Revamp cloudformation templates for Cloudlogs module (#106)

Author: gi-erre

templates_cloudlogs/CloudLogs.yaml

@@ -1,6 +1,6 @@
 AWSTemplateFormatVersion: "2010-09-09"
 Description: >
-  CloudFormation template for provisioning
+  CloudFormation single template for provisioning
   the necessary resources for the `cloud-logs`
   component.
 

templates_cloudlogs/Makefile

@@ -5,18 +5,21 @@ S3_PREFIX ?= "test"
 # We need the REGION or the TemplateURLs might be created for a different region, resulting in a deployment error
 S3_REGION ?= "eu-west-1" # ireland
 SECURE_API_TOKEN ?= ""
-STACK_NAME = "CloudLogsTest"
+STACK_NAME = "CloudlogsTest"
+STACK_NAME_ORG = "OrgCloudlogsTest"
 
 .PHONY: packaged-template.yaml
+.PHONY: packaged-template-org.yaml
 
 validate:
 	aws cloudformation validate-template --template-body file://./CloudLogs.yaml
+	aws cloudformation validate-template --template-body file://./OrgCloudLogs.yaml
 
 lint:
 	cfn-lint *.yaml
 
 packaged-template.yaml:
-	aws s3 rm s3://$(S3_BUCKET)/cloudlogs/$(S3_PREFIX) --recursive
+	aws s3 rm s3://$(S3_BUCKET)/cloudlogs/single/$(S3_PREFIX) --recursive
 
 	aws cloudformation package \
 		--region $(S3_REGION) \
@@ -35,7 +38,31 @@ test: packaged-template.yaml
 			"SysdigSecureAPIToken=$(SECURE_API_TOKEN)"
 
 ci: packaged-template.yaml
-	aws s3 cp ./packaged-template.yaml s3://$(S3_BUCKET)/cloudlogs/$(S3_PREFIX)/entry-point.yaml
+	aws s3 cp ./packaged-template.yaml s3://$(S3_BUCKET)/cloudlogs/single/$(S3_PREFIX)/entry-point.yaml
 
 clean:
 	aws cloudformation delete-stack --stack-name $(STACK_NAME)
+
+packaged-template-org.yaml:
+	aws s3 rm s3://$(S3_BUCKET)/cloudlogs/org/$(S3_PREFIX) --recursive
+	aws cloudformation package \
+		--region $(S3_REGION) \
+		--template-file OrgCloudlogs.yaml \
+		--s3-bucket $(S3_BUCKET) \
+		--s3-prefix cspm/$(S3_PREFIX) \
+		--force-upload \
+		--output-template-file packaged-template-org.yaml
+
+test-org: packaged-template-org.yaml
+	aws cloudformation deploy \
+		--stack-name $(STACK_NAME_ORG) \
+		--template-file packaged-template-org.yaml \
+		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
+		--parameter-overrides \
+			"SysdigSecureAPIToken=$(SECURE_API_TOKEN)"
+
+ci-org: packaged-template-org.yaml
+	aws s3 cp ./packaged-template-org.yaml s3://$(S3_BUCKET)/cloudlogs/org/$(S3_PREFIX)/entry-point.yaml
+
+clean-org:
+	aws cloudformation delete-stack --stack-name $(STACK_NAME_ORG)

