feat(WIP): CFT App Runner (#68)

* feat(WIP): add apprunner templates

* feat: add cf templates for apprunner

* feat: add cf templates for apprunner

* ci: change bucket directory

* ci: upload apprunner templates to  bucket

* ci: remove upload apprunner files

* ci: upload apprunner templates to  bucket

* ci: fix wrong directory

* ci: fix wrong directory

Author: hayk99

.github/workflows/ci-pull-request.yaml

@@ -38,9 +38,9 @@ jobs:
         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         aws-region: eu-west-1
 
-    - name: Build and Upload
+    - name: Build and Upload ECS Templates
       run: make ci
-      working-directory: ./templates
+      working-directory: templates_apprunner
       env:
         S3_BUCKET: cf-templates-cloudvision-ci
-        S3_PREFIX: pr/${{ github.event.pull_request.head.ref }}
+        S3_PREFIX: pr/${{ github.event.pull_request.head.ref }}

templates/Makefile

@@ -5,6 +5,7 @@ S3_PREFIX ?= "test"
 # We need the REGION or the TemplateURLs might be created for a different region, resulting in a deployment error
 S3_REGION ?= "eu-west-1" # ireland
 SECURE_API_TOKEN ?= ""
+STACK_NAME = "SecureForCloudECSTest"
 
 .PHONY: packaged-template.yaml
 
@@ -26,7 +27,7 @@ packaged-template.yaml:
 
 test: packaged-template.yaml
 	aws cloudformation deploy \
-		--stack-name "CloudVisionTest" \
+		--stack-name $(STACK_NAME) \
 		--template-file packaged-template.yaml \
 		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
 		--parameter-overrides \
@@ -38,7 +39,7 @@ ci: packaged-template.yaml
 	aws s3 cp ./packaged-template.yaml s3://$(S3_BUCKET)/$(S3_PREFIX)/entry-point.yaml
 
 clean:
-	aws cloudformation delete-stack --stack-name "CloudVisionTest"
+	aws cloudformation delete-stack --stack-name $(STACK_NAME)
 
 
 #	

templates_apprunner/CloudAgentlessRole.yaml

@@ -0,0 +1,32 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: IAM Role for Agentless
+Parameters:
+  SysdigRoleName:
+    Type: String
+    Default: "SysdigAgentlessRole"
+    Description: Unique role for monitoring AWS accounts
+  SysdigExternalID:
+    Type: String
+    Description: ExternalID required for the policy
+  SysdigTrustedIdentity:
+    Type: String
+    Description: Trusted identity required for policy
+
+Resources:
+  CloudAgentlessRole:
+    Type: "AWS::IAM::Role"
+    Properties:
+      RoleName: !Ref SysdigRoleName
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          -
+            Effect: "Allow"
+            Principal:
+              AWS: !Ref SysdigTrustedIdentity
+            Action: "sts:AssumeRole"
+            Condition:
+              StringEquals:
+                sts:ExternalId: !Ref SysdigExternalID
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/SecurityAudit

