feat(modules): Support for Govcloud account/org

modules/Makefile

@@ -45,7 +45,8 @@ deploy:
 			"ExternalID=$(PARAM_EXTERNAL_ID)" \
 			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
 			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
-			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
+			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
+			"Partition=${PARAM_PARTITION}"
 	aws cloudformation deploy \
 		--stack-name $(STACK_NAME)-LogIngestion-EventBridge-$(PARAM_NAME_SUFFIX) \
 		--template-file log_ingestion.events.cft.yaml \
@@ -57,7 +58,8 @@ deploy:
 			"Regions=$(PARAM_REGIONS)" \
 			"TargetEventBusARN=$(PARAM_TARGET_EVENT_BUS_ARN)" \
 			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
-			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)"
+			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
+			"Partition=${PARAM_PARTITION}"
 	aws cloudformation deploy \
 		--stack-name $(STACK_NAME)-LogIngestion-S3-$(PARAM_NAME_SUFFIX) \
 		--template-file log_ingestion.s3.cft.yaml \

modules/foundational.cft.yaml

@@ -11,6 +11,7 @@ Metadata:
       - TrustedIdentity
       - IsOrganizational
       - OrganizationalUnitIDs
+      - Partition
     ParameterLabels:
       NameSuffix:
         default: Name Suffix
@@ -22,6 +23,8 @@ Metadata:
         default: Is Organizational
       OrganizationalUnitIDs:
         default: Organizational Unit IDs
+      Partition:
+        default: AWS Partition
 Parameters:
   NameSuffix:
     Type: String
@@ -45,6 +48,10 @@ Parameters:
   OrganizationalUnitIDs:
     Type: CommaDelimitedList
     Description: Comma separated list of organizational unit IDs to deploy
+  Partition:
+    Type: String
+    Description: AWS Partition of your account or organization to create resources in
+    Default: 'aws'
 Conditions:
   IsOrganizational:
     Fn::Equals:
@@ -68,7 +75,7 @@ Resources:
               sts:ExternalId:
                 Ref: ExternalID
       ManagedPolicyArns:
-      - arn:aws:iam::aws:policy/SecurityAudit
+      - !Sub arn:${Partition}:iam::aws:policy/SecurityAudit
       Policies:
       - PolicyName: !Sub sysdig-secure-posture-${NameSuffix}
         PolicyDocument:
@@ -82,8 +89,8 @@ Resources:
             - waf-regional:ListRules
             - waf-regional:ListRuleGroups
             Resource:
-            - arn:aws:waf-regional:*:*:rule/*
-            - arn:aws:waf-regional:*:*:rulegroup/*
+            - !Sub arn:${Partition}:waf-regional:*:*:rule/*
+            - !Sub arn:${Partition}:waf-regional:*:*:rulegroup/*
           - Effect: Allow
             Action: macie2:ListClassificationJobs
             Resource: '*'
@@ -114,9 +121,18 @@ Resources:
       ManagedPolicyArns:
         Fn::If:
         - IsOrganizational
-        - - arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess
-          - arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess
-        - - arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess
+        - - !Sub arn:${Partition}:iam::aws:policy/AWSOrganizationsReadOnlyAccess
+        - - !Ref AWS::NoValue
+      Policies:
+      - PolicyName: !Sub sysdig-secure-onboarding-${NameSuffix}
+        PolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+          - Effect: Allow
+            Action:
+            - account:Get*
+            - account:List*
+            Resource: '*'
   OrganizationStackSet:
     Type: AWS::CloudFormation::StackSet
     Condition: IsOrganizational
@@ -145,6 +161,9 @@ Resources:
       - ParameterKey: ExternalID
         ParameterValue:
           Ref: ExternalID
+      - ParameterKey: Partition
+        ParameterValue:
+          Ref: Partition
       StackInstancesGroup:
       - DeploymentTargets:
           OrganizationalUnitIds: !Ref OrganizationalUnitIDs
@@ -166,6 +185,9 @@ Resources:
           ExternalID:
             Type: String
             Description: external ID
+          Partition:
+            Type: String
+            Description: AWS Partition of your account or organization to create resources in
 
