From 35a8cea7e2291246b2b5a488ea578adf1194e883 Mon Sep 17 00:00:00 2001
From: alexeyovriakh
Date: Wed, 7 Feb 2024 15:57:57 +0000
Subject: [PATCH 01/31] feat: Add EKS Onboarding Terraform module
---
 modules/services/eks/datasources.tf | 6 ++++++
 modules/services/eks/locals.tf | 21 +++++++++++++++++++
 modules/services/eks/main.tf | 31 +++++++++++++++++++++++++++++
 modules/services/eks/outputs.tf | 8 ++++++++
 modules/services/eks/provider.tf | 8 ++++++++
 modules/services/eks/variables.tf | 20 +++++++++++++++++++
 modules/services/eks/versions.tf | 14 +++++++++++++
 7 files changed, 108 insertions(+)
 create mode 100644 modules/services/eks/datasources.tf
 create mode 100644 modules/services/eks/locals.tf
 create mode 100644 modules/services/eks/main.tf
 create mode 100644 modules/services/eks/outputs.tf
 create mode 100644 modules/services/eks/provider.tf
 create mode 100644 modules/services/eks/variables.tf
 create mode 100644 modules/services/eks/versions.tf
diff --git a/modules/services/eks/datasources.tf b/modules/services/eks/datasources.tf
new file mode 100644
index 0000000..fca4a0b
--- /dev/null
+++ b/modules/services/eks/datasources.tf
@@ -0,0 +1,6 @@
+data "aws_eks_clusters" "clusters" {}
+
+data "aws_eks_cluster" "clusters" {
+ for_each = toset(data.aws_eks_clusters.clusters.names)
+ name = each.value
+}
diff --git a/modules/services/eks/locals.tf b/modules/services/eks/locals.tf
new file mode 100644
index 0000000..1fc5cd3
--- /dev/null
+++ b/modules/services/eks/locals.tf
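Review bot: `data.aws_eks_cluster.clusters` describes every cluster returned by `aws_eks_clusters`, not only the ones named in `var.clusters`, so the caller needs `eks:ListClusters` and `eks:DescribeCluster` on all clusters in the region and a single denied describe aborts the whole plan. The module documentation should state these read-only permissions. If selection is meant to be by name when `onboard_all_clusters` is false, the fan-out can be restricted with `for_each = var.onboard_all_clusters ? toset(data.aws_eks_clusters.clusters.names) : setintersection(toset(data.aws_eks_clusters.clusters.names), var.clusters)`.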
@@ -0,0 +1,21 @@
+locals {
+ api_enabled_clusters = [
+ for cluster in data.aws_eks_cluster.clusters :
+ cluster if contains(["API", "API_AND_CONFIG_MAP"], cluster.access_config.0.authentication_mode) && (var.onboard_all_clusters || contains(var.clusters, cluster.name))
+ ]
+
+ sysdig_cidrs = ["54.218.164.215/32", "54.244.190.180/32", "44.232.85.27/32"]
+ clusters = {
+ for cluster in local.api_enabled_clusters : cluster.name => cluster
+ // Only onboard public clusters or clusters that Sysdig has access to
+ if cluster.vpc_config.0.endpoint_public_access && (contains(cluster.vpc_config.0.public_access_cidrs, "0.0.0.0/0") || contains(cluster.vpc_config.0.public_access_cidrs, local.sysdig_cidrs[0]))
+ }
+
+ eks_view_policy = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
+ cluster_access_policy = {
+ access_scope = {
+ type = "cluster"
+ }
+ policy_arn = local.eks_view_policy
+ }
+}
diff --git a/modules/services/eks/main.tf b/modules/services/eks/main.tf
new file mode 100644
index 0000000..22b1768
--- /dev/null
+++ b/modules/services/eks/main.tf
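Review bot: The reachability test in `clusters` only checks `local.sysdig_cidrs[0]`, so a cluster whose `public_access_cidrs` allow-lists only the second or third Sysdig address is skipped even though the comment promises that clusters Sysdig can reach are onboarded. Replace the second `contains(...)` with `length(setintersection(cluster.vpc_config.0.public_access_cidrs, local.sysdig_cidrs)) > 0`. The three addresses are also hard-coded in a local; exposing them as a variable with this list as its default lets the allow-list be updated without a module change.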
@@ -0,0 +1,31 @@
+# import {
+# for_each = local.filtered_clusters
+# to = aws_eks_cluster.this[each.key]
+# id = each.value.id
+# }
+
+// TODO: Open public access manually
+# resource "aws_eks_cluster" "this" {
+# for_each = local.filtered_clusters // TODO: Is the import order preserved?
+# name = each.value.name
+# role_arn = each.value.role_arn
+#
+# vpc_config {
+# endpoint_private_access = false
+# endpoint_public_access = true
+# public_access_cidrs = concat(local.sysdig_cidrs, [for cidr in each.value.vpc_config.0.public_access_cidrs : cidr if cidr != "0.0.0.0/0"])
+# security_group_ids = each.value.vpc_config.0.security_group_ids
+# subnet_ids = each.value.vpc_config.0.subnet_ids
+# }
+#
+# tags = each.value.tags
+# }
+
+// TODO: Check if it already exists (in case if the customer runs this script twice)
+resource "awscc_eks_access_entry" "viewer" {
+ for_each = local.clusters
+ cluster_name = each.value.name
+ principal_arn = var.principal_arn // TODO: Use data source
+ access_policies = [local.cluster_access_policy]
+}
+
diff --git a/modules/services/eks/outputs.tf b/modules/services/eks/outputs.tf
new file mode 100644
index 0000000..e73a365
--- /dev/null
+++ b/modules/services/eks/outputs.tf
@@ -0,0 +1,8 @@
+output "eks_clusers" {
+ value = local.clusters
+}
+
+// DEBUG ONLY
+output "eks_clusers_api_enabled" {
+ value = [for cluster in local.api_enabled_clusters : cluster.name]
+}
diff --git a/modules/services/eks/provider.tf b/modules/services/eks/provider.tf
new file mode 100644
index 0000000..b62c97d
--- /dev/null
+++ b/modules/services/eks/provider.tf
@@ -0,0 +1,8 @@
+# Cluster region
+provider "aws" {
+ region = var.region
+}
+
+provider "awscc" {
+ region = var.region
+}
diff --git a/modules/services/eks/variables.tf b/modules/services/eks/variables.tf
new file mode 100644
index 0000000..5cfd4c8
--- /dev/null
+++ b/modules/services/eks/variables.tf
@@ -0,0 +1,20 @@
+variable "region" {
+ description = "The AWS region where clusters reside"
+ type = string
+}
+
+variable "onboard_all_clusters" {
+ description = "Should all public clusters be onboarded and scanned by Sysdig"
+ type = bool
+ default = false
+}
+
+variable "clusters" {
+ description = "Names of the clusters to be onboarded and scanned by Sysdig"
+ type = set(string)
+}
+
+variable "principal_arn" {
+ description = "The IAM Principal ARN which will access the EKS cluster"
+ type = string
+}
diff --git a/modules/services/eks/versions.tf b/modules/services/eks/versions.tf
new file mode 100644
index 0000000..e96643f
--- /dev/null
+++ b/modules/services/eks/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+ required_version = "~> 1.7"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ awscc = {
+ source = "hashicorp/awscc"
+ version = "~> 0.69"
+ }
+ }
+}
From a51ff0b0e793bfe457afe6cbcb5452a4fc8759c9 Mon Sep 17 00:00:00 2001
From: alexeyovriakh
Date: Wed, 7 Feb 2024 16:04:37 +0000
Subject: [PATCH 02/31] chore: Remove aws_eks_cluster resource block
---
 modules/services/eks/main.tf | 23 -----------------------
 1 file changed, 23 deletions(-)
diff --git a/modules/services/eks/main.tf b/modules/services/eks/main.tf
index 22b1768..6be8bd6 100644
--- a/modules/services/eks/main.tf
+++ b/modules/services/eks/main.tf
@@ -1,26 +1,3 @@
-# import {
-# for_each = local.filtered_clusters
-# to = aws_eks_cluster.this[each.key]
-# id = each.value.id
-# }
-
-// TODO: Open public access manually
-# resource "aws_eks_cluster" "this" {
-# for_each = local.filtered_clusters // TODO: Is the import order preserved?
-# name = each.value.name
-# role_arn = each.value.role_arn
-#
-# vpc_config {
-# endpoint_private_access = false
-# endpoint_public_access = true
-# public_access_cidrs = concat(local.sysdig_cidrs, [for cidr in each.value.vpc_config.0.public_access_cidrs : cidr if cidr != "0.0.0.0/0"])
-# security_group_ids = each.value.vpc_config.0.security_group_ids
-# subnet_ids = each.value.vpc_config.0.subnet_ids
-# }
-#
-# tags = each.value.tags
-# }
-
 // TODO: Check if it already exists (in case if the customer runs this script twice)
 resource "awscc_eks_access_entry" "viewer" {
 for_each = local.clusters
From 4635274dd38ff711f10e86200ed6b10a3eaea22a Mon Sep 17 00:00:00 2001
From: alexeyovriakh
Date: Thu, 8 Feb 2024 10:59:58 +0000
Subject: [PATCH 03/31] chore: Fix Linter issues
---
 modules/services/eks/locals.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/services/eks/locals.tf b/modules/services/eks/locals.tf
index 1fc5cd3..2ae228c 100644
--- a/modules/services/eks/locals.tf
+++ b/modules/services/eks/locals.tf
@@ -1,14 +1,14 @@
 locals {
 api_enabled_clusters = [
 for cluster in data.aws_eks_cluster.clusters :
- cluster if contains(["API", "API_AND_CONFIG_MAP"], cluster.access_config.0.authentication_mode) && (var.onboard_all_clusters || contains(var.clusters, cluster.name))
+ cluster if contains(["API", "API_AND_CONFIG_MAP"], cluster.access_config[0].authentication_mode) && (var.onboard_all_clusters || contains(var.clusters, cluster.name))
 ]
 
 sysdig_cidrs = ["54.218.164.215/32", "54.244.190.180/32", "44.232.85.27/32"]
 clusters = {
 for cluster in local.api_enabled_clusters : cluster.name => cluster
 // Only onboard public clusters or clusters that Sysdig has access to
- if cluster.vpc_config.0.endpoint_public_access && (contains(cluster.vpc_config.0.public_access_cidrs, "0.0.0.0/0") || contains(cluster.vpc_config.0.public_access_cidrs, local.sysdig_cidrs[0]))
+ if cluster.vpc_config[0].endpoint_public_access && (contains(cluster.vpc_config[0].public_access_cidrs, "0.0.0.0/0") || contains(cluster.vpc_config[0].public_access_cidrs, local.sysdig_cidrs[0]))
 }
 
 eks_view_policy = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
From 1fe6ae3571cf9f674fef742d8c69c7db6c1f1a6f Mon Sep 17 00:00:00 2001
From: alexeyovriakh
Date: Thu, 8 Feb 2024 11:00:17 +0000
Subject: [PATCH 04/31] chore: Remove debug output
---
 modules/services/eks/outputs.tf | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/modules/services/eks/outputs.tf b/modules/services/eks/outputs.tf
index e73a365..fe53f09 100644
--- a/modules/services/eks/outputs.tf
+++ b/modules/services/eks/outputs.tf
@@ -1,8 +1,3 @@
-output "eks_clusers" {
- value = local.clusters
-}
-
-// DEBUG ONLY
-output "eks_clusers_api_enabled" {
- value = [for cluster in local.api_enabled_clusters : cluster.name]
+output "onboarded_clusters" {
+ value = [for cluster in local.clusters : cluster.name]
 }
From 674a818ec7e5a6e24c58a4682e894415e5e75dd8 Mon Sep 17 00:00:00 2001
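Review bot: `cluster.access_config[0]` on the first added line is indexed unconditionally; if the data source ever returns an empty `access_config` list for a cluster (I cannot confirm from here whether older clusters do), the index fails and the whole plan aborts instead of that cluster being skipped. `try(cluster.access_config[0].authentication_mode, "")` keeps the filter and degrades to excluding such clusters. The same applies to `cluster.vpc_config[0]` on the second added line.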
From: alexeyovriakh Date: Thu, 8 Feb 2024 11:01:26 +0000 Subject: [PATCH 05/31] docs: Update variable descriptions --- modules/services/eks/variables.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/services/eks/variables.tf b/modules/services/eks/variables.tf index 5cfd4c8..f32a662 100644 --- a/modules/services/eks/variables.tf +++ b/modules/services/eks/variables.tf @@ -1,20 +1,20 @@ variable "region" { - description = "The AWS region where clusters reside" + description = "The AWS region where clusters are located" type = string } variable "onboard_all_clusters" { - description = "Should all public clusters be onboarded and scanned by Sysdig" + description = "Set the value to true if all public clusters should be scanned by Sysdig" type = bool default = false } variable "clusters" { - description = "Names of the clusters to be onboarded and scanned by Sysdig" + description = "Please list the clusters to be scanned by Sysdig (when 'onboard_all_clusters' is set to false, only the clusters specified here will be scanned)" type = set(string) } variable "principal_arn" { - description = "The IAM Principal ARN which will access the EKS cluster" + description = "Sysdig's IAM Principal ARN which will access the EKS clusters" type = string } From 9d2adad32689e60d76b4858a5c81404e5c374fec Mon Sep 17 00:00:00 2001 From: alexeyovriakh Date: Thu, 8 Feb 2024 14:23:52 +0000 Subject: [PATCH 06/31] fix: Make clusters var optional --- modules/services/eks/variables.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/services/eks/variables.tf b/modules/services/eks/variables.tf index f32a662..7eaa63f 100644 --- a/modules/services/eks/variables.tf +++ b/modules/services/eks/variables.tf 
@@ -12,6 +12,7 @@ variable "onboard_all_clusters" { variable "clusters" { description = "Please list the clusters to be scanned by Sysdig (when 'onboard_all_clusters' is set to false, only the clusters specified here will be scanned)" type = set(string) + default = [] } variable "principal_arn" { From 50b8d65afc863fd2b0eec4dc6ee4f94b94f600e4 Mon Sep 17 00:00:00 2001 From: alexeyovriakh Date: Thu, 8 Feb 2024 14:24:03 +0000 Subject: [PATCH 07/31] docs: Add README --- modules/services/eks/README.md | 55 ++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 modules/services/eks/README.md diff --git a/modules/services/eks/README.md b/modules/services/eks/README.md new file mode 100644 index 0000000..4d8c941 --- /dev/null +++ b/modules/services/eks/README.md 
@@ -0,0 +1,55 @@ +# AWS Trust Relationship Module + +This module will onboard AWS EKS clusters into Agentless scanning. + +The following resource will be created in each EKS cluster: +- EKS access entry that assigns `AmazonEKSViewPolicy` to Sysdig's IAM principal. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.7 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_awscc) | >= 0.69 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [awscc_eks_access_entry](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/eks_access_entry) | resource | +| [aws_eks_clusters](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_clusters) | data source | +| [aws_eks_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [principal_arn](#var\_principal\_arn) | Sysdig's IAM Principal ARN which will access the EKS clusters | `string` | N/A | Yes | +| [clusters](#var\_clusters) | The list of clusters to be scanned by Sysdig (when 'onboard_all_clusters' is set to false, only the clusters specified in this list will be scanned) | `set(string)` | Empty list | No | +| [onboard_all_clusters](#var\_onboard\_all\_clusters) | If set to `true`, all public clusters will be onboarded | `bool` | `false` | No | + + +## Outputs + +No outputs. + + +## Authors + +Module is maintained by [Sysdig](https://sysdig.com). + +## License + +Apache 2 Licensed. See LICENSE for full details. + From 35252c7c345e5390f0ecb6f60a4f078ca7a697dd Mon Sep 17 00:00:00 2001 
From: alexeyovriakh
Date: Thu, 8 Feb 2024 14:28:42 +0000
Subject: [PATCH 08/31] refactor: Remove Sysdig CIDR check
---
 modules/services/eks/locals.tf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/modules/services/eks/locals.tf b/modules/services/eks/locals.tf
index 2ae228c..77c6fc8 100644
--- a/modules/services/eks/locals.tf
+++ b/modules/services/eks/locals.tf
@@ -4,11 +4,10 @@ locals {
 cluster if contains(["API", "API_AND_CONFIG_MAP"], cluster.access_config[0].authentication_mode) && (var.onboard_all_clusters || contains(var.clusters, cluster.name))
 ]
 
- sysdig_cidrs = ["54.218.164.215/32", "54.244.190.180/32", "44.232.85.27/32"]
 clusters = {
 for cluster in local.api_enabled_clusters : cluster.name => cluster
 // Only onboard public clusters or clusters that Sysdig has access to
- if cluster.vpc_config[0].endpoint_public_access && (contains(cluster.vpc_config[0].public_access_cidrs, "0.0.0.0/0") || contains(cluster.vpc_config[0].public_access_cidrs, local.sysdig_cidrs[0]))
+ if cluster.vpc_config[0].endpoint_public_access
 }
 
 eks_view_policy = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
From 90a7cb23e4e29a76fd1b15484143f071db0f8770 Mon Sep 17 00:00:00 2001
From: alexeyovriakh
Date: Thu, 8 Feb 2024 14:37:03 +0000
Subject: [PATCH 09/31] fix: Remove providers file
---
 modules/services/eks/provider.tf | 8 --------
 modules/services/eks/variables.tf | 5 -----
 2 files changed, 13 deletions(-)
 delete mode 100644 modules/services/eks/provider.tf
diff --git a/modules/services/eks/provider.tf b/modules/services/eks/provider.tf
deleted file mode 100644
index b62c97d..0000000
--- a/modules/services/eks/provider.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-# Cluster region
-provider "aws" {
- region = var.region
-}
-
-provider "awscc" {
- region = var.region
-}
diff --git a/modules/services/eks/variables.tf b/modules/services/eks/variables.tf
index 7eaa63f..76a9393 100644
--- a/modules/services/eks/variables.tf
+++ b/modules/services/eks/variables.tf
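Review bot: With the CIDR test removed, the retained comment `// Only onboard public clusters or clusters that Sysdig has access to` no longer describes the condition beneath it: a cluster whose public endpoint is restricted to the customer's own CIDRs still receives an access entry even though Sysdig cannot reach its API. Either reword it to `// Only onboard clusters with a public API endpoint; reachability from Sysdig's addresses is not verified here` or document in the README that the customer must allow-list Sysdig's addresses in `public_access_cidrs` for scanning to work.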
@@ -1,8 +1,3 @@
-variable "region" {
- description = "The AWS region where clusters are located"
- type = string
-}
-
 variable "onboard_all_clusters" {
 description = "Set the value to true if all public clusters should be scanned by Sysdig"
 type = bool
From 99a0b6e9c1b199acf95d1f1788a93f69c2e8d48a Mon Sep 17 00:00:00 2001
From: alexeyovriakh
Date: Mon, 12 Feb 2024 14:34:53 +0000
Subject: [PATCH 10/31] feat: Onboard opted-in clusters
---
 modules/services/eks/locals.tf | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/modules/services/eks/locals.tf b/modules/services/eks/locals.tf
index 77c6fc8..9b6b87b 100644
--- a/modules/services/eks/locals.tf
+++ b/modules/services/eks/locals.tf
@@ -1,11 +1,18 @@
 locals {
 api_enabled_clusters = [
 for cluster in data.aws_eks_cluster.clusters :
- cluster if contains(["API", "API_AND_CONFIG_MAP"], cluster.access_config[0].authentication_mode) && (var.onboard_all_clusters || contains(var.clusters, cluster.name))
+ cluster if contains(["API", "API_AND_CONFIG_MAP"], cluster.access_config[0].authentication_mode)
+ ]
+
+ tag_key = "sysdig:secure:scan"
+ tag_opt_in_values = ["true", "all"]
+ opted_in_clusters = [
+ for cluster in local.api_enabled_clusters :
+ cluster if var.onboard_all_clusters || contains(var.clusters, cluster.name) || contains(local.tag_opt_in_values, lookup(cluster.tags, local.tag_key, "false"))
 ]
 
 clusters = {
- for cluster in local.api_enabled_clusters : cluster.name => cluster
+ for cluster in local.opted_in_clusters : cluster.name => cluster
 // Only onboard public clusters or clusters that Sysdig has access to
 if cluster.vpc_config[0].endpoint_public_access
 }
From bbd408971eff7ee774653533edcc7df19154f7f5 Mon Sep 17 00:00:00 2001
From: alexeyovriakh
Date: Mon, 12 Feb 2024 14:37:45 +0000
Subject: [PATCH 11/31] chore: Update formatting
---
 modules/services/eks/locals.tf | 2 +-
 modules/services/eks/main.tf | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)
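Review bot: The tag opt-in on the `opted_in_clusters` filter compares the raw tag value against `["true", "all"]`, so `True` or `TRUE` (easy to produce when tags are set by hand) silently fail to opt a cluster in. Normalise the value with `contains(local.tag_opt_in_values, lower(lookup(cluster.tags, local.tag_key, "false")))`. The `sysdig:secure:scan` key and its accepted values are not mentioned in the README or any variable description; a one-line comment above `tag_key` stating that a tag with one of these values opts a cluster in would make the contract discoverable.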
diff --git a/modules/services/eks/locals.tf b/modules/services/eks/locals.tf
index 9b6b87b..2b01785 100644
--- a/modules/services/eks/locals.tf
+++ b/modules/services/eks/locals.tf
@@ -4,7 +4,7 @@ locals {
 cluster if contains(["API", "API_AND_CONFIG_MAP"], cluster.access_config[0].authentication_mode)
 ]
 
- tag_key = "sysdig:secure:scan"
+ tag_key = "sysdig:secure:scan"
 tag_opt_in_values = ["true", "all"]
 opted_in_clusters = [
 for cluster in local.api_enabled_clusters :
diff --git a/modules/services/eks/main.tf b/modules/services/eks/main.tf
index 6be8bd6..01b9506 100644
--- a/modules/services/eks/main.tf
+++ b/modules/services/eks/main.tf
@@ -1,8 +1,6 @@
-// TODO: Check if it already exists (in case if the customer runs this script twice)
 resource "awscc_eks_access_entry" "viewer" {
 for_each = local.clusters
 cluster_name = each.value.name
 principal_arn = var.principal_arn // TODO: Use data source
 access_policies = [local.cluster_access_policy]
 }
-
From 9b14257cfe8458cdfd5b8a0d39da932a97162d81 Mon Sep 17 00:00:00 2001
From: alexeyovriakh
Date: Wed, 14 Feb 2024 13:45:50 +0000
Subject: [PATCH 12/31] fix: Use role_name to create access entry
---
 modules/services/eks/datasources.tf | 2 ++
 modules/services/eks/locals.tf | 3 +++
 modules/services/eks/main.tf | 2 +-
 modules/services/eks/variables.tf | 4 ++--
 4 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/modules/services/eks/datasources.tf b/modules/services/eks/datasources.tf
index fca4a0b..17d4a07 100644
--- a/modules/services/eks/datasources.tf
+++ b/modules/services/eks/datasources.tf
@@ -1,3 +1,5 @@
+data "aws_caller_identity" "current" {}
+
 data "aws_eks_clusters" "clusters" {}
 
 data "aws_eks_cluster" "clusters" {
diff --git a/modules/services/eks/locals.tf b/modules/services/eks/locals.tf
index 2b01785..1685af0 100644
--- a/modules/services/eks/locals.tf
+++ b/modules/services/eks/locals.tf
@@ -1,4 +1,7 @@
 locals {
+ account_id = data.aws_caller_identity.current.account_id
+ principal_arn = "arn:aws:iam::${local.account_id}:role/${var.role_name}"
+
 api_enabled_clusters = [
 for cluster in data.aws_eks_cluster.clusters :
 cluster if contains(["API", "API_AND_CONFIG_MAP"], cluster.access_config[0].authentication_mode)
diff --git a/modules/services/eks/main.tf b/modules/services/eks/main.tf
index 01b9506..4265b4a 100644
--- a/modules/services/eks/main.tf
+++ b/modules/services/eks/main.tf
@@ -1,6 +1,6 @@
 resource "awscc_eks_access_entry" "viewer" {
 for_each = local.clusters
 cluster_name = each.value.name
- principal_arn = var.principal_arn // TODO: Use data source
+ principal_arn = local.principal_arn // TODO: Use data source
 access_policies = [local.cluster_access_policy]
 }
diff --git a/modules/services/eks/variables.tf b/modules/services/eks/variables.tf
index 76a9393..9aca442 100644
--- a/modules/services/eks/variables.tf
+++ b/modules/services/eks/variables.tf
@@ -10,7 +10,7 @@ variable "clusters" {
 default = []
 }
 
-variable "principal_arn" {
- description = "Sysdig's IAM Principal ARN which will access the EKS clusters"
+variable "role_name" {
+ description = "IAM role that Sysdig will assume to access the EKS clusters"
 type = string
 }
From 2e3afa876a08128d01e12dd34e98779626226ef8 Mon Sep 17 00:00:00 2001
From: alexeyovriakh
Date: Mon, 19 Feb 2024 14:18:45 +0000
Subject: [PATCH 13/31] chore: Update README to add role_name attribute info
---
 modules/services/eks/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/services/eks/README.md b/modules/services/eks/README.md
index 4d8c941..98c0262 100644
--- a/modules/services/eks/README.md
+++ b/modules/services/eks/README.md
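Review bot: `principal_arn` in the locals hunk hard-codes the `aws` partition, so in the GovCloud and China partitions the access entry would name a principal that does not exist; add `data "aws_partition" "current" {}` next to `aws_caller_identity` and build it as `"arn:${data.aws_partition.current.partition}:iam::${local.account_id}:role/${var.role_name}"`. Nothing verifies that `var.role_name` exists and EKS accepts any syntactically valid ARN, so a typo quietly creates an access entry for a role that can never be assumed; resolving the name through `data "aws_iam_role"` fails at plan time instead and would also retire the `// TODO: Use data source` comment that the main.tf hunk still carries.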
@@ -35,7 +35,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [principal_arn](#var\_principal\_arn) | Sysdig's IAM Principal ARN which will access the EKS clusters | `string` | N/A | Yes | +| [role_name](#role\_name) | IAM role that Sysdig will assume to access the EKS clusters | `string` | N/A | Yes | | [clusters](#var\_clusters) | The list of clusters to be scanned by Sysdig (when 'onboard_all_clusters' is set to false, only the clusters specified in this list will be scanned) | `set(string)` | Empty list | No | | [onboard_all_clusters](#var\_onboard\_all\_clusters) | If set to `true`, all public clusters will be onboarded | `bool` | `false` | No | From e444dbec80471cdbe640793af29d1bdb555d1bf3 Mon Sep 17 00:00:00 2001 From: alexeyovriakh Date: Mon, 19 Feb 2024 14:19:02 +0000 Subject: [PATCH 14/31] chore: Remove outputs.tf --- modules/services/eks/outputs.tf | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 modules/services/eks/outputs.tf diff --git a/modules/services/eks/outputs.tf b/modules/services/eks/outputs.tf deleted file mode 100644 index fe53f09..0000000 --- a/modules/services/eks/outputs.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "onboarded_clusters" { - value = [for cluster in local.clusters : cluster.name] -} From b5645e5500b4431234d8bc5ee26be85a2b010061 Mon Sep 17 00:00:00 2001 From: alexeyovriakh Date: Wed, 28 Feb 2024 15:55:50 +0000 Subject: [PATCH 15/31] refactor: Rename main.tf to eks.tf --- modules/services/eks/{main.tf => eks.tf} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/services/eks/{main.tf => eks.tf} (100%) diff --git a/modules/services/eks/main.tf b/modules/services/eks/eks.tf similarity index 100% rename from modules/services/eks/main.tf rename to modules/services/eks/eks.tf From 5dcf592751220dd25b2663e4fb79fde4e40d528d Mon Sep 17 00:00:00 2001 
From: alexeyovriakh Date: Wed, 28 Feb 2024 15:57:19 +0000 Subject: [PATCH 16/31] feat: Add ECR-related variables --- modules/services/eks/variables.tf | 39 +++++++++++++++++++++++++++---- 1 file changed, 35 insertions(+), 4 deletions(-) diff --git a/modules/services/eks/variables.tf b/modules/services/eks/variables.tf index 9aca442..668cb28 100644 --- a/modules/services/eks/variables.tf +++ b/modules/services/eks/variables.tf 
@@ -1,16 +1,47 @@ +// Values required to create access entries +variable "role_name" { + description = "(Required) IAM role that Sysdig will assume to access the EKS clusters" + type = string +} + variable "onboard_all_clusters" { - description = "Set the value to true if all public clusters should be scanned by Sysdig" + description = "(Optional) Set the value to true if all public clusters (API and API_AND_CONFIG_MAP-type clusters) should be scanned by Sysdig. Only the clusters having authentication mode set to either API or API_AND_CONFIG_MAP will be onboarded." type = bool default = false } variable "clusters" { - description = "Please list the clusters to be scanned by Sysdig (when 'onboard_all_clusters' is set to false, only the clusters specified here will be scanned)" + description = "(Optional) Please list the clusters to be scanned by Sysdig (when 'onboard_all_clusters' is set to false, only the clusters specified here will be scanned). The clusters must have authentication mode set to either API or API_AND_CONFIG_MAP to be onboarded." type = set(string) default = [] } -variable "role_name" { - description = "IAM role that Sysdig will assume to access the EKS clusters" +// Values required to create the ECR role +variable "deploy_global_resources" { + description = "(Optional) Setting this field to 'true' creates an IAM role that allows Sysdig to pull ECR images." + type = bool + default = false +} + +variable "trusted_identity" { type = string + description = "(Optional) This value should be provided by Sysdig. The field refers to Sysdig's IAM role that will be authorized to pull ECR images." +} + +variable "name" { + description = "(Optional) This value should be provided by Sysdig. The field refers to an installation name, which will also be used to name the IAM role that grants access to pull ECR images." + type = string +} + +variable "external_id" { + description = "(Optional) This value should be provided by Sysdig. 
External ID is optional information that you can use in an IAM role trust policy to designate who in Sysdig can assume the role." + type = string +} + +variable "tags" { + type = map(string) + description = "(Optional) This value should be provided by Sysdig." + default = { + "product" = "sysdig-secure-for-cloud" + } } From bc7dbd7e28aa9f32fc4bcfeda25bdd246499c2a9 Mon Sep 17 00:00:00 2001 From: alexeyovriakh Date: Wed, 28 Feb 2024 16:01:05 +0000 Subject: [PATCH 17/31] feat: Add an ECR role to allow pulling images --- modules/services/eks/iam.tf | 73 ++++++++++++++++++++++++++++++++++ modules/services/eks/locals.tf | 3 ++ 2 files changed, 76 insertions(+) create mode 100644 modules/services/eks/iam.tf diff --git a/modules/services/eks/iam.tf b/modules/services/eks/iam.tf new file mode 100644 index 0000000..50c6feb --- /dev/null +++ b/modules/services/eks/iam.tf 
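Review bot: `trusted_identity`, `name` and `external_id` are described as (Optional) but declare no `default`, so Terraform requires them on every run, including when `deploy_global_resources` is `false` and the ECR role is never created. Give each `default = null`, and since the module pins `~> 1.7` (which predates cross-variable `validation` blocks), enforce that they are set together with `deploy_global_resources = true` via a `lifecycle { precondition }` on the role resource or by stating the dependency in each description. The `external_id` description also says the value is "optional information", which conflicts with its role as the confused-deputy guard in the trust policy. This hunk starts at the top of variables.tf on the previous line.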
@@ -0,0 +1,73 @@
+// This is a Single Account installation. The resources are created globally (instead of regionally).
+
+data "aws_iam_policy_document" "ecr_pull_image" {
+ count = local.n
+
+ statement {
+ sid = "SysdigEcrPullImagePermissions"
+
+ effect = "Allow"
+
+ actions = [
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:BatchGetImage",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:ListImages",
+ "ecr:GetAuthorizationToken",
+ ]
+
+ resources = [
+ "*",
+ ]
+ }
+}
+
+resource "aws_iam_policy" "ecr_pull_image" {
+ count = local.n
+
+ name = var.name
+ description = "Allows Sysdig Secure to pull ECR images"
+ policy = data.aws_iam_policy_document.ecr_pull_image[0].json
+ tags = var.tags
+}
+
+data "aws_iam_policy_document" "ecr_assume_role" {
+ count = local.n
+
+ statement {
+ sid = "SysdigEcrAssumeRole"
+
+ actions = [
+ "sts:AssumeRole"
+ ]
+
+ principals {
+ type = "AWS"
+ identifiers = [
+ var.trusted_identity,
+ ]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "sts:ExternalId"
+ values = [var.external_id]
+ }
+ }
+}
+
+resource "aws_iam_role" "ecr" {
+ count = local.n
+
+ name = var.name
+ tags = var.tags
+ assume_role_policy = data.aws_iam_policy_document.ecr_assume_role[0].json
+}
+
+resource "aws_iam_policy_attachment" "ecr" {
+ count = local.n
+
+ name = var.name
+ roles = [aws_iam_role.ecr[0].name]
+ policy_arn = aws_iam_policy.ecr_pull_image[0].arn
+}
diff --git a/modules/services/eks/locals.tf b/modules/services/eks/locals.tf
index 1685af0..0f34648 100644
--- a/modules/services/eks/locals.tf
+++ b/modules/services/eks/locals.tf
@@ -27,4 +27,7 @@ locals {
 }
 policy_arn = local.eks_view_policy
 }
+
+ // ECR role to pull images
+ n = var.deploy_global_resources ? 1 : 0
 }
From d3e64729f305207fe3370e3e3c89e67f25d05a4a Mon Sep 17 00:00:00 2001
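Review bot: `aws_iam_policy_attachment` at the bottom of the iam.tf hunk is the exclusive attachment resource: it takes ownership of every attachment of `aws_iam_policy.ecr_pull_image` and detaches the policy from any other role, user or group on apply, which is a surprising side effect inside a customer account; use `resource "aws_iam_role_policy_attachment" "ecr"` with `role = aws_iam_role.ecr[0].name` and `policy_arn = aws_iam_policy.ecr_pull_image[0].arn`, dropping `name = var.name`. The `sts:ExternalId` condition is the confused-deputy guard on the trust policy, yet `values = [var.external_id]` is emitted without checking the value is non-empty; a `lifecycle { precondition }` on `aws_iam_role.ecr` asserting `var.external_id != null && var.external_id != ""` (and the same for `var.trusted_identity`) fails the plan instead of creating a role with an unusable or weakened trust policy. `resources = ["*"]` is required by `ecr:GetAuthorizationToken`, but the repository-scoped actions could be limited to the repositories Sysdig needs to read; at minimum a comment explaining why `*` is kept would help later reviewers.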
From: alexeyovriakh Date: Wed, 28 Feb 2024 16:36:19 +0000 Subject: [PATCH 18/31] docs: Update README --- modules/services/eks/README.md | 13 +++++++++++-- modules/services/eks/variables.tf | 2 +- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/modules/services/eks/README.md b/modules/services/eks/README.md index 98c0262..bb273d0 100644 --- a/modules/services/eks/README.md +++ b/modules/services/eks/README.md @@ -3,7 +3,8 @@ This module will onboard AWS EKS clusters into Agentless scanning. The following resource will be created in each EKS cluster: -- EKS access entry that assigns `AmazonEKSViewPolicy` to Sysdig's IAM principal. +- EKS access entry that assigns `AmazonEKSViewPolicy` to Sysdig's IAM principal +- IAM role that grants Sysdig permissions to pull ECR images ## Requirements @@ -30,6 +31,10 @@ No modules. | [awscc_eks_access_entry](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/eks_access_entry) | resource | | [aws_eks_clusters](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_clusters) | data source | | [aws_eks_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | +| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | +| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs 
@@ -38,7 +43,11 @@ No modules. | [role_name](#role\_name) | IAM role that Sysdig will assume to access the EKS clusters | `string` | N/A | Yes | | [clusters](#var\_clusters) | The list of clusters to be scanned by Sysdig (when 'onboard_all_clusters' is set to false, only the clusters specified in this list will be scanned) | `set(string)` | Empty list | No | | [onboard_all_clusters](#var\_onboard\_all\_clusters) | If set to `true`, all public clusters will be onboarded | `bool` | `false` | No | - +| [deploy\_global\_resources](#var\_deploy\_global\_resources) | (Optional) Setting this field to 'true' creates an IAM role that allows Sysdig to pull ECR images | `bool` | `false` | no | +| [external\_id](#var\_external\_id) | (Optional) This value should be provided by Sysdig. External ID is optional information that you can use in an IAM role trust policy to designate who in Sysdig can assume the role | `string` | n/a | yes | +| [name](#var\_name) | (Optional) This value should be provided by Sysdig. The field refers to an installation name, which will also be used to name the IAM role that grants access to pull ECR images | `string` | | no | +| [tags](#var\_tags) | (Optional) This value should be provided by Sysdig. Tags that will be associated with the IAM role. | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
}
| no | +| [trusted\_identity](#var\_trusted\_identity) | (Optional) This value should be provided by Sysdig. The field refers to Sysdig's IAM role that will be authorized to pull ECR images | `string` | n/a | yes | ## Outputs diff --git a/modules/services/eks/variables.tf b/modules/services/eks/variables.tf index 668cb28..7957ccd 100644 --- a/modules/services/eks/variables.tf +++ b/modules/services/eks/variables.tf @@ -40,7 +40,7 @@ variable "external_id" { variable "tags" { type = map(string) - description = "(Optional) This value should be provided by Sysdig." + description = "(Optional) This value should be provided by Sysdig. Tags that will be associated with the IAM role." default = { "product" = "sysdig-secure-for-cloud" } From 858878af40c75e45ac80842278ddc192e557bad3 Mon Sep 17 00:00:00 2001 From: alexeyovriakh Date: Wed, 28 Feb 2024 16:39:39 +0000 Subject: [PATCH 19/31] fix: Update the README title --- modules/services/eks/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/services/eks/README.md b/modules/services/eks/README.md index bb273d0..e1fcb56 100644 --- a/modules/services/eks/README.md +++ b/modules/services/eks/README.md @@ -1,4 +1,4 @@ -# AWS Trust Relationship Module +# AWS EKS Module This module will onboard AWS EKS clusters into Agentless scanning. From 4ffa1a00d4e302c727a7b75ae86d11275d8e8321 Mon Sep 17 00:00:00 2001 From: alexeyovriakh Date: Wed, 28 Feb 2024 16:41:52 +0000 Subject: [PATCH 20/31] docs: Minor update to the README --- modules/services/eks/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/services/eks/README.md b/modules/services/eks/README.md index e1fcb56..c23505e 100644 --- a/modules/services/eks/README.md +++ b/modules/services/eks/README.md 
@@ -44,10 +44,10 @@ No modules. | [clusters](#var\_clusters) | The list of clusters to be scanned by Sysdig (when 'onboard_all_clusters' is set to false, only the clusters specified in this list will be scanned) | `set(string)` | Empty list | No | | [onboard_all_clusters](#var\_onboard\_all\_clusters) | If set to `true`, all public clusters will be onboarded | `bool` | `false` | No | | [deploy\_global\_resources](#var\_deploy\_global\_resources) | (Optional) Setting this field to 'true' creates an IAM role that allows Sysdig to pull ECR images | `bool` | `false` | no | -| [external\_id](#var\_external\_id) | (Optional) This value should be provided by Sysdig. External ID is optional information that you can use in an IAM role trust policy to designate who in Sysdig can assume the role | `string` | n/a | yes | +| [external\_id](#var\_external\_id) | (Optional) This value should be provided by Sysdig. External ID is optional information that you can use in an IAM role trust policy to designate who in Sysdig can assume the role | `string` | | yes | | [name](#var\_name) | (Optional) This value should be provided by Sysdig. The field refers to an installation name, which will also be used to name the IAM role that grants access to pull ECR images | `string` | | no | -| [tags](#var\_tags) | (Optional) This value should be provided by Sysdig. Tags that will be associated with the IAM role. | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
}
| no | -| [trusted\_identity](#var\_trusted\_identity) | (Optional) This value should be provided by Sysdig. The field refers to Sysdig's IAM role that will be authorized to pull ECR images | `string` | n/a | yes | +| [tags](#var\_tags) | (Optional) This value should be provided by Sysdig. Tags that will be associated with the IAM role. | `map(string)` |
{ "product": "sysdig-secure-for-cloud" }
| no | +| [trusted\_identity](#var\_trusted\_identity) | (Optional) This value should be provided by Sysdig. The field refers to Sysdig's IAM role that will be authorized to pull ECR images | `string` | | yes | ## Outputs From 6c8c03832457076bb57927d1e967c5a2dc2b8382 Mon Sep 17 00:00:00 2001 From: alexeyovriakh Date: Thu, 29 Feb 2024 12:12:19 +0000 Subject: [PATCH 21/31] refactor: Add validation for deploy_global_resources variable --- modules/services/eks/variables.tf | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/modules/services/eks/variables.tf b/modules/services/eks/variables.tf index 7957ccd..24e3286 100644 --- a/modules/services/eks/variables.tf +++ b/modules/services/eks/variables.tf @@ -26,16 +26,19 @@ variable "deploy_global_resources" { variable "trusted_identity" { type = string description = "(Optional) This value should be provided by Sysdig. The field refers to Sysdig's IAM role that will be authorized to pull ECR images." + default = null } variable "name" { description = "(Optional) This value should be provided by Sysdig. The field refers to an installation name, which will also be used to name the IAM role that grants access to pull ECR images." type = string + default = null } variable "external_id" { description = "(Optional) This value should be provided by Sysdig. External ID is optional information that you can use in an IAM role trust policy to designate who in Sysdig can assume the role." type = string + default = null } variable "tags" { 
@@ -45,3 +48,19 @@ variable "tags" {
 "product" = "sysdig-secure-for-cloud"
 }
 }
+
+output "validate_deploy_global_resources" {
+ value = null
+ precondition {
+ condition = (var.deploy_global_resources && var.external_id != null)
+ error_message = "Please provide external_id or set deploy_global_resources to false."
+ }
+ precondition {
+ condition = (var.deploy_global_resources && var.name != null)
+ error_message = "Please provide name or set deploy_global_resources set to false."
+ }
+ precondition {
+ condition = (var.deploy_global_resources && var.trusted_identity != null)
+ error_message = "Please provide trusted_identity or set deploy_global_resources to false."
+ }
+}
From 929f783e064de73ad7e36e3bf76d920561dccec3 Mon Sep 17 00:00:00 2001
From: alexeyovriakh
Date: Thu, 29 Feb 2024 13:11:49 +0000
Subject: [PATCH 22/31] docs: Update README to clarify variables purpose
---
 modules/services/eks/README.md | 8 ++++----
 modules/services/eks/variables.tf | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/modules/services/eks/README.md b/modules/services/eks/README.md
index c23505e..1544f1a 100644
--- a/modules/services/eks/README.md
+++ b/modules/services/eks/README.md
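Review bot: The three preconditions in the new `validate_deploy_global_resources` output are inverted: `(var.deploy_global_resources && var.external_id != null)` is false whenever `deploy_global_resources` keeps its default of `false`, so the default configuration fails validation and the path that creates no ECR role is unusable. Each condition should read `condition = !var.deploy_global_resources || var.external_id != null` (likewise for `name` and `trusted_identity`), so the guard only applies when the ECR role is actually being created. The second error message also has a typo, `set deploy_global_resources set to false`. The same inverted condition is carried forward unchanged in the later variables.tf hunk that renames `name` to `ecr_role_name`.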
@@ -40,10 +40,10 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [role_name](#role\_name) | IAM role that Sysdig will assume to access the EKS clusters | `string` | N/A | Yes | -| [clusters](#var\_clusters) | The list of clusters to be scanned by Sysdig (when 'onboard_all_clusters' is set to false, only the clusters specified in this list will be scanned) | `set(string)` | Empty list | No | -| [onboard_all_clusters](#var\_onboard\_all\_clusters) | If set to `true`, all public clusters will be onboarded | `bool` | `false` | No | -| [deploy\_global\_resources](#var\_deploy\_global\_resources) | (Optional) Setting this field to 'true' creates an IAM role that allows Sysdig to pull ECR images | `bool` | `false` | no | +| [role_name](#role\_name) | (Required) IAM role that Sysdig will assume to access the EKS clusters | `string` | N/A | Yes | +| [clusters](#var\_clusters) | (Optional) To only scan some public clusters, enter their names here. Please note that only clusters with authentication mode set to API or API_AND_CONFIG_MAP will be onboarded. | `set(string)` | Empty list | No | +| [onboard_all_clusters](#var\_onboard\_all\_clusters) | (Optional) Set the value to true to ensure Sysdig scans all public clusters. Please note that only clusters with authentication mode set to API or API_AND_CONFIG_MAP will be onboarded. | `bool` | `false` | No | +| [deploy\_global\_resources](#var\_deploy\_global\_resources) | (Optional) Setting this field to 'true' creates an IAM role that allows Sysdig to pull ECR images in order to scan them. | `bool` | `false` | no | | [external\_id](#var\_external\_id) | (Optional) This value should be provided by Sysdig. External ID is optional information that you can use in an IAM role trust policy to designate who in Sysdig can assume the role | `string` | | yes | | [name](#var\_name) | (Optional) This value should be provided by Sysdig. 
The field refers to an installation name, which will also be used to name the IAM role that grants access to pull ECR images | `string` | | no | | [tags](#var\_tags) | (Optional) This value should be provided by Sysdig. Tags that will be associated with the IAM role. | `map(string)` |
{ "product": "sysdig-secure-for-cloud" }
| no | diff --git a/modules/services/eks/variables.tf b/modules/services/eks/variables.tf index 24e3286..d4c2ba1 100644 --- a/modules/services/eks/variables.tf +++ b/modules/services/eks/variables.tf @@ -5,20 +5,20 @@ variable "role_name" { } variable "onboard_all_clusters" { - description = "(Optional) Set the value to true if all public clusters (API and API_AND_CONFIG_MAP-type clusters) should be scanned by Sysdig. Only the clusters having authentication mode set to either API or API_AND_CONFIG_MAP will be onboarded." + description = "(Optional) Set the value to true to ensure Sysdig scans all public clusters. Please note that only clusters with authentication mode set to API or API_AND_CONFIG_MAP will be onboarded." type = bool default = false } variable "clusters" { - description = "(Optional) Please list the clusters to be scanned by Sysdig (when 'onboard_all_clusters' is set to false, only the clusters specified here will be scanned). The clusters must have authentication mode set to either API or API_AND_CONFIG_MAP to be onboarded." + description = "(Optional) To only scan some public clusters, enter their names here. Please note that only clusters with authentication mode set to API or API_AND_CONFIG_MAP will be onboarded." type = set(string) default = [] } // Values required to create the ECR role variable "deploy_global_resources" { - description = "(Optional) Setting this field to 'true' creates an IAM role that allows Sysdig to pull ECR images." + description = "(Optional) Setting this field to 'true' creates an IAM role that allows Sysdig to pull ECR images in order to scan them." type = bool default = false } From 2bffcfcff00237701739e02c6d33aacabeb2e608 Mon Sep 17 00:00:00 2001 From: alexeyovriakh Date: Thu, 29 Feb 2024 13:14:40 +0000 Subject: [PATCH 23/31] chore: Update required flags in README --- modules/services/eks/README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/modules/services/eks/README.md b/modules/services/eks/README.md index 1544f1a..55f55b3 100644 --- a/modules/services/eks/README.md +++ b/modules/services/eks/README.md @@ -43,11 +43,11 @@ No modules. | [role_name](#role\_name) | (Required) IAM role that Sysdig will assume to access the EKS clusters | `string` | N/A | Yes | | [clusters](#var\_clusters) | (Optional) To only scan some public clusters, enter their names here. Please note that only clusters with authentication mode set to API or API_AND_CONFIG_MAP will be onboarded. | `set(string)` | Empty list | No | | [onboard_all_clusters](#var\_onboard\_all\_clusters) | (Optional) Set the value to true to ensure Sysdig scans all public clusters. Please note that only clusters with authentication mode set to API or API_AND_CONFIG_MAP will be onboarded. | `bool` | `false` | No | -| [deploy\_global\_resources](#var\_deploy\_global\_resources) | (Optional) Setting this field to 'true' creates an IAM role that allows Sysdig to pull ECR images in order to scan them. | `bool` | `false` | no | -| [external\_id](#var\_external\_id) | (Optional) This value should be provided by Sysdig. External ID is optional information that you can use in an IAM role trust policy to designate who in Sysdig can assume the role | `string` | | yes | -| [name](#var\_name) | (Optional) This value should be provided by Sysdig. The field refers to an installation name, which will also be used to name the IAM role that grants access to pull ECR images | `string` | | no | -| [tags](#var\_tags) | (Optional) This value should be provided by Sysdig. Tags that will be associated with the IAM role. | `map(string)` |
{ "product": "sysdig-secure-for-cloud" }
| no | -| [trusted\_identity](#var\_trusted\_identity) | (Optional) This value should be provided by Sysdig. The field refers to Sysdig's IAM role that will be authorized to pull ECR images | `string` | | yes | +| [deploy\_global\_resources](#var\_deploy\_global\_resources) | (Optional) Setting this field to 'true' creates an IAM role that allows Sysdig to pull ECR images in order to scan them. | `bool` | `false` | No | +| [external\_id](#var\_external\_id) | (Optional) This value should be provided by Sysdig. External ID is optional information that you can use in an IAM role trust policy to designate who in Sysdig can assume the role | `string` | | No | +| [name](#var\_name) | (Optional) This value should be provided by Sysdig. The field refers to an installation name, which will also be used to name the IAM role that grants access to pull ECR images | `string` | | No | +| [tags](#var\_tags) | (Optional) This value should be provided by Sysdig. Tags that will be associated with the IAM role. | `map(string)` |
{ "product": "sysdig-secure-for-cloud" }
| No | +| [trusted\_identity](#var\_trusted\_identity) | (Optional) This value should be provided by Sysdig. The field refers to Sysdig's IAM role that will be authorized to pull ECR images | `string` | | No | ## Outputs From 42500082f890bac69d8a1b21833b1fcdb622e681 Mon Sep 17 00:00:00 2001 From: alexeyovriakh Date: Wed, 6 Mar 2024 15:16:41 +0000 Subject: [PATCH 24/31] fix: Remove automatic onboarding for agentless-tagged clusters --- modules/services/eks/README.md | 8 +++----- modules/services/eks/datasources.tf | 4 +--- modules/services/eks/iam.tf | 7 +++---- modules/services/eks/locals.tf | 19 ++++++++++--------- modules/services/eks/variables.tf | 17 +++++------------ 5 files changed, 22 insertions(+), 33 deletions(-) diff --git a/modules/services/eks/README.md b/modules/services/eks/README.md index 55f55b3..d1c2422 100644 --- a/modules/services/eks/README.md +++ b/modules/services/eks/README.md @@ -29,7 +29,6 @@ No modules. | Name | Type | |------|------| | [awscc_eks_access_entry](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/eks_access_entry) | resource | -| [aws_eks_clusters](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_clusters) | data source | | [aws_eks_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | | [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | 
@@ -40,12 +39,11 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [role_name](#role\_name) | (Required) IAM role that Sysdig will assume to access the EKS clusters | `string` | N/A | Yes | -| [clusters](#var\_clusters) | (Optional) To only scan some public clusters, enter their names here. Please note that only clusters with authentication mode set to API or API_AND_CONFIG_MAP will be onboarded. | `set(string)` | Empty list | No | -| [onboard_all_clusters](#var\_onboard\_all\_clusters) | (Optional) Set the value to true to ensure Sysdig scans all public clusters. Please note that only clusters with authentication mode set to API or API_AND_CONFIG_MAP will be onboarded. | `bool` | `false` | No | +| [eks_role_name](#var\_eks\_role\_name) | (Required) IAM role that Sysdig will assume to access the EKS clusters. Prerequisite: Before this module can be invoked, Sysdig's CSPM Terraform module needs to create this role. | `string` | N/A | Yes | +| [clusters](#var\_clusters) | (Required) List the clusters that Sysdig will scan. Please note that only clusters with authentication mode set to API or API_AND_CONFIG_MAP will be onboarded. | `set(string)` | | Yes | | [deploy\_global\_resources](#var\_deploy\_global\_resources) | (Optional) Setting this field to 'true' creates an IAM role that allows Sysdig to pull ECR images in order to scan them. | `bool` | `false` | No | | [external\_id](#var\_external\_id) | (Optional) This value should be provided by Sysdig. External ID is optional information that you can use in an IAM role trust policy to designate who in Sysdig can assume the role | `string` | | No | -| [name](#var\_name) | (Optional) This value should be provided by Sysdig. 
The field refers to an installation name, which will also be used to name the IAM role that grants access to pull ECR images | `string` | | No | +| [ecr_role_name](#var\_ecr\_role\_name) | (Optional) This value should be provided by Sysdig. The field refers to an installation name, which will also be used to name the IAM role that grants access to pull ECR images | `string` | | No | | [tags](#var\_tags) | (Optional) This value should be provided by Sysdig. Tags that will be associated with the IAM role. | `map(string)` |
{ "product": "sysdig-secure-for-cloud" }
| No | | [trusted\_identity](#var\_trusted\_identity) | (Optional) This value should be provided by Sysdig. The field refers to Sysdig's IAM role that will be authorized to pull ECR images | `string` | | No | diff --git a/modules/services/eks/datasources.tf b/modules/services/eks/datasources.tf index 17d4a07..310cdea 100644 --- a/modules/services/eks/datasources.tf +++ b/modules/services/eks/datasources.tf @@ -1,8 +1,6 @@ data "aws_caller_identity" "current" {} -data "aws_eks_clusters" "clusters" {} - data "aws_eks_cluster" "clusters" { - for_each = toset(data.aws_eks_clusters.clusters.names) + for_each = toset(var.clusters) name = each.value } diff --git a/modules/services/eks/iam.tf b/modules/services/eks/iam.tf index 50c6feb..f1e5be6 100644 --- a/modules/services/eks/iam.tf +++ b/modules/services/eks/iam.tf @@ -1,5 +1,4 @@ // This is a Single Account installation. The resources are created globally (instead of regionally). - data "aws_iam_policy_document" "ecr_pull_image" { count = local.n @@ -25,7 +24,7 @@ data "aws_iam_policy_document" "ecr_pull_image" { resource "aws_iam_policy" "ecr_pull_image" { count = local.n - name = var.name + name = var.ecr_role_name description = "Allows Sysdig Secure to pull ECR images" policy = data.aws_iam_policy_document.ecr_pull_image[0].json tags = var.tags @@ -59,7 +58,7 @@ data "aws_iam_policy_document" "ecr_assume_role" { resource "aws_iam_role" "ecr" { count = local.n - name = var.name + name = var.ecr_role_name tags = var.tags assume_role_policy = data.aws_iam_policy_document.ecr_assume_role[0].json } @@ -67,7 +66,7 @@ resource "aws_iam_role" "ecr" { resource "aws_iam_policy_attachment" "ecr" { count = local.n - name = var.name + name = var.ecr_role_name roles = [aws_iam_role.ecr[0].name] policy_arn = aws_iam_policy.ecr_pull_image[0].arn } diff --git a/modules/services/eks/locals.tf b/modules/services/eks/locals.tf index 0f34648..ab4a7df 100644 --- a/modules/services/eks/locals.tf +++ b/modules/services/eks/locals.tf 
@@ -1,21 +1,14 @@
 locals {
 account_id = data.aws_caller_identity.current.account_id
- principal_arn = "arn:aws:iam::${local.account_id}:role/${var.role_name}"
+ principal_arn = "arn:aws:iam::${local.account_id}:role/${var.eks_role_name}"
 api_enabled_clusters = [
 for cluster in data.aws_eks_cluster.clusters :
 cluster if contains(["API", "API_AND_CONFIG_MAP"], cluster.access_config[0].authentication_mode)
 ]
- tag_key = "sysdig:secure:scan"
- tag_opt_in_values = ["true", "all"]
- opted_in_clusters = [
- for cluster in local.api_enabled_clusters :
- cluster if var.onboard_all_clusters || contains(var.clusters, cluster.name) || contains(local.tag_opt_in_values, lookup(cluster.tags, local.tag_key, "false"))
- ]
-
 clusters = {
- for cluster in local.opted_in_clusters : cluster.name => cluster
+ for cluster in local.api_enabled_clusters : cluster.name => cluster
 // Only onboard public clusters or clusters that Sysdig has access to
 if cluster.vpc_config[0].endpoint_public_access
 }
@@ -31,3 +24,11 @@ locals {
 // ECR role to pull images
 n = var.deploy_global_resources ? 1 : 0
 }
+
+output "validate_cluster_authentication_mode" {
+ value = null
+ precondition {
+ condition = length(var.clusters) > 0 && length(var.clusters) == length(local.clusters)
+ error_message = "Some clusters are not API-enabled. Sysdig Agentless only supports API-enabled clusters."
+ }
+}
diff --git a/modules/services/eks/variables.tf b/modules/services/eks/variables.tf
index d4c2ba1..0552b27 100644
--- a/modules/services/eks/variables.tf
+++ b/modules/services/eks/variables.tf
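Review bot: The new `validate_cluster_authentication_mode` precondition compares `length(var.clusters)` against `length(local.clusters)`, but `local.clusters` also drops clusters whose `endpoint_public_access` is false, so a private-endpoint cluster fails with "Some clusters are not API-enabled", which points the operator at the wrong setting. Either compare against `length(local.api_enabled_clusters)` here and add a second precondition for the public-endpoint requirement, or widen the message, e.g. `error_message = "Every cluster in var.clusters must use API or API_AND_CONFIG_MAP authentication mode and have a public endpoint."`. The message also cannot say which clusters were rejected; `setsubtract(var.clusters, keys(local.clusters))` interpolated into the message would list them, provided the pinned Terraform version allows expressions in `error_message`. A name in `var.clusters` that does not exist will presumably fail in the `aws_eks_cluster` data-source read before this precondition is evaluated.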
@@ -1,19 +1,12 @@
 // Values required to create access entries
-variable "role_name" {
- description = "(Required) IAM role that Sysdig will assume to access the EKS clusters"
+variable "eks_role_name" {
+ description = "(Required) IAM role that Sysdig will assume to access the EKS clusters. Prerequisite: Before this module can be invoked, Sysdig's CSPM Terraform module needs to create this role."
 type = string
 }
-variable "onboard_all_clusters" {
- description = "(Optional) Set the value to true to ensure Sysdig scans all public clusters. Please note that only clusters with authentication mode set to API or API_AND_CONFIG_MAP will be onboarded."
- type = bool
- default = false
-}
-
 variable "clusters" {
- description = "(Optional) To only scan some public clusters, enter their names here. Please note that only clusters with authentication mode set to API or API_AND_CONFIG_MAP will be onboarded."
+ description = "(Optional) List the clusters that Sysdig will scan. Please note that only clusters with authentication mode set to API or API_AND_CONFIG_MAP will be onboarded."
 type = set(string)
- default = []
 }
 // Values required to create the ECR role
@@ -29,7 +22,7 @@ variable "trusted_identity" {
 default = null
 }
-variable "name" {
+variable "ecr_role_name" {
 description = "(Optional) This value should be provided by Sysdig. The field refers to an installation name, which will also be used to name the IAM role that grants access to pull ECR images."
 type = string
 default = null
@@ -56,7 +49,7 @@ output "validate_deploy_global_resources" {
 error_message = "Please provide external_id or set deploy_global_resources to false."
 }
 precondition {
- condition = (var.deploy_global_resources && var.name != null)
+ condition = (var.deploy_global_resources && var.ecr_role_name != null)
 error_message = "Please provide name or set deploy_global_resources set to false."
 }
 precondition {
From 1c9cadeda8ed38674476fa1140ee2670a1bb0bd2 Mon Sep 17 00:00:00 2001
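Review bot: The `clusters` variable loses its `default = []` in this hunk, which makes it required, yet its new description still begins with `(Optional)`, while the README row in the same commit says `(Required)`; the description should read `description = "(Required) List the clusters that Sysdig will scan. Please note that only clusters with authentication mode set to API or API_AND_CONFIG_MAP will be onboarded."`. In the last hunk the precondition is switched to `var.ecr_role_name` but its message still says `Please provide name or set deploy_global_resources set to false.`, so the operator is told to set a variable that no longer exists; use `error_message = "Please provide ecr_role_name or set deploy_global_resources to false."`. That hunk's enclosing output block starts and ends outside the hunk.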
From: alexeyovriakh Date: Thu, 7 Mar 2024 14:51:29 +0000 Subject: [PATCH 25/31] fix: Remove awscc provider --- modules/services/eks/README.md | 4 ++-- modules/services/eks/eks.tf | 18 ++++++++++++++---- modules/services/eks/locals.tf | 29 +---------------------------- modules/services/eks/versions.tf | 4 ---- 4 files changed, 17 insertions(+), 38 deletions(-) diff --git a/modules/services/eks/README.md b/modules/services/eks/README.md index d1c2422..c8b24e2 100644 --- a/modules/services/eks/README.md +++ b/modules/services/eks/README.md @@ -18,7 +18,6 @@ The following resource will be created in each EKS cluster: | Name | Version | |------|---------| | [aws](#provider\_aws) | >= 5.0 | -| [aws](#provider\_awscc) | >= 0.69 | ## Modules @@ -28,7 +27,8 @@ No modules. | Name | Type | |------|------| -| [awscc_eks_access_entry](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/eks_access_entry) | resource | +| [aws_eks_access_entry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_access_entry) | resource | +| [aws_eks_access_policy_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_access_policy_association) | resource | | [aws_eks_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | | [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | diff --git a/modules/services/eks/eks.tf b/modules/services/eks/eks.tf index 4265b4a..1faecc0 100644 --- a/modules/services/eks/eks.tf +++ b/modules/services/eks/eks.tf 
@@ -1,6 +1,16 @@
-resource "awscc_eks_access_entry" "viewer" {
- for_each = local.clusters
- cluster_name = each.value.name
+resource "aws_eks_access_entry" "viewer" {
+ for_each = var.clusters
+ cluster_name = each.value
 principal_arn = local.principal_arn // TODO: Use data source
- access_policies = [local.cluster_access_policy]
+ type = "STANDARD"
+}
+
+resource "aws_eks_access_policy_association" "viewer" {
+ for_each = var.clusters
+ cluster_name = each.value
+ policy_arn = local.policy_arn
+ principal_arn = local.principal_arn // TODO: Use data source
+ access_scope {
+ type = "cluster"
+ }
 }
diff --git a/modules/services/eks/locals.tf b/modules/services/eks/locals.tf
index ab4a7df..8474a85 100644
--- a/modules/services/eks/locals.tf
+++ b/modules/services/eks/locals.tf
@@ -1,34 +1,7 @@
 locals {
 account_id = data.aws_caller_identity.current.account_id
 principal_arn = "arn:aws:iam::${local.account_id}:role/${var.eks_role_name}"
+ policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
- api_enabled_clusters = [
- for cluster in data.aws_eks_cluster.clusters :
- cluster if contains(["API", "API_AND_CONFIG_MAP"], cluster.access_config[0].authentication_mode)
- ]
-
- clusters = {
- for cluster in local.api_enabled_clusters : cluster.name => cluster
- // Only onboard public clusters or clusters that Sysdig has access to
- if cluster.vpc_config[0].endpoint_public_access
- }
-
- eks_view_policy = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
- cluster_access_policy = {
- access_scope = {
- type = "cluster"
- }
- policy_arn = local.eks_view_policy
- }
-
- // ECR role to pull images
 n = var.deploy_global_resources ? 1 : 0
 }
-
-output "validate_cluster_authentication_mode" {
- value = null
- precondition {
- condition = length(var.clusters) > 0 && length(var.clusters) == length(local.clusters)
- error_message = "Some clusters are not API-enabled. Sysdig Agentless only supports API-enabled clusters."
- }
-}
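Review bot: `aws_eks_access_policy_association.viewer` has no dependency on `aws_eks_access_entry.viewer`; both only reference `var.clusters` and locals, so Terraform may create the association before the access entry exists and the first apply can fail. Taking the principal from the entry, `principal_arn = aws_eks_access_entry.viewer[each.key].principal_arn`, makes the ordering explicit and also resolves the carried-over `// TODO: Use data source` comment. Separately, the locals.tf hunk removes the authentication-mode and public-endpoint filtering together with the `validate_cluster_authentication_mode` precondition, so a cluster still in CONFIG_MAP mode is now reported only as an EKS API error at apply time instead of a clear validation message; if that filtering is intentionally gone, the `clusters` description should state that access entries cannot be created for such clusters, otherwise the precondition should be kept. Binding only `AmazonEKSViewPolicy` at cluster scope keeps the grant read-only, which is the right shape for a scanner principal.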
diff --git a/modules/services/eks/versions.tf b/modules/services/eks/versions.tf index e96643f..bd4ef84 100644 --- a/modules/services/eks/versions.tf +++ b/modules/services/eks/versions.tf @@ -6,9 +6,5 @@ terraform { source = "hashicorp/aws" version = "~> 5.0" } - awscc = { - source = "hashicorp/awscc" - version = "~> 0.69" - } } } From f67af2558b1a49499bb361eab8a7dc6bffd2c01a Mon Sep 17 00:00:00 2001 From: alexeyovriakh Date: Thu, 7 Mar 2024 14:51:57 +0000 Subject: [PATCH 26/31] fix: Remove aws_eks_cluster data source --- modules/services/eks/datasources.tf | 5 ----- 1 file changed, 5 deletions(-) diff --git a/modules/services/eks/datasources.tf b/modules/services/eks/datasources.tf index 310cdea..8fc4b38 100644 --- a/modules/services/eks/datasources.tf +++ b/modules/services/eks/datasources.tf @@ -1,6 +1 @@ data "aws_caller_identity" "current" {} - -data "aws_eks_cluster" "clusters" { - for_each = toset(var.clusters) - name = each.value -} From 122da6ce59f3fb77d84c2849845d180c5403d8ff Mon Sep 17 00:00:00 2001 From: alexeyovriakh Date: Thu, 7 Mar 2024 14:53:12 +0000 Subject: [PATCH 27/31] chore: Fix eks.tf formatting --- modules/services/eks/eks.tf | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/modules/services/eks/eks.tf b/modules/services/eks/eks.tf index 1faecc0..fe061e4 100644 --- a/modules/services/eks/eks.tf +++ b/modules/services/eks/eks.tf 
@@ -1,15 +1,15 @@ resource "aws_eks_access_entry" "viewer" { - for_each = var.clusters - cluster_name = each.value - principal_arn = local.principal_arn // TODO: Use data source - type = "STANDARD" + for_each = var.clusters + cluster_name = each.value + principal_arn = local.principal_arn // TODO: Use data source + type = "STANDARD" } resource "aws_eks_access_policy_association" "viewer" { - for_each = var.clusters - cluster_name = each.value - policy_arn = local.policy_arn - principal_arn = local.principal_arn // TODO: Use data source + for_each = var.clusters + cluster_name = each.value + policy_arn = local.policy_arn + principal_arn = local.principal_arn // TODO: Use data source access_scope { type = "cluster" } From 2c296f8740feb3b21bd00e6cffe316b402e8ad9f Mon Sep 17 00:00:00 2001 From: alexeyovriakh Date: Thu, 7 Mar 2024 14:56:18 +0000 Subject: [PATCH 28/31] chore: Fix README anchor --- modules/services/eks/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/services/eks/README.md b/modules/services/eks/README.md index c8b24e2..652ed61 100644 --- a/modules/services/eks/README.md +++ b/modules/services/eks/README.md 
@@ -29,7 +29,6 @@ No modules. |------|------| | [aws_eks_access_entry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_access_entry) | resource | | [aws_eks_access_policy_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_access_policy_association) | resource | -| [aws_eks_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | | [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | 
@@ -39,7 +38,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [eks_role_name](#var\_eks\_role\_name) | (Required) IAM role that Sysdig will assume to access the EKS clusters. Prerequisite: Before this module can be invoked, Sysdig's CSPM Terraform module needs to create this role. | `string` | N/A | Yes | +| [eks_role_name](#var\_eks\_role\_name) | (Required) IAM role that Sysdig will assume to access the EKS clusters. Prerequisite: Before this module can be invoked, Sysdig's CSPM Terraform module needs to create this role. | `string` | N/A | Yes | | [clusters](#var\_clusters) | (Required) List the clusters that Sysdig will scan. Please note that only clusters with authentication mode set to API or API_AND_CONFIG_MAP will be onboarded. | `set(string)` | | Yes | | [deploy\_global\_resources](#var\_deploy\_global\_resources) | (Optional) Setting this field to 'true' creates an IAM role that allows Sysdig to pull ECR images in order to scan them. | `bool` | `false` | No | | [external\_id](#var\_external\_id) | (Optional) This value should be provided by Sysdig. External ID is optional information that you can use in an IAM role trust policy to designate who in Sysdig can assume the role | `string` | | No | From 789fae54c7c87a234cec63c5a93e6418afbaee69 Mon Sep 17 00:00:00 2001 From: alexeyovriakh Date: Thu, 7 Mar 2024 15:00:52 +0000 Subject: [PATCH 29/31] chore: Update the intro section in README --- modules/services/eks/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/services/eks/README.md b/modules/services/eks/README.md index 652ed61..06f4fb3 100644 --- a/modules/services/eks/README.md +++ b/modules/services/eks/README.md 
@@ -1,6 +1,6 @@ # AWS EKS Module -This module will onboard AWS EKS clusters into Agentless scanning. +This module will grant Sysdig view-only access to the AWS EKS clusters specified in the `clusters` variable. The following resource will be created in each EKS cluster: - EKS access entry that assigns `AmazonEKSViewPolicy` to Sysdig's IAM principal 
@@ -38,13 +38,13 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [eks_role_name](#var\_eks\_role\_name) | (Required) IAM role that Sysdig will assume to access the EKS clusters. Prerequisite: Before this module can be invoked, Sysdig's CSPM Terraform module needs to create this role. | `string` | N/A | Yes |
+| [eks_role_name](#var\_eks\_role\_name) | (Required) IAM role that Sysdig will assume to access the EKS clusters. Prerequisite: Before this module can be invoked, Sysdig's CSPM Terraform module needs to create this role. | `string` | | Yes |
 | [clusters](#var\_clusters) | (Required) List the clusters that Sysdig will scan. Please note that only clusters with authentication mode set to API or API_AND_CONFIG_MAP will be onboarded. | `set(string)` | | Yes |
 | [deploy\_global\_resources](#var\_deploy\_global\_resources) | (Optional) Setting this field to 'true' creates an IAM role that allows Sysdig to pull ECR images in order to scan them. | `bool` | `false` | No |
-| [external\_id](#var\_external\_id) | (Optional) This value should be provided by Sysdig. External ID is optional information that you can use in an IAM role trust policy to designate who in Sysdig can assume the role | `string` | | No |
+| [trusted\_identity](#var\_trusted\_identity) | (Optional) This value should be provided by Sysdig. The field refers to Sysdig's IAM role that will be authorized to pull ECR images | `string` | | No |
 | [ecr_role_name](#var\_ecr\_role\_name) | (Optional) This value should be provided by Sysdig. The field refers to an installation name, which will also be used to name the IAM role that grants access to pull ECR images | `string` | | No |
+| [external\_id](#var\_external\_id) | (Optional) This value should be provided by Sysdig. 
External ID is optional information that you can use in an IAM role trust policy to designate who in Sysdig can assume the role | `string` | | No | | [tags](#var\_tags) | (Optional) This value should be provided by Sysdig. Tags that will be associated with the IAM role. | `map(string)` |
{ "product": "sysdig-secure-for-cloud" }
| No |
-| [trusted\_identity](#var\_trusted\_identity) | (Optional) This value should be provided by Sysdig. The field refers to Sysdig's IAM role that will be authorized to pull ECR images | `string` | | No |
 ## Outputs
From 4b9a068f2834149911a810e1bf00a86915d9ab49 Mon Sep 17 00:00:00 2001
From: alexeyovriakh
Date: Tue, 12 Mar 2024 12:09:09 +0000
Subject: [PATCH 30/31] refactor: Remove count from data sources
---
 modules/services/eks/iam.tf | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/modules/services/eks/iam.tf b/modules/services/eks/iam.tf
index f1e5be6..65ad0a6 100644
--- a/modules/services/eks/iam.tf
+++ b/modules/services/eks/iam.tf
@@ -1,7 +1,5 @@
 // This is a Single Account installation. The resources are created globally (instead of regionally).
 data "aws_iam_policy_document" "ecr_pull_image" {
- count = local.n
-
 statement {
 sid = "SysdigEcrPullImagePermissions"
@@ -31,8 +29,6 @@ resource "aws_iam_policy" "ecr_pull_image" {
 }
 data "aws_iam_policy_document" "ecr_assume_role" {
- count = local.n
-
 statement {
 sid = "SysdigEcrAssumeRole"
From 4f69256560e5148fdc5281e41cb84fced6e0fd03 Mon Sep 17 00:00:00 2001
From: alexeyovriakh
Date: Tue, 12 Mar 2024 12:09:53 +0000
Subject: [PATCH 31/31] chore: Update ecr_role_name error message
---
 modules/services/eks/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/services/eks/variables.tf b/modules/services/eks/variables.tf
index 0552b27..afba257 100644
--- a/modules/services/eks/variables.tf
+++ b/modules/services/eks/variables.tf
@@ -50,7 +50,7 @@ output "validate_deploy_global_resources" {
 }
 precondition {
 condition = (var.deploy_global_resources && var.ecr_role_name != null)
- error_message = "Please provide name or set deploy_global_resources set to false."
+ error_message = "Please provide ecr_role_name or set deploy_global_resources set to false."
 }
 precondition {
 condition = (var.deploy_global_resources && var.trusted_identity != null)
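Review bot: Removing `count = local.n` from `data.aws_iam_policy_document.ecr_pull_image` (and, in the second hunk, `ecr_assume_role`) changes how their attributes must be addressed, yet the commit has no insertions, so whatever consumes them was not touched. If `aws_iam_policy.ecr_pull_image`, named in the second hunk's header, or the role trust policy still reads `data.aws_iam_policy_document.ecr_pull_image[0].json`, plan will now fail because a data source without count cannot be referenced with an index key; the references need to be `data.aws_iam_policy_document.ecr_pull_image.json` and `data.aws_iam_policy_document.ecr_assume_role.json`. This is inferred from the diffstat rather than from visible lines, so it is worth a quick check of the `policy` and `assume_role_policy` arguments. Both data source bodies continue past their hunks.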
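Review bot: The precondition whose message this hunk rewrites cannot be satisfied by following its own advice: `condition = (var.deploy_global_resources && var.ecr_role_name != null)` is false whenever deploy_global_resources is false, so setting it to false — exactly what the new error_message recommends — fails the check instead of skipping it. The intended rule is presumably "ecr_role_name is required only when global resources are deployed", i.e. `condition = !var.deploy_global_resources || var.ecr_role_name != null`, and the trusted_identity precondition on the hunk's last line has the same inversion. The message text also carries a doubled "set"; `error_message = "Please provide ecr_role_name or set deploy_global_resources to false."` reads cleanly. The enclosing output block starts before the hunk.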