feat(event-bridge): change cft to create api dest (SSPROD-53940)

modules/Makefile

@@ -8,7 +8,9 @@ PARAM_NAME_SUFFIX ?= test
 PARAM_IS_ORGANIZATIONAL ?= false
 PARAM_EXTERNAL_ID ?= test
 PARAM_TRUSTED_IDENTITY ?= arn:aws:iam:::role/$(PARAM_NAME_SUFFIX)
-PARAM_TARGET_EVENT_BUS_ARN ?= arn:aws:events:us-east-1::event-bus/default
+PARAM_API_KEY ?= <your_api_key>
+PARAM_INGESTION_URL ?= https://app-staging.sysdigcloud.com/api/cloudingestion/webhooks/eventbridge/v1/64616366-3130-6163-3665-346636653537
+PARAM_RATE_LIMIT ?= 300
 PARAM_BUCKET_ARN ?= arn:aws:s3:::cloudtrail-$(PARAM_NAME_SUFFIX)
 PARAM_REGIONS ?= us-east-1
 PARAM_LAMBDA_SCANNING_ENABLED ?= true
@@ -64,7 +66,9 @@ deploy:
 			"ExternalID=$(PARAM_EXTERNAL_ID)" \
 			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
 			"Regions=$(PARAM_REGIONS)" \
-			"TargetEventBusARN=$(PARAM_TARGET_EVENT_BUS_ARN)" \
+			"ApiKey=$(PARAM_API_KEY)" \
+			"IngestionUrl=$(PARAM_INGESTION_URL)" \
+			"RateLimit=$(PARAM_RATE_LIMIT)" \
 			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
 			"OrganizationalUnitIDs=$(PARAM_ORGANIZATIONAL_UNIT_IDS)" \
 			"Partition=${PARAM_PARTITION}" \
@@ -125,5 +129,3 @@ clean:
 	aws cloudformation delete-stack --stack-name $(STACK_NAME)-LogIngestion-S3-$(PARAM_NAME_SUFFIX)
 	aws cloudformation delete-stack --stack-name $(STACK_NAME)-VolumeAccess-$(PARAM_NAME_SUFFIX)
 	aws cloudformation delete-stack --stack-name $(STACK_NAME)-VMWorkloadScanning-$(PARAM_NAME_SUFFIX)
-
-

modules/log_ingestion.events.cft.yaml

@@ -7,13 +7,15 @@ Metadata:
         default: ""
       Parameters:
       - RuleEventPattern
+      - RateLimit
     - Label:
         default: "Sysdig Settings (Do not change)"
       Parameters:
       - NameSuffix
       - ExternalID
       - TrustedIdentity
-      - TargetEventBusARN
+      - ApiKey
+      - IngestionUrl
       - Regions
       - RuleState
       - IsOrganizational
@@ -30,8 +32,12 @@ Metadata:
         default: External ID
       TrustedIdentity:
         default: Trusted Identity
-      TargetEventBusARN:
-        default: Target Event Bus
+      ApiKey:
+        default: "API Key (Sysdig use only)"
+      IngestionUrl:
+        default: "Ingestion URL (Sysdig use only)"
+      RateLimit:
+        default: "Api Destinations Rate Limit"
       Regions:
         default: Instrumented Regions
       RuleState:
@@ -65,9 +71,16 @@ Parameters:
   TrustedIdentity:
     Type: String
     Description: The Role in Sysdig's AWS Account with permissions to your account
-  TargetEventBusARN:
+  ApiKey:
     Type: String
-    Description: The destination in Sysdig's AWS account where your events are sent
+    Description: API key for Sysdig Secure authentication
+  IngestionUrl:
+    Type: String
+    Description: Sysdig Secure API ingestion URL
+  RateLimit:
+    Type: Number
+    Description: Maximum invocations per second for the API destination
+    Default: 300
   Regions:
     Type: CommaDelimitedList
     Description: Comma separated list of regions to monitor with EventBridge
@@ -245,14 +258,22 @@ Resources:
           Version: "2012-10-17"
           Statement:
           - Effect: Allow
-            Action: 'events:PutEvents'
-            Resource: !Ref TargetEventBusARN
+            Action:
+              - "events:InvokeApiDestination"
+            Resource:
+              - !Sub "arn:${Partition}:events:*:*:api-destination/sysdig-secure-events-${NameSuffix}-destination/*"
           - Effect: Allow
             Action:
             - "events:DescribeRule"
             - "events:ListTargetsByRule"
             Resource:
             - !Sub arn:${Partition}:events:*:*:rule/sysdig-secure-events-${NameSuffix}
+          - Effect: Allow
+            Action:
+              - "events:DescribeApiDestination"
+              - "events:DescribeConnection"
+              - "cloudwatch:GetMetricStatistics"
+            Resource: "*"
   EventBridgeRuleStackSet:
     Type: AWS::CloudFormation::StackSet
     Metadata:
@@ -282,8 +303,12 @@ Resources:
       Parameters:
         - ParameterKey: Name
           ParameterValue: !Sub sysdig-secure-events-${NameSuffix}
-        - ParameterKey: TargetEventBusARN
-          ParameterValue: !Ref TargetEventBusARN
+        - ParameterKey: ApiKey
+          ParameterValue: !Ref ApiKey
+        - ParameterKey: IngestionUrl
+          ParameterValue: !Ref IngestionUrl
