diff --git a/examples/organizational/README.md b/examples/organizational/README.md
index 3c069478..3e2949ce 100644
--- a/examples/organizational/README.md
+++ b/examples/organizational/README.md
@@ -179,9 +179,9 @@ $ terraform apply
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [sysdig\_secure\_for\_cloud\_member\_account\_id](#input\_sysdig\_secure\_for\_cloud\_member\_account\_id) | organizational member account where the secure-for-cloud workload is going to be deployed | `string` | n/a | yes |
| [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
| [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether the created cloudtrail will ingest multi-regional events. testing/economization purpose. | `bool` | `true` | no |
+| [cloudtrail\_kms\_arn](#input\_cloudtrail\_kms\_arn) | ARN of a pre-existing KMS key for encrypting the Cloudtrail logs. Incompatible with var.cloudtrail\_kms\_enable when set to true | `string` | `null` | no |
| [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether the created cloudtrail should deliver encrypted events to s3 | `bool` | `true` | no |
| [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Name for the ecs task role. This is only required to resolve cyclic dependency with organizational approach | `string` | `"organizational-ECSTaskRole"` | no |
| [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
@@ -194,9 +194,10 @@ $ terraform apply
| [ecs\_vpc\_id](#input\_ecs\_vpc\_id) | ID of the VPC where the workload is to be deployed. If defaulted a new VPC will be created. If specified all three parameters `ecs_cluster_name`, `ecs_vpc_id` and `ecs_vpc_subnets_private_ids` are required | `string` | `"create"` | no |
| [ecs\_vpc\_region\_azs](#input\_ecs\_vpc\_region\_azs) | List of Availability Zones for ECS VPC creation. e.g.: ["apne1-az1", "apne1-az2"]. If defaulted, two of the default 'aws\_availability\_zones' datasource will be taken | `list(string)` | `[]` | no |
| [ecs\_vpc\_subnets\_private\_ids](#input\_ecs\_vpc\_subnets\_private\_ids) | List of VPC subnets where workload is to be deployed. If defaulted new subnets will be created within the VPC. A minimum of two subnets is suggested. If specified all three parameters `ecs_cluster_name`, `ecs_vpc_id` and `ecs_vpc_subnets_private_ids` are required. | `list(string)` | `[]` | no |
-| [existing\_cloudtrail\_config](#input\_existing\_cloudtrail\_config) | Optional block. If not set, a new cloudtrail, sns and sqs resources will be created
If there's an existing cloudtrail, input mandatory attributes, and one of the 1, 2 or 3 grouped labeled optionals.
- cloudtrail\_s3\_arn: Mandatory ARN of a pre-existing cloudtrail\_sns s3 bucket. Used together with `cloudtrail_sns_arn`, `cloudtrail_s3_arn`. If it does not exist, it will be inferred from create cloudtrail"
- cloudtrail\_sns\_arn: Optional 1. ARN of a pre-existing cloudtrail\_sns. Used together with `cloudtrail_sns_arn`, `cloudtrail_s3_arn`. If it does not exist, it will be inferred from created cloudtrail. Providing an ARN requires permission to SNS:Subscribe, check ./modules/infrastructure/cloudtrail/sns\_permissions.tf block
- cloudtrail\_s3\_role\_arn: Optional 2. ARN of the role to be assumed for S3 access. This role must be in the same account of the S3 bucket. Currently this setup is not compatible with organizational scanning feature
- cloudtrail\_s3\_sns\_sqs\_arn: Optional 3. ARN of the queue that will ingest events forwarded from an existing cloudtrail\_s3\_sns
- cloudtrail\_s3\_sns\_sqs\_url: Optional 3. URL of the queue that will ingest events forwarded from an existing cloudtrail\_s3\_sns<
| object({
cloudtrail_s3_arn = optional(string)
cloudtrail_sns_arn = optional(string)
cloudtrail_s3_role_arn = optional(string)
cloudtrail_s3_sns_sqs_arn = optional(string)
cloudtrail_s3_sns_sqs_url = optional(string)
}) | {
"cloudtrail_s3_arn": "create",
"cloudtrail_s3_role_arn": null,
"cloudtrail_s3_sns_sqs_arn": null,
"cloudtrail_s3_sns_sqs_url": null,
"cloudtrail_sns_arn": "create"
} | no |
+| [existing\_cloudtrail\_config](#input\_existing\_cloudtrail\_config) | Optional block. If not set, a new cloudtrail, sns and sqs resources will be created
If there's an existing cloudtrail, input mandatory attributes, and one of the 1, 2 or 3 grouped labeled optionals.
- cloudtrail\_s3\_arn: Mandatory ARN of a pre-existing cloudtrail\_sns s3 bucket. Used together with `cloudtrail_sns_arn`, `cloudtrail_s3_arn`. If it does not exist, it will be inferred from create cloudtrail"
- cloudtrail\_kms\_arn: Optional. ARN of a cloudtrail KMS key used for encrypting the logs. Required in order to retrieve the encrypted logs from S3
- cloudtrail\_sns\_arn: Optional CloudTrail SNS. ARN of a pre-existing cloudtrail\_sns. Used together with `cloudtrail_sns_arn`, `cloudtrail_s3_arn`. If it does not exist, it will be inferred from created cloudtrail. Providing an ARN requires permission to SNS:Subscribe, check ./modules/infrastructure/cloudtrail/sns\_permissions.tf block
- cloudtrail\_s3\_role\_arn: Optional. ARN of the role to be assumed for S3 access. This role must be in the same account of the S3 bucket. Currently this setup is not compatible with organizational scanning feature
- cloudtrail\_s3\_sns\_sqs\_arn: CloudTrail S3. ARN of the queue that will ingest events forwarded from an existing cloudtrail\_s3\_sns
- cloudtrail\_s3\_sns\_sqs\_url: CloudTrail S3. URL of the queue that will ingest events forwarded from an existing cloudtrail\_s3\_sns<
| object({
cloudtrail_s3_arn = optional(string)
cloudtrail_kms_arn = optional(string)
cloudtrail_sns_arn = optional(string)
cloudtrail_s3_role_arn = optional(string)
cloudtrail_s3_sns_sqs_arn = optional(string)
cloudtrail_s3_sns_sqs_url = optional(string)
}) | {
"cloudtrail_kms_arn": null,
"cloudtrail_s3_arn": "create",
"cloudtrail_s3_role_arn": null,
"cloudtrail_s3_sns_sqs_arn": null,
"cloudtrail_s3_sns_sqs_url": null,
"cloudtrail_sns_arn": "create"
} | no |
| [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
| [organizational\_member\_default\_admin\_role](#input\_organizational\_member\_default\_admin\_role) | Default role created by AWS for management-account users to be able to admin member accounts.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html | `string` | `"OrganizationAccountAccessRole"` | no |
+| [sysdig\_secure\_for\_cloud\_member\_account\_id](#input\_sysdig\_secure\_for\_cloud\_member\_account\_id) | organizational member account where the secure-for-cloud workload is going to be deployed | `string` | n/a | yes |
| [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | {
"product": "sysdig-secure-for-cloud"
} | no |
## Outputs
diff --git a/examples/organizational/cloudtrail.tf b/examples/organizational/cloudtrail.tf
index 1dcd4fb0..697f9c32 100644
--- a/examples/organizational/cloudtrail.tf
+++ b/examples/organizational/cloudtrail.tf
@@ -17,6 +17,7 @@ module "cloudtrail" {
}
is_multi_region_trail = var.cloudtrail_is_multi_region_trail
cloudtrail_kms_enable = var.cloudtrail_kms_enable
+ cloudtrail_kms_arn = var.cloudtrail_kms_arn
tags = var.tags
}
diff --git a/examples/organizational/main.tf b/examples/organizational/main.tf
index 2a49d225..033f4e6f 100644
--- a/examples/organizational/main.tf
+++ b/examples/organizational/main.tf
@@ -91,6 +91,7 @@ module "cloud_connector" {
existing_cloudtrail_config = {
cloudtrail_sns_arn = local.cloudtrail_sns_arn
+ cloudtrail_kms_arn = var.existing_cloudtrail_config.cloudtrail_kms_arn
cloudtrail_s3_sns_sqs_url = var.existing_cloudtrail_config.cloudtrail_s3_sns_sqs_url
cloudtrail_s3_sns_sqs_arn = var.existing_cloudtrail_config.cloudtrail_s3_sns_sqs_arn
}
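Review bot: the connector is handed `var.existing_cloudtrail_config.cloudtrail_kms_arn` here, but in this example a trail created by the module is encrypted with `var.cloudtrail_kms_arn` (cloudtrail.tf), so a user who supplies their own key for a newly created trail leaves the connector with no `kms:Decrypt` grant. single-account-ecs/main.tf passes `var.cloudtrail_kms_arn` for the same field; either do the same here or fall back to `var.cloudtrail_kms_arn` when the block's value is null.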
diff --git a/examples/organizational/variables.tf b/examples/organizational/variables.tf
index 92de72b5..a5a416e5 100644
--- a/examples/organizational/variables.tf
+++ b/examples/organizational/variables.tf
@@ -40,10 +40,16 @@ variable "cloudtrail_kms_enable" {
description = "true/false whether the created cloudtrail should deliver encrypted events to s3"
}
+variable "cloudtrail_kms_arn" {
+ type = string
+ default = null
+ description = "ARN of a pre-existing KMS key for encrypting the Cloudtrail logs. Incompatible with var.cloudtrail_kms_enable when set to true"
+}
variable "existing_cloudtrail_config" {
type = object({
cloudtrail_s3_arn = optional(string)
+ cloudtrail_kms_arn = optional(string)
cloudtrail_sns_arn = optional(string)
cloudtrail_s3_role_arn = optional(string)
cloudtrail_s3_sns_sqs_arn = optional(string)
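Review bot: the description of `cloudtrail_kms_arn` ("Incompatible with var.cloudtrail_kms_enable when set to true") says the opposite of how the cloudtrail module uses it, where the ARN is only consulted when `cloudtrail_kms_enable` is true and is ignored otherwise. Reword to match the single-account-ecs text ("When `var.cloudtrail_kms_enable` is set to true, ARN of a pre-existing KMS key ...") so the organizational README, which is generated from this variable, stops contradicting the other examples.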
@@ -51,6 +57,7 @@ variable "existing_cloudtrail_config" {
})
default = {
cloudtrail_s3_arn = "create"
+ cloudtrail_kms_arn = null
cloudtrail_sns_arn = "create"
cloudtrail_s3_role_arn = null
cloudtrail_s3_sns_sqs_arn = null
@@ -62,10 +69,11 @@ variable "existing_cloudtrail_config" {
If there's an existing cloudtrail, input mandatory attributes, and one of the 1, 2 or 3 grouped labeled optionals.
- cloudtrail_s3_arn: Mandatory ARN of a pre-existing cloudtrail_sns s3 bucket. Used together with `cloudtrail_sns_arn`, `cloudtrail_s3_arn`. If it does not exist, it will be inferred from create cloudtrail"
- - cloudtrail_sns_arn: Optional 1. ARN of a pre-existing cloudtrail_sns. Used together with `cloudtrail_sns_arn`, `cloudtrail_s3_arn`. If it does not exist, it will be inferred from created cloudtrail. Providing an ARN requires permission to SNS:Subscribe, check ./modules/infrastructure/cloudtrail/sns_permissions.tf block
- - cloudtrail_s3_role_arn: Optional 2. ARN of the role to be assumed for S3 access. This role must be in the same account of the S3 bucket. Currently this setup is not compatible with organizational scanning feature
- - cloudtrail_s3_sns_sqs_arn: Optional 3. ARN of the queue that will ingest events forwarded from an existing cloudtrail_s3_sns
- - cloudtrail_s3_sns_sqs_url: Optional 3. URL of the queue that will ingest events forwarded from an existing cloudtrail_s3_sns<
+ - cloudtrail_kms_arn: Optional. ARN of a cloudtrail KMS key used for encrypting the logs. Required in order to retrieve the encrypted logs from S3
+ - cloudtrail_sns_arn: Optional CloudTrail SNS. ARN of a pre-existing cloudtrail_sns. Used together with `cloudtrail_sns_arn`, `cloudtrail_s3_arn`. If it does not exist, it will be inferred from created cloudtrail. Providing an ARN requires permission to SNS:Subscribe, check ./modules/infrastructure/cloudtrail/sns_permissions.tf block
+ - cloudtrail_s3_role_arn: Optional. ARN of the role to be assumed for S3 access. This role must be in the same account of the S3 bucket. Currently this setup is not compatible with organizational scanning feature
+ - cloudtrail_s3_sns_sqs_arn: CloudTrail S3. ARN of the queue that will ingest events forwarded from an existing cloudtrail_s3_sns
+ - cloudtrail_s3_sns_sqs_url: CloudTrail S3. URL of the queue that will ingest events forwarded from an existing cloudtrail_s3_sns<
EOT
}
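Review bot: the list labels were changed from "Optional 1/2/3" to "Optional CloudTrail SNS" / "CloudTrail S3", but the unchanged intro line still says "one of the 1, 2 or 3 grouped labeled optionals", so the grouping the reader is told to pick from no longer exists. Update the intro in the same hunk (and the `cloudtrail_s3_sns_sqs_*` items, which lost the word "Optional" altogether). Also, `cloudtrail_kms_arn` is labelled "Optional" and "Required in order to retrieve the encrypted logs" in the same sentence; say when it is required: when the existing trail's bucket is SSE-KMS encrypted.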
diff --git a/examples/single-account-ecs/README.md b/examples/single-account-ecs/README.md
index e9c8543b..d33f7c93 100644
--- a/examples/single-account-ecs/README.md
+++ b/examples/single-account-ecs/README.md
@@ -98,7 +98,8 @@ $ terraform apply
|------|-------------|------|---------|:--------:|
| [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
| [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events | `bool` | `true` | no |
-| [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no |
+| [cloudtrail\_kms\_arn](#input\_cloudtrail\_kms\_arn) | When `var.cloudtrail_kms_enable` is set to true, ARN of a pre-existing KMS key for encrypting the Cloudtrail logs | `string` | `null` | no |
+| [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted. If `var.cloudtrail_kms_arn` is set, then the pre-existing KMS key will be used, otherwise a new KMS key will be created | `bool` | `true` | no |
| [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If defaulted, a new cloudtrail will be created. If specified, sysdig deployment account and region must match with the specified SNS | `string` | `"create"` | no |
| [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
| [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no |
diff --git a/examples/single-account-ecs/cloudtrail.tf b/examples/single-account-ecs/cloudtrail.tf
index 7540db3b..79307c37 100644
--- a/examples/single-account-ecs/cloudtrail.tf
+++ b/examples/single-account-ecs/cloudtrail.tf
@@ -10,6 +10,7 @@ module "cloudtrail" {
is_organizational = false
is_multi_region_trail = var.cloudtrail_is_multi_region_trail
cloudtrail_kms_enable = var.cloudtrail_kms_enable
+ cloudtrail_kms_arn = var.cloudtrail_kms_arn
tags = var.tags
}
diff --git a/examples/single-account-ecs/main.tf b/examples/single-account-ecs/main.tf
index 1d4ebfbf..6acfc708 100644
--- a/examples/single-account-ecs/main.tf
+++ b/examples/single-account-ecs/main.tf
@@ -52,10 +52,10 @@ module "cloud_connector" {
build_project_name = length(module.codebuild) == 1 ? module.codebuild[0].project_name : "na"
existing_cloudtrail_config = {
+ cloudtrail_kms_arn = var.cloudtrail_kms_arn
cloudtrail_sns_arn = local.cloudtrail_sns_arn
}
-
ecs_cluster_name = local.ecs_cluster_name
ecs_vpc_id = local.ecs_vpc_id
ecs_vpc_subnets_private_ids = local.ecs_vpc_subnets_private_ids
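Review bot: with `cloudtrail_kms_enable = true` and `cloudtrail_kms_arn = null` (the defaults) the cloudtrail module creates its own key, but only `var.cloudtrail_kms_arn` is forwarded to the connector, so the new `task_policy_kms` is created only for user-supplied keys and never for the module-created one. Please confirm the created-key path still decrypts (via the key policy or another grant) or forward the module's key ARN here instead of the raw variable.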
diff --git a/examples/single-account-ecs/variables.tf b/examples/single-account-ecs/variables.tf
index dd9dd287..0ba864db 100644
--- a/examples/single-account-ecs/variables.tf
+++ b/examples/single-account-ecs/variables.tf
@@ -1,5 +1,3 @@
-
-
#---------------------------------
# optionals - with defaults
#---------------------------------
@@ -8,6 +6,18 @@
#
# cloudtrail configuration
#
+variable "cloudtrail_kms_enable" {
+ type = bool
+ default = true
+ description = "true/false whether cloudtrail delivered events to S3 should persist encrypted. If `var.cloudtrail_kms_arn` is set, then the pre-existing KMS key will be used, otherwise a new KMS key will be created"
+}
+
+variable "cloudtrail_kms_arn" {
+ type = string
+ default = null
+ description = "When `var.cloudtrail_kms_enable` is set to true, ARN of a pre-existing KMS key for encrypting the Cloudtrail logs"
+}
+
variable "cloudtrail_sns_arn" {
type = string
default = "create"
@@ -20,13 +30,6 @@ variable "cloudtrail_is_multi_region_trail" {
description = "true/false whether cloudtrail will ingest multiregional events"
}
-variable "cloudtrail_kms_enable" {
- type = bool
- default = true
- description = "true/false whether cloudtrail delivered events to S3 should persist encrypted"
-}
-
-
#
# ecs, security group, vpc
#
diff --git a/examples/single-account-k8s/cloudtrail.tf b/examples/single-account-k8s/cloudtrail.tf
index 0bd79c7d..49905aca 100644
--- a/examples/single-account-k8s/cloudtrail.tf
+++ b/examples/single-account-k8s/cloudtrail.tf
@@ -11,6 +11,7 @@ module "cloudtrail" {
is_organizational = false
is_multi_region_trail = var.cloudtrail_is_multi_region_trail
cloudtrail_kms_enable = var.cloudtrail_kms_enable
+ cloudtrail_kms_arn = var.cloudtrail_kms_arn
tags = var.tags
}
diff --git a/examples/single-account-k8s/variables.tf b/examples/single-account-k8s/variables.tf
index 6b59ee49..74d9a4ca 100644
--- a/examples/single-account-k8s/variables.tf
+++ b/examples/single-account-k8s/variables.tf
@@ -21,7 +21,13 @@ variable "cloudtrail_is_multi_region_trail" {
variable "cloudtrail_kms_enable" {
type = bool
default = true
- description = "true/false whether s3 should be encrypted. testing/economization purpose."
+ description = "true/false whether cloudtrail delivered events to S3 should persist encrypted. If `var.cloudtrail_kms_arn` is set, then the pre-existing KMS key will be used, otherwise a new KMS key will be created"
+}
+
+variable "cloudtrail_kms_arn" {
+ type = string
+ default = null
+ description = "When `var.cloudtrail_kms_enable` is set to true, ARN of a pre-existing KMS key for encrypting the Cloudtrail logs"
}
variable "name" {
diff --git a/modules/infrastructure/cloudtrail/README.md b/modules/infrastructure/cloudtrail/README.md
index 49bdbe21..09315a2e 100644
--- a/modules/infrastructure/cloudtrail/README.md
+++ b/modules/infrastructure/cloudtrail/README.md
@@ -41,7 +41,8 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether s3 should be encrypted | `bool` | `true` | no |
+| [cloudtrail\_kms\_arn](#input\_cloudtrail\_kms\_arn) | When `var.cloudtrail_kms_enable` is set to true, ARN of a pre-existing KMS key for encrypting the Cloudtrail logs | `string` | `null` | no |
+| [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether s3 should be encrypted. If `var.cloudtrail_kms_arn` is set, then the pre-existing KMS key will be used, otherwise a new KMS key will be created | `bool` | `true` | no |
| [is\_multi\_region\_trail](#input\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events | `bool` | `true` | no |
| [is\_organizational](#input\_is\_organizational) | true/false whether cloudtrail is organizational or not | `bool` | `false` | no |
| [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
diff --git a/modules/infrastructure/cloudtrail/kms.tf b/modules/infrastructure/cloudtrail/kms.tf
index bcf8e4f4..b7e7fb09 100644
--- a/modules/infrastructure/cloudtrail/kms.tf
+++ b/modules/infrastructure/cloudtrail/kms.tf
@@ -1,5 +1,5 @@
resource "aws_kms_key" "cloudtrail_kms" {
- count = var.cloudtrail_kms_enable ? 1 : 0
+ count = local.create_kms_key ? 1 : 0
is_enabled = true
enable_key_rotation = true
policy = data.aws_iam_policy_document.cloudtrail_kms[0].json
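Review bot: when an existing key is supplied, the module no longer manages any key policy, so delivery will fail unless the caller's key policy already lets `cloudtrail.amazonaws.com` call `kms:GenerateDataKey*` and `kms:DescribeKey` for this trail. That requirement should be stated in the `cloudtrail_kms_arn` description (variables.tf / README) since nothing in the module validates it.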
@@ -9,13 +9,13 @@ resource "aws_kms_key" "cloudtrail_kms" {
}
resource "aws_kms_alias" "kms" {
- count = var.cloudtrail_kms_enable ? 1 : 0
+ count = local.create_kms_key ? 1 : 0
target_key_id = aws_kms_key.cloudtrail_kms[0].id
name = "alias/${var.name}"
}
data "aws_iam_policy_document" "cloudtrail_kms" {
- count = var.cloudtrail_kms_enable ? 1 : 0
+ count = local.create_kms_key ? 1 : 0
statement {
sid = "Enable IAM User Permissions"
effect = "Allow"
diff --git a/modules/infrastructure/cloudtrail/locals.tf b/modules/infrastructure/cloudtrail/locals.tf
new file mode 100644
index 00000000..6d3b3a5b
--- /dev/null
+++ b/modules/infrastructure/cloudtrail/locals.tf
@@ -0,0 +1,4 @@
+locals {
+ # We don't create the KMS key when an existing KMS key ARN is provided
+ create_kms_key = var.cloudtrail_kms_enable && (var.cloudtrail_kms_arn != null || var.cloudtrail_kms_arn != "")
+}
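Review bot: the condition in `create_kms_key` is inverted and can never be false when `cloudtrail_kms_enable` is true: `var.cloudtrail_kms_arn != null || var.cloudtrail_kms_arn != ""` holds for every value (nothing is both null and ""), so a key is always created and the supplied ARN is never used, contradicting the comment above it. It should be `var.cloudtrail_kms_enable && (var.cloudtrail_kms_arn == null || var.cloudtrail_kms_arn == "")`.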
diff --git a/modules/infrastructure/cloudtrail/main.tf b/modules/infrastructure/cloudtrail/main.tf
index c644d4ce..c649e9fd 100644
--- a/modules/infrastructure/cloudtrail/main.tf
+++ b/modules/infrastructure/cloudtrail/main.tf
@@ -8,7 +8,7 @@ resource "aws_cloudtrail" "cloudtrail" {
s3_bucket_name = aws_s3_bucket.cloudtrail.id
is_multi_region_trail = var.is_multi_region_trail
- kms_key_id = var.cloudtrail_kms_enable ? aws_kms_key.cloudtrail_kms[0].arn : null
+ kms_key_id = var.cloudtrail_kms_enable ? (local.create_kms_key ? aws_kms_key.cloudtrail_kms[0].arn : var.var.cloudtrail_kms_arn) : null
sns_topic_name = aws_sns_topic.cloudtrail.id
enable_logging = true
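Review bot: `var.var.cloudtrail_kms_arn` is a typo that fails `terraform validate` (there is no `var.var`); it should be `var.cloudtrail_kms_arn`. Since `local.create_kms_key` already includes `cloudtrail_kms_enable`, the expression can also be simplified to `local.create_kms_key ? aws_kms_key.cloudtrail_kms[0].arn : var.cloudtrail_kms_arn`, which yields null when encryption is disabled and the ARN is unset.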
diff --git a/modules/infrastructure/cloudtrail/variables.tf b/modules/infrastructure/cloudtrail/variables.tf
index ab09187b..d6028ed0 100644
--- a/modules/infrastructure/cloudtrail/variables.tf
+++ b/modules/infrastructure/cloudtrail/variables.tf
@@ -42,7 +42,13 @@ variable "s3_bucket_expiration_days" {
variable "cloudtrail_kms_enable" {
type = bool
default = true
- description = "true/false whether s3 should be encrypted"
+ description = "true/false whether cloudtrail delivered events to S3 should persist encrypted. If `var.cloudtrail_kms_arn` is set, then the pre-existing KMS key will be used, otherwise a new KMS key will be created"
+}
+
+variable "cloudtrail_kms_arn" {
+ type = string
+ default = null
+ description = "When `var.cloudtrail_kms_enable` is set to true, ARN of a pre-existing KMS key for encrypting the Cloudtrail logs"
}
variable "is_multi_region_trail" {
diff --git a/modules/services/cloud-connector-ecs/README.md b/modules/services/cloud-connector-ecs/README.md
index d1348288..816c20c8 100644
--- a/modules/services/cloud-connector-ecs/README.md
+++ b/modules/services/cloud-connector-ecs/README.md
@@ -38,6 +38,7 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu
| [aws_iam_role_policy.execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_role_policy.task_definition_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_role_policy.task_policy_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.task_policy_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_role_policy.task_policy_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_role_policy.task_policy_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_role_policy.task_read_parameters](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
@@ -48,6 +49,7 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu
| [aws_iam_policy_document.execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.execution_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.iam_role_task_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.iam_role_task_policy_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.iam_role_task_policy_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.iam_role_task_policy_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.task_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -65,22 +67,22 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu
|------|-------------|------|---------|:--------:|
| [build\_project\_arn](#input\_build\_project\_arn) | Code Build project arn | `string` | n/a | yes |
| [build\_project\_name](#input\_build\_project\_name) | Code Build project name | `string` | n/a | yes |
-| [ecs\_cluster\_name](#input\_ecs\_cluster\_name) | Name of a pre-existing ECS (elastic container service) cluster | `string` | n/a | yes |
-| [ecs\_vpc\_id](#input\_ecs\_vpc\_id) | ID of the VPC where the workload is to be deployed. | `string` | n/a | yes |
-| [ecs\_vpc\_subnets\_private\_ids](#input\_ecs\_vpc\_subnets\_private\_ids) | List of VPC subnets where workload is to be deployed. | `list(string)` | n/a | yes |
-| [secure\_api\_token\_secret\_name](#input\_secure\_api\_token\_secret\_name) | Sysdig Secure API token SSM parameter name | `string` | n/a | yes |
| [cloudwatch\_log\_retention](#input\_cloudwatch\_log\_retention) | Days to keep logs for CloudConnector | `number` | `5` | no |
| [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Default ecs cloudconnector task role name | `string` | `"ECSTaskRole"` | no |
| [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no |
| [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |
+| [ecs\_cluster\_name](#input\_ecs\_cluster\_name) | Name of a pre-existing ECS (elastic container service) cluster | `string` | n/a | yes |
| [ecs\_task\_cpu](#input\_ecs\_task\_cpu) | Amount of CPU (in CPU units) to reserve for cloud-connector task | `string` | `"256"` | no |
| [ecs\_task\_memory](#input\_ecs\_task\_memory) | Amount of memory (in megabytes) to reserve for cloud-connector task | `string` | `"512"` | no |
-| [existing\_cloudtrail\_config](#input\_existing\_cloudtrail\_config) | Optional block. If not set, a new cloudtrail, sns and sqs resources will be created
If there's an existing cloudtrail, input mandatory attributes, and one of the 1 or 2 labeled optionals.
- cloudtrail\_sns\_arn: Optional 1. ARN of a cloudtrail-sns topic. If specified, deployment region must match Cloudtrail S3 bucket region
- cloudtrail\_s3\_sns\_sqs\_arn: Optional 2. ARN of the queue that will ingest events forwarded from an existing cloudtrail\_s3\_sns
- cloudtrail\_s3\_sns\_sqs\_url: Optional 2. URL of the queue that will ingest events forwarded from an existing cloudtrail\_s3\_sns
sqs:ReceiveMessage and sqs:DeleteMessage permissions have to be provided to the compute role
| object({
cloudtrail_sns_arn = optional(string)
cloudtrail_s3_sns_sqs_arn = optional(string)
cloudtrail_s3_sns_sqs_url = optional(string)
}) | {
"cloudtrail_s3_sns_sqs_arn": null,
"cloudtrail_s3_sns_sqs_url": null,
"cloudtrail_sns_arn": "create"
} | no |
+| [ecs\_vpc\_id](#input\_ecs\_vpc\_id) | ID of the VPC where the workload is to be deployed. | `string` | n/a | yes |
+| [ecs\_vpc\_subnets\_private\_ids](#input\_ecs\_vpc\_subnets\_private\_ids) | List of VPC subnets where workload is to be deployed. | `list(string)` | n/a | yes |
+| [existing\_cloudtrail\_config](#input\_existing\_cloudtrail\_config) | Optional block. If not set, a new cloudtrail, sns and sqs resources will be created
If there's an existing cloudtrail, input mandatory attributes, and one of the 1 or 2 labeled optionals.
- cloudtrail\_kms\_arn: Optional. ARN of a cloudtrail KMS key used for encrypting the logs. Required in order to retrieve the encrypted logs from S3
- cloudtrail\_sns\_arn: Optional CloudTrail SNS. ARN of a cloudtrail-sns topic. If specified, deployment region must match Cloudtrail S3 bucket region
- cloudtrail\_s3\_sns\_sqs\_arn: Optional CloudTrail S3. ARN of the queue that will ingest events forwarded from an existing cloudtrail\_s3\_sns
- cloudtrail\_s3\_sns\_sqs\_url: Optional CloudTrail S3. URL of the queue that will ingest events forwarded from an existing cloudtrail\_s3\_sns
sqs:ReceiveMessage and sqs:DeleteMessage permissions have to be provided to the compute role
| object({
cloudtrail_kms_arn = optional(string)
cloudtrail_sns_arn = optional(string)
cloudtrail_s3_sns_sqs_arn = optional(string)
cloudtrail_s3_sns_sqs_url = optional(string)
}) | {
"cloudtrail_kms_arn": null,
"cloudtrail_s3_sns_sqs_arn": null,
"cloudtrail_s3_sns_sqs_url": null,
"cloudtrail_sns_arn": "create"
} | no |
| [extra\_env\_vars](#input\_extra\_env\_vars) | Extra environment variables for the Cloud Connector deployment | `map(string)` | `{}` | no |
| [image](#input\_image) | Image of the cloud connector to deploy | `string` | `"quay.io/sysdig/cloud-connector:latest"` | no |
| [is\_organizational](#input\_is\_organizational) | true/false whether `organizational_config` should be used to handle organizational setup | `bool` | `false` | no |
| [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc-cloudconnector"` | no |
| [organizational\_config](#input\_organizational\_config) | organizational\_config. following attributes must be given
- `sysdig_secure_for_cloud_role_arn` for cloud-connector assumeRole in order to read cloudtrail s3 events
- `connector_ecs_task_role_name` which has been granted trusted-relationship over the secure\_for\_cloud\_role
- `organizational_role_per_account` is the name of the organizational role deployed by AWS in each account of the organization. used for image-scanning only
| object({
sysdig_secure_for_cloud_role_arn = string
organizational_role_per_account = string
connector_ecs_task_role_name = string
}) | {
"connector_ecs_task_role_name": null,
"organizational_role_per_account": null,
"sysdig_secure_for_cloud_role_arn": null
} | no |
+| [secure\_api\_token\_secret\_name](#input\_secure\_api\_token\_secret\_name) | Sysdig Secure API token SSM parameter name | `string` | n/a | yes |
| [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | {
"product": "sysdig-secure-for-cloud"
} | no |
| [verify\_ssl](#input\_verify\_ssl) | true/false to determine ssl verification for sysdig\_secure\_url | `bool` | `true` | no |
diff --git a/modules/services/cloud-connector-ecs/permissions.tf b/modules/services/cloud-connector-ecs/permissions.tf
index 24d07ffe..2b1c97fc 100644
--- a/modules/services/cloud-connector-ecs/permissions.tf
+++ b/modules/services/cloud-connector-ecs/permissions.tf
@@ -63,6 +63,7 @@ resource "aws_iam_role_policy" "task_policy_s3" {
role = local.ecs_task_role_id
policy = data.aws_iam_policy_document.iam_role_task_policy_s3[0].json
}
+
data "aws_iam_policy_document" "iam_role_task_policy_s3" {
count = var.is_organizational ? 0 : 1
statement {
@@ -76,6 +77,24 @@ data "aws_iam_policy_document" "iam_role_task_policy_s3" {
}
}
+resource "aws_iam_role_policy" "task_policy_kms" {
+ count = var.existing_cloudtrail_config.cloudtrail_kms_arn == null ? 0 : 1
+ name = "${var.name}-AllowKMSDecryption"
+ role = local.ecs_task_role_id
+ policy = data.aws_iam_policy_document.iam_role_task_policy_kms[0].json
+}
+
+data "aws_iam_policy_document" "iam_role_task_policy_kms" {
+ count = var.existing_cloudtrail_config.cloudtrail_kms_arn == null ? 0 : 1
+ statement {
+ effect = "Allow"
+ actions = [
+ "kms:Decrypt"
+ ]
+ resources = [var.existing_cloudtrail_config.cloudtrail_kms_arn]
+ }
+}
+
resource "aws_iam_role_policy" "task_policy_assume_role" {
count = var.is_organizational ? 1 : 0
name = "${var.name}-AllowS3AssumeRole"
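Review bot: the `count` guard only tests `== null`, while the cloudtrail module's locals also treat `""` as unset; an empty string here produces a policy with an empty `resources` entry that the AWS API rejects. Use the same null-or-empty test. Separately, in the organizational setup the S3 objects are read under the assumed `sysdig_secure_for_cloud_role_arn`, not the ECS task role, so this `kms:Decrypt` grant on `local.ecs_task_role_id` does not cover that path; either gate it on `!var.is_organizational` like `task_policy_s3` or document that the assumed role (and the key policy) must grant decrypt.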
diff --git a/modules/services/cloud-connector-ecs/variables.tf b/modules/services/cloud-connector-ecs/variables.tf
index b5d7a138..fb808019 100644
--- a/modules/services/cloud-connector-ecs/variables.tf
+++ b/modules/services/cloud-connector-ecs/variables.tf
@@ -39,11 +39,13 @@ variable "ecs_vpc_subnets_private_ids" {
variable "existing_cloudtrail_config" {
type = object({
+ cloudtrail_kms_arn = optional(string)
cloudtrail_sns_arn = optional(string)
cloudtrail_s3_sns_sqs_arn = optional(string)
cloudtrail_s3_sns_sqs_url = optional(string)
})
default = {
+ cloudtrail_kms_arn = null
cloudtrail_sns_arn = "create"
cloudtrail_s3_sns_sqs_arn = null
cloudtrail_s3_sns_sqs_url = null
@@ -53,15 +55,14 @@ variable "existing_cloudtrail_config" {
Optional block. If not set, a new cloudtrail, sns and sqs resources will be created
If there's an existing cloudtrail, input mandatory attributes, and one of the 1 or 2 labeled optionals.
- - cloudtrail_sns_arn: Optional 1. ARN of a cloudtrail-sns topic. If specified, deployment region must match Cloudtrail S3 bucket region
- - cloudtrail_s3_sns_sqs_arn: Optional 2. ARN of the queue that will ingest events forwarded from an existing cloudtrail_s3_sns
- - cloudtrail_s3_sns_sqs_url: Optional 2. URL of the queue that will ingest events forwarded from an existing cloudtrail_s3_sns
sqs:ReceiveMessage and sqs:DeleteMessage permissions have to be provided to the compute role
+ - cloudtrail_kms_arn: Optional. ARN of a cloudtrail KMS key used for encrypting the logs. Required in order to retrieve the encrypted logs from S3
+ - cloudtrail_sns_arn: Optional CloudTrail SNS. ARN of a cloudtrail-sns topic. If specified, deployment region must match Cloudtrail S3 bucket region
+ - cloudtrail_s3_sns_sqs_arn: Optional CloudTrail S3. ARN of the queue that will ingest events forwarded from an existing cloudtrail_s3_sns
+ - cloudtrail_s3_sns_sqs_url: Optional CloudTrail S3. URL of the queue that will ingest events forwarded from an existing cloudtrail_s3_sns
sqs:ReceiveMessage and sqs:DeleteMessage permissions have to be provided to the compute role
EOT
}
-
-
#---------------------------------
# optionals - with default
#---------------------------------
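Review bot: the intro line "one of the 1 or 2 labeled optionals" is left unchanged while the numbered labels it refers to were replaced with "Optional CloudTrail SNS" / "Optional CloudTrail S3", so it should be updated to name those two groups. The new `cloudtrail_kms_arn` item also reads "Optional ... Required", which is contradictory; state that it is required only when the existing trail's S3 objects are SSE-KMS encrypted, and that the key policy must allow the connector principal to decrypt.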