-$(PARAM_NAME_SUFFIX)
+PARAM_REGIONS ?= us-east-1
+
+.PHONY: validate lint deploy test clean
+validate: export AWS_PAGER=""
+validate:
+	aws cloudformation validate-template --template-body file://./foundational.cft.yaml
+	aws cloudformation validate-template --template-body file://./log_ingestion.events.cft.yaml
+	aws cloudformation validate-template --template-body file://./log_ingestion.s3.cft.yaml
+	aws cloudformation validate-template --template-body file://./volume_access.cft.yaml
+
+lint:
+	cfn-lint *.cft.yaml
+	yq '.Resources.OrganizationStackSet.Properties.TemplateBody' foundational.cft.yaml | cfn-lint -
+	yq '.Resources.EventBridgeRuleStackSet.Properties.TemplateBody' log_ingestion.events.cft.yaml | cfn-lint -
+	yq '.Resources.OrganizationRoleStackSet.Properties.TemplateBody' log_ingestion.events.cft.yaml | cfn-lint -
+	yq '.Resources.OrganizationRuleStackSet.Properties.TemplateBody' log_ingestion.events.cft.yaml | cfn-lint -
+	yq '.Resources.ScanningKmsKeyStackSet.Properties.TemplateBody' volume_access.cft.yaml | cfn-lint -
+	yq '.Resources.OrganizationRoleStackSet.Properties.TemplateBody' volume_access.cft.yaml | cfn-lint -
+	yq '.Resources.OrganizationKMSKeyStackSet.Properties.TemplateBody' volume_access.cft.yaml | cfn-lint -
+
+publish:
+	aws s3 cp foundational.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/foundational.cft.yaml
+	aws s3 cp log_ingestion.s3.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/log_ingestion.s3.cft.yaml
+	aws s3 cp log_ingestion.events.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/log_ingestion.events.cft.yaml
+	aws s3 cp volume_access.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/volume_access.cft.yaml
+
+deploy:
+	aws cloudformation deploy \
+		--stack-name $(STACK_NAME)-Foundational-$(PARAM_NAME_SUFFIX) \
+		--template-file foundational.cft.yaml \
+		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
+		--parameter-overrides \
+			"NameSuffix=$(PARAM_NAME_SUFFIX)" \
+			"ExternalID=$(PARAM_EXTERNAL_ID)" \
+			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
+			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
+			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
+	aws cloudformation deploy \
+		--stack-name $(STACK_NAME)-LogIngestion-EventBridge-$(PARAM_NAME_SUFFIX) \
+		--template-file log_ingestion.events.cft.yaml \
+		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
+		--parameter-overrides \
+			"NameSuffix=$(PARAM_NAME_SUFFIX)" \
+			"ExternalID=$(PARAM_EXTERNAL_ID)" \
+			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
+			"Regions=$(PARAM_REGIONS)" \
+			"TargetEventBusARN=$(PARAM_TARGET_EVENT_BUS_ARN)" \
+			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
+			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
+	aws cloudformation deploy \
+		--stack-name $(STACK_NAME)-LogIngestion-S3-$(PARAM_NAME_SUFFIX) \
+		--template-file log_ingestion.s3.cft.yaml \
+		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
+		--parameter-overrides \
+			"NameSuffix=$(PARAM_NAME_SUFFIX)" \
+			"ExternalID=$(PARAM_EXTERNAL_ID)" \
+			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
+			"BucketARN=$(PARAM_BUCKET_ARN)" \
+			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
+			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
+	aws cloudformation deploy \
+		--stack-name $(STACK_NAME)-VolumeAccess-$(PARAM_NAME_SUFFIX) \
+		--template-file volume_access.cft.yaml \
+		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
+		--parameter-overrides \
+			"NameSuffix=$(PARAM_NAME_SUFFIX)" \
+			"ExternalID=$(PARAM_EXTERNAL_ID)" \
+			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
+			"Regions=$(PARAM_REGIONS)" \
+			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
+			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
+
+clean:
+	aws cloudformation delete-stack --stack-name $(STACK_NAME)-Foundational-$(PARAM_NAME_SUFFIX)
+	aws cloudformation delete-stack --stack-name $(STACK_NAME)-LogIngestion-EventBridge-$(PARAM_NAME_SUFFIX)
+	aws cloudformation delete-stack --stack-name $(STACK_NAME)-LogIngestion-S3-$(PARAM_NAME_SUFFIX)
+	aws cloudformation delete-stack --stack-name $(STACK_NAME)-VolumeAccess-$(PARAM_NAME_SUFFIX)
+
+

modules/README.md

@@ -0,0 +1,15 @@
+# Sysdig Secure - Modular Templates
+
+Modular templates support cross sections of Sysdig Secure feature sets. Each template is intended to be installable alongside one another, and amongst multiple instances. 
+
+## Common parameters
+
+* `NameSuffix` - a unique string suffix given to named resources where applicable.
+* `TrustedIdentity` - a Sysdig owned identity trusted to assume a permission limited customer installed role
+* `ExternalID` - a Sysdig assigned value
+
+## Organizations
+
+Organizations are supported by setting the following template parameters
+* `IsOrganizational=true`
+* `OrganizationalUnitsIDs=ou-...`