+        - ParameterKey: RateLimit
+          ParameterValue: !Ref RateLimit
         - ParameterKey: RuleState
           ParameterValue: !Ref RuleState
         - ParameterKey: RuleEventPattern
@@ -302,9 +327,15 @@ Resources:
           Name:
             Type: String
             Description: resource name identifier
-          TargetEventBusARN:
+          ApiKey:
             Type: String
-            Description: The destination in Sysdig's AWS account where your events are sent
+            Description: API key for authentication
+          IngestionUrl:
+            Type: String
+            Description: Target endpoint URL for the API destination
+          RateLimit:
+            Type: Number
+            Description: Maximum invocations per second for the API destination
           RuleState:
             Type: String
             Description: The state of the EventBridge Rule
@@ -320,17 +351,36 @@ Resources:
             Type: String
             Description: AWS Partition of your account or organization to create resources in
         Resources:           
+          EventBridgeConnection:
+            Type: AWS::Events::Connection
+            Properties:
+              Name: !Sub ${Name}-connection
+              AuthorizationType: API_KEY
+              AuthParameters:
+                ApiKeyAuthParameters:
+                  ApiKeyName: X-Api-Key
+                  ApiKeyValue: !Ref ApiKey
+
+          EventBridgeApiDestination:
+            Type: AWS::Events::ApiDestination
+            Properties:
+              Name: !Sub ${Name}-destination
+              ConnectionArn: !GetAtt EventBridgeConnection.Arn
+              InvocationEndpoint: !Ref IngestionUrl
+              HttpMethod: POST
+              InvocationRateLimitPerSecond: !Ref RateLimit
+
           EventBridgeRule:
-            Type: "AWS::Events::Rule"
+            Type: AWS::Events::Rule
             Properties:
-              Name: !Ref Name
-              Description: Capture all CloudTrail events
+              Name: !Sub ${Name}
+              Description: Forwards events to Sysdig via API Destination
               EventPattern: !Ref RuleEventPattern
-              State: !Sub ${RuleState}
+              State: !Ref RuleState
               Targets:
-                - Id: !Ref Name
-                  Arn: !Sub ${TargetEventBusARN}
-                  RoleArn: !Sub arn:${Partition}:iam::${AWS::AccountId}:role/${Name}
+                - Id: !Sub ${Name}
+                  Arn: !GetAtt EventBridgeApiDestination.Arn
+                  RoleArn: !Sub "arn:${Partition}:iam::${AWS::AccountId}:role/${Name}"
   OrganizationRoleStackSet:
     Type: AWS::CloudFormation::StackSet
     Condition: IsOrganizational
@@ -356,8 +406,12 @@ Resources:
         ParameterValue: !Ref TrustedIdentity
       - ParameterKey: ExternalID
         ParameterValue: !Ref ExternalID
-      - ParameterKey: TargetEventBusARN
-        ParameterValue: !Ref TargetEventBusARN
+      - ParameterKey: ApiKey
+        ParameterValue: !Ref ApiKey
+      - ParameterKey: IngestionUrl
+        ParameterValue: !Ref IngestionUrl
+      - ParameterKey: RateLimit
+        ParameterValue: !Ref RateLimit
       - ParameterKey: Partition
         ParameterValue: !Ref Partition
       StackInstancesGroup:
@@ -400,9 +454,15 @@ Resources:
           Name:
             Type: String
             Description: A unique identifier used to create and reference resources
-          TargetEventBusARN:
+          ApiKey:
+            Type: String
+            Description: API key for Sysdig Secure authentication
+          IngestionUrl:
             Type: String
-            Description: The destination in Sysdig's AWS account where your events are sent
+            Description: Sysdig Secure API endpoint URL
+          RateLimit:
+            Type: Number
+            Description: Maximum invocations per second for the API destination
           Partition:
             Type: String
             Description: AWS Partition of your account or organization to create resources in
@@ -430,15 +490,26 @@ Resources:
                 PolicyDocument:
                   Version: "2012-10-17"
                   Statement:
-                  - Effect: Allow
-                    Action: 'events:PutEvents'
-                    Resource: !Sub ${TargetEventBusARN}
