
Commit d5578ac

Author: iru

chore: remove sns member policy when not-required (#116)

1 parent 72392e5 commit d5578ac

24 files changed, +37 -38 lines changed

examples/organizational/README.md

Lines changed: 3 additions & 3 deletions
@@ -145,9 +145,9 @@ $ terraform apply
145145

146146
| Name | Version |
147147
|------|---------|
148-
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.21.0 |
149-
| <a name="provider_aws.member"></a> [aws.member](#provider\_aws.member) | 4.21.0 |
150-
| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 0.5.37 |
148+
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.22.0 |
149+
| <a name="provider_aws.member"></a> [aws.member](#provider\_aws.member) | 4.22.0 |
150+
| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 0.5.39 |
151151

152152
## Modules
153153
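
Review bot: this hunk, like the other README hunks in this commit, only bumps generated provider versions (aws 4.21.0 to 4.22.0, sysdig 0.5.37 to 0.5.39), which has nothing to do with the stated purpose "remove sns member policy when not-required"; either mention the provider bump in the commit message or split it into its own commit so the policy change can be reviewed on its own.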

examples/single-account-apprunner/README.md

Lines changed: 1 addition & 1 deletion
@@ -72,7 +72,7 @@ $ terraform apply
7272

7373
| Name | Version |
7474
|------|---------|
75-
| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 0.5.37 |
75+
| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 0.5.39 |
7676

7777
## Modules
7878

examples/single-account-ecs/README.md

Lines changed: 1 addition & 1 deletion
@@ -72,7 +72,7 @@ $ terraform apply
7272

7373
| Name | Version |
7474
|------|---------|
75-
| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 0.5.37 |
75+
| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 0.5.39 |
7676

7777
## Modules
7878

examples/single-account-k8s/README.md

Lines changed: 2 additions & 2 deletions
@@ -84,9 +84,9 @@ $ terraform apply
8484

8585
| Name | Version |
8686
|------|---------|
87-
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.21.0 |
87+
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.22.0 |
8888
| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.6.0 |
89-
| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 0.5.37 |
89+
| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 0.5.39 |
9090

9191
## Modules
9292

examples/trigger-events/README.md

Lines changed: 1 addition & 1 deletion
@@ -49,7 +49,7 @@ $ terraform apply
4949

5050
| Name | Version |
5151
|------|---------|
52-
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.21.0 |
52+
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.22.0 |
5353

5454
## Modules
5555

modules/infrastructure/cloudtrail/README.md

Lines changed: 1 addition & 1 deletion
@@ -12,7 +12,7 @@
1212

1313
| Name | Version |
1414
|------|---------|
15-
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.21.0 |
15+
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.22.0 |
1616

1717
## Modules
1818

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
data "aws_caller_identity" "me" {}

modules/infrastructure/cloudtrail/main.tf

Lines changed: 0 additions & 2 deletions
@@ -23,5 +23,3 @@ resource "aws_cloudtrail" "cloudtrail" {
2323
aws_sns_topic_policy.allow_cloudtrail_publish
2424
]
2525
}
26-
27-
data "aws_caller_identity" "me" {}
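
Review bot: the `data "aws_caller_identity" "me" {}` block removed here is the same block added in the new-file hunk above, whose path is not shown in this rendering; confirm that new file lives in modules/infrastructure/cloudtrail, otherwise the `data.aws_caller_identity.me` reference introduced in sns_permissions.tf will not resolve.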

modules/infrastructure/cloudtrail/sns_permissions.tf

Lines changed: 8 additions & 8 deletions
@@ -1,3 +1,8 @@
1+
locals {
2+
cross_account = data.aws_caller_identity.me.account_id != var.organizational_config.sysdig_secure_for_cloud_member_account_id
3+
}
4+
5+
16
resource "aws_sns_topic_policy" "allow_cloudtrail_publish" {
27
arn = aws_sns_topic.cloudtrail.arn
38
policy = data.aws_iam_policy_document.cloudtrail_sns.json
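
Review bot: `local.cross_account` evaluates `var.organizational_config.sysdig_secure_for_cloud_member_account_id` regardless of `var.is_organizational`, so if `organizational_config` is null or lacks that attribute in single-account deployments the plan fails before the `for_each` condition below is ever reached; guard it, e.g. `try(var.organizational_config.sysdig_secure_for_cloud_member_account_id, null)`, or fold the comparison into the `var.is_organizational && ...` expression. A one-line comment on the local stating the intent would also help the next reader: in a same-account deployment the member role is already covered by its own identity policy, so the topic policy only needs to grant `sns:Subscribe` to a principal from another account.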
@@ -20,18 +25,13 @@ data "aws_iam_policy_document" "cloudtrail_sns" {
2025
# Organizational Requirements
2126
# note; this statement is required to be on the SNS creation, don't move to other module as policies cannot be overriten/exteneded after creation
2227
dynamic "statement" {
23-
for_each = var.is_organizational ? [1] : []
28+
for_each = var.is_organizational && local.cross_account ? [1] : []
2429
content {
2530
sid = "AllowSysdigSecureForCloudSubscribe"
2631
effect = "Allow"
2732
principals {
28-
identifiers = [
29-
"arn:aws:iam::${var.organizational_config.sysdig_secure_for_cloud_member_account_id}:role/${var.organizational_config.organizational_role_per_account}"
30-
]
31-
type = "AWS"
32-
# more open policy but without requiring aws provider role
33-
# identifiers = ["sqs.amazonaws.com"]
34-
# type = "Service"
33+
identifiers = ["arn:aws:iam::${var.organizational_config.sysdig_secure_for_cloud_member_account_id}:role/${var.organizational_config.organizational_role_per_account}"]
34+
type = "AWS"
3535
}
3636
actions = ["sns:Subscribe"]
3737
resources = [aws_sns_topic.cloudtrail.arn]
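
Review bot: with the new `for_each` condition the topic policy carries no `AllowSysdigSecureForCloudSubscribe` statement whenever the member account equals the current account; confirm that is the intended behaviour for the organizational same-account case, since the commit message only says "when not-required". Minor: the retained `# note;` comment misspells "overwritten/extended" ("overriten/exteneded"), worth fixing while this file is being touched.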

modules/infrastructure/cloudtrail_s3-sns-sqs/README.md

Lines changed: 1 addition & 1 deletion
@@ -46,7 +46,7 @@ EVENT FILTER/fine-tunning, regarding what we want to send to Sysdig Cloud-Connec
4646

4747
| Name | Version |
4848
|------|---------|
49-
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.21.0 |
49+
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.22.0 |
5050

5151
## Modules
5252