         Resources:
           ConfigPostureRole:
@@ -183,7 +205,7 @@ Resources:
                     StringEquals:
                       sts:ExternalId: !Ref ExternalID
               ManagedPolicyArns:
-              - arn:aws:iam::aws:policy/SecurityAudit
+              - !Sub arn:${Partition}:iam::aws:policy/SecurityAudit
               Policies:
               - PolicyName: !Sub sysdig-secure-posture-${NameSuffix}
                 PolicyDocument:
@@ -197,8 +219,8 @@ Resources:
                     - "waf-regional:ListRules"
                     - "waf-regional:ListRuleGroups"
                     Resource:
-                    - "arn:aws:waf-regional:*:*:rule/*"
-                    - "arn:aws:waf-regional:*:*:rulegroup/*"
+                    - !Sub arn:${Partition}:waf-regional:*:*:rule/*
+                    - !Sub arn:${Partition}:waf-regional:*:*:rulegroup/*
                   - Effect: "Allow"
                     Action: "macie2:ListClassificationJobs"
                     Resource: "*"
@@ -224,8 +246,16 @@ Resources:
                   Condition:
                     StringEquals:
                       sts:ExternalId: !Ref ExternalID
-              ManagedPolicyArns:
-                - arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess
+              Policies:
+              - PolicyName: !Sub sysdig-secure-onboarding-${NameSuffix}
+                PolicyDocument:
+                  Version: '2012-10-17'
+                  Statement:
+                  - Effect: Allow
+                    Action:
+                    - account:Get*
+                    - account:List*
+                    Resource: '*'
 
 Outputs:
   ConfigPostureRoleARN:

