[SSPROD-48724] AWS Modular Onboarding for VM Workload Scanning (#25)

* First version of VM Workload Scanning component for AWS

* Small fixes to examples

* With lambda included

* Some fixes

* Some changes

* Workload scanning for AWS without EKS

* Corrections from testing onboarding

* Examples fix

* Comments from chris geers

Author: miguelpais

modules/config-posture/README.md

@@ -63,6 +63,9 @@ No modules.
 
 | Name | Description |
 |------|-------------|
+| <a name="output_config_posture_component_id"></a> [config_posture_component_id](#output_config_posture_component_id) | Component identifier of trusted identity created in Sysdig Backend for Config Posture |
+| <a name="output_cspm_role_arn"></a> [cspm_role_arn](#output_cspm_role_arn) | The ARN of the CSPM role |
+| <a name="output_sysdig_secure_account_id"></a> [sysdig_secure_account_id](#output_sysdig_secure_account_id) | ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account) |
 | <a name="output_config_posture_component_id"></a> [config\_posture\_component\_id](#output\_config\_posture\_component\_id) | The component id of the config posture trusted identity |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

modules/config-posture/outputs.tf

@@ -2,4 +2,15 @@ output "config_posture_component_id" {
   value       = "${sysdig_secure_cloud_auth_account_component.config_posture_role.type}/${sysdig_secure_cloud_auth_account_component.config_posture_role.instance}"
   description = "Component identifier of trusted identity created in Sysdig Backend for Config Posture"
   depends_on  = [sysdig_secure_cloud_auth_account_component.config_posture_role]
+}
+
+output "cspm_role_arn" {
+  value       = aws_iam_role.cspm_role.arn
+  description = "The ARN of the CSPM role"
+  depends_on  = [aws_iam_role.cspm_role]
+}
+
+output "sysdig_secure_account_id" {
+    value       = var.sysdig_secure_account_id
+    description = "ID of the Sysdig Cloud Account to enable Config Posture for (incase of organization, ID of the Sysdig management account)"
 }

modules/vm-workload-scanning/README.md

@@ -0,0 +1,77 @@
+# AWS VM Workload Scanning Module
+
+This Module creates the resources required to perform agentless workload scanning operations.
+By default, it will create a role with permissions necessary to access and pull ECR images in the account where it is deployed. 
+Combined with the base onboarding, this allows for scanning ECS Services and Tasks pointing to ECR images.
+Also public docker images and private repos are supported, as long as private repository permissions are granted to Sysdig using the Registry Credentials UI.
+
+Optional, if AWS Lambda is enabled, we will have visibility on a set of Lambda functions in the account and be able to scan its resources.
+
+The following resources will be created in each instrumented account:
+- An IAM Role and associated policies that allows Sysdig to perform tasks necessary for vm agentless workload scanning, i.e.
+pull images from ECR, optionally obtain lambda function code and details.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name                                                                      | Version   |
+|---------------------------------------------------------------------------|-----------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.7    |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws)                   | >= 5.60.0 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig)          | ~> 1.37   |
+
+## Providers
+
+| Name                                                       | Version  |
+|------------------------------------------------------------|----------|
+| <a name="provider_aws"></a> [aws](#provider\_aws)          | >= 5.60.0 |
+| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | ~> 1.37  |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [sysdig_secure_tenant_external_id.external_id](https://registry.terraform.io/providers/sysdig/sysdig/latest/docs/data-sources/tenant_external_id) | data source |
+| [aws_iam_policy.ecr_scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_policy_attachment.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
+| [sysdig_secure_cloud_auth_account_component.vm_workload_scanning_account_component](https://registry.terraform.io/providers/sysdig/sysdig/latest/docs/resources/cloud_auth_account_component) | resource |
+| [aws_cloudformation_stack_set.scanning_role_stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource |
+| [aws_cloudformation_stack_set_instance.scanning_role_stackset_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
+| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
+
+
+## Inputs
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_tags"></a> [tags](#input_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | <pre>{<br>"product": "sysdig-secure-for-cloud"<br>}</pre> | no |
+| <a name="input_is_organizational"></a> [is_organizational](#input_is_organizational) | Set this field to 'true' to deploy Agentless Workload Scanning to an AWS Organization (Or specific OUs) | `bool` | `false` | no |
+| <a name="input_organizational_units_ids"></a> [organizational_units_ids](#input_org_units) | List of Organization Unit IDs in which to setup Agentless Workload Scanning. By default, Agentless Workload Scanning will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false` | `set(string)` | `[]` | no |
+| <a name="input_timeout"></a> [timeout](#input_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no |
+| <a name="input_failure_tolerance_percentage"></a> [failure_tolerance_percentage](#input_failure_tolerance_percentage) | The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region | `number` | `90` | no |
+| <a name="input_lambda_scanning_enabled"></a> [lambda_scanning_enabled](#input_lambda_scanning_enabled) | Set this field to 'true' to deploy Agentless Workload Scanning for Lambda functions | `bool` | `false` | no |
+| <a name="input_sysdig_secure_account_id"></a> [sysdig_secure_account_id](#input_sysdig_secure_account_id) | ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account) | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_role_arn"></a> [role_arn](#output_role_arn) | Role used by Sysdig Platform for Agentless Workload Scanning |
+| <a name="output_vm_workload_scanning_component_id"></a> [vm_workload_scanning_component_id](#output_vm_workload_scanning_component_id) | Component identifier of trusted identity created in Sysdig Backend for VM Workload Scanning |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Authors
+
+Module is maintained by [Sysdig](https://sysdig.com).
+
+## License
+
+Apache 2 Licensed. See LICENSE for full details.

