-
Notifications
You must be signed in to change notification settings - Fork 7
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: workload scanning initial commit
- Loading branch information
Showing
7 changed files
with
340 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,67 @@ | ||
# AWS Agentless Scanning Module | ||
|
||
This Module creates the resources required to perform agentless workload (ECR) scanning. | ||
|
||
The following resources will be created in each instrumented account: | ||
- An IAM Role and associated policies that allows Sysdig to perform tasks necessary for agentless workload scanning, i.e. | ||
pull images from ECR. | ||
|
||
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --> | ||
## Requirements | ||
|
||
| Name | Version | | ||
|------|-----------| | ||
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.2.0 | | ||
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.39.0 | | ||
|
||
## Providers | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.39.0 | | ||
|
||
## Modules | ||
|
||
No modules. | ||
|
||
## Resources | ||
|
||
| Name | Type | | ||
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------| | ||
| [aws_cloudformation_stack_set.scanning_role_stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource | | ||
| [aws_cloudformation_stack_set_registry.scanning_role_stackset_registry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource | | ||
| [aws_iam_policy.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | ||
| [aws_iam_policy_attachment.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | | ||
| [aws_iam_role.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | ||
| [aws_iam_policy_document.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | ||
| [aws_iam_policy_document.scanning_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | ||
| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source | | ||
|
||
## Inputs | ||
|
||
| Name | Description | Type | Default | Required | | ||
|------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|-------------------------------------------------------------|:--------:| | ||
| <a name="input_deploy_global_resources"></a> [deploy\_global\_resources](#input\_deploy\_global\_resources) | (Optional) Set this field to 'true' to deploy Agentless Scanning when deploying to the main region (Non Organization Setup) | `bool` | `false` | no | | ||
| <a name="input_external_id"></a> [external\_id](#input\_external\_id) | Random string generated unique to a customer | `string` | n/a | yes | | ||
| <a name="input_regions"></a> [regions](#input\_regions) | (Optional) List of regions in which to install Agentless Workload Scanning | `set(string)` | `[]` | no | | ||
| <a name="input_role_arn"></a> [role\_arn](#input\_role\_arn) | (Optional) The ARN of the role to be associated with the with regional resources. Must be set if deploy_global_resources is false | `string` | `""` | no | | ||
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy Agentless Workload Scanning to an AWS Organization (Or specific OUs) | `bool` | `false` | no | | ||
| <a name="input_name"></a> [name](#input\_name) | The name of the installation. Assigned to most child resource(s) | `string` | `"sysdig-workload-scanning"` | no | | ||
| <a name="input_org_units"></a> [org\_units](#input\_org\_units) | (Optional) List of Organization Unit IDs in which to setup Agentless Workload Scanning. By default, Agentless Workload Scanning will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false` | `set(string)` | `[]` | no | | ||
| <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | <pre>{<br> "product": "sysdig-secure-for-cloud"<br>}</pre> | no | | ||
| <a name="input_trusted_identity"></a> [trusted\_identity](#input\_trusted\_identity) | The name of sysdig trusted identity | `string` | n/a | yes | | ||
|
||
## Outputs | ||
|
||
| Name | Description | | ||
|------|---------------------------------------------------------------------| | ||
| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | Role used by Sysdig Platform for Secure Agentless Workload Scanning | | ||
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --> | ||
|
||
## Authors | ||
|
||
Module is maintained by [Sysdig](https://sysdig.com). | ||
|
||
## License | ||
|
||
Apache 2 Licensed. See LICENSE for full details. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,96 @@ | ||
########################################### | ||
# Workload Controller IAM roles and stuff # | ||
########################################### | ||
|
||
#----------------------------------------------------------------------------------------------------------------------- | ||
