Merge remote-tracking branch 'origin' into add-bedrock-perm

Author: ismael-penacho-sysdig

.github/workflows/ci-modules.yaml

@@ -0,0 +1,77 @@
+name: CI - Modules
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'modules/**'
+  push:
+    branches:
+      - main
+    tags:
+      - 'v**'
+    paths:
+      - 'modules/**'
+
+jobs:
+  lint:
+    name: Lint Templates
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: cfn-lint
+      uses: scottbrenner/cfn-lint-action@v2
+      with:
+        version: "==1.18.3"
+
+    - name: Lint
+      working-directory: modules
+      run: make lint
+
+  validate:
+    name: Validate Templates
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: eu-west-1
+    
+    - name: Validate Templates
+      run: make validate
+      working-directory: modules
+      
+  publish:
+    name: Publish Templates
+    runs-on: ubuntu-latest
+    needs:
+    - lint
+    - validate
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: eu-west-1
+
+    - name: Publish Templates
+      run: make publish
+      working-directory: modules
+      env:
+        S3_BUCKET: cf-templates-cloudvision-ci
+        S3_PREFIX: ${{ github.event_name == 'push' && ((contains(github.ref, '/tags/v') && github.ref_name) || 'main') || format('pr/{0}', github.event.pull_request.number)}}

modules/Makefile

@@ -0,0 +1,131 @@
+# requires AWS_PROFILE
+# bucket must exist, prefix will be created
+S3_BUCKET ?= "s4c-cft"
+S3_PREFIX ?= "test"
+S3_REGION ?= eu-west-1
+STACK_NAME = Sysdig-Secure
+PARAM_NAME_SUFFIX ?= test
+PARAM_IS_ORGANIZATIONAL ?= false
+PARAM_EXTERNAL_ID ?= test
+PARAM_TRUSTED_IDENTITY ?= arn:aws:iam:::role/$(PARAM_NAME_SUFFIX)
+PARAM_API_KEY ?= <your_api_key>
+PARAM_INGESTION_URL ?= https://app-staging.sysdigcloud.com/api/cloudingestion/webhooks/eventbridge/v1/64616366-3130-6163-3665-346636653537
+PARAM_RATE_LIMIT ?= 300
+PARAM_BUCKET_ARN ?= arn:aws:s3:::cloudtrail-$(PARAM_NAME_SUFFIX)
+PARAM_REGIONS ?= us-east-1
+PARAM_LAMBDA_SCANNING_ENABLED ?= true
+
+.PHONY: validate lint deploy test clean
+validate: export AWS_PAGER=""
+validate:
+	aws --region us-east-1 cloudformation validate-template --template-body file://./foundational.cft.yaml
+	aws --region us-east-1 cloudformation validate-template --template-body file://./log_ingestion.events.cft.yaml
+	aws --region us-east-1 cloudformation validate-template --template-body file://./log_ingestion.s3.cft.yaml
+	aws --region us-east-1 cloudformation validate-template --template-body file://./volume_access.cft.yaml
+	aws --region us-east-1 cloudformation validate-template --template-body file://./vm_workload_scanning.cft.yaml
+
+lint:
+	cfn-lint *.cft.yaml
+	yq '.Resources.OrganizationStackSet.Properties.TemplateBody' foundational.cft.yaml | cfn-lint -
+	yq '.Resources.EventBridgeRuleStackSet.Properties.TemplateBody' log_ingestion.events.cft.yaml | cfn-lint -
+	yq '.Resources.OrganizationRoleStackSet.Properties.TemplateBody' log_ingestion.events.cft.yaml | cfn-lint -
+	yq '.Resources.OrganizationRuleStackSet.Properties.TemplateBody' log_ingestion.events.cft.yaml | cfn-lint -
+	yq '.Resources.AccountStackSet.Properties.TemplateBody' volume_access.cft.yaml | cfn-lint -
+	yq '.Resources.OrganizationStackSet.Properties.TemplateBody' volume_access.cft.yaml | cfn-lint -
+	yq '.Resources.ScanningOrgStackSet.Properties.TemplateBody' vm_workload_scanning.cft.yaml | cfn-lint -
+
+publish:
+	aws s3 cp foundational.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/foundational.cft.yaml
+	aws s3 cp log_ingestion.s3.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/log_ingestion.s3.cft.yaml
+	aws s3 cp log_ingestion.events.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/log_ingestion.events.cft.yaml
+	aws s3 cp volume_access.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/volume_access.cft.yaml
+	aws s3 cp vm_workload_scanning.cft.yaml s3://$(S3_BUCKET)/modules/$(S3_PREFIX)/vm_workload_scanning.cft.yaml
+
+deploy:
+	aws cloudformation deploy \
+		--stack-name $(STACK_NAME)-Foundational-$(PARAM_NAME_SUFFIX) \
+		--template-file foundational.cft.yaml \
+		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
+		--parameter-overrides \
+			"NameSuffix=$(PARAM_NAME_SUFFIX)" \
+			"ExternalID=$(PARAM_EXTERNAL_ID)" \
+			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
+			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
+			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
+			"Partition=${PARAM_PARTITION}" \
+			"RootOUID=$(PARAM_ROOT_OU_ID)" \
+			"IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
+			"IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
+			"ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)"
+	aws cloudformation deploy \
+		--stack-name $(STACK_NAME)-LogIngestion-EventBridge-$(PARAM_NAME_SUFFIX) \
+		--template-file log_ingestion.events.cft.yaml \
+		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
+		--parameter-overrides \
+			"NameSuffix=$(PARAM_NAME_SUFFIX)" \
+			"ExternalID=$(PARAM_EXTERNAL_ID)" \
+			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
+			"Regions=$(PARAM_REGIONS)" \
+			"ApiKey=$(PARAM_API_KEY)" \
+			"IngestionUrl=$(PARAM_INGESTION_URL)" \
+			"RateLimit=$(PARAM_RATE_LIMIT)" \
+			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
+			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
+			"Partition=${PARAM_PARTITION}" \
+			"RootOUID=$(PARAM_ROOT_OU_ID)" \
+			"IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
+			"IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
+			"ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)"
+	aws cloudformation deploy \
+		--stack-name $(STACK_NAME)-LogIngestion-S3-$(PARAM_NAME_SUFFIX) \
+		--template-file log_ingestion.s3.cft.yaml \
+		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
+		--parameter-overrides \
+			"NameSuffix=$(PARAM_NAME_SUFFIX)" \
+			"ExternalID=$(PARAM_EXTERNAL_ID)" \
+			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
+			"BucketARN=$(PARAM_BUCKET_ARN)" \
+			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
+			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
+			"RootOUID=$(PARAM_ROOT_OU_ID)" \
+			"IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
+			"IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
+			"ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)"
+	aws cloudformation deploy \
+		--stack-name $(STACK_NAME)-VolumeAccess-$(PARAM_NAME_SUFFIX) \
+		--template-file volume_access.cft.yaml \
+		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
+		--parameter-overrides \
+			"NameSuffix=$(PARAM_NAME_SUFFIX)" \
+			"ExternalID=$(PARAM_EXTERNAL_ID)" \
+			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
+			"Regions=$(PARAM_REGIONS)" \
+			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
+			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
+			"RootOUID=$(PARAM_ROOT_OU_ID)" \
+			"IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
+			"IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
+			"ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)"
+
+	aws cloudformation deploy \
+		--stack-name $(STACK_NAME)-VMWorkloadScanning-$(PARAM_NAME_SUFFIX) \
+		--template-file vm_workload_scanning.cft.yaml \
+		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
+		--parameter-overrides \
+			"NameSuffix=$(PARAM_NAME_SUFFIX)" \
+			"ExternalID=$(PARAM_EXTERNAL_ID)" \
+			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
+			"LambdaScanningEnabled"=$(PARAM_LAMBDA_SCANNING_ENABLED) \
+			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
+			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
+			"RootOUID=$(PARAM_ROOT_OU_ID)" \
+			"IncludeOUIDs=$(PARAM_INCLUDE_OU_IDS)" \
+			"IncludeAccounts=$(PARAM_INCLUDE_ACCOUNTS)" \
+			"ExcludeAccounts=$(PARAM_EXCLUDE_ACCOUNTS)"
+
+clean:
+	aws cloudformation delete-stack --stack-name $(STACK_NAME)-Foundational-$(PARAM_NAME_SUFFIX)
+	aws cloudformation delete-stack --stack-name $(STACK_NAME)-LogIngestion-EventBridge-$(PARAM_NAME_SUFFIX)
+	aws cloudformation delete-stack --stack-name $(STACK_NAME)-LogIngestion-S3-$(PARAM_NAME_SUFFIX)
+	aws cloudformation delete-stack --stack-name $(STACK_NAME)-VolumeAccess-$(PARAM_NAME_SUFFIX)
+	aws cloudformation delete-stack --stack-name $(STACK_NAME)-VMWorkloadScanning-$(PARAM_NAME_SUFFIX)