templates_cloudlogs/OrgCloudLogs.yaml

@@ -0,0 +1,97 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: >
+  CloudFormation organizational template for provisioning
+  the necessary resources for the `cloud-logs`
+  component and the read-only role required to itneract with
+  the target organizational environment.
+
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: "Sysdig Settings (Do not change)"
+        Parameters:
+          - CSPMRoleName
+          - CloudLogsRoleName
+          - ExternalID
+          - TrustedIdentity
+          - BucketARN
+
+    ParameterLabels:
+      CSPMRoleName:
+        default: "CSPM Role Name (Sysdig use only)"
+      CloudLogsRoleName:
+        default: "CloudLogs Role Name (Sysdig use only)"
+      ExternalID:
+        default: "External ID (Sysdig use only)"
+      TrustedIdentity:
+        default: "Trusted Identity (Sysdig use only)"
+      BucketARN:
+        default: "Bucket ARN"
+
+Parameters:
+  CSPMRoleName:
+    Type: String
+    Description: The name of the read-only IAM Role that Sysdig will use to interact with the target environment
+  CloudLogsRoleName:
+    Type: String
+    Description: The name of the IAM Role that will enable access to the Cloudtrail logs.
+  ExternalID:
+    Type: String
+    Description: Random string generated unique to a customer.
+  TrustedIdentity:
+    Type: String
+    Description: The name of Sysdig trusted identity.
+  BucketARN:
+    Type: String
+    Description: The ARN of your s3 bucket associated with your Cloudtrail trail.
+
+Resources:
+  CloudLogsRole:
+    Type: "AWS::IAM::Role"
+    Properties:
+      RoleName: !Ref CloudLogsRoleName
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: "Allow"
+            Principal:
+              AWS: !Ref TrustedIdentity
+            Action:
+              - "sts:AssumeRole"
+            Condition:
+              StringEquals:
+                "sts:ExternalId": !Ref ExternalID
+  CloudLogsRolePolicies:
+    Type: "AWS::IAM::Policy"
+    Properties:
+      PolicyName: "CloudlogsS3Access"
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Sid: "CloudlogsS3Access"
+            Effect: "Allow"
+            Action:
+              - "s3:Get*"
+              - "s3:List*"
+            Resource:
+              - !Sub '${BucketARN}'
+              - !Sub '${BucketARN}/*'
+      Roles:
+        - Ref: "CloudLogsRole"
+  CloudAgentlessRole:
+    Type: "AWS::IAM::Role"
+    Properties:
+      RoleName: !Ref CSPMRoleName
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: "Allow"
+            Principal:
+              AWS: !Ref TrustedIdentity
+            Action: "sts:AssumeRole"
+            Condition:
+              StringEquals:
+                sts:ExternalId: !Ref ExternalID
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/SecurityAudit

templates_cspm_cloudlogs/OrgFullInstall.yaml

@@ -112,14 +112,10 @@ Resources:
       Parameters:
         - ParameterKey: CSPMRoleName
           ParameterValue: !Ref CSPMRoleName
-        - ParameterKey: CloudLogsRoleName
-          ParameterValue: !Ref CloudLogsRoleName
         - ParameterKey: TrustedIdentity
           ParameterValue: !Ref TrustedIdentity
         - ParameterKey: ExternalID
           ParameterValue: !Ref ExternalID
-        - ParameterKey: BucketARN
-          ParameterValue: !Ref BucketARN
       StackInstancesGroup:
         - DeploymentTargets:
             OrganizationalUnitIds: !Split [ ",", !Ref OrganizationUnitIDs]
@@ -131,15 +127,9 @@ Resources:
           CSPMRoleName:
             Type: String
             Description: A unique identifier used to create an IAM Role
-          CloudLogsRoleName:
-            Type: String
-            Description: The name of the IAM Role that will enable access to the Cloudtrail logs.
           TrustedIdentity:
             Type: String
             Description: The Role in Sysdig's AWS Account with permissions to your account
-          BucketARN:
-            Type: String
-            Description: The ARN of your s3 bucket associated with your Cloudtrail trail.
           ExternalID:
             Type: String
             Description: Sysdig ExternalID required for the policy creation
@@ -160,35 +150,3 @@ Resources:
                         sts:ExternalId: !Sub ${ExternalID}
               ManagedPolicyArns:
                 - arn:aws:iam::aws:policy/SecurityAudit
-          CloudLogsRole:
-            Type: "AWS::IAM::Role"
-            Properties:
-              RoleName: !Ref CloudLogsRoleName
-              AssumeRolePolicyDocument:
-                Version: "2012-10-17"
-                Statement:
-                  - Effect: "Allow"
-                    Principal:
-                      AWS: !Ref TrustedIdentity
-                    Action:
-                      - "sts:AssumeRole"
-                    Condition:
-                      StringEquals:
-                        "sts:ExternalId": !Ref ExternalID
-          CloudLogsRolePolicies:
-            Type: "AWS::IAM::Policy"
-            Properties:
-              PolicyName: "CloudlogsS3Access"
-              PolicyDocument:
-                Version: "2012-10-17"
-                Statement:
-                  - Sid: "CloudlogsS3Access"
-                    Effect: "Allow"
-                    Action:
-                      - "s3:Get*"
-                      - "s3:List*"
-                    Resource:
-                      - !Sub '${BucketARN}'
-                      - !Sub '${BucketARN}/*'
-              Roles:
-                - Ref: "CloudLogsRole"