# Determine if this is an Organizational install, or a single account install. For Single Account installs, resources | ||
# are created directly using the AWS Terraform Provider (This is the default behaviour). For Organizational installs, | ||
# see organizational.tf, and the resources in this file are used to instrument the management account (StackSets do not | ||
# include the management account they are created in, even if this account is within the target Organization). | ||
#----------------------------------------------------------------------------------------------------------------------- | ||
|
||
#----------------------------------------------------------------------------------------------------------------------- | ||
# We have two types of resources. global and regional. Global resources are deployed only once (mostly in the primary | ||
# region). We use deploy_global_resources boolean to determine that. | ||
#----------------------------------------------------------------------------------------------------------------------- | ||
|
||
#----------------------------------------------------------------------------------------------------------------------- | ||
# These resources create an Agentless Workload Scanning IAM Role and IAM Policy in the account. | ||
#----------------------------------------------------------------------------------------------------------------------- | ||
|
||
data "aws_iam_policy_document" "scanning" { | ||
count = (var.deploy_global_resources || var.is_organizational) ? 1 : 0 | ||
|
||
# General ECR read permission, necessary for the fetching artifacts. | ||
statement { | ||
sid = "EcrReadPermissions" | ||
|
||
effect = "Allow" | ||
|
||
actions = [ | ||
"ecr:GetDownloadUrlForLayer", | ||
"ecr:BatchGetImage", | ||
"ecr:BatchCheckLayerAvailability", | ||
"ecr:GetRepositoryPolicy", | ||
"ecr:DescribeRepositories", | ||
"ecr:ListImages", | ||
"ecr:DescribeImages", | ||
"ecr:ListTagsForResource", | ||
"ecr:GetAuthorizationToken", | ||
] | ||
|
||
resources = [ | ||
"*", | ||
] | ||
} | ||
} | ||
|
||
resource "aws_iam_policy" "scanning" { | ||
count = (var.deploy_global_resources || var.is_organizational) ? 1 : 0 | ||
|
||
name = var.name | ||
description = "Grants Sysdig Secure access to volumes and snapshots" | ||
policy = data.aws_iam_policy_document.scanning[0].json | ||
tags = var.tags | ||
} | ||
|
||
data "aws_iam_policy_document" "scanning_assume_role_policy" { | ||
count = (var.deploy_global_resources || var.is_organizational) ? 1 : 0 | ||
|
||
statement { | ||
sid = "SysdigWorkloadScanning" | ||
|
||
actions = [ | ||
"sts:AssumeRole" | ||
] | ||
|
||
principals { | ||
type = "AWS" | ||
identifiers = [ | ||
var.trusted_identity, | ||
] | ||
} | ||
|
||
condition { | ||
test = "StringEquals" | ||
variable = "sts:ExternalId" | ||
values = [var.external_id] | ||
} | ||
} | ||
} | ||
|
||
resource "aws_iam_role" "scanning" { | ||
count = (var.deploy_global_resources || var.is_organizational) ? 1 : 0 | ||
|
||
name = var.name | ||
tags = var.tags | ||
assume_role_policy = data.aws_iam_policy_document.scanning_assume_role_policy[0].json | ||
} | ||
|
||
resource "aws_iam_policy_attachment" "scanning" { | ||
count = (var.deploy_global_resources || var.is_organizational) ? 1 : 0 | ||
|
||
name = var.name | ||
roles = [aws_iam_role.scanning[0].name] | ||
policy_arn = aws_iam_policy.scanning[0].arn | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,94 @@ | ||
#----------------------------------------------------------------------------------------------------------------------- | ||
# Determine if this is an Organizational install, or a single account install. For Organizational installs, resources | ||
# are created using CloudFormation StackSet. For Single Account installs see main.tf. | ||
#----------------------------------------------------------------------------------------------------------------------- | ||
|
||
data "aws_organizations_organization" "org" { | ||
count = var.is_organizational ? 1 : 0 | ||
} | ||
|
||
locals { | ||
organizational_unit_ids = var.is_organizational && length(var.org_units) == 0 ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : toset(var.org_units) | ||
region_set = toset(var.regions) | ||
} | ||
|
||
#----------------------------------------------------------------------------------------------------------------------- | ||
# The resources in this file set up an Agentless Workload Scanning IAM Role and Policies in all accounts | ||
# in an AWS Organization via a CloudFormation StackSet. | ||
# Global resources: IAM Role and Policy | ||
#----------------------------------------------------------------------------------------------------------------------- | ||
|
||
#----------------------------------------------------------------------------------------------------------------------- | ||
# stackset and stackset instance deployed in organization units for Agentless Scanning IAM Role, Policies | ||
#----------------------------------------------------------------------------------------------------------------------- | ||
