feat(event-bridge): add api destinations (SSPROD-53940)

templates_cspm_eventbridge/FullInstall.yaml

@@ -10,7 +10,9 @@ Metadata:
           - RoleName
           - ExternalID
           - TrustedIdentity
-          - EventBusARN
+          - ApiKey
+          - IngestionUrl
+          - RateLimit
           - EventBridgeRoleName
           - EventBridgeState
           - EventBridgeEventPattern
@@ -22,8 +24,12 @@ Metadata:
         default: "External ID (Sysdig use only)"
       TrustedIdentity:
         default: "Trusted Identity (Sysdig use only)"
-      EventBusARN:
-        default: "Target Event Bus (Sysdig use only)"
+      ApiKey:
+        default: "API Key (Sysdig use only)"
+      IngestionUrl:
+        default: "Ingestion URL (Sysdig use only)"
+      RateLimit:
+        default: "Rate Limit (Sysdig use only)"
       EventBridgeRoleName:
         default: "Integration Name (Sysdig use only)"
       EventBridgeState:
@@ -44,9 +50,16 @@ Parameters:
   TrustedIdentity:
     Type: String
     Description: The Role in Sysdig's AWS Account with permissions to your account
-  EventBusARN:
+  ApiKey:
     Type: String
-    Description: The destination in Sysdig's AWS account where your events are sent
+    Description: API key for Sysdig Secure authentication
+  IngestionUrl:
+    Type: String
+    Description: Sysdig Secure API ingestion URL
+  RateLimit:
+    Type: Number
+    Description: Maximum invocations per second for the API destination
+    Default: 300
   EventBridgeState:
     Type: String
     Description: The state of the EventBridge Rule
@@ -122,6 +135,26 @@ Resources:
               - Effect: "Allow"
                 Action: "account:GetContactInformation"
                 Resource: "*"
+
+  EventBridgeConnection:
+    Type: AWS::Events::Connection
+    Properties:
+      Name: !Sub ${EventBridgeRoleName}-connection
+      AuthorizationType: API_KEY
+      AuthParameters:
+        ApiKeyAuthParameters:
+          ApiKeyName: X-Api-Key
+          ApiKeyValue: !Ref ApiKey
+
+  EventBridgeApiDestination:
+    Type: AWS::Events::ApiDestination
+    Properties:
+      Name: !Sub ${EventBridgeRoleName}-destination
+      ConnectionArn: !GetAtt EventBridgeConnection.Arn
+      InvocationEndpoint: !Ref IngestionUrl
+      HttpMethod: POST
+      InvocationRateLimitPerSecond: !Ref RateLimit
+
   EventBridgeRole:
     Type: AWS::IAM::Role
     Properties:
@@ -138,21 +171,30 @@ Resources:
             Action: "sts:AssumeRole"
             Condition:
               StringEquals:
-                sts:ExternalId: !Ref ExternalID             
+                sts:ExternalId: !Ref ExternalID
       Policies:
         - PolicyName: !Ref EventBridgeRoleName
           PolicyDocument:
             Version: "2012-10-17"
             Statement:
-              - Effect: Allow
-                Action: 'events:PutEvents'
-                Resource: !Ref EventBusARN
-              - Effect: Allow
+              - Sid: "InvokeApiDestination"
+                Effect: Allow
+                Action: "events:InvokeApiDestination"
+                Resource: !GetAtt EventBridgeApiDestination.Arn
+              - Sid: "CloudTrailEventRuleAccess"
+                Effect: Allow
                 Action:
                   - "events:DescribeRule"
                   - "events:ListTargetsByRule"
-                Resource:
-                  - !Sub arn:aws:events:*:*:rule/${EventBridgeRoleName}
+                Resource: !Sub "arn:aws:events:*:*:rule/${EventBridgeRoleName}"
+              - Sid: "ValidationAccess"
+                Effect: Allow
+                Action:
+                  - "events:DescribeApiDestination"
+                  - "events:DescribeConnection"
+                  - "cloudwatch:GetMetricStatistics"
+                Resource: "*"
+
   EventBridgeRule:
     Type: AWS::Events::Rule
     Properties:
@@ -162,7 +204,5 @@ Resources:
       State: !Ref EventBridgeState
       Targets:
         - Id: !Ref EventBridgeRoleName
-          Arn: !Ref EventBusARN
-          RoleArn: !GetAtt
-            - EventBridgeRole
-            - Arn
+          Arn: !GetAtt EventBridgeApiDestination.Arn
+          RoleArn: !GetAtt EventBridgeRole.Arn