modules/README.md

@@ -0,0 +1,25 @@
+# Sysdig Secure - Modular Templates
+
+Modular templates support cross sections of Sysdig Secure feature sets. Each template is intended to be installable alongside one another, and amongst multiple instances. 
+
+## Common parameters
+
+* `NameSuffix` - a unique string suffix given to named resources where applicable.
+* `TrustedIdentity` - a Sysdig owned identity trusted to assume a permission limited customer installed role
+* `ExternalID` - a Sysdig assigned value
+
+## Organizations
+
+Organizations are supported by setting the following template parameters
+* `IsOrganizational=true`
+* `OrganizationalUnitIDs=ou-...` (to be deprecated soon, please read below)
+
+### Organizational Install Configurations
+
+Following are the new parameters to configure organizational deployments on the cloud for Sysdig Secure for Cloud :-
+1. `RootOUID` - Root Organization Unit ID
+2. `IncludeOUIDs` - List of AWS Organizational Unit IDs to deploy the Sysdig Secure for Cloud resources in.
+3. `IncludeAccounts` - List of AWS Accounts to deploy the Sysdig Secure for Cloud resources in.
+4. `ExcludeAccounts` - List of AWS Accounts to exclude deploying the Sysdig Secure for Cloud resources in.
+
+**WARNING**: module template parameter `OrganizationalUnitIDs` will be DEPRECATED soon going forward. Please work with Sysdig to migrate your CFT based installs to use `IncludeOUIDs` instead to achieve the same deployment outcome.