templates_apprunner/CloudConnector.yaml

@@ -0,0 +1,223 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: Cloud Connector for AWS
+
+Parameters:
+  LogRetention:
+    Type: Number
+    Default: 5
+    Description: Days to keep logs from CloudConnector
+  SysdigSecureEndpoint:
+    Type: String
+    Description: "Sysdig Secure Endpoint URL"
+  SysdigSecureAPIToken:
+    Type: String
+    Description: "Name of the parameter in SSM containing the Sysdig Secure API Token"
+  SysdigSecureAPITokenSsm:
+    Type: AWS::SSM::Parameter::Name
+    Description: "Name of the parameter in SSM containing the Sysdig Secure API Token"
+  S3ConfigBucket:
+    Type: String
+    Description: Name of a bucket (must exist) where the configuration YAML files will be stored
+  VerifySSL:
+    Type: String
+    AllowedValues:
+      - "Yes"
+      - "No"
+    Default: "Yes"
+  BuildProject:
+    Type: String
+    Default: ""
+  CloudTrailTopic:
+    Type: String
+    Description: ARN of the SNS Topic to subscribe
+  DeployCloudScanning:
+    Type: String
+    AllowedValues:
+      - "Yes"
+      - "No"
+    Default: "Yes"
+    Description: Whether to deploy cloud scanning or not
+  ECRImageScanningDeploy:
+    Type: String
+    AllowedValues:
+      - "Yes"
+      - "No"
+    Default: "Yes"
+    Description: Whether to deploy ECR Image Scanning or not
+  ECSImageScanningDeploy:
+    Type: String
+    AllowedValues:
+      - "Yes"
+      - "No"
+    Default: "Yes"
+    Description: Whether to deploy ECS Image Scanning or not
+
+Conditions:
+  VerifySSL: !Equals [ !Ref VerifySSL, "Yes" ]
+  DeployCloudScanning: !Equals [ !Ref DeployCloudScanning, "Yes"]
+  ECRImageScanningDeploy: !Equals [ !Ref ECRImageScanningDeploy, "Yes"]
+  ECSImageScanningDeploy: !Equals [ !Ref ECSImageScanningDeploy, "Yes"]
+
+Resources:
+
+  CloudTrailQueue:
+    Type: AWS::SQS::Queue
+
+  CloudTrailQueuePolicy:
+    Type: AWS::SQS::QueuePolicy
+    Properties:
+      Queues:
+        - !Ref CloudTrailQueue
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Sid: Allow CloudTrail to send messages
+            Effect: Allow
+            Principal:
+              Service: sns.amazonaws.com
+            Action:
+              - sqs:SendMessage
+              - sqs:SendMessageBatch
+            Resource: !GetAtt CloudTrailQueue.Arn
+
+  Subscription:
+    Type: AWS::SNS::Subscription
+    Properties:
+      Protocol: sqs
+      Endpoint: !GetAtt CloudTrailQueue.Arn
+      TopicArn: !Ref CloudTrailTopic
+
+  LogGroup:
+    Type: AWS::Logs::LogGroup
+    Properties:
+      LogGroupName: !Ref AWS::StackName
+      RetentionInDays: !Ref LogRetention
+
+  AlertsLogStream:
+    Type: AWS::Logs::LogStream
+    Properties:
+      LogGroupName: !Ref LogGroup
+      LogStreamName: alerts
+
+  CloudConnectorAppRunner:
+    Type: AWS::AppRunner::Service
+    Properties:
+      ServiceName: "CloudConnector_AppRunner"
+      InstanceConfiguration:
+        InstanceRoleArn: !GetAtt AppRunnerRole.Arn
+      SourceConfiguration:
+        AutoDeploymentsEnabled: false
+        ImageRepository:
+          ImageConfiguration:
+            Port: "5000"
+            RuntimeEnvironmentVariables:
+              - Name: CONFIG
+                Value:
+                  "Fn::Base64":
+                    !Sub
+                    - |
+                      logging: info
+                      rules: []
+                      ingestors:
+                        - cloudtrail-sns-sqs:
+                            queueURL: ${CloudTrailQueue}
+                      scanners: ${Scanners}
+                    - S3ConfigBucket: !Ref S3ConfigBucket
+                      CloudTrailQueue: !Ref CloudTrailQueue
+                      Scanners:
+                        'Fn::If':
+                          - DeployCloudScanning
+                          - !Sub
+                            - |
+
+                              ${ECRCode}
+                              ${ECSCode}
+                            - ECRCode:
+                                'Fn::If':
+                                  - ECRImageScanningDeploy
+                                  - !Sub |
+
+                                    - aws-ecr:
+                                          codeBuildProject: ${BuildProject}
+                                          secureAPITokenSecretName: ${SysdigSecureAPITokenSsm}
+                                  - ""
+                              ECSCode:
+                                'Fn::If':
+                                  - ECSImageScanningDeploy
+                                  - !Sub |
+
+                                    - aws-ecs:
+                                          codeBuildProject: ${BuildProject}
+                                          secureAPITokenSecretName: ${SysdigSecureAPITokenSsm}
+                                  - ""
+                          - "[]"
+
+              - Name: SECURE_API_TOKEN
+                Value: !Ref SysdigSecureAPIToken
+              - Name: SECURE_URL
+                Value: !Ref SysdigSecureEndpoint
+              - Name: VERIFY_SSL
+                Value: !If [ VerifySSL, "true", "false" ]
+              - Name: TELEMETRY_DEPLOYMENT_METHOD
+                Value: "cft_aws_apprunner_single"
+          ImageIdentifier: "public.ecr.aws/o5x4u2t4/cloud-connector:latest"
+          ImageRepositoryType: "ECR_PUBLIC"
+      Tags:
+        - Key: Name
+          Value: !Sub "${AWS::StackName}-CloudConnector"
+
+  AppRunnerRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: [ tasks.apprunner.amazonaws.com ]
+            Action: [ 'sts:AssumeRole' ]
+      Path: /
+      Policies:
+        - PolicyName: !Sub "${AWS::StackName}-AppRunnerPolicy"
+          PolicyDocument:
+            Statement:
+              - Effect: Allow
+                Action:
+                  - "s3:GetObject"
+                  - "s3:ListBucket"
+                Resource: '*'
+              - Effect: Allow
+                Action:
+                  - 'sqs:GetQueueUrl'
+                  - 'sqs:ListQueues'
+                  - 'sqs:DeleteMessage'
+                  - 'sqs:ReceiveMessage'
+                Resource:
+                  - !Sub "arn:aws:sqs:*:${AWS::AccountId}:*"
+        - PolicyName: !Sub "${AWS::StackName}-TriggerScan"
+          PolicyDocument:
+            Statement:
+              - Effect: Allow
+                Action:
+                  - "codebuild:StartBuild"
+                Resource:
+                  - !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${BuildProject}"
+        - PolicyName: !Sub "${AWS::StackName}-ECRReader"
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - "ecr:GetAuthorizationToken"
+                  - "ecr:BatchCheckLayerAvailability"
+                  - "ecr:GetDownloadUrlForLayer"
+                  - "ecr:DescribeImages"
+                  - "ecr:BatchGetImage"
+                Resource: "*"
+        - PolicyName: !Sub "${AWS::StackName}-SSMReader"
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - "ssm:GetParameters"
+                Resource: "*"