modules/log_ingestion.events.cft.yaml

@@ -15,25 +15,28 @@ Metadata:
       - RuleEventPattern
       - IsOrganizational
       - OrganizationalUnitIDs
+      - Partition
     ParameterLabels:  
       NameSuffix:
         default: Name Suffix
       ExternalID:
-        default: "External ID"
+        default: External ID
       TrustedIdentity:
-        default: "Trusted Identity"
+        default: Trusted Identity
       TargetEventBusARN:
-        default: "Target Event Bus"
+        default: Target Event Bus
       Regions:
-        default: "Instrumented Regions"
+        default: Instrumented Regions
       RuleState:
-        default: "EventBridge Rule state"
+        default: EventBridge Rule state
       RuleEventPattern:
-        default: "EventBridge Rule event pattern"
+        default: EventBridge Rule event pattern
       IsOrganizational:
         default: Is Organizational
       OrganizationalUnitIDs:
-        default: "Organizational Unit IDs"
+        default: Organizational Unit IDs
+      Partition:
+        default: AWS Partition
 Parameters:
   NameSuffix:
     Type: String
@@ -93,6 +96,10 @@ Parameters:
     AllowedValues:
     - 'true'
     - 'false'
+  Partition:
+    Type: String
+    Description: AWS Partition of your account or organization to create resources in
+    Default: 'aws'
 Conditions:
   IsOrganizational:
     Fn::Equals:
@@ -120,7 +127,7 @@ Resources:
             Action:
             - sts:AssumeRole
             Resource:
-            - !Sub arn:aws:iam:::role/sysdig-secure-events-stackset-execution-${NameSuffix}
+            - !Sub arn:${Partition}:iam:::role/sysdig-secure-events-stackset-execution-${NameSuffix}
   ExecutionRole:
     Type: AWS::IAM::Role   
     Properties:
@@ -135,8 +142,8 @@ Resources:
           Action:
           - sts:AssumeRole
       ManagedPolicyArns:
-      - arn:aws:iam::aws:policy/AmazonEventBridgeFullAccess
-      - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
+      - !Sub arn:${Partition}:iam::aws:policy/AmazonEventBridgeFullAccess
+      - !Sub arn:${Partition}:iam::aws:policy/AWSCloudFormationFullAccess
   EventBridgeRole:
     Type: AWS::IAM::Role
     Properties:
@@ -168,7 +175,7 @@ Resources:
             - "events:DescribeRule"
             - "events:ListTargetsByRule"
             Resource:
-            - !Sub arn:aws:events:*:*:rule/sysdig-secure-events-${NameSuffix}
+            - !Sub arn:${Partition}:events:*:*:rule/sysdig-secure-events-${NameSuffix}
   EventBridgeRuleStackSet:
     Type: AWS::CloudFormation::StackSet
     Metadata:
@@ -203,7 +210,9 @@ Resources:
         - ParameterKey: RuleState
           ParameterValue: !Ref RuleState
         - ParameterKey: RuleEventPattern
-          ParameterValue: !Ref RuleEventPattern                     
+          ParameterValue: !Ref RuleEventPattern
+        - ParameterKey: Partition
+          ParameterValue: !Ref Partition
       StackInstancesGroup:
         - DeploymentTargets:
             Accounts: 
@@ -230,6 +239,9 @@ Resources:
           RuleEventPattern:
             Type: String
             Description: JSON pattern for the EventBridge rule's event pattern
+          Partition:
+            Type: String
+            Description: AWS Partition of your account or organization to create resources in
         Resources:           
           EventBridgeRule:
             Type: "AWS::Events::Rule"
@@ -241,7 +253,7 @@ Resources:
               Targets:
                 - Id: !Ref Name
                   Arn: !Sub ${TargetEventBusARN}
-                  RoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/${Name}
+                  RoleArn: !Sub arn:${Partition}:iam::${AWS::AccountId}:role/${Name}
   OrganizationRoleStackSet:
     Type: AWS::CloudFormation::StackSet
     Condition: IsOrganizational
@@ -269,6 +281,8 @@ Resources:
         ParameterValue: !Ref ExternalID
       - ParameterKey: TargetEventBusARN
         ParameterValue: !Ref TargetEventBusARN
+      - ParameterKey: Partition
+        ParameterValue: !Ref Partition
       StackInstancesGroup:
       - DeploymentTargets:
           OrganizationalUnitIds: !Ref OrganizationalUnitIDs
@@ -288,7 +302,10 @@ Resources:
             Description: A unique identifier used to create and reference resources
           TargetEventBusARN:
             Type: String
-            Description: The destination in Sysdig's AWS account where your events are sent                        
+            Description: The destination in Sysdig's AWS account where your events are sent
+          Partition:
+            Type: String
+            Description: AWS Partition of your account or organization to create resources in
         Resources:
           EventBridgeRole:
             Type: AWS::IAM::Role
@@ -321,7 +338,7 @@ Resources:
                     - "events:DescribeRule"
                     - "events:ListTargetsByRule"
                     Resource:
-                    - !Sub arn:aws:events:*:*:rule/${Name}
+                    - !Sub arn:${Partition}:events:*:*:rule/${Name}
   OrganizationRuleStackSet:
     Type: AWS::CloudFormation::StackSet
     Condition: IsOrganizational
@@ -352,6 +369,8 @@ Resources:
         ParameterValue: !Ref RuleState
       - ParameterKey: RuleEventPattern
         ParameterValue: !Ref RuleEventPattern
+      - ParameterKey: Partition
+        ParameterValue: !Ref Partition
       StackInstancesGroup:
       - DeploymentTargets:
           OrganizationalUnitIds: !Ref OrganizationalUnitIDs
@@ -377,6 +396,9 @@ Resources:
           RuleEventPattern:
             Type: String
             Description: JSON pattern for the EventBridge rule's event pattern
+          Partition:
+            Type: String
+            Description: AWS Partition of your account or organization to create resources in
         Resources:           
           EventBridgeRule:
             Type: "AWS::Events::Rule"
@@ -388,7 +410,7 @@ Resources:
               Targets:
                 - Id: !Ref Name
                   Arn: !Ref TargetEventBusARN
-                  RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${Name}"
+                  RoleArn: !Sub "arn:${Partition}:iam::${AWS::AccountId}:role/${Name}"
 Outputs:
   EventBridgeRoleARN:
     Description: Sysdig Secure EventBridge Role ARN

modules/log_ingestion.s3.cft.yaml

@@ -20,11 +20,11 @@ Metadata:
       NameSuffix:
         default: Name Suffix
       ExternalID:
-        default: "External ID"
+        default: External ID
       TrustedIdentity:
-        default: "Trusted Identity"
+        default: Trusted Identity
       BucketARN:
-        default: "Bucket ARN"
+        default: Bucket ARN
 
 Parameters:
   NameSuffix: