diff --git a/.github/git-chglog/CHANGELOG.tpl.md b/.github/git-chglog/CHANGELOG.tpl.md index 20fc46e..0a206c3 100644 --- a/.github/git-chglog/CHANGELOG.tpl.md +++ b/.github/git-chglog/CHANGELOG.tpl.md @@ -13,4 +13,4 @@ Reverts {{- if .NoteGroups -}} {{ range .NoteGroups -}} {{ .Title }} -{{ range .Notes }} {{ .Body }} {{ end }} {{ end -}} {{ end -}} {{ end -}} \ No newline at end of file +{{ range .Notes }} {{ .Body }} {{ end }} {{ end -}} {{ end -}} {{ end -}} diff --git a/.github/git-chglog/config.yml b/.github/git-chglog/config.yml index 5ca1d2c..1c38253 100644 --- a/.github/git-chglog/config.yml +++ b/.github/git-chglog/config.yml @@ -23,4 +23,4 @@ options: - Subject notes: keywords: - - BREAKING CHANGE \ No newline at end of file + - BREAKING CHANGE diff --git a/.github/workflows/ci-pull-request.yaml b/.github/workflows/ci-pull-request.yaml index 882c545..7d0b98f 100644 --- a/.github/workflows/ci-pull-request.yaml +++ b/.github/workflows/ci-pull-request.yaml @@ -51,4 +51,4 @@ jobs: run: | go install github.com/onsi/ginkgo/ginkgo@latest - name: Test - run: make test \ No newline at end of file + run: make test diff --git a/.github/workflows/pre-commit-check.yml b/.github/workflows/pre-commit-check.yml new file mode 100644 index 0000000..b0985ae --- /dev/null +++ b/.github/workflows/pre-commit-check.yml @@ -0,0 +1,32 @@ +name: Pre-commit Check + +on: + pull_request: + branches: [ main ] + +jobs: + pre-commit: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Get changed files + uses: tj-actions/changed-files@v41 + id: changed-files + + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: '3.x' + + - name: Set up Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: latest + + - name: Install pre-commit + run: pip install pre-commit + + - name: Run pre-commit on changed files + run: | + pre-commit run --files ${{ steps.changed-files.outputs.all_changed_files }} --hook-stage push 
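Review bot: In the new `.github/workflows/pre-commit-check.yml`, the last step interpolates `${{ steps.changed-files.outputs.all_changed_files }}` straight into a `run:` line, so the pull request's file names — chosen by the PR author — are substituted into the command text before bash parses it, and a path carrying shell metacharacters would be interpreted by the runner's shell instead of reaching pre-commit as an argument; recent versions of the action escape some characters in their outputs, but passing the value through an environment variable and letting the shell expand it does not depend on that. Pin `tj-actions/changed-files` (and the other `uses:` actions) to a full commit SHA rather than a floating tag, since a retargeted tag can replace the code that produces this output. The job declares no `permissions:` block and therefore runs with the repository's default token scope; `contents: read` is all it needs. `terraform_version: latest` and `python-version: '3.x'` are likewise unpinned, which affects reproducibility rather than safety.
```yaml
permissions:
  contents: read

# … unchanged: name, on, jobs header, checkout, changed-files, setup and install steps …
      - name: Run pre-commit on changed files
        env:
          CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
        run: |
          pre-commit run --files $CHANGED_FILES --hook-stage push
```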
diff --git a/.gitignore b/.gitignore index 85ebeff..e4b812c 100644 --- a/.gitignore +++ b/.gitignore @@ -31,4 +31,4 @@ crash.log .envrc .direnv .DS_Store -.idea/ \ No newline at end of file +.idea/ diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..5fa29b8 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,22 @@ +repos: + - repo: local + hooks: + - id: terraform_clean + name: "Terraform Cleanup" + pass_filenames: false + language: system + entry: bash -c "find . \( -iname ".terraform*" ! -iname ".terraform-docs*" ! -path "*/test/*" \) -print0 | xargs -0 rm -r; true" + - repo: https://github.com/antonbabenko/pre-commit-terraform + rev: v1.88.4 + hooks: + - id: terraform_fmt + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.5.0 + hooks: + - id: trailing-whitespace + - id: end-of-file-fixer + - id: check-yaml + - id: check-added-large-files + - id: check-merge-conflict + - id: no-commit-to-branch + args: [--branch, main, --pattern, ".*/.*"] diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 9b33fd6..ca32a5f 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -31,4 +31,4 @@ It's recommended to use an .envrc file to keep environment variables under contr ## Release -- push a new tag and the Github Action will draft a release (with notes) \ No newline at end of file +- push a new tag and the Github Action will draft a release (with notes) diff --git a/LICENSE.txt b/LICENSE.txt index f49a4e1..261eeb9 100644 --- a/LICENSE.txt +++ b/LICENSE.txt @@ -198,4 +198,4 @@ distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and - limitations under the License. \ No newline at end of file + limitations under the License. diff --git a/Makefile b/Makefile index 06bdcdc..c931a2f 100644 --- a/Makefile +++ b/Makefile 
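Review bot: The `terraform_clean` entry in the new `.pre-commit-config.yaml` nests double quotes inside a double-quoted `bash -c "..."` string; pre-commit splits `entry` with shell-style quoting, so as far as I can tell the inner quotes only close and reopen the outer string and bash receives `-iname .terraform*`, `-iname .terraform-docs*` and `-path */test/*` unquoted, letting the shell glob them against the repository root before find sees them — depending on what the glob expands to, find either errors out (hidden by the trailing `; true`) or matches only the literal expansion. Single quotes around the script keep the patterns intact: `entry: bash -c 'find . \( -iname ".terraform*" ! -iname ".terraform-docs*" ! -path "*/test/*" \) -print0 | xargs -0 rm -r; true'`, and a hook that runs `rm -r` across the tree on every commit and in CI deserves a one-line comment stating what it is meant to remove. Note that `.terraform*` also matches `.terraform.lock.hcl`, so any committed provider lock file outside `test/` is deleted along with the cache — presumably intended for a module repository, but worth stating in that comment. The `no-commit-to-branch` pattern `.*/.*` rejects commits on every branch whose name contains a slash, not only `main`; confirm that is the intended policy.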
@@ -27,4 +27,4 @@ clean: .PHONY: test test: - $(MAKE) -C test test \ No newline at end of file + $(MAKE) -C test test diff --git a/modules/agentless-scanning/locals.tf b/modules/agentless-scanning/locals.tf index 4096dc3..e0649a5 100644 --- a/modules/agentless-scanning/locals.tf +++ b/modules/agentless-scanning/locals.tf @@ -9,10 +9,10 @@ data "aws_organizations_organization" "org" { locals { # check if both old and new org parameters are provided, we fail early both_org_configuration_params = var.is_organizational && length(var.org_units) > 0 && ( - length(var.include_ouids) > 0 || - length(var.exclude_ouids) > 0 || - length(var.include_accounts) > 0 || - length(var.exclude_accounts) > 0 + length(var.include_ouids) > 0 || + length(var.exclude_ouids) > 0 || + length(var.include_accounts) > 0 || + length(var.exclude_accounts) > 0 ) # check if old org_units parameter is provided, for backwards compatibility we will always give preference to it @@ -25,14 +25,14 @@ locals { check "validate_org_configuration_params" { assert { - condition = length(var.org_units) == 0 # if this condition is false we throw warning + condition = length(var.org_units) == 0 # if this condition is false we throw warning error_message = <<-EOT WARNING: TO BE DEPRECATED 'org_units' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead. EOT } assert { - condition = !local.both_org_configuration_params # if this condition is false we throw error + condition = !local.both_org_configuration_params # if this condition is false we throw error error_message = <<-EOT ERROR: If both org_units and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated, ONLY org_units will be considered. Please use only one of the two methods. 
@@ -70,19 +70,19 @@ locals { # case1 - if old method is used where ONLY org_units is provided, use those local.check_old_ouid_param ? ( "old_ouid_param" - ) : ( + ) : ( # case2 - if no include/exclude ous provided, include entire org var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? ( "entire_org" - ) : ( + ) : ( # case3 - if only included ouids provided, include those ous only var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? ( "included_ous_only" - ) : ( + ) : ( # case4 - if only excluded ouids provided, exclude their accounts from rest of org var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? ( "excluded_ous_only" - ) : ( + ) : ( # case5 - if both include and exclude ouids are provided, includes override excludes var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? ( "mixed_ous" @@ -99,7 +99,7 @@ locals { org_units_to_deploy = var.org_units } entire_org = { - org_units_to_deploy = local.root_org_unit + org_units_to_deploy = local.root_org_unit } included_ous_only = { org_units_to_deploy = var.include_ouids 
@@ -140,15 +140,15 @@ locals { # case1 - if old method is used where ONLY org_units is provided, this configuration is a noop local.check_old_ouid_param ? ( "NONE" - ) : ( + ) : ( # case2 - if only included accounts provided, include those accts as well var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? ( "UNION" - ) : ( + ) : ( # case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts - var.is_organizational && length(var.include_accounts) == 0 && ( length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only" ) ? ( + var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? ( "DIFFERENCE" - ) : ( + ) : ( # case4 - if both include and exclude accounts are provided, includes override excludes var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? ( "MIXED" 
@@ -158,30 +158,30 @@ locals { ) ) - ou_accounts_to_exclude = flatten([ for ou_accounts in data.aws_organizations_organizational_unit_descendant_accounts.ou_accounts_to_exclude: [ ou_accounts.accounts[*].id ] ]) - accounts_to_exclude = setunion(local.ou_accounts_to_exclude, var.exclude_accounts) + ou_accounts_to_exclude = flatten([for ou_accounts in data.aws_organizations_organizational_unit_descendant_accounts.ou_accounts_to_exclude : [ou_accounts.accounts[*].id]]) + accounts_to_exclude = setunion(local.ou_accounts_to_exclude, var.exclude_accounts) # switch cases for various user provided accounts configuration to be onboarded deployment_account_options = { NONE = { - accounts_to_deploy = [] + accounts_to_deploy = [] account_filter_type = "NONE" } UNION = { - accounts_to_deploy = var.include_accounts + accounts_to_deploy = var.include_accounts account_filter_type = "UNION" } DIFFERENCE = { - accounts_to_deploy = local.accounts_to_exclude + accounts_to_deploy = local.accounts_to_exclude account_filter_type = "DIFFERENCE" } MIXED = { - accounts_to_deploy = var.include_accounts + accounts_to_deploy = var.include_accounts account_filter_type = "UNION" } default = { # default when neither of include/exclude accounts are provided - accounts_to_deploy = [] + accounts_to_deploy = [] account_filter_type = "NONE" } } 
@@ -198,6 +198,6 @@ locals { # XXX: due to AWS bug of not having UNION filter fully working, there is no way to add those extra accounts requested. # to not miss out on those extra accounts, deploy the cloud resources across entire org and noop the UNION filter. # i.e till we can't deploy UNION, we deploy it all - deployment_targets_org_units = local.deployment_targets_accounts.account_filter_type == "UNION" ? local.root_org_unit : local.deployment_targets_ous.org_units_to_deploy + deployment_targets_org_units = local.deployment_targets_accounts.account_filter_type == "UNION" ? local.root_org_unit : local.deployment_targets_ous.org_units_to_deploy deployment_targets_accounts_filter = local.deployment_targets_accounts.account_filter_type == "UNION" ? "NONE" : local.deployment_targets_accounts.account_filter_type -} \ No newline at end of file +} diff --git a/modules/agentless-scanning/main.tf b/modules/agentless-scanning/main.tf index 689d7d4..4c4232d 100644 --- a/modules/agentless-scanning/main.tf +++ b/modules/agentless-scanning/main.tf @@ -124,8 +124,8 @@ EOF } resource "aws_iam_role_policy_attachments_exclusive" "scanning_stackset_execution_role_managed_policy" { - count = !var.auto_create_stackset_roles ? 0 : 1 - role_name = aws_iam_role.scanning_stackset_execution_role[0].id + count = !var.auto_create_stackset_roles ? 0 : 1 + role_name = aws_iam_role.scanning_stackset_execution_role[0].id policy_arns = [ "arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser", "arn:aws:iam::aws:policy/AWSCloudFormationFullAccess", @@ -182,7 +182,7 @@ Resources: Statement: - Sid: "Read" Effect: "Allow" - Action: + Action: - "ec2:Describe*" Resource: "*" Condition: @@ -273,7 +273,7 @@ Resources: - Sid: "SysdigAllowKms" Effect: "Allow" Principal: - AWS: + AWS: - "arn:aws:iam::${data.sysdig_secure_agentless_scanning_assets.assets.aws.account_id}:root" - !GetAtt ScanningRole.Arn Action: 
@@ -288,7 +288,7 @@ Resources: - Sid: "AllowCustomerManagement" Effect: "Allow" Principal: - AWS: + AWS: - "arn:aws:iam::${local.account_id}:root" - "${local.caller_arn}" - "arn:aws:iam::${local.account_id}:role/${local.execution_role_name}" @@ -310,8 +310,8 @@ TEMPLATE # stackset instance to deploy resources for agentless scanning, in all regions of given account resource "aws_cloudformation_stack_set_instance" "primary_acc_stackset_instance" { - for_each = local.region_set - stack_set_instance_region = each.key + for_each = local.region_set + stack_set_instance_region = each.key stack_set_name = aws_cloudformation_stack_set.primary_acc_stackset.name operation_preferences { @@ -365,4 +365,4 @@ resource "sysdig_secure_cloud_auth_account_component" "aws_crypto_key" { } } }) -} \ No newline at end of file +} diff --git a/modules/agentless-scanning/organizational.tf b/modules/agentless-scanning/organizational.tf index 7ca743f..75b500c 100644 --- a/modules/agentless-scanning/organizational.tf +++ b/modules/agentless-scanning/organizational.tf @@ -59,7 +59,7 @@ Resources: Statement: - Sid: "Read" Effect: "Allow" - Action: + Action: - "ec2:Describe*" Resource: "*" Condition: @@ -150,7 +150,7 @@ Resources: - Sid: "SysdigAllowKms" Effect: "Allow" Principal: - AWS: + AWS: - "arn:aws:iam::${data.sysdig_secure_agentless_scanning_assets.assets.aws.account_id}:root" - !GetAtt ScanningRole.Arn Action: @@ -165,7 +165,7 @@ Resources: - Sid: "AllowCustomerManagement" Effect: "Allow" Principal: - AWS: + AWS: - !Sub "arn:aws:iam::$${AWS::AccountId}:root" - "${local.caller_arn}" - !Sub "arn:aws:iam::$${AWS::AccountId}:role/aws-service-role/member.org.stacksets.cloudformation.amazonaws.com/AWSServiceRoleForCloudFormationStackSetsOrgMember" 
@@ -188,8 +188,8 @@ resource "aws_cloudformation_stack_set_instance" "ou_stackset_instance" { "${pair[0]}-${pair[1]}" => pair } : {} - stack_set_instance_region = each.value[0] - stack_set_name = aws_cloudformation_stack_set.ou_resources_stackset[0].name + stack_set_instance_region = each.value[0] + stack_set_name = aws_cloudformation_stack_set.ou_resources_stackset[0].name deployment_targets { organizational_unit_ids = [each.value[1]] accounts = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy) diff --git a/modules/agentless-scanning/outputs.tf b/modules/agentless-scanning/outputs.tf index 8d98d80..a56b9ea 100644 --- a/modules/agentless-scanning/outputs.tf +++ b/modules/agentless-scanning/outputs.tf @@ -8,4 +8,4 @@ output "crypto_key_component_id" { value = "${sysdig_secure_cloud_auth_account_component.aws_crypto_key.type}/${sysdig_secure_cloud_auth_account_component.aws_crypto_key.instance}" description = "Component identifier of KMS crypto key created in Sysdig Backend for Agentless Scanning" depends_on = [sysdig_secure_cloud_auth_account_component.aws_crypto_key] -} \ No newline at end of file +} diff --git a/modules/agentless-scanning/variables.tf b/modules/agentless-scanning/variables.tf index e70ae6b..c8ac57d 100644 --- a/modules/agentless-scanning/variables.tf +++ b/modules/agentless-scanning/variables.tf @@ -109,4 +109,4 @@ variable "exclude_accounts" { description = "(Optional) accounts to exclude for organization" type = set(string) default = [] -} \ No newline at end of file +} diff --git a/modules/config-posture/locals.tf b/modules/config-posture/locals.tf index b1b397f..b69796e 100644 --- a/modules/config-posture/locals.tf +++ b/modules/config-posture/locals.tf 
@@ -9,10 +9,10 @@ data "aws_organizations_organization" "org" { locals { # check if both old and new org parameters are provided, we fail early both_org_configuration_params = var.is_organizational && length(var.org_units) > 0 && ( - length(var.include_ouids) > 0 || - length(var.exclude_ouids) > 0 || - length(var.include_accounts) > 0 || - length(var.exclude_accounts) > 0 + length(var.include_ouids) > 0 || + length(var.exclude_ouids) > 0 || + length(var.include_accounts) > 0 || + length(var.exclude_accounts) > 0 ) # check if old org_units parameter is provided, for backwards compatibility we will always give preference to it @@ -25,14 +25,14 @@ locals { check "validate_org_configuration_params" { assert { - condition = length(var.org_units) == 0 # if this condition is false we throw warning + condition = length(var.org_units) == 0 # if this condition is false we throw warning error_message = <<-EOT WARNING: TO BE DEPRECATED 'org_units' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead. EOT } assert { - condition = !local.both_org_configuration_params # if this condition is false we throw error + condition = !local.both_org_configuration_params # if this condition is false we throw error error_message = <<-EOT ERROR: If both org_units and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated, ONLY org_units will be considered. Please use only one of the two methods. 
@@ -70,19 +70,19 @@ locals { # case1 - if old method is used where ONLY org_units is provided, use those local.check_old_ouid_param ? ( "old_ouid_param" - ) : ( + ) : ( # case2 - if no include/exclude ous provided, include entire org var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? ( "entire_org" - ) : ( + ) : ( # case3 - if only included ouids provided, include those ous only var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? ( "included_ous_only" - ) : ( + ) : ( # case4 - if only excluded ouids provided, exclude their accounts from rest of org var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? ( "excluded_ous_only" - ) : ( + ) : ( # case5 - if both include and exclude ouids are provided, includes override excludes var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? ( "mixed_ous" @@ -99,7 +99,7 @@ locals { org_units_to_deploy = var.org_units } entire_org = { - org_units_to_deploy = local.root_org_unit + org_units_to_deploy = local.root_org_unit } included_ous_only = { org_units_to_deploy = var.include_ouids @@ -119,7 +119,7 @@ locals { # final targets to deploy organizational resources in deployment_targets_ous = lookup(local.deployment_options, local.org_configuration, local.deployment_options.default) - + exclude_root_ou = length(local.root_org_unit) > 0 ? contains(var.exclude_ouids, local.root_org_unit[0]) : false } 
@@ -138,15 +138,15 @@ locals { # case1 - if old method is used where ONLY org_units is provided, this configuration is a noop local.check_old_ouid_param ? ( "NONE" - ) : ( + ) : ( # case2 - if only included accounts provided, include those accts as well var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? ( "UNION" - ) : ( + ) : ( # case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts - var.is_organizational && length(var.include_accounts) == 0 && ( length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only" ) ? ( + var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? ( "DIFFERENCE" - ) : ( + ) : ( # case4 - if both include and exclude accounts are provided, includes override excludes var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? ( "MIXED" 
@@ -156,30 +156,30 @@ locals { ) ) - ou_accounts_to_exclude = flatten([ for ou_accounts in data.aws_organizations_organizational_unit_descendant_accounts.ou_accounts_to_exclude: [ ou_accounts.accounts[*].id ] ]) - accounts_to_exclude = setunion(local.ou_accounts_to_exclude, var.exclude_accounts) + ou_accounts_to_exclude = flatten([for ou_accounts in data.aws_organizations_organizational_unit_descendant_accounts.ou_accounts_to_exclude : [ou_accounts.accounts[*].id]]) + accounts_to_exclude = setunion(local.ou_accounts_to_exclude, var.exclude_accounts) # switch cases for various user provided accounts configuration to be onboarded deployment_account_options = { NONE = { - accounts_to_deploy = [] + accounts_to_deploy = [] account_filter_type = "NONE" } UNION = { - accounts_to_deploy = var.include_accounts + accounts_to_deploy = var.include_accounts account_filter_type = "UNION" } DIFFERENCE = { - accounts_to_deploy = local.accounts_to_exclude + accounts_to_deploy = local.accounts_to_exclude account_filter_type = "DIFFERENCE" } MIXED = { - accounts_to_deploy = var.include_accounts + accounts_to_deploy = var.include_accounts account_filter_type = "UNION" } default = { # default when neither of include/exclude accounts are provided - accounts_to_deploy = [] + accounts_to_deploy = [] account_filter_type = "NONE" } } 
@@ -196,6 +196,6 @@ locals { # XXX: due to AWS bug of not having UNION filter fully working, there is no way to add those extra accounts requested. # to not miss out on those extra accounts, deploy the cloud resources across entire org and noop the UNION filter. # i.e till we can't deploy UNION, we deploy it all - deployment_targets_org_units = local.deployment_targets_accounts.account_filter_type == "UNION" ? local.root_org_unit : local.deployment_targets_ous.org_units_to_deploy + deployment_targets_org_units = local.deployment_targets_accounts.account_filter_type == "UNION" ? local.root_org_unit : local.deployment_targets_ous.org_units_to_deploy deployment_targets_accounts_filter = local.deployment_targets_accounts.account_filter_type == "UNION" ? "NONE" : local.deployment_targets_accounts.account_filter_type -} \ No newline at end of file +} diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf index edf384e..50e03e8 100644 --- a/modules/config-posture/main.tf +++ b/modules/config-posture/main.tf @@ -165,4 +165,4 @@ resource "sysdig_secure_cloud_auth_account_component" "config_posture_role" { role_name = local.config_posture_role_name } }) -} \ No newline at end of file +} diff --git a/modules/config-posture/organizational.tf b/modules/config-posture/organizational.tf index ef89452..d13c82c 100644 --- a/modules/config-posture/organizational.tf +++ b/modules/config-posture/organizational.tf 
@@ -107,7 +107,7 @@ resource "aws_cloudformation_stack_set_instance" "stackset_instance" { for_each = var.is_organizational ? toset(local.deployment_targets_org_units) : [] stack_set_instance_region = var.region == "" ? null : var.region - stack_set_name = aws_cloudformation_stack_set.stackset[0].name + stack_set_name = aws_cloudformation_stack_set.stackset[0].name deployment_targets { organizational_unit_ids = [each.value] accounts = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy) diff --git a/modules/config-posture/outputs.tf b/modules/config-posture/outputs.tf index 0c34e93..27c402a 100644 --- a/modules/config-posture/outputs.tf +++ b/modules/config-posture/outputs.tf @@ -11,6 +11,6 @@ output "cspm_role_arn" { } output "sysdig_secure_account_id" { - value = var.sysdig_secure_account_id - description = "ID of the Sysdig Cloud Account to enable Config Posture for (incase of organization, ID of the Sysdig management account)" -} \ No newline at end of file + value = var.sysdig_secure_account_id + description = "ID of the Sysdig Cloud Account to enable Config Posture for (incase of organization, ID of the Sysdig management account)" +} diff --git a/modules/config-posture/variables.tf b/modules/config-posture/variables.tf index 553c861..0870a24 100644 --- a/modules/config-posture/variables.tf +++ b/modules/config-posture/variables.tf @@ -77,4 +77,4 @@ variable "exclude_accounts" { description = "(Optional) accounts to exclude for organization" type = set(string) default = [] -} \ No newline at end of file +} diff --git a/modules/integrations/cloud-logs/main.tf b/modules/integrations/cloud-logs/main.tf index 2df5b91..aeb00ef 100644 --- a/modules/integrations/cloud-logs/main.tf +++ b/modules/integrations/cloud-logs/main.tf 
@@ -36,8 +36,8 @@ data "sysdig_secure_trusted_cloud_identity" "trusted_identity" { data "sysdig_secure_tenant_external_id" "external_id" {} data "sysdig_secure_cloud_ingestion_assets" "assets" { - cloud_provider = "aws" - cloud_provider_id = data.aws_caller_identity.current.account_id + cloud_provider = "aws" + cloud_provider_id = data.aws_caller_identity.current.account_id } #---------------------------------------------------------- 
@@ -65,28 +65,28 @@ locals { trusted_identity = var.is_gov_cloud_onboarding ? data.sysdig_secure_trusted_cloud_identity.trusted_identity.gov_identity : data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity - routing_key = data.sysdig_secure_cloud_ingestion_assets.assets.aws.sns_routing_key - ingestion_url = data.sysdig_secure_cloud_ingestion_assets.assets.aws.sns_routing_url + routing_key = data.sysdig_secure_cloud_ingestion_assets.assets.aws.sns_routing_key + ingestion_url = data.sysdig_secure_cloud_ingestion_assets.assets.aws.sns_routing_url # Topic variables - topic_name = split(":", var.topic_arn)[5] - topic_region = split(":", var.topic_arn)[3] - topic_account_id = split(":", var.topic_arn)[4] + topic_name = split(":", var.topic_arn)[5] + topic_region = split(":", var.topic_arn)[3] + topic_account_id = split(":", var.topic_arn)[4] is_cross_account_topic = local.topic_account_id != data.aws_caller_identity.current.account_id # Bucket variables bucket_account_id = var.bucket_account_id != null ? var.bucket_account_id : data.aws_caller_identity.current.account_id - is_cross_account = var.bucket_account_id != null && var.bucket_account_id != data.aws_caller_identity.current.account_id + is_cross_account = var.bucket_account_id != null && var.bucket_account_id != data.aws_caller_identity.current.account_id # KMS variables - kms_account_id = var.kms_key_arn != null && var.kms_key_arn != "" ? split(":", var.kms_key_arn)[3] : null + kms_account_id = var.kms_key_arn != null && var.kms_key_arn != "" ? split(":", var.kms_key_arn)[3] : null need_kms_policy = var.bucket_account_id != null && local.kms_account_id != null && var.bucket_account_id != local.kms_account_id # Role variables role_name = var.role_name != null ? var.role_name : split("/", var.role_arn)[1] - role_arn = var.role_arn != null ? var.role_arn : "arn:${data.aws_partition.current.partition}:iam::${local.bucket_account_id}:role/${local.role_name}" + role_arn = var.role_arn != null ? 
var.role_arn : "arn:${data.aws_partition.current.partition}:iam::${local.bucket_account_id}:role/${local.role_name}" - account_id_hash = substr(md5(local.bucket_account_id), 0, 4) + account_id_hash = substr(md5(local.bucket_account_id), 0, 4) # StackSet configuration stackset_name = "sysdig-secure-cloudlogs-${random_id.suffix.hex}-${local.account_id_hash}-stackset" @@ -114,7 +114,7 @@ resource "aws_iam_role" "cloudlogs_s3_access" { lifecycle { precondition { - condition = var.role_arn == null || split(":", var.role_arn)[4] == local.bucket_account_id + condition = var.role_arn == null || split(":", var.role_arn)[4] == local.bucket_account_id error_message = "Role and Bucket must be in the same account. Check that the Role ARN is in the Bucket account ID." } } @@ -174,13 +174,13 @@ data "aws_iam_policy_document" "cloudlogs_s3_access" { for_each = var.kms_key_arn != null && var.kms_key_arn != "" ? [1] : [] content { sid = "CloudlogsKMSDecrypt" - + effect = "Allow" - + actions = [ "kms:Decrypt" ] - + resources = [var.kms_key_arn] } } @@ -190,16 +190,16 @@ data "aws_iam_policy_document" "cloudlogs_s3_access" { # SNS Topic and Subscription for CloudTrail notifications #----------------------------------------------------------------------------------------------------------------------- resource "aws_sns_topic" "cloudtrail_notifications" { - count = var.create_topic ? 1 : 0 + count = var.create_topic ? 1 : 0 provider = aws.sns - name = local.topic_name - tags = var.tags + name = local.topic_name + tags = var.tags } resource "aws_sns_topic_policy" "cloudtrail_notifications" { - count = var.create_topic ? 1 : 0 + count = var.create_topic ? 1 : 0 provider = aws.sns - arn = aws_sns_topic.cloudtrail_notifications[0].arn + arn = aws_sns_topic.cloudtrail_notifications[0].arn policy = jsonencode({ Version = "2012-10-17" Statement = [ 
@@ -217,9 +217,9 @@ resource "aws_sns_topic_policy" "cloudtrail_notifications" { } resource "aws_sns_topic_subscription" "cloudtrail_notifications" { - count = !local.is_cross_account_topic ? 1 : 0 + count = !local.is_cross_account_topic ? 1 : 0 topic_arn = var.topic_arn - provider = aws.sns + provider = aws.sns protocol = "https" endpoint = local.ingestion_url 
@@ -232,31 +232,31 @@ resource "aws_sns_topic_subscription" "cloudtrail_notifications" { resource "aws_cloudformation_stack_set" "cloudlogs_s3_access" { count = local.is_cross_account ? 1 : 0 - name = local.stackset_name - description = "StackSet to configure S3 bucket and KMS permissions for Sysdig Cloud Logs integration" - template_body = templatefile("${path.module}/templates/stackset_template_body.tpl", { - bucket_arn = var.bucket_arn + name = local.stackset_name + description = "StackSet to configure S3 bucket and KMS permissions for Sysdig Cloud Logs integration" + template_body = templatefile("${path.module}/templates/stackset_template_body.tpl", { + bucket_arn = var.bucket_arn kms_key_arn = var.kms_key_arn }) parameters = { - RoleName = local.role_name - BucketAccountId = local.bucket_account_id - TopicAccountId = local.topic_account_id + RoleName = local.role_name + BucketAccountId = local.bucket_account_id + TopicAccountId = local.topic_account_id SysdigTrustedIdentity = local.trusted_identity - SysdigExternalId = data.sysdig_secure_tenant_external_id.external_id.external_id - KmsKeyArn = var.kms_key_arn - TopicArn = var.topic_arn - IngestionUrl = local.ingestion_url + SysdigExternalId = data.sysdig_secure_tenant_external_id.external_id.external_id + KmsKeyArn = var.kms_key_arn + TopicArn = var.topic_arn + IngestionUrl = local.ingestion_url } - permission_model = "SERVICE_MANAGED" - capabilities = ["CAPABILITY_NAMED_IAM"] - call_as = "SELF" + permission_model = "SERVICE_MANAGED" + capabilities = ["CAPABILITY_NAMED_IAM"] + call_as = "SELF" # Explicitly set auto_deployment to disabled auto_deployment { - enabled = false + enabled = false retain_stacks_on_account_removal = false } 
@@ -272,11 +272,11 @@ resource "aws_cloudformation_stack_set_instance" "cloudlogs_s3_access_bucket" { count = local.is_cross_account ? 1 : 0 stack_set_name = aws_cloudformation_stack_set.cloudlogs_s3_access[0].name - + deployment_targets { organizational_unit_ids = local.root_org_unit - account_filter_type = "INTERSECTION" - accounts = [local.bucket_account_id] + account_filter_type = "INTERSECTION" + accounts = [local.bucket_account_id] } stack_set_instance_region = data.aws_region.current.name @@ -293,11 +293,11 @@ resource "aws_cloudformation_stack_set_instance" "cloudlogs_s3_access_topic" { count = local.is_cross_account ? 1 : 0 stack_set_name = aws_cloudformation_stack_set.cloudlogs_s3_access[0].name - + deployment_targets { organizational_unit_ids = local.root_org_unit - account_filter_type = "INTERSECTION" - accounts = [local.topic_account_id] + account_filter_type = "INTERSECTION" + accounts = [local.topic_account_id] } stack_set_instance_region = local.topic_region @@ -313,10 +313,10 @@ resource "aws_cloudformation_stack_set_instance" "cloudlogs_s3_access_topic" { # Call Sysdig Backend to add the cloud logs integration #----------------------------------------------------------------------------------------------------------------------------------------- resource "sysdig_secure_cloud_auth_account_component" "aws_cloud_logs" { - account_id = var.sysdig_secure_account_id - type = "COMPONENT_CLOUD_LOGS" - instance = "secure-runtime" - version = "v1.0.1" + account_id = var.sysdig_secure_account_id + type = "COMPONENT_CLOUD_LOGS" + instance = "secure-runtime" + version = "v1.0.1" cloud_logs_metadata = jsonencode({ aws = { cloudtrailSns = { diff --git a/modules/integrations/cloud-logs/variables.tf b/modules/integrations/cloud-logs/variables.tf index deed12f..8675ec1 100644 --- a/modules/integrations/cloud-logs/variables.tf +++ b/modules/integrations/cloud-logs/variables.tf 
@@ -72,8 +72,8 @@ variable "role_arn" { default = null validation { - condition = var.role_arn == null || can(regex("^arn:(aws|aws-us-gov):iam::[0-9]+:role/.+$", var.role_arn)) - error_message = "Role ARN must be a valid IAM ARN format" + condition = var.role_arn == null || can(regex("^arn:(aws|aws-us-gov):iam::[0-9]+:role/.+$", var.role_arn)) + error_message = "Role ARN must be a valid IAM ARN format" } } diff --git a/modules/integrations/cloud-logs/versions.tf b/modules/integrations/cloud-logs/versions.tf index 107c0f7..1a49519 100644 --- a/modules/integrations/cloud-logs/versions.tf +++ b/modules/integrations/cloud-logs/versions.tf @@ -8,7 +8,7 @@ terraform { configuration_aliases = [aws.sns] } sysdig = { - source = "sysdiglabs/sysdig" + source = "sysdiglabs/sysdig" version = "~> 1.56" } random = { diff --git a/modules/integrations/cross-account-event-bridge/locals.tf b/modules/integrations/cross-account-event-bridge/locals.tf index 0a674a5..dd0b791 100644 --- a/modules/integrations/cross-account-event-bridge/locals.tf +++ b/modules/integrations/cross-account-event-bridge/locals.tf @@ -9,10 +9,10 @@ data "aws_organizations_organization" "org" { locals { # check if both old and new org parameters are provided, we fail early both_org_configuration_params = var.is_organizational && length(var.org_units) > 0 && ( - length(var.include_ouids) > 0 || - length(var.exclude_ouids) > 0 || - length(var.include_accounts) > 0 || - length(var.exclude_accounts) > 0 + length(var.include_ouids) > 0 || + length(var.exclude_ouids) > 0 || + length(var.include_accounts) > 0 || + length(var.exclude_accounts) > 0 ) # check if old org_units parameter is provided, for backwards compatibility we will always give preference to it 
@@ -25,14 +25,14 @@ locals { check "validate_org_configuration_params" { assert { - condition = length(var.org_units) == 0 # if this condition is false we throw warning + condition = length(var.org_units) == 0 # if this condition is false we throw warning error_message = <<-EOT WARNING: TO BE DEPRECATED 'org_units': Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead. EOT } assert { - condition = !local.both_org_configuration_params # if this condition is false we throw error + condition = !local.both_org_configuration_params # if this condition is false we throw error error_message = <<-EOT ERROR: If both org_units and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated, ONLY org_units will be considered. Please use only one of the two methods. @@ -70,19 +70,19 @@ locals { # case1 - if old method is used where ONLY org_units is provided, use those local.check_old_ouid_param ? ( "old_ouid_param" - ) : ( + ) : ( # case2 - if no include/exclude ous provided, include entire org var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? ( "entire_org" - ) : ( + ) : ( # case3 - if only included ouids provided, include those ous only var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? ( "included_ous_only" - ) : ( + ) : ( # case4 - if only excluded ouids provided, exclude their accounts from rest of org var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? ( "excluded_ous_only" - ) : ( + ) : ( # case5 - if both include and exclude ouids are provided, includes override excludes var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? ( "mixed_ous" 
@@ -99,7 +99,7 @@ locals { org_units_to_deploy = var.org_units } entire_org = { - org_units_to_deploy = local.root_org_unit + org_units_to_deploy = local.root_org_unit } included_ous_only = { org_units_to_deploy = var.include_ouids @@ -119,7 +119,7 @@ locals { # final targets to deploy organizational resources in deployment_targets_ous = lookup(local.deployment_options, local.org_configuration, local.deployment_options.default) - + exclude_root_ou = length(local.root_org_unit) > 0 ? contains(var.exclude_ouids, local.root_org_unit[0]) : false } @@ -139,15 +139,15 @@ locals { # case1 - if old method is used where ONLY org_units is provided, this configuration is a noop local.check_old_ouid_param ? ( "NONE" - ) : ( + ) : ( # case2 - if only included accounts provided, include those accts as well var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? ( "UNION" - ) : ( + ) : ( # case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts - var.is_organizational && length(var.include_accounts) == 0 && ( length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only" ) ? ( + var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? ( "DIFFERENCE" - ) : ( + ) : ( # case4 - if both include and exclude accounts are provided, includes override excludes var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? ( "MIXED" 
@@ -157,30 +157,30 @@ locals { ) ) - ou_accounts_to_exclude = flatten([ for ou_accounts in data.aws_organizations_organizational_unit_descendant_accounts.ou_accounts_to_exclude: [ ou_accounts.accounts[*].id ] ]) - accounts_to_exclude = setunion(local.ou_accounts_to_exclude, var.exclude_accounts) + ou_accounts_to_exclude = flatten([for ou_accounts in data.aws_organizations_organizational_unit_descendant_accounts.ou_accounts_to_exclude : [ou_accounts.accounts[*].id]]) + accounts_to_exclude = setunion(local.ou_accounts_to_exclude, var.exclude_accounts) # switch cases for various user provided accounts configuration to be onboarded deployment_account_options = { NONE = { - accounts_to_deploy = [] + accounts_to_deploy = [] account_filter_type = "NONE" } UNION = { - accounts_to_deploy = var.include_accounts + accounts_to_deploy = var.include_accounts account_filter_type = "UNION" } DIFFERENCE = { - accounts_to_deploy = local.accounts_to_exclude + accounts_to_deploy = local.accounts_to_exclude account_filter_type = "DIFFERENCE" } MIXED = { - accounts_to_deploy = var.include_accounts + accounts_to_deploy = var.include_accounts account_filter_type = "UNION" } default = { # default when neither of include/exclude accounts are provided - accounts_to_deploy = [] + accounts_to_deploy = [] account_filter_type = "NONE" } } 
@@ -197,6 +197,6 @@ locals { # XXX: due to AWS bug of not having UNION filter fully working, there is no way to add those extra accounts requested. # to not miss out on those extra accounts, deploy the cloud resources across entire org and noop the UNION filter. # i.e till we can't deploy UNION, we deploy it all - deployment_targets_org_units = local.deployment_targets_accounts.account_filter_type == "UNION" ? local.root_org_unit : local.deployment_targets_ous.org_units_to_deploy + deployment_targets_org_units = local.deployment_targets_accounts.account_filter_type == "UNION" ? local.root_org_unit : local.deployment_targets_ous.org_units_to_deploy deployment_targets_accounts_filter = local.deployment_targets_accounts.account_filter_type == "UNION" ? "NONE" : local.deployment_targets_accounts.account_filter_type } diff --git a/modules/integrations/cross-account-event-bridge/main.tf b/modules/integrations/cross-account-event-bridge/main.tf index d7617ef..b12dacd 100644 --- a/modules/integrations/cross-account-event-bridge/main.tf +++ b/modules/integrations/cross-account-event-bridge/main.tf @@ -204,7 +204,7 @@ resource "aws_iam_role_policy" "event_bus_invoke_remote_event_bus_policy" { # Target forwards all CloudTrail events to Sysdig's EventBridge Bus. # See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target#cross-account-event-bus-target # -# Note: self-managed stacksets require pair of StackSetAdministrationRole & StackSetExecutionRole IAM roles with self-managed permissions +# Note: self-managed stacksets require pair of StackSetAdministrationRole & StackSetExecutionRole IAM roles with self-managed permissions #----------------------------------------------------------------------------------------------------------------------------------------- resource "aws_cloudformation_stack_set" "primary-acc-stackset" { 
diff --git a/modules/integrations/event-bridge/locals.tf b/modules/integrations/event-bridge/locals.tf index c5cd52e..982499c 100644 --- a/modules/integrations/event-bridge/locals.tf +++ b/modules/integrations/event-bridge/locals.tf @@ -9,10 +9,10 @@ data "aws_organizations_organization" "org" { locals { # check if both old and new org parameters are provided, we fail early both_org_configuration_params = var.is_organizational && length(var.org_units) > 0 && ( - length(var.include_ouids) > 0 || - length(var.exclude_ouids) > 0 || - length(var.include_accounts) > 0 || - length(var.exclude_accounts) > 0 + length(var.include_ouids) > 0 || + length(var.exclude_ouids) > 0 || + length(var.include_accounts) > 0 || + length(var.exclude_accounts) > 0 ) # check if old org_units parameter is provided, for backwards compatibility we will always give preference to it @@ -25,14 +25,14 @@ locals { check "validate_org_configuration_params" { assert { - condition = length(var.org_units) == 0 # if this condition is false we throw warning + condition = length(var.org_units) == 0 # if this condition is false we throw warning error_message = <<-EOT WARNING: TO BE DEPRECATED 'org_units' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead. EOT } assert { - condition = !local.both_org_configuration_params # if this condition is false we throw error + condition = !local.both_org_configuration_params # if this condition is false we throw error error_message = <<-EOT ERROR: If both org_units and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated, ONLY org_units will be considered. Please use only one of the two methods. 
@@ -70,19 +70,19 @@ locals { # case1 - if old method is used where ONLY org_units is provided, use those local.check_old_ouid_param ? ( "old_ouid_param" - ) : ( + ) : ( # case2 - if no include/exclude ous provided, include entire org var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? ( "entire_org" - ) : ( + ) : ( # case3 - if only included ouids provided, include those ous only var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? ( "included_ous_only" - ) : ( + ) : ( # case4 - if only excluded ouids provided, exclude their accounts from rest of org var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? ( "excluded_ous_only" - ) : ( + ) : ( # case5 - if both include and exclude ouids are provided, includes override excludes var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? ( "mixed_ous" @@ -99,7 +99,7 @@ locals { org_units_to_deploy = var.org_units } entire_org = { - org_units_to_deploy = local.root_org_unit + org_units_to_deploy = local.root_org_unit } included_ous_only = { org_units_to_deploy = var.include_ouids @@ -119,7 +119,7 @@ locals { # final targets to deploy organizational resources in deployment_targets_ous = lookup(local.deployment_options, local.org_configuration, local.deployment_options.default) - + exclude_root_ou = length(local.root_org_unit) > 0 ? contains(var.exclude_ouids, local.root_org_unit[0]) : false } 
@@ -139,15 +139,15 @@ locals { # case1 - if old method is used where ONLY org_units is provided, this configuration is a noop local.check_old_ouid_param ? ( "NONE" - ) : ( + ) : ( # case2 - if only included accounts provided, include those accts as well var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? ( "UNION" - ) : ( + ) : ( # case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts - var.is_organizational && length(var.include_accounts) == 0 && ( length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only" ) ? ( + var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? ( "DIFFERENCE" - ) : ( + ) : ( # case4 - if both include and exclude accounts are provided, includes override excludes var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? ( "MIXED" 
@@ -157,30 +157,30 @@ locals { ) ) - ou_accounts_to_exclude = flatten([ for ou_accounts in data.aws_organizations_organizational_unit_descendant_accounts.ou_accounts_to_exclude: [ ou_accounts.accounts[*].id ] ]) - accounts_to_exclude = setunion(local.ou_accounts_to_exclude, var.exclude_accounts) + ou_accounts_to_exclude = flatten([for ou_accounts in data.aws_organizations_organizational_unit_descendant_accounts.ou_accounts_to_exclude : [ou_accounts.accounts[*].id]]) + accounts_to_exclude = setunion(local.ou_accounts_to_exclude, var.exclude_accounts) # switch cases for various user provided accounts configuration to be onboarded deployment_account_options = { NONE = { - accounts_to_deploy = [] + accounts_to_deploy = [] account_filter_type = "NONE" } UNION = { - accounts_to_deploy = var.include_accounts + accounts_to_deploy = var.include_accounts account_filter_type = "UNION" } DIFFERENCE = { - accounts_to_deploy = local.accounts_to_exclude + accounts_to_deploy = local.accounts_to_exclude account_filter_type = "DIFFERENCE" } MIXED = { - accounts_to_deploy = var.include_accounts + accounts_to_deploy = var.include_accounts account_filter_type = "UNION" } default = { # default when neither of include/exclude accounts are provided - accounts_to_deploy = [] + accounts_to_deploy = [] account_filter_type = "NONE" } } 
@@ -197,6 +197,6 @@ locals { # XXX: due to AWS bug of not having UNION filter fully working, there is no way to add those extra accounts requested. # to not miss out on those extra accounts, deploy the cloud resources across entire org and noop the UNION filter. # i.e till we can't deploy UNION, we deploy it all - deployment_targets_org_units = local.deployment_targets_accounts.account_filter_type == "UNION" ? local.root_org_unit : local.deployment_targets_ous.org_units_to_deploy + deployment_targets_org_units = local.deployment_targets_accounts.account_filter_type == "UNION" ? local.root_org_unit : local.deployment_targets_ous.org_units_to_deploy deployment_targets_accounts_filter = local.deployment_targets_accounts.account_filter_type == "UNION" ? "NONE" : local.deployment_targets_accounts.account_filter_type -} \ No newline at end of file +} diff --git a/modules/integrations/event-bridge/main.tf b/modules/integrations/event-bridge/main.tf index 815a711..29b5922 100644 --- a/modules/integrations/event-bridge/main.tf +++ b/modules/integrations/event-bridge/main.tf @@ -15,9 +15,9 @@ data "aws_caller_identity" "current" {} data "sysdig_secure_cloud_ingestion_assets" "assets" { - cloud_provider = "aws" - cloud_provider_id = data.aws_caller_identity.current.account_id - component_type = local.component_type + cloud_provider = "aws" + cloud_provider_id = data.aws_caller_identity.current.account_id + component_type = local.component_type } data "sysdig_secure_trusted_cloud_identity" "trusted_identity" { 
@@ -27,12 +27,12 @@ data "sysdig_secure_trusted_cloud_identity" "trusted_identity" { data "sysdig_secure_tenant_external_id" "external_id" {} locals { - region_set = toset(var.regions) - trusted_identity = var.is_gov_cloud_onboarding ? data.sysdig_secure_trusted_cloud_identity.trusted_identity.gov_identity : data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity - arn_prefix = var.is_gov_cloud_onboarding ? "arn:aws-us-gov" : "arn:aws" - component_type = "COMPONENT_WEBHOOK_DATASOURCE" - account_id_hash = substr(md5(data.aws_caller_identity.current.account_id), 0, 4) - eb_resource_name = "${var.name}-${random_id.suffix.hex}-${local.account_id_hash}" + region_set = toset(var.regions) + trusted_identity = var.is_gov_cloud_onboarding ? data.sysdig_secure_trusted_cloud_identity.trusted_identity.gov_identity : data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity + arn_prefix = var.is_gov_cloud_onboarding ? "arn:aws-us-gov" : "arn:aws" + component_type = "COMPONENT_WEBHOOK_DATASOURCE" + account_id_hash = substr(md5(data.aws_caller_identity.current.account_id), 0, 4) + eb_resource_name = "${var.name}-${random_id.suffix.hex}-${local.account_id_hash}" } #----------------------------------------------------------------------------------------------------------------------- @@ -199,7 +199,7 @@ resource "aws_iam_role_policy" "event_bridge_api_destination_policy" { Action = [ "cloudwatch:GetMetricStatistics" ] - Effect = "Allow" + Effect = "Allow" Resource = "*" } ] 
@@ -215,7 +215,7 @@ resource "aws_iam_role_policy" "event_bridge_api_destination_policy" { # 2. API Destination - Forwards events to Sysdig's webhook ingestion endpoint # 3. EventBridge Rule - Captures events matching the specified pattern and targets the API destination # -# Note: self-managed stacksets require pair of StackSetAdministrationRole & StackSetExecutionRole IAM roles with self-managed permissions +# Note: self-managed stacksets require pair of StackSetAdministrationRole & StackSetExecutionRole IAM roles with self-managed permissions #----------------------------------------------------------------------------------------------------------------------------------------- resource "aws_cloudformation_stack_set" "eb_rule_and_api_dest_stackset" { name = join("-", [local.eb_resource_name, "EBRuleAndApiDestination"]) @@ -251,9 +251,9 @@ resource "aws_cloudformation_stack_set" "eb_rule_and_api_dest_stackset" { } resource "aws_cloudformation_stack_set_instance" "eb_rule_and_api_dest_stackset_instance" { - for_each = local.region_set + for_each = local.region_set stack_set_instance_region = each.key - stack_set_name = aws_cloudformation_stack_set.eb_rule_and_api_dest_stackset.name + stack_set_name = aws_cloudformation_stack_set.eb_rule_and_api_dest_stackset.name operation_preferences { max_concurrent_percentage = 100 diff --git a/modules/integrations/event-bridge/organizational.tf b/modules/integrations/event-bridge/organizational.tf index f8f3ca4..8b1d1e3 100644 --- a/modules/integrations/event-bridge/organizational.tf +++ b/modules/integrations/event-bridge/organizational.tf 
@@ -57,10 +57,10 @@ resource "aws_cloudformation_stack_set" "eb_role_stackset" { } template_body = templatefile("${path.module}/stackset_template_org_policies.tpl", { - name = local.eb_resource_name + name = local.eb_resource_name trusted_identity = local.trusted_identity - external_id = data.sysdig_secure_tenant_external_id.external_id.external_id - arn_prefix = local.arn_prefix + external_id = data.sysdig_secure_tenant_external_id.external_id.external_id + arn_prefix = local.arn_prefix }) } @@ -70,8 +70,8 @@ resource "aws_cloudformation_stack_set_instance" "eb_rule_api_dest_instance" { "${pair[0]}-${pair[1]}" => pair } : {} - stack_set_instance_region = each.value[0] - stack_set_name = aws_cloudformation_stack_set.eb_rule_api_dest_stackset[0].name + stack_set_instance_region = each.value[0] + stack_set_name = aws_cloudformation_stack_set.eb_rule_api_dest_stackset[0].name deployment_targets { organizational_unit_ids = [each.value[1]] accounts = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy) diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md index a6749f1..139c4fd 100644 --- a/modules/onboarding/README.md +++ b/modules/onboarding/README.md @@ -93,4 +93,3 @@ Module is maintained by [Sysdig](https://sysdig.com). ## License Apache 2 Licensed. See LICENSE for full details. - diff --git a/modules/onboarding/locals.tf b/modules/onboarding/locals.tf index 6580adb..0cb7aac 100644 --- a/modules/onboarding/locals.tf +++ b/modules/onboarding/locals.tf 
@@ -9,10 +9,10 @@ data "aws_organizations_organization" "org" { locals { # check if both old and new org parameters are used, we fail early both_org_configuration_params = var.is_organizational && length(var.organizational_unit_ids) > 0 && ( - length(var.include_ouids) > 0 || - length(var.exclude_ouids) > 0 || - length(var.include_accounts) > 0 || - length(var.exclude_accounts) > 0 + length(var.include_ouids) > 0 || + length(var.exclude_ouids) > 0 || + length(var.include_accounts) > 0 || + length(var.exclude_accounts) > 0 ) # check if old organizational_unit_ids parameter is provided, for backwards compatibility we will always give preference to it @@ -25,14 +25,14 @@ locals { check "validate_org_configuration_params" { assert { - condition = length(var.organizational_unit_ids) == 0 # if this condition is false we throw warning + condition = length(var.organizational_unit_ids) == 0 # if this condition is false we throw warning error_message = <<-EOT WARNING: TO BE DEPRECATED 'organizational_unit_ids' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead. EOT } assert { - condition = !local.both_org_configuration_params # if this condition is false we throw error + condition = !local.both_org_configuration_params # if this condition is false we throw error error_message = <<-EOT ERROR: If both organizational_unit_ids and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated, ONLY organizational_unit_ids will be considered. Please use only one of the two methods. 
@@ -70,19 +70,19 @@ locals { # case1 - if old method is used where ONLY organizational_unit_ids is provided, use those local.check_old_ouid_param ? ( "old_ouid_param" - ) : ( + ) : ( # case2 - if no include/exclude ous provided, include entire org var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? ( "entire_org" - ) : ( + ) : ( # case3 - if only included ouids provided, include those ous only var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? ( "included_ous_only" - ) : ( + ) : ( # case4 - if only excluded ouids provided, exclude their accounts from rest of org var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? ( "excluded_ous_only" - ) : ( + ) : ( # case5 - if both include and exclude ouids are provided, includes override excludes var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? ( "mixed_ous" @@ -99,7 +99,7 @@ locals { org_units_to_deploy = var.organizational_unit_ids } entire_org = { - org_units_to_deploy = local.root_org_unit + org_units_to_deploy = local.root_org_unit } included_ous_only = { org_units_to_deploy = var.include_ouids @@ -119,7 +119,7 @@ locals { # final targets to deploy organizational resources in deployment_targets_ous = lookup(local.deployment_options, local.org_configuration, local.deployment_options.default) - + exclude_root_ou = length(local.root_org_unit) > 0 ? contains(var.exclude_ouids, local.root_org_unit[0]) : false } 
@@ -139,15 +139,15 @@ locals { # case1 - if old method is used where ONLY organizational_unit_ids is provided, this configuration is a noop local.check_old_ouid_param ? ( "NONE" - ) : ( + ) : ( # case2 - if only included accounts provided, include those accts as well var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? ( "UNION" - ) : ( + ) : ( # case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts - var.is_organizational && length(var.include_accounts) == 0 && ( length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only" ) ? ( + var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? ( "DIFFERENCE" - ) : ( + ) : ( # case4 - if both include and exclude accounts are provided, includes override excludes var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? ( "MIXED" 
@@ -157,30 +157,30 @@ locals { ) ) - ou_accounts_to_exclude = flatten([ for ou_accounts in data.aws_organizations_organizational_unit_descendant_accounts.ou_accounts_to_exclude: [ ou_accounts.accounts[*].id ] ]) - accounts_to_exclude = setunion(local.ou_accounts_to_exclude, var.exclude_accounts) + ou_accounts_to_exclude = flatten([for ou_accounts in data.aws_organizations_organizational_unit_descendant_accounts.ou_accounts_to_exclude : [ou_accounts.accounts[*].id]]) + accounts_to_exclude = setunion(local.ou_accounts_to_exclude, var.exclude_accounts) # switch cases for various user provided accounts configuration to be onboarded deployment_account_options = { NONE = { - accounts_to_deploy = [] + accounts_to_deploy = [] account_filter_type = "NONE" } UNION = { - accounts_to_deploy = var.include_accounts + accounts_to_deploy = var.include_accounts account_filter_type = "UNION" } DIFFERENCE = { - accounts_to_deploy = local.accounts_to_exclude + accounts_to_deploy = local.accounts_to_exclude account_filter_type = "DIFFERENCE" } MIXED = { - accounts_to_deploy = var.include_accounts + accounts_to_deploy = var.include_accounts account_filter_type = "UNION" } default = { # default when neither of include/exclude accounts are provided - accounts_to_deploy = [] + accounts_to_deploy = [] account_filter_type = "NONE" } } 
@@ -197,6 +197,6 @@ locals { # XXX: due to AWS bug of not having UNION filter fully working, there is no way to add those extra accounts requested. # to not miss out on those extra accounts, deploy the cloud resources across entire org and noop the UNION filter. # i.e till we can't deploy UNION, we deploy it all - deployment_targets_org_units = local.deployment_targets_accounts.account_filter_type == "UNION" ? local.root_org_unit : local.deployment_targets_ous.org_units_to_deploy + deployment_targets_org_units = local.deployment_targets_accounts.account_filter_type == "UNION" ? local.root_org_unit : local.deployment_targets_ous.org_units_to_deploy deployment_targets_accounts_filter = local.deployment_targets_accounts.account_filter_type == "UNION" ? "NONE" : local.deployment_targets_accounts.account_filter_type -} \ No newline at end of file +} diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf index 5c2ed00..3de1e0e 100644 --- a/modules/onboarding/main.tf +++ b/modules/onboarding/main.tf @@ -56,8 +56,8 @@ EOF } resource "aws_iam_role_policy" "onboarding_role_policy" { - name = local.onboarding_role_name - role = aws_iam_role.onboarding_role.id + name = local.onboarding_role_name + role = aws_iam_role.onboarding_role.id policy = jsonencode({ Statement = [ { @@ -66,7 +66,7 @@ resource "aws_iam_role_policy" "onboarding_role_policy" { "account:Get*", "account:List*", ] - Effect = "Allow" + Effect = "Allow" Resource = "*" }, ] 
@@ -84,11 +84,11 @@ resource "aws_iam_role_policy_attachments_exclusive" "onboarding_role_managed_po data "aws_caller_identity" "current" {} resource "sysdig_secure_cloud_auth_account" "cloud_auth_account" { - enabled = true - provider_id = data.aws_caller_identity.current.account_id - provider_type = "PROVIDER_AWS" - provider_alias = var.account_alias - provider_partition = var.is_gov_cloud_onboarding ? "PROVIDER_PARTITION_AWS_GOVCLOUD" : "" + enabled = true + provider_id = data.aws_caller_identity.current.account_id + provider_type = "PROVIDER_AWS" + provider_alias = var.account_alias + provider_partition = var.is_gov_cloud_onboarding ? "PROVIDER_PARTITION_AWS_GOVCLOUD" : "" component { type = "COMPONENT_TRUSTED_ROLE" diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf index 6cf22d2..c621318 100644 --- a/modules/onboarding/organizational.tf +++ b/modules/onboarding/organizational.tf @@ -8,7 +8,7 @@ resource "aws_cloudformation_stack_set" "stackset" { name = local.onboarding_role_name tags = var.tags permission_model = "SERVICE_MANAGED" - capabilities = ["CAPABILITY_NAMED_IAM"] + capabilities = ["CAPABILITY_NAMED_IAM"] managed_execution { active = true @@ -57,7 +57,7 @@ resource "aws_cloudformation_stack_set_instance" "stackset_instance" { for_each = var.is_organizational ? toset(local.deployment_targets_org_units) : [] stack_set_instance_region = var.region == "" ? null : var.region - stack_set_name = aws_cloudformation_stack_set.stackset[0].name + stack_set_name = aws_cloudformation_stack_set.stackset[0].name deployment_targets { organizational_unit_ids = [each.value] accounts = local.check_old_ouid_param ? null : (local.deployment_targets_accounts_filter == "NONE" ? null : local.deployment_targets_accounts.accounts_to_deploy) diff --git a/modules/onboarding/outputs.tf b/modules/onboarding/outputs.tf index 7b5a4c9..0269a43 100644 --- a/modules/onboarding/outputs.tf +++ b/modules/onboarding/outputs.tf 
@@ -20,20 +20,20 @@ output "is_gov_cloud_onboarding" { output "include_ouids" { description = "ouids to include for organization" - value = var.include_ouids + value = var.include_ouids } output "exclude_ouids" { description = "ouids to exclude for organization" - value = var.exclude_ouids + value = var.exclude_ouids } output "include_accounts" { description = "accounts to include for organization" - value = var.include_accounts + value = var.include_accounts } output "exclude_accounts" { description = "accounts to exclude for organization" - value = var.exclude_accounts -} \ No newline at end of file + value = var.exclude_accounts +} diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf index 0dba8bc..94a8696 100644 --- a/modules/onboarding/variables.tf +++ b/modules/onboarding/variables.tf @@ -85,4 +85,4 @@ variable "enable_automatic_onboarding" { type = bool default = false description = "true/false whether Sysdig should automatically discover latest set of accounts in onboarded organization or not" -} \ No newline at end of file +} diff --git a/modules/onboarding/versions.tf b/modules/onboarding/versions.tf index 9a69a51..3f5445e 100644 --- a/modules/onboarding/versions.tf +++ b/modules/onboarding/versions.tf @@ -15,4 +15,3 @@ terraform { } } } - diff --git a/modules/vm-workload-scanning/README.md b/modules/vm-workload-scanning/README.md index 9d69f28..e4226c2 100644 --- a/modules/vm-workload-scanning/README.md +++ b/modules/vm-workload-scanning/README.md 
@@ -1,7 +1,7 @@ # AWS VM Workload Scanning Module This Module creates the resources required to perform agentless workload scanning operations. -By default, it will create a role with permissions necessary to access and pull ECR images in the account where it is deployed. +By default, it will create a role with permissions necessary to access and pull ECR images in the account where it is deployed. Combined with the base onboarding, this allows for scanning ECS Services and Tasks pointing to ECR images. Also public docker images and private repos are supported, as long as private repository permissions are granted to Sysdig using the Registry Credentials UI. diff --git a/modules/vm-workload-scanning/locals.tf b/modules/vm-workload-scanning/locals.tf index 68e173a..fb28a23 100644 --- a/modules/vm-workload-scanning/locals.tf +++ b/modules/vm-workload-scanning/locals.tf @@ -23,10 +23,10 @@ data "aws_organizations_organization" "org" { locals { # check if both old and new org parameters are used, we fail early both_org_configuration_params = var.is_organizational && length(var.organizational_unit_ids) > 0 && ( - length(var.include_ouids) > 0 || - length(var.exclude_ouids) > 0 || - length(var.include_accounts) > 0 || - length(var.exclude_accounts) > 0 + length(var.include_ouids) > 0 || + length(var.exclude_ouids) > 0 || + length(var.include_accounts) > 0 || + length(var.exclude_accounts) > 0 ) # check if old organizational_unit_ids parameter is provided, for backwards compatibility we will always give preference to it 
@@ -39,14 +39,14 @@ locals { check "validate_org_configuration_params" { assert { - condition = length(var.organizational_unit_ids) == 0 # if this condition is false we throw warning + condition = length(var.organizational_unit_ids) == 0 # if this condition is false we throw warning error_message = <<-EOT WARNING: TO BE DEPRECATED 'organizational_unit_ids' on 30th November, 2025. Please work with Sysdig to migrate your Terraform installs to use 'include_ouids' instead. EOT } assert { - condition = !local.both_org_configuration_params # if this condition is false we throw error + condition = !local.both_org_configuration_params # if this condition is false we throw error error_message = <<-EOT ERROR: If both organizational_unit_ids and include_ouids/exclude_ouids/include_accounts/exclude_accounts variables are populated, ONLY organizational_unit_ids will be considered. Please use only one of the two methods. @@ -84,19 +84,19 @@ locals { # case1 - if old method is used where ONLY organizational_unit_ids is provided, use those local.check_old_ouid_param ? ( "old_ouid_param" - ) : ( + ) : ( # case2 - if no include/exclude ous provided, include entire org var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) == 0 ? ( "entire_org" - ) : ( + ) : ( # case3 - if only included ouids provided, include those ous only var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) == 0 ? ( "included_ous_only" - ) : ( + ) : ( # case4 - if only excluded ouids provided, exclude their accounts from rest of org var.is_organizational && length(var.include_ouids) == 0 && length(var.exclude_ouids) > 0 ? ( "excluded_ous_only" - ) : ( + ) : ( # case5 - if both include and exclude ouids are provided, includes override excludes var.is_organizational && length(var.include_ouids) > 0 && length(var.exclude_ouids) > 0 ? ( "mixed_ous" 
@@ -113,7 +113,7 @@ locals { org_units_to_deploy = var.organizational_unit_ids } entire_org = { - org_units_to_deploy = local.root_org_unit + org_units_to_deploy = local.root_org_unit } included_ous_only = { org_units_to_deploy = var.include_ouids @@ -154,15 +154,15 @@ locals { # case1 - if old method is used where ONLY organizational_unit_ids is provided, this configuration is a noop local.check_old_ouid_param ? ( "NONE" - ) : ( + ) : ( # case2 - if only included accounts provided, include those accts as well var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) == 0 ? ( "UNION" - ) : ( + ) : ( # case3 - if only excluded accounts or only excluded ouids provided, exclude those accounts - var.is_organizational && length(var.include_accounts) == 0 && ( length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only" ) ? ( + var.is_organizational && length(var.include_accounts) == 0 && (length(var.exclude_accounts) > 0 || local.org_configuration == "excluded_ous_only") ? ( "DIFFERENCE" - ) : ( + ) : ( # case4 - if both include and exclude accounts are provided, includes override excludes var.is_organizational && length(var.include_accounts) > 0 && length(var.exclude_accounts) > 0 ? ( "MIXED" 
@@ -172,30 +172,30 @@ locals { ) ) - ou_accounts_to_exclude = flatten([ for ou_accounts in data.aws_organizations_organizational_unit_descendant_accounts.ou_accounts_to_exclude: [ ou_accounts.accounts[*].id ] ]) - accounts_to_exclude = setunion(local.ou_accounts_to_exclude, var.exclude_accounts) + ou_accounts_to_exclude = flatten([for ou_accounts in data.aws_organizations_organizational_unit_descendant_accounts.ou_accounts_to_exclude : [ou_accounts.accounts[*].id]]) + accounts_to_exclude = setunion(local.ou_accounts_to_exclude, var.exclude_accounts) # switch cases for various user provided accounts configuration to be onboarded deployment_account_options = { NONE = { - accounts_to_deploy = [] + accounts_to_deploy = [] account_filter_type = "NONE" } UNION = { - accounts_to_deploy = var.include_accounts + accounts_to_deploy = var.include_accounts account_filter_type = "UNION" } DIFFERENCE = { - accounts_to_deploy = local.accounts_to_exclude + accounts_to_deploy = local.accounts_to_exclude account_filter_type = "DIFFERENCE" } MIXED = { - accounts_to_deploy = var.include_accounts + accounts_to_deploy = var.include_accounts account_filter_type = "UNION" } default = { # default when neither of include/exclude accounts are provided - accounts_to_deploy = [] + accounts_to_deploy = [] account_filter_type = "NONE" } } 
@@ -212,6 +212,6 @@ locals { # XXX: due to AWS bug of not having UNION filter fully working, there is no way to add those extra accounts requested. # to not miss out on those extra accounts, deploy the cloud resources across entire org and noop the UNION filter. # i.e till we can't deploy UNION, we deploy it all - deployment_targets_org_units = local.deployment_targets_accounts.account_filter_type == "UNION" ? local.root_org_unit : local.deployment_targets_ous.org_units_to_deploy + deployment_targets_org_units = local.deployment_targets_accounts.account_filter_type == "UNION" ? local.root_org_unit : local.deployment_targets_ous.org_units_to_deploy deployment_targets_accounts_filter = local.deployment_targets_accounts.account_filter_type == "UNION" ? "NONE" : local.deployment_targets_accounts.account_filter_type -} \ No newline at end of file +} diff --git a/modules/vm-workload-scanning/main.tf b/modules/vm-workload-scanning/main.tf index 0636e71..89ce3de 100644 --- a/modules/vm-workload-scanning/main.tf +++ b/modules/vm-workload-scanning/main.tf @@ -134,9 +134,9 @@ resource "aws_iam_policy_attachment" "functions" { resource "sysdig_secure_cloud_auth_account_component" "vm_workload_scanning_account_component" { account_id = var.sysdig_secure_account_id - type = "COMPONENT_TRUSTED_ROLE" - instance = "secure-vm-workload-scanning" - version = "v0.1.0" + type = "COMPONENT_TRUSTED_ROLE" + instance = "secure-vm-workload-scanning" + version = "v0.1.0" trusted_role_metadata = jsonencode({ aws = { role_name = aws_iam_role.scanning.name diff --git a/test/examples/organization/agentless_scanning.tf b/test/examples/organization/agentless_scanning.tf index 6b3eb90..3a9c382 100644 --- a/test/examples/organization/agentless_scanning.tf +++ b/test/examples/organization/agentless_scanning.tf 
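Review bot: The `deployment_targets_org_units` expression on the new side falls back to `local.root_org_unit` whenever the account filter is `UNION`, so an operator who passes `include_accounts` to narrow an organizational install actually gets the scanning role created in every account of the organization; the XXX comment records the AWS limitation, but nothing surfaces it to the person running the plan. Because that is a least-privilege concern (a role trusted by an external party lands in accounts the operator never listed), I would add a warning-level `check` block alongside the existing `validate_org_configuration_params` checks and state the same caveat in the `include_accounts` variable description. The enclosing `locals` block starts before this hunk.
```hcl
# … unchanged: deployment_targets_* locals …

check "validate_union_account_filter" {
  assert {
    # Warning only: the UNION filter is not applied today, so include_accounts widens the deployment to the whole org.
    condition     = local.deployment_targets_accounts.account_filter_type != "UNION"
    error_message = "WARNING: include_accounts currently deploys the scanning resources to the entire organization (AWS UNION filter limitation); review the target accounts before applying."
  }
}
```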
@@ -12,8 +12,8 @@ module "agentless-scanning" { # org_units = module.onboarding.organizational_unit_ids # include/exclude org install params - include_ouids = module.onboarding.include_ouids - exclude_ouids = module.onboarding.exclude_ouids + include_ouids = module.onboarding.include_ouids + exclude_ouids = module.onboarding.exclude_ouids include_accounts = module.onboarding.include_accounts exclude_accounts = module.onboarding.exclude_accounts } @@ -24,4 +24,4 @@ resource "sysdig_secure_cloud_auth_account_feature" "agentless_scanning" { enabled = true components = [module.agentless-scanning.scanning_role_component_id, module.agentless-scanning.crypto_key_component_id] depends_on = [module.agentless-scanning] -} \ No newline at end of file +} diff --git a/test/examples/organization/cloud_logs_gov.tf b/test/examples/organization/cloud_logs_gov.tf index d34838c..078e787 100644 --- a/test/examples/organization/cloud_logs_gov.tf +++ b/test/examples/organization/cloud_logs_gov.tf @@ -24,7 +24,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc enabled = true components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.cloud-logs.cloud_logs_component_id]) depends_on = [module.cloud-logs, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic] - flags = {"CIEM_FEATURE_MODE": "advanced"} + flags = { "CIEM_FEATURE_MODE" : "advanced" } lifecycle { ignore_changes = [flags, components] diff --git a/test/examples/organization/event_bridge.tf b/test/examples/organization/event_bridge.tf index dfbe851..08a6aeb 100644 --- a/test/examples/organization/event_bridge.tf +++ b/test/examples/organization/event_bridge.tf 
@@ -12,8 +12,8 @@ module "event-bridge" { # org_units = module.onboarding.organizational_unit_ids # include/exclude org install params - include_ouids = module.onboarding.include_ouids - exclude_ouids = module.onboarding.exclude_ouids + include_ouids = module.onboarding.include_ouids + exclude_ouids = module.onboarding.exclude_ouids include_accounts = module.onboarding.include_accounts exclude_accounts = module.onboarding.exclude_accounts } @@ -32,7 +32,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc enabled = true components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.event-bridge.event_bridge_component_id]) depends_on = [module.event-bridge, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic] - flags = {"CIEM_FEATURE_MODE": "advanced"} + flags = { "CIEM_FEATURE_MODE" : "advanced" } lifecycle { ignore_changes = [flags, components] diff --git a/test/examples/organization/event_bridge_gov.tf b/test/examples/organization/event_bridge_gov.tf index c6f7137..7ade5c6 100644 --- a/test/examples/organization/event_bridge_gov.tf +++ b/test/examples/organization/event_bridge_gov.tf @@ -26,7 +26,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc enabled = true components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.event-bridge.event_bridge_component_id]) depends_on = [module.event-bridge, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic] - flags = {"CIEM_FEATURE_MODE": "advanced"} + flags = { "CIEM_FEATURE_MODE" : "advanced" } lifecycle { ignore_changes = [flags, components] diff --git a/test/examples/organization/onboarding_with_cspm.tf b/test/examples/organization/onboarding_with_cspm.tf index 773fbdf..060565e 100644 --- a/test/examples/organization/onboarding_with_cspm.tf +++ b/test/examples/organization/onboarding_with_cspm.tf 
@@ -9,7 +9,7 @@ terraform { provider "sysdig" { sysdig_secure_url = "https://secure-staging.sysdig.com" - sysdig_secure_api_token = "" + sysdig_secure_api_token = "" } provider "aws" { @@ -18,13 +18,13 @@ provider "aws" { } module "onboarding" { - source = "../../../modules/onboarding" - is_organizational = true + source = "../../../modules/onboarding" + is_organizational = true # legacy org install # organizational_unit_ids = ["ou-ks5g-dofso0kc"] # include/exclude org install params - include_ouids = ["ou-1", "ou-2"] + include_ouids = ["ou-1", "ou-2"] exclude_accounts = ["123456789101", "123456789101", "123456789101", "123456789101"] include_accounts = ["123456789101", "123456789101"] @@ -40,8 +40,8 @@ module "config-posture" { # org_units = ["ou-ks5g-dofso0kc"] # include/exclude org install params - include_ouids = module.onboarding.include_ouids - exclude_ouids = module.onboarding.exclude_ouids + include_ouids = module.onboarding.include_ouids + exclude_ouids = module.onboarding.exclude_ouids include_accounts = module.onboarding.include_accounts exclude_accounts = module.onboarding.exclude_accounts } @@ -61,7 +61,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_basic" components = [module.config-posture.config_posture_component_id] depends_on = [module.config-posture, sysdig_secure_cloud_auth_account_feature.config_posture] flags = { - "CIEM_FEATURE_MODE": "basic" + "CIEM_FEATURE_MODE" : "basic" } lifecycle { diff --git a/test/examples/organization/onboarding_with_cspm_gov.tf b/test/examples/organization/onboarding_with_cspm_gov.tf index f166d0b..e7e7fa7 100644 --- a/test/examples/organization/onboarding_with_cspm_gov.tf +++ b/test/examples/organization/onboarding_with_cspm_gov.tf @@ -9,7 +9,7 @@ terraform { provider "sysdig" { sysdig_secure_url = "https://secure-staging.sysdig.com" - sysdig_secure_api_token = "" + sysdig_secure_api_token = "" } provider "aws" { 
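Review bot: The provider block on the new side still carries `sysdig_secure_api_token = ""` as an inline placeholder in a committed example; the empty string leaks nothing, but the pattern invites a contributor to paste a real token into the file and commit it, and unless a secret scanner is part of the pre-commit set nothing would catch that. I would drop the attribute so the provider reads the token from the environment (the Sysdig provider appears to honour `SYSDIG_SECURE_API_TOKEN`, which fits an .envrc-based workflow — confirm against the provider docs), or at minimum replace it with `# sysdig_secure_api_token is read from SYSDIG_SECURE_API_TOKEN; never commit a value here`. The same placeholder appears in the gov example hunk on this line and in the single-account examples. The `terraform` block preceding this provider starts outside the hunk.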
@@ -18,9 +18,9 @@ provider "aws" { } module "onboarding" { - source = "../../../modules/onboarding" + source = "../../../modules/onboarding" organizational_unit_ids = ["ou-ks5g-dofso0kc"] - is_organizational = true + is_organizational = true is_gov_cloud_onboarding = true } @@ -47,7 +47,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_basic" components = [module.config-posture.config_posture_component_id] depends_on = [module.config-posture, sysdig_secure_cloud_auth_account_feature.config_posture] flags = { - "CIEM_FEATURE_MODE": "basic" + "CIEM_FEATURE_MODE" : "basic" } lifecycle { diff --git a/test/examples/organization/vm-workload-scanning-ecs.tf b/test/examples/organization/vm-workload-scanning-ecs.tf index e05ef24..7fcc53d 100644 --- a/test/examples/organization/vm-workload-scanning-ecs.tf +++ b/test/examples/organization/vm-workload-scanning-ecs.tf @@ -1,13 +1,13 @@ module "vm_workload_scanning" { - source = "sysdiglabs/secure/aws//modules/vm-workload-scanning" + source = "sysdiglabs/secure/aws//modules/vm-workload-scanning" sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id is_organizational = module.onboarding.is_organizational # legacy org install # organizational_unit_ids = module.onboarding.organizational_unit_ids # include/exclude org install params - include_ouids = module.onboarding.include_ouids - exclude_ouids = module.onboarding.exclude_ouids + include_ouids = module.onboarding.include_ouids + exclude_ouids = module.onboarding.exclude_ouids include_accounts = module.onboarding.include_accounts exclude_accounts = module.onboarding.exclude_accounts } diff --git a/test/examples/organization/vm-workload-scanning-lambda.tf b/test/examples/organization/vm-workload-scanning-lambda.tf index e5e98e7..3691824 100644 --- a/test/examples/organization/vm-workload-scanning-lambda.tf +++ b/test/examples/organization/vm-workload-scanning-lambda.tf 
@@ -1,13 +1,13 @@ module "vm_workload_scanning" { - source = "sysdiglabs/secure/aws//modules/vm-workload-scanning" + source = "sysdiglabs/secure/aws//modules/vm-workload-scanning" sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id is_organizational = module.onboarding.is_organizational # legacy org install # organizational_unit_ids = module.onboarding.organizational_unit_ids # include/exclude org install params - include_ouids = module.onboarding.include_ouids - exclude_ouids = module.onboarding.exclude_ouids + include_ouids = module.onboarding.include_ouids + exclude_ouids = module.onboarding.exclude_ouids include_accounts = module.onboarding.include_accounts exclude_accounts = module.onboarding.exclude_accounts diff --git a/test/examples/single_account/agentless_scanning.tf b/test/examples/single_account/agentless_scanning.tf index 8f96ed8..5005706 100644 --- a/test/examples/single_account/agentless_scanning.tf +++ b/test/examples/single_account/agentless_scanning.tf @@ -15,4 +15,4 @@ resource "sysdig_secure_cloud_auth_account_feature" "agentless_scanning" { enabled = true components = [module.agentless-scanning.scanning_role_component_id, module.agentless-scanning.crypto_key_component_id] depends_on = [module.agentless-scanning] -} \ No newline at end of file +} diff --git a/test/examples/single_account/cloud_logs_gov.tf b/test/examples/single_account/cloud_logs_gov.tf index d34838c..078e787 100644 --- a/test/examples/single_account/cloud_logs_gov.tf +++ b/test/examples/single_account/cloud_logs_gov.tf 
@@ -24,7 +24,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc enabled = true components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.cloud-logs.cloud_logs_component_id]) depends_on = [module.cloud-logs, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic] - flags = {"CIEM_FEATURE_MODE": "advanced"} + flags = { "CIEM_FEATURE_MODE" : "advanced" } lifecycle { ignore_changes = [flags, components] diff --git a/test/examples/single_account/event_bridge.tf b/test/examples/single_account/event_bridge.tf index 702b236..dc622af 100644 --- a/test/examples/single_account/event_bridge.tf +++ b/test/examples/single_account/event_bridge.tf @@ -23,7 +23,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc enabled = true components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.event-bridge.event_bridge_component_id]) depends_on = [module.event-bridge, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic] - flags = {"CIEM_FEATURE_MODE": "advanced"} + flags = { "CIEM_FEATURE_MODE" : "advanced" } lifecycle { ignore_changes = [flags, components] diff --git a/test/examples/single_account/event_bridge_gov.tf b/test/examples/single_account/event_bridge_gov.tf index 98e32c2..5d08dc1 100644 --- a/test/examples/single_account/event_bridge_gov.tf +++ b/test/examples/single_account/event_bridge_gov.tf 
@@ -24,7 +24,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc enabled = true components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.event-bridge.event_bridge_component_id]) depends_on = [module.event-bridge, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic] - flags = {"CIEM_FEATURE_MODE": "advanced"} + flags = { "CIEM_FEATURE_MODE" : "advanced" } lifecycle { ignore_changes = [flags, components] diff --git a/test/examples/single_account/onboarding_with_cspm.tf b/test/examples/single_account/onboarding_with_cspm.tf index bd7010a..5bcfb9a 100644 --- a/test/examples/single_account/onboarding_with_cspm.tf +++ b/test/examples/single_account/onboarding_with_cspm.tf @@ -9,7 +9,7 @@ terraform { provider "sysdig" { sysdig_secure_url = "https://secure-staging.sysdig.com" - sysdig_secure_api_token = "" + sysdig_secure_api_token = "" } provider "aws" { @@ -18,7 +18,7 @@ provider "aws" { } module "onboarding" { - source = "../../../modules/onboarding" + source = "../../../modules/onboarding" } module "config-posture" { @@ -41,7 +41,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_basic" components = [module.config-posture.config_posture_component_id] depends_on = [module.config-posture, sysdig_secure_cloud_auth_account_feature.config_posture] flags = { - "CIEM_FEATURE_MODE": "basic" + "CIEM_FEATURE_MODE" : "basic" } lifecycle { diff --git a/test/examples/single_account/onboarding_with_cspm_gov.tf b/test/examples/single_account/onboarding_with_cspm_gov.tf index c67011d..b01befa 100644 --- a/test/examples/single_account/onboarding_with_cspm_gov.tf +++ b/test/examples/single_account/onboarding_with_cspm_gov.tf @@ -9,7 +9,7 @@ terraform { provider "sysdig" { sysdig_secure_url = "https://secure-staging.sysdig.com" - sysdig_secure_api_token = "" + sysdig_secure_api_token = "" } provider "aws" { 
@@ -43,7 +43,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_basic" components = [module.config-posture.config_posture_component_id] depends_on = [module.config-posture, sysdig_secure_cloud_auth_account_feature.config_posture] flags = { - "CIEM_FEATURE_MODE": "basic" + "CIEM_FEATURE_MODE" : "basic" } lifecycle { diff --git a/test/examples/single_account/vm-workload-scanning-ecs.tf b/test/examples/single_account/vm-workload-scanning-ecs.tf index 2c96d29..adcf4ba 100644 --- a/test/examples/single_account/vm-workload-scanning-ecs.tf +++ b/test/examples/single_account/vm-workload-scanning-ecs.tf @@ -1,5 +1,5 @@ module "vm_workload_scanning" { - source = "sysdiglabs/secure/aws//modules/vm-workload-scanning" + source = "sysdiglabs/secure/aws//modules/vm-workload-scanning" sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id } diff --git a/test/examples/single_account/vm-workload-scanning-lambda.tf b/test/examples/single_account/vm-workload-scanning-lambda.tf index 5540653..94ce1b9 100644 --- a/test/examples/single_account/vm-workload-scanning-lambda.tf +++ b/test/examples/single_account/vm-workload-scanning-lambda.tf @@ -1,5 +1,5 @@ module "vm_workload_scanning" { - source = "sysdiglabs/secure/aws//modules/vm-workload-scanning" + source = "sysdiglabs/secure/aws//modules/vm-workload-scanning" sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id