single onboarding changes

Author: lorenzo-merici

templates_cloudlogs/CloudLogs.yaml

@@ -1,8 +1,8 @@
 AWSTemplateFormatVersion: "2010-09-09"
 Description: >
-  CloudFormation single template for provisioning
-  the necessary resources for the `cloud-logs`
-  component.
+  CloudFormation template for provisioning the necessary resources for the
+  `cloud-logs` component. This includes IAM roles, policies, and optional SNS
+  topic and subscription for CloudTrail notifications.
 
 Metadata:
   AWS::CloudFormation::Interface:
@@ -14,6 +14,9 @@ Metadata:
           - ExternalID
           - TrustedIdentity
           - BucketARN
+          - CreateTopic
+          - TopicARN
+          - Endpoint
 
     ParameterLabels:
       CloudLogsRoleName:
@@ -24,22 +27,50 @@ Metadata:
         default: "Trusted Identity (Sysdig use only)"
       BucketARN:
         default: "Bucket ARN"
+      CreateTopic:
+        default: "Create SNS Topic"
+      TopicARN:
+        default: "SNS Topic ARN"
+      Endpoint:
+        default: "Sysdig Secure endpoint"
 
 Parameters:
   CloudLogsRoleName:
     Type: String
-    Description: The name of the IAM Role that will enable access to the Cloudtrail logs.
+    Description: The name of the IAM Role that will enable access to the CloudTrail logs.
+
   ExternalID:
     Type: String
     Description: Random string generated unique to a customer.
+
   TrustedIdentity:
     Type: String
-    Description: The name of Sysdig trusted identity.
+    Description: The name of Sysdig's trusted identity.
+
   BucketARN:
     Type: String
-    Description: The ARN of your s3 bucket associated with your Cloudtrail trail.
+    Description: The ARN of your S3 bucket associated with your CloudTrail trail.
+
+  CreateTopic:
+    Type: String
+    AllowedValues:
+      - "true"
+      - "false"
+    Default: "false"
+    Description: "Whether to create a new SNS Topic for CloudTrail notifications."
+
+  TopicARN:
+    Type: String
+    Default: ""
+    Description: "The ARN of an existing SNS Topic. Ignored if CreateTopic is set to true."
+
+  Endpoint:
+    Type: String
+    Default: ""
+    Description: "Sysdig Secure endpoint to receive CloudTrail notifications."
 
 Resources:
+  # IAM Role
   CloudLogsRole:
     Type: "AWS::IAM::Role"
     Properties:
@@ -55,6 +86,8 @@ Resources:
             Condition:
               StringEquals:
                 "sts:ExternalId": !Ref ExternalID
+
+  # IAM Policy
   CloudLogsRolePolicies:
     Type: "AWS::IAM::Policy"
     Properties:
@@ -77,4 +110,48 @@ Resources:
               - !Sub '${BucketARN}'
               - !Sub '${BucketARN}/*'
       Roles:
-        - Ref: "CloudLogsRole"
+        - !Ref CloudLogsRole
+
+  # SNS Topic (optional creation)
+  CloudTrailNotificationsTopic:
+    Condition: CreateSNSTopic
+    Type: "AWS::SNS::Topic"
+    Properties:
+      TopicName: !Sub "${AWS::StackName}-CloudTrailNotifications"
+      DisplayName: "CloudTrail Notifications for Sysdig"
+
+  CloudTrailNotificationsSubscription:
+    Condition: CreateSNSTopic
+    Type: "AWS::SNS::Subscription"
+    Properties:
+      TopicArn: !Ref CloudTrailNotificationsTopic
+      Protocol: "https"
+      Endpoint: '${Endpoint}'
+
+  CloudTrailNotificationsPolicy:
+    Condition: CreateSNSTopic
+    Type: "AWS::SNS::TopicPolicy"
+    Properties:
+      Topics:
+        - !Ref CloudTrailNotificationsTopic
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Sid: "AllowCloudTrailPublish"
+            Effect: "Allow"
+            Principal:
+              Service: "cloudtrail.amazonaws.com"
+            Action: "SNS:Publish"
+            Resource: !Ref CloudTrailNotificationsTopic
+
+Conditions:
+  CreateSNSTopic: !Equals [!Ref CreateTopic, "true"]
+
+Outputs:
+  RoleARN:
+    Description: "The ARN of the IAM Role created for CloudTrail logs."
+    Value: !GetAtt CloudLogsRole.Arn
+
+  TopicARN:
+    Description: "The ARN of the SNS Topic created for CloudTrail notifications."
+    Value: !If [CreateSNSTopic, !Ref CloudTrailNotificationsTopic, !Ref TopicARN]