delegated admin account
jameslarrea committed Jul 30, 2024
1 parent 42bf081 commit bf89320
Showing 12 changed files with 53 additions and 11 deletions.
1 change: 1 addition & 0 deletions modules/services/agentless-scanning/README.md
Expand Up @@ -63,6 +63,7 @@ No modules.
| <a name="input_trusted_identity"></a> [trusted\_identity](#input\_trusted\_identity) | The name of sysdig trusted identity | `string` | n/a | yes |
| <a name="input_timeout"></a> [timeout](#input\_timeout) | Stackset instance timeout | `string` | `"30m"` | no |
| <a name="mgt_stackset"></a> [mgt_stackset](#mgt\_stackset) | Whether to create the resources on the management account using a stackset | `bool` | `true` | no |
| <a name="delegated"></a> [delegated](#input\_delegated) | Whether to create the resources using an delegated admin account | `bool` | `false` | no |

## Outputs

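--- a/modules/services/agentless-scanning/main.tf
+++ b/modules/services/agentless-scanning/main.tf
@@ -20,7 +20,7 @@
 #-----------------------------------------------------------------------------------------------------------------------
 
 data "aws_iam_policy_document" "scanning" {
-count = (var.deploy_global_resources || var.is_organizational && var.mgt_stackset) ? 1 : 0
+count = (var.deploy_global_resources || var.is_organizational && var.mgt_stackset && !var.delegated) ? 1 : 0
 
 # General read permission, necessary for the discovery phase.
 statement {
@@ -184,7 +184,7 @@ data "aws_iam_policy_document" "scanning" {
 }
 
 resource "aws_iam_policy" "scanning" {
-count = (var.deploy_global_resources || var.is_organizational && var.mgt_stackset) ? 1 : 0
+count = (var.deploy_global_resources || var.is_organizational && var.mgt_stackset && !var.delegated) ? 1 : 0
 
 name = var.name
 description = "Grants Sysdig Secure access to volumes and snapshots"
@@ -193,7 +193,7 @@ resource "aws_iam_policy" "scanning" {
 }
 
 data "aws_iam_policy_document" "scanning_assume_role_policy" {
-count = (var.deploy_global_resources || var.is_organizational && var.mgt_stackset) ? 1 : 0
+count = (var.deploy_global_resources || var.is_organizational && var.mgt_stackset && !var.delegated) ? 1 : 0
 
 statement {
 sid = "SysdigSecureScanning"
@@ -218,15 +218,15 @@ data "aws_iam_policy_document" "scanning_assume_role_policy" {
 }
 
 resource "aws_iam_role" "scanning" {
-count = (var.deploy_global_resources || var.is_organizational && var.mgt_stackset) ? 1 : 0
+count = (var.deploy_global_resources || var.is_organizational && var.mgt_stackset && !var.delegated) ? 1 : 0
 
 name = var.name
 tags = var.tags
 assume_role_policy = data.aws_iam_policy_document.scanning_assume_role_policy[0].json
 }
 
 resource "aws_iam_policy_attachment" "scanning" {
-count = (var.deploy_global_resources || var.is_organizational && var.mgt_stackset) ? 1 : 0
+count = (var.deploy_global_resources || var.is_organizational && var.mgt_stackset && !var.delegated) ? 1 : 0
 
 name = var.name
 roles = [aws_iam_role.scanning[0].name]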
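Review bot: The gating expression `var.deploy_global_resources || var.is_organizational && var.mgt_stackset && !var.delegated` is now copied into five `count` arguments and mixes `||` with `&&` without parentheses, so a reader has to know HCL precedence to see that `deploy_global_resources` alone still creates the role even when `delegated = true`. Because the policy document, policy, assume-role document, role and attachment must agree exactly, one copy drifting would leave a role without its policy or an attachment indexing an empty list; define it once, e.g. `create_mgmt_iam = var.deploy_global_resources || (var.is_organizational && var.mgt_stackset && !var.delegated)` in a `locals` block, and use `count = local.create_mgmt_iam ? 1 : 0` in all five places. If creating the role in the calling account under `deploy_global_resources` is intended even in the delegated case, a one-line comment on the first `count` saying so would save the next reader from reading it as a bug.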
12 changes: 10 additions & 2 deletions modules/services/agentless-scanning/organizational.tf
Expand Up @@ -47,6 +47,8 @@ resource "aws_cloudformation_stack_set" "scanning_role_stackset" {
ignore_changes = [administration_role_arn]
}

call_as = var.delegated ? "DELEGATED_ADMIN" : "SELF"

template_body = <<TEMPLATE
Resources:
AgentlessScanningRole:
Expand Down Expand Up @@ -141,6 +143,8 @@ resource "aws_cloudformation_stack_set_instance" "scanning_role_stackset_instanc
max_concurrent_count = 10
}

call_as = var.delegated ? "DELEGATED_ADMIN" : "SELF"

timeouts {
create = var.timeout
update = var.timeout
Expand All @@ -156,7 +160,7 @@ resource "aws_cloudformation_stack_set_instance" "scanning_role_stackset_instanc

# stackset to deploy resources for agentless scanning in management account
resource "aws_cloudformation_stack_set" "mgmt_acc_resources_stackset" {
count = var.is_organizational && var.mgt_stackset ? 1 : 0
count = var.is_organizational && var.mgt_stackset && !var.delegated ? 1 : 0
depends_on = [aws_iam_role.scanning]

name = join("-", [var.name, "ScanningKmsMgmtAcc"])
Expand Down Expand Up @@ -214,7 +218,7 @@ TEMPLATE

# stackset instance to deploy resources for agentless scanning, in all regions of the management account
resource "aws_cloudformation_stack_set_instance" "mgmt_acc_stackset_instance" {
for_each = var.mgt_stackset ? local.region_set : toset([])
for_each = var.mgt_stackset && !var.delegated ? local.region_set : toset([])
region = each.key

stack_set_name = aws_cloudformation_stack_set.mgmt_acc_resources_stackset[0].name
Expand Down Expand Up @@ -258,6 +262,8 @@ resource "aws_cloudformation_stack_set" "ou_resources_stackset" {
ignore_changes = [administration_role_arn]
}

call_as = var.delegated ? "DELEGATED_ADMIN" : "SELF"

template_body = <<TEMPLATE
Resources:
AgentlessScanningKmsPrimaryKey:
Expand Down Expand Up @@ -313,6 +319,8 @@ resource "aws_cloudformation_stack_set_instance" "ou_stackset_instance" {
region_concurrency_type = "PARALLEL"
}

call_as = var.delegated ? "DELEGATED_ADMIN" : "SELF"

timeouts {
create = var.timeout
update = var.timeout
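Review bot: `call_as = var.delegated ? "DELEGATED_ADMIN" : "SELF"` is repeated on all four stack set and stack set instance resources here (and again in the event-bridge and trust-relationship modules); a `call_as = var.delegated ? "DELEGATED_ADMIN" : "SELF"` entry in a `locals` block used as `call_as = local.call_as` keeps the call sites from drifting. `DELEGATED_ADMIN` is only honoured for service-managed stack sets, and the `permission_model` of these stack sets is outside the hunk, so confirm it is `SERVICE_MANAGED` and that the calling account is registered as a delegated administrator for CloudFormation StackSets before relying on this flag. Separately, `mgmt_acc_stackset_instance` is now gated on `var.mgt_stackset && !var.delegated` while the `mgmt_acc_resources_stackset[0]` it references is gated on `var.is_organizational && var.mgt_stackset && !var.delegated`; unless `local.region_set` is empty outside organizational mode (not visible here), the `for_each` should carry the same `var.is_organizational` term so it never indexes an empty stack set.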
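--- a/modules/services/agentless-scanning/variables.tf
+++ b/modules/services/agentless-scanning/variables.tf
@@ -79,4 +79,10 @@ variable "mgt_stackset" {
 description = "(Optional) Indicates if the management stackset should be deployed"
 type = bool
 default = true
 }
+
+variable "delegated" {
+description = "Whether a delegated admin account will be used"
+type = bool
+default = false
+}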
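Review bot: The description `Whether a delegated admin account will be used` says nothing about what the flag changes, which matters because setting it silently removes resources: with `delegated = true` this module creates no IAM role or policy in the calling account and skips the management-account stack set, while `mgt_stackset` keeps its default of `true` with no effect. Spell that out, e.g. `(Optional) Set to true when running from an Organizations delegated administrator account. Stack sets are then called as DELEGATED_ADMIN and no management-account resources (IAM role/policy, management stack set) are created. Requires is_organizational = true.` The same wording applies to the identical variable added in the event-bridge and trust-relationship modules. If the module targets Terraform 1.9 or later, a `validation` block with `condition = !var.delegated || var.is_organizational` would turn the non-organizational combination into a plan-time error instead of an empty or partial deployment.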
1 change: 1 addition & 0 deletions modules/services/event-bridge/README.md
Expand Up @@ -60,6 +60,7 @@ No modules.
| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) Tags to be attached to all Sysdig resources. | `map(string)` | <pre>{<br> "product": "sysdig"<br>}</pre> | no |
| <a name="input_timeout"></a> [timeout](#input\_timeout) | Stackset instance timeout | `string` | `"30m"` | no |
| <a name="mgt_stackset"></a> [mgt_stackset](#mgt\_stackset) | Whether to create the resources on the management account using a stackset | `bool` | `true` | no |
| <a name="delegated"></a> [delegated](#input\_delegated) | Whether to create the resources using an delegated admin account | `bool` | `false` | no |

## Outputs

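--- a/modules/services/event-bridge/main.tf
+++ b/modules/services/event-bridge/main.tf
@@ -56,7 +56,7 @@ resource "aws_cloudwatch_event_target" "sysdig" {
 # Role that will be used by EventBridge when sending events to Sysdig's EventBridge Bus. The EventBridge service is
 # given permission to assume this role.
 resource "aws_iam_role" "event_bus_invoke_remote_event_bus" {
-count = (var.is_organizational && var.mgt_stackset || var.deploy_global_resources) ? 1 : 0
+count = (var.is_organizational && var.mgt_stackset && !var.delegated || var.deploy_global_resources) ? 1 : 0
 
 name = var.name
 tags = var.tags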
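Review bot: `var.is_organizational && var.mgt_stackset && !var.delegated || var.deploy_global_resources` relies on `&&` binding tighter than `||`; write it as `(var.is_organizational && var.mgt_stackset && !var.delegated) || var.deploy_global_resources` so it is explicit that `deploy_global_resources` alone creates this role regardless of `delegated`. If the delegated mode is meant to create no IAM in the calling account, either confirm a delegated deployment never sets `deploy_global_resources` or add a comment on this `count` noting that it overrides `delegated`. The same expression is also what the `role_arn` output in outputs.tf has to mirror, so a shared local would keep the two in step.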
12 changes: 10 additions & 2 deletions modules/services/event-bridge/organizational.tf
Expand Up @@ -35,6 +35,8 @@ resource "aws_cloudformation_stack_set" "eb-rule-stackset" {
ignore_changes = [administration_role_arn]
}

call_as = var.delegated ? "DELEGATED_ADMIN" : "SELF"

template_body = templatefile("${path.module}/stackset_template_body.tpl", {
name = var.name
event_pattern = var.event_pattern
Expand All @@ -45,7 +47,7 @@ resource "aws_cloudformation_stack_set" "eb-rule-stackset" {

# stackset to deploy eventbridge rule in management account
resource "aws_cloudformation_stack_set" "mgmt-stackset" {
count = var.is_organizational && var.mgt_stackset ? 1 : 0
count = var.is_organizational && var.mgt_stackset && !var.delegated ? 1 : 0

name = join("-", [var.name, "EBRuleMgmtAcc"])
tags = var.tags
Expand Down Expand Up @@ -91,6 +93,8 @@ resource "aws_cloudformation_stack_set" "eb-role-stackset" {
ignore_changes = [administration_role_arn]
}

call_as = var.delegated ? "DELEGATED_ADMIN" : "SELF"

template_body = <<TEMPLATE
Resources:
EventBridgeRole:
Expand Down Expand Up @@ -141,6 +145,8 @@ resource "aws_cloudformation_stack_set_instance" "stackset_instance" {
region_concurrency_type = "PARALLEL"
}

call_as = var.delegated ? "DELEGATED_ADMIN" : "SELF"

timeouts {
create = var.timeout
update = var.timeout
Expand All @@ -150,7 +156,7 @@ resource "aws_cloudformation_stack_set_instance" "stackset_instance" {

// stackset instance to deploy rule in all regions of management account
resource "aws_cloudformation_stack_set_instance" "mgmt_acc_stackset_instance" {
for_each = var.mgt_stackset ? local.region_set : toset([])
for_each = var.mgt_stackset && !var.delegated ? local.region_set : toset([])
region = each.key
stack_set_name = aws_cloudformation_stack_set.mgmt-stackset[0].name

Expand Down Expand Up @@ -179,6 +185,8 @@ resource "aws_cloudformation_stack_set_instance" "eb_role_stackset_instance" {
region_concurrency_type = "PARALLEL"
}

call_as = var.delegated ? "DELEGATED_ADMIN" : "SELF"

timeouts {
create = var.timeout
update = var.timeout
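Review bot: `mgmt_acc_stackset_instance` is now gated on `var.mgt_stackset && !var.delegated` while the `mgmt-stackset[0]` it references is gated on `var.is_organizational && var.mgt_stackset && !var.delegated`; unless `local.region_set` is empty outside organizational mode (not visible in this hunk), the instance's `for_each` should read `var.is_organizational && var.mgt_stackset && !var.delegated ? local.region_set : toset([])` so it never indexes an empty stack set. The `call_as` ternary is written out four times in this file; a single `local.call_as` would keep the stack sets and their instances from ever being called with different values, which is an error CloudFormation only reports at apply time.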
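--- a/modules/services/event-bridge/outputs.tf
+++ b/modules/services/event-bridge/outputs.tf
@@ -1,4 +1,4 @@
 output "role_arn" {
-value = local.is_role_empty && var.mgt_stackset ? aws_iam_role.event_bus_invoke_remote_event_bus[0].arn : ""
+value = local.is_role_empty && var.mgt_stackset && !var.delegated ? aws_iam_role.event_bus_invoke_remote_event_bus[0].arn : ""
 description = "ARN of cspm role"
 }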
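Review bot: The output's gate `local.is_role_empty && var.mgt_stackset && !var.delegated` does not match the resource's `count` in main.tf, which is `var.is_organizational && var.mgt_stackset && !var.delegated || var.deploy_global_resources`: a deployment with `delegated = true` and `deploy_global_resources = true` creates the role but exports `""`, so whatever consumes this ARN is handed an empty string while a live role exists. Derive the output from the resource so the two cannot diverge, e.g. `value = local.is_role_empty && length(aws_iam_role.event_bus_invoke_remote_event_bus) > 0 ? aws_iam_role.event_bus_invoke_remote_event_bus[0].arn : ""`. The description `ARN of cspm role` also looks wrong for the EventBridge invoke role; `ARN of the role EventBridge assumes to forward events to Sysdig` matches the resource comment in main.tf.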
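--- a/modules/services/event-bridge/variables.tf
+++ b/modules/services/event-bridge/variables.tf
@@ -104,4 +104,10 @@ variable "mgt_stackset" {
 description = "(Optional) Indicates if the management stackset should be deployed"
 type = bool
 default = true
 }
+
+variable "delegated" {
+description = "Whether a delegated admin account will be used"
+type = bool
+default = false
+}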
1 change: 1 addition & 0 deletions modules/services/trust-relationship/README.md
Expand Up @@ -50,6 +50,7 @@ No modules.
| <a name="input_role_name"></a> [role\_name](#input\_role\_name) | The name of the IAM Role that will be created. | `string` | `"sysdig-secure"` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | <pre>{<br> "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
| <a name="input_timeout"></a> [timeout](#input\_timeout) | Stackset instance timeout | `string` | `"30m"` | no |
| <a name="delegated"></a> [delegated](#input\_delegated) | Whether to create the resources using an delegated admin account | `bool` | `false` | no |

## Outputs

5 changes: 5 additions & 0 deletions modules/services/trust-relationship/main.tf
Expand Up @@ -14,6 +14,7 @@ locals {
# If this is not an Organizational deploy, create role/polices directly
#----------------------------------------------------------
resource "aws_iam_role" "cspm_role" {
count = var.delegated ? 0 : 1
name = var.role_name
tags = var.tags
assume_role_policy = <<EOF
Expand Down Expand Up @@ -145,6 +146,8 @@ resource "aws_cloudformation_stack_set" "stackset" {
ignore_changes = [administration_role_arn]
}

call_as = var.delegated ? "DELEGATED_ADMIN" : "SELF"

template_body = <<TEMPLATE
Resources:
SysdigCSPMRole:
Expand Down Expand Up @@ -209,6 +212,8 @@ resource "aws_cloudformation_stack_set_instance" "stackset_instance" {
max_concurrent_count = 10
}

call_as = var.delegated ? "DELEGATED_ADMIN" : "SELF"

timeouts {
create = var.timeout
update = var.timeout
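Review bot: Adding `count = var.delegated ? 0 : 1` changes the resource address from `aws_iam_role.cspm_role` to `aws_iam_role.cspm_role[0]`, so existing deployments that upgrade with `delegated = false` will plan to destroy and recreate the role Sysdig assumes unless state is migrated; add a `moved` block (Terraform 1.1+) as below, or document a `terraform state mv`. Every reference to `aws_iam_role.cspm_role` elsewhere in the module — the policies and attachments the comment calls "role/polices", and any output of its ARN — is outside this hunk and must switch to `[0]` and be gated on the same condition, otherwise `delegated = true` fails at plan time. The comment above the resource still says only "If this is not an Organizational deploy"; extend it to `# Not created when a delegated admin account is used either: the role is then delivered to member accounts by the stack set below.`

```hcl
# Preserve the pre-existing role in state when upgrading with delegated = false.
moved {
  from = aws_iam_role.cspm_role
  to   = aws_iam_role.cspm_role[0]
}

resource "aws_iam_role" "cspm_role" {
  count = var.delegated ? 0 : 1
  # … unchanged: name, tags, assume_role_policy …
```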
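--- a/modules/services/trust-relationship/variables.tf
+++ b/modules/services/trust-relationship/variables.tf
@@ -49,4 +49,10 @@ variable "timeout" {
 type = string
 description = "Default timeout values for create, update, and delete operations"
 default = "30m"
 }
+
+variable "delegated" {
+description = "Whether a delegated admin account will be used"
+type = bool
+default = false
+}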
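Review bot: In this module `delegated = true` now suppresses the directly created `cspm_role`, so a non-organizational deployment that sets it ends up with no trust role at all and nothing in the plan says why. The description should state the dependency, e.g. `(Optional) Set to true when running from an Organizations delegated administrator account; the CSPM role is then created only through the stack set, so is_organizational must also be true.` On Terraform 1.9 or later a `validation` block with `condition = !var.delegated || var.is_organizational` would make that combination a plan-time error rather than a silent no-op.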