-                  - Effect: Allow
-                    Action:
-                    - "events:DescribeRule"
-                    - "events:ListTargetsByRule"
-                    Resource:
-                    - !Sub arn:${Partition}:events:*:*:rule/${Name}
+                    - Sid: "InvokeApiDestination"
+                      Effect: Allow
+                      Action:
+                        - "events:InvokeApiDestination"
+                      Resource:
+                        - !Sub "arn:${Partition}:events:*:*:api-destination/${Name}-destination/*"
+                    - Sid: "CloudTrailEventRuleAccess"
+                      Effect: Allow
+                      Action:
+                        - "events:DescribeRule"
+                        - "events:ListTargetsByRule"
+                      Resource:
+                        - !Sub "arn:${Partition}:events:*:*:rule/${Name}"
+                    - Sid: "ValidationAccess"
+                      Effect: Allow
+                      Action:
+                        - "events:DescribeApiDestination"
+                        - "events:DescribeConnection"
+                        - "cloudwatch:GetMetricStatistics"
+                      Resource: "*"
   OrganizationRuleStackSet:
     Type: AWS::CloudFormation::StackSet
     Condition: IsOrganizational
@@ -463,8 +534,12 @@ Resources:
       Parameters:
       - ParameterKey: Name
         ParameterValue: !Sub sysdig-secure-events-${NameSuffix}
-      - ParameterKey: TargetEventBusARN
-        ParameterValue: !Ref TargetEventBusARN
+      - ParameterKey: ApiKey
+        ParameterValue: !Ref ApiKey
+      - ParameterKey: IngestionUrl
+        ParameterValue: !Ref IngestionUrl
+      - ParameterKey: RateLimit
+        ParameterValue: !Ref RateLimit
       - ParameterKey: RuleState
         ParameterValue: !Ref RuleState
       - ParameterKey: RuleEventPattern
@@ -505,9 +580,15 @@ Resources:
           Name:
             Type: String
             Description: A unique identifier used to create and reference resources
-          TargetEventBusARN:
+          ApiKey:
             Type: String
-            Description: The destination in Sysdig's AWS account where your events are sent
+            Description: API key for Sysdig Secure authentication
+          IngestionUrl:
+            Type: String
+            Description: Sysdig Secure API endpoint URL
+          RateLimit:
+            Type: Number
+            Description: Maximum invocations per second for the API destination
           RuleState:
             Type: String
             Description: The state of the EventBridge Rule
@@ -523,19 +604,38 @@ Resources:
             Type: String
             Description: AWS Partition of your account or organization to create resources in
         Resources:           
+          EventBridgeConnection:
+            Type: AWS::Events::Connection
+            Properties:
+              Name: !Sub ${Name}-connection
+              AuthorizationType: API_KEY
+              AuthParameters:
+                ApiKeyAuthParameters:
+                  ApiKeyName: X-Api-Key
+                  ApiKeyValue: !Ref ApiKey
+
+          EventBridgeApiDestination:
+            Type: AWS::Events::ApiDestination
+            Properties:
+              Name: !Sub ${Name}-destination
+              ConnectionArn: !GetAtt EventBridgeConnection.Arn
+              InvocationEndpoint: !Ref IngestionUrl
+              HttpMethod: POST
+              InvocationRateLimitPerSecond: !Ref RateLimit
+
           EventBridgeRule:
-            Type: "AWS::Events::Rule"
+            Type: AWS::Events::Rule
             Properties:
               Name: !Ref Name
-              Description: Capture all CloudTrail events
+              Description: Forwards events to Sysdig via API Destination for Sysdig Secure
               EventPattern: !Ref RuleEventPattern
               State: !Ref RuleState
               Targets:
                 - Id: !Ref Name
-                  Arn: !Ref TargetEventBusARN
+                  Arn: !GetAtt EventBridgeApiDestination.Arn
                   RoleArn: !Sub "arn:${Partition}:iam::${AWS::AccountId}:role/${Name}"
 Outputs:
   EventBridgeRoleARN:
     Description: Sysdig Secure EventBridge Role ARN
     Value:
-      Fn::Sub: ${EventBridgeRole.Arn}
+      Fn::Sub: ${EventBridgeRole.Arn}