|
||
# stackset to deploy agentless workload scanning role in organization unit | ||
resource "aws_cloudformation_stack_set" "scanning_role_stackset" { | ||
count = var.is_organizational ? 1 : 0 | ||
|
||
name = join("-", [var.name, "ScanningRoleOrg"]) | ||
tags = var.tags | ||
permission_model = "SERVICE_MANAGED" | ||
capabilities = ["CAPABILITY_NAMED_IAM"] | ||
|
||
auto_deployment { | ||
enabled = true | ||
retain_stacks_on_account_removal = false | ||
} | ||
|
||
lifecycle { | ||
ignore_changes = [administration_role_arn] | ||
} | ||
|
||
template_body = <<TEMPLATE | ||
Resources: | ||
AgentlessWorkloadRole: | ||
Type: AWS::IAM::Role | ||
Properties: | ||
RoleName: ${var.name} | ||
AssumeRolePolicyDocument: | ||
Version: "2012-10-17" | ||
Statement: | ||
- Sid: "SysdigSecureScanning" | ||
Effect: "Allow" | ||
Action: "sts:AssumeRole" | ||
Principal: | ||
AWS: "${var.trusted_identity}" | ||
Condition: | ||
StringEquals: | ||
sts:ExternalId: "${var.external_id}" | ||
Policies: | ||
- PolicyName: ${var.name} | ||
PolicyDocument: | ||
Version: "2012-10-17" | ||
Statement: | ||
- Sid: "EcrReadPermissions" | ||
Effect: "Allow" | ||
Action: | ||
- "ecr:GetDownloadUrlForLayer" | ||
- "ecr:BatchGetImage" | ||
- "ecr:BatchCheckLayerAvailability" | ||
- "ecr:GetRepositoryPolicy" | ||
- "ecr:DescribeRepositories" | ||
- "ecr:ListImages" | ||
- "ecr:DescribeImages" | ||
- "ecr:ListTagsForResource" | ||
- "ecr:GetAuthorizationToken" | ||
Resource: "*" | ||
TEMPLATE | ||
} | ||
|
||
# stackset instance to deploy agentless scanning role, in all organization units | ||
resource "aws_cloudformation_stack_set_registry" "scanning_role_stackset_registry" { | ||
count = var.is_organizational ? 1 : 0 | ||
|
||
stack_set_name = aws_cloudformation_stack_set.scanning_role_stackset[0].name | ||
deployment_targets { | ||
organizational_unit_ids = local.organizational_unit_ids | ||
} | ||
operation_preferences { | ||
failure_tolerance_count = 10 | ||
max_concurrent_count = 10 | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
output "role_arn" { | ||
description = "Role used by Sysdig Platform for Agentless Workload Scanning" | ||
value = var.is_organizational ? null : var.deploy_global_resources ? aws_iam_role.scanning[0].arn : var.role_arn | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
variable "external_id" { | ||
description = "Random string generated unique to a customer" | ||
type = string | ||
} | ||
|
||
variable "trusted_identity" { | ||
type = string | ||
description = "The name of sysdig trusted identity" | ||
} | ||
|
||
variable "name" { | ||
description = "The name of the installation. Assigned to most child resource(s)" | ||
type = string | ||
default = "sysdig-workload-scanning" | ||
} | ||
|
||
variable "tags" { | ||
type = map(string) | ||
description = "sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning" | ||
default = { | ||
"product" = "sysdig-secure-for-cloud" | ||
} | ||
} | ||
|
||
variable "deploy_global_resources" { | ||
description = "(Optional) Set this field to 'true' to deploy Agentless Workload Scanning when deploying to the main region (Non Organization Setup)" | ||
type = bool | ||
default = false | ||
} | ||
|
||
variable "is_organizational" { | ||
description = "(Optional) Set this field to 'true' to deploy Agentless Workload Scanning to an AWS Organization (Or specific OUs)" | ||
type = bool | ||
default = false | ||
} | ||
|
||
variable "org_units" { | ||
description = "(Optional) List of Organization Unit IDs in which to setup Agentless Workload Scanning. By default, Agentless Workload Scanning will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false`" | ||
type = set(string) | ||
default = [] | ||
} | ||
|
||
variable "regions" { | ||
description = "(Optional) List of regions in which to install Agentless Workload Scanning" | ||
type = set(string) | ||
default = [] | ||
} | ||
|
||
variable "role_arn" { | ||
description = "(Optional) The ARN of the role to be associated with the with regional resources. Must be set if deploy_global_resources is false" | ||
type = string | ||
default = "" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
terraform { | ||
required_version = ">= 1.2.0" | ||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = ">= 4.39.0" | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
provider "aws" { | ||
region = "us-east-1" | ||
access_key = "test" | ||
secret_key = "test" | ||
|
||
endpoints { | ||
iam = "http://127.0.0.1:5000/" | ||
sts = "http://127.0.0.1:5000/" | ||
} | ||
} | ||
|
||
module "single-workload-scanning" { | ||
source = "../../../..//modules/services/workload-scanning" | ||
trusted_identity = "arn:aws:iam::123456789012:role/secure-assume-role" | ||
external_id = "external_id" | ||
name = "sysdig" | ||
} |