modules/vm-workload-scanning/locals.tf

@@ -0,0 +1,9 @@
+// generate a random suffix for the config-posture role name
+
+resource "random_id" "suffix" {
+  byte_length = 3
+}
+
+locals {
+  ecr_role_name = "sysdig-vm-workload-scanning-${random_id.suffix.hex}"
+}

modules/vm-workload-scanning/main.tf

@@ -0,0 +1,161 @@
+data "sysdig_secure_tenant_external_id" "cloud_auth_external_id" {}
+
+data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
+  cloud_provider = "aws"
+}
+
+###########################################
+# Workload Controller IAM roles and stuff #
+###########################################
+
+#-----------------------------------------------------------------------------------------------------------------------
+# Determine if this is an Organizational install, or a single account install. For Single Account installs, resources
+# are created directly using the AWS Terraform Provider (This is the default behaviour). For Organizational installs,
+# see organizational.tf, and the resources in this file are used to instrument the management account (StackSets do not
+# include the management account they are created in, even if this account is within the target Organization).
+#-----------------------------------------------------------------------------------------------------------------------
+
+#-----------------------------------------------------------------------------------------------------------------------
+# These resources create an Agentless Workload Scanning IAM Role and IAM Policy in the account.
+#-----------------------------------------------------------------------------------------------------------------------
+
+data "aws_iam_policy_document" "scanning" {
+  # General ECR read permission, necessary for the fetching artifacts.
+  statement {
+    sid = "EcrReadPermissions"
+
+    effect = "Allow"
+
+    actions = [
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:ListImages",
+      "ecr:GetAuthorizationToken",
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "functions" {
+  count = var.lambda_scanning_enabled ? 1 : 0
+
+  statement {
+    sid = "SysdigWorkloadFunctionsScanning"
+
+    effect = "Allow"
+
+    actions = [
+      "lambda:GetFunction",
+      "lambda:GetFunctionConfiguration",
+      "lambda:GetRuntimeManagementConfig",
+      "lambda:ListFunctions",
+      "lambda:ListTagsForResource",
+      "lambda:GetLayerVersionByArn",
+      "lambda:GetLayerVersion",
+      "lambda:ListLayers",
+      "lambda:ListLayerVersions"
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
+}
+
+resource "aws_iam_policy" "ecr_scanning" {
+  count = var.is_organizational ? 0 : 1
+
+  name        = "${local.ecr_role_name}-ecr"
+  description = "Grants Sysdig Secure access to ECR images"
+  policy      = data.aws_iam_policy_document.scanning.json
+  tags        = var.tags
+}
+
+resource "aws_iam_policy" "functions_scanning" {
+  count = var.lambda_scanning_enabled && !var.is_organizational? 1 : 0
+
+  name        = "${local.ecr_role_name}-functions"
+  description = "Grants Sysdig Secure access to AWS Lambda"
+  policy      = data.aws_iam_policy_document.functions[0].json
+  tags        = var.tags
+}
+
+data "aws_iam_policy_document" "scanning_assume_role_policy" {
+  statement {
+    sid = "SysdigWorkloadScanning"
+
+    actions = [
+      "sts:AssumeRole"
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity
+      ]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "sts:ExternalId"
+      values   = [data.sysdig_secure_tenant_external_id.cloud_auth_external_id.external_id]
+    }
+  }
+}
+
+resource "aws_iam_role" "scanning" {
+  count = var.is_organizational ? 0 : 1
+
+  name               = local.ecr_role_name
+  tags               = var.tags
+  assume_role_policy = data.aws_iam_policy_document.scanning_assume_role_policy.json
+}
+
+resource "aws_iam_policy_attachment" "scanning" {
+  count = var.is_organizational ? 0 : 1
+
+  name       = local.ecr_role_name
+  roles      = [aws_iam_role.scanning[0].name]
+  policy_arn = aws_iam_policy.ecr_scanning[0].arn
+}
+
+resource "aws_iam_policy_attachment" "functions" {
+  count = var.lambda_scanning_enabled && !var.is_organizational ? 1 : 0
+
+  name       = local.ecr_role_name
+  roles      = [aws_iam_role.scanning[0].name]
+  policy_arn = aws_iam_policy.functions_scanning[0].arn
+}
+
+#--------------------------------------------------------------------------------------------------------------
+# Call Sysdig Backend to add the trusted role for Config Posture to the Sysdig Cloud Account
+#
+# Note (optional): To ensure this gets called after all cloud resources are created, add
+# explicit dependency using depends_on
+#--------------------------------------------------------------------------------------------------------------
+resource "sysdig_secure_cloud_auth_account_component" "vm_workload_scanning_account_component" {
+  account_id = var.sysdig_secure_account_id
+
+  type       = "COMPONENT_TRUSTED_ROLE"
+  instance   = "secure-vm-workload-scanning"
+  version    = "v0.1.0"
+  trusted_role_metadata = jsonencode({
+    aws = {
+      role_name = aws_iam_role.scanning[0].name
+    }
+  })
+
+  depends_on = [
+    aws_iam_policy.ecr_scanning,
+    aws_iam_role.scanning,
+    aws_iam_policy_attachment.scanning,
+    aws_cloudformation_stack_set.scanning_role_stackset,
+    aws_cloudformation_stack_set_instance.scanning_role_stackset_instance,
+    aws_iam_policy.functions_scanning,
+    aws_iam_policy_attachment.functions,
+  ]
+}