draios · alexeyovriakh · Mar 12, 2024 · Feb 7, 2024 · Feb 7, 2024 · Feb 8, 2024
@@ -0,0 +1,61 @@
+# AWS EKS Module
+
+This module will grant Sysdig view-only access to the AWS EKS clusters specified in the `clusters` variable.
+
+The following resource will be created in each EKS cluster:
+- EKS access entry that assigns `AmazonEKSViewPolicy` to Sysdig's IAM principal
+- IAM role that grants Sysdig permissions to pull ECR images
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.7 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_eks_access_entry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_access_entry) | resource |
+| [aws_eks_access_policy_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_access_policy_association) | resource |
+| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
+| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="var_eks_role_name"></a> [eks_role_name](#var\_eks\_role\_name) | (Required) IAM role that Sysdig will assume to access the EKS clusters. Prerequisite: Before this module can be invoked, Sysdig's CSPM Terraform module needs to create this role. | `string` | | Yes |
+| <a name="var_clusters"></a> [clusters](#var\_clusters) | (Required) List the clusters that Sysdig will scan. Please note that only clusters with authentication mode set to API or API_AND_CONFIG_MAP will be onboarded. | `set(string)` | | Yes |
+| <a name="var_deploy_global_resources"></a> [deploy\_global\_resources](#var\_deploy\_global\_resources) | (Optional) Setting this field to 'true' creates an IAM role that allows Sysdig to pull ECR images in order to scan them. | `bool` | `false` | No |
+| <a name="var_trusted_identity"></a> [trusted\_identity](#var\_trusted\_identity) | (Optional) This value should be provided by Sysdig. The field refers to Sysdig's IAM role that will be authorized to pull ECR images | `string` | | No |
+| <a name="var_ecr_role_name"></a> [ecr_role_name](#var\_ecr\_role\_name) | (Optional) This value should be provided by Sysdig. The field refers to an installation name, which will also be used to name the IAM role that grants access to pull ECR images | `string` | | No |
+| <a name="var_external_id"></a> [external\_id](#var\_external\_id) | (Optional) This value should be provided by Sysdig. External ID is optional information that you can use in an IAM role trust policy to designate who in Sysdig can assume the role | `string` | | No |
+| <a name="var_tags"></a> [tags](#var\_tags) | (Optional) This value should be provided by Sysdig. Tags that will be associated with the IAM role. | `map(string)` | <pre>{ "product": "sysdig-secure-for-cloud" }</pre> | No |
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Authors
+
+Module is maintained by [Sysdig](https://sysdig.com).
+
+## License
+
+Apache 2 Licensed. See LICENSE for full details.
+
@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}
@@ -0,0 +1,16 @@
+resource "aws_eks_access_entry" "viewer" {
+  for_each      = var.clusters
+  cluster_name  = each.value
+  principal_arn = local.principal_arn // TODO: Use data source
+  type          = "STANDARD"
+}
+
+resource "aws_eks_access_policy_association" "viewer" {
+  for_each      = var.clusters
+  cluster_name  = each.value
+  policy_arn    = local.policy_arn
+  principal_arn = local.principal_arn // TODO: Use data source
+  access_scope {
+    type = "cluster"
+  }
+}
@@ -0,0 +1,68 @@
+// This is a Single Account installation. The resources are created globally (instead of regionally). 
+data "aws_iam_policy_document" "ecr_pull_image" {
+  statement {
+    sid = "SysdigEcrPullImagePermissions"
+
+    effect = "Allow"
+
+    actions = [
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:ListImages",
+      "ecr:GetAuthorizationToken",
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
+}
+
+resource "aws_iam_policy" "ecr_pull_image" {
+  count = local.n
+
+  name        = var.ecr_role_name
+  description = "Allows Sysdig Secure to pull ECR images"
+  policy      = data.aws_iam_policy_document.ecr_pull_image[0].json
+  tags        = var.tags
+}
+
+data "aws_iam_policy_document" "ecr_assume_role" {
+  statement {
+    sid = "SysdigEcrAssumeRole"
+
+    actions = [
+      "sts:AssumeRole"
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        var.trusted_identity,
+      ]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "sts:ExternalId"
+      values   = [var.external_id]
+    }
+  }
+}
+
+resource "aws_iam_role" "ecr" {
+  count = local.n
+
+  name               = var.ecr_role_name
+  tags               = var.tags
+  assume_role_policy = data.aws_iam_policy_document.ecr_assume_role[0].json
+}
+
+resource "aws_iam_policy_attachment" "ecr" {
+  count = local.n
+
+  name       = var.ecr_role_name
+  roles      = [aws_iam_role.ecr[0].name]
+  policy_arn = aws_iam_policy.ecr_pull_image[0].arn
+}
@@ -0,0 +1,7 @@
+locals {
+  account_id    = data.aws_caller_identity.current.account_id
+  principal_arn = "arn:aws:iam::${local.account_id}:role/${var.eks_role_name}"
+  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
+
+  n = var.deploy_global_resources ? 1 : 0
+}
@@ -0,0 +1,59 @@
+// Values required to create access entries
+variable "eks_role_name" {
+  description = "(Required) IAM role that Sysdig will assume to access the EKS clusters. Prerequisite: Before this module can be invoked, Sysdig's CSPM Terraform module needs to create this role."
+  type        = string
+}
+
+variable "clusters" {
+  description = "(Optional) List the clusters that Sysdig will scan. Please note that only clusters with authentication mode set to API or API_AND_CONFIG_MAP will be onboarded."
+  type        = set(string)
+}
+
+// Values required to create the ECR role
+variable "deploy_global_resources" {
+  description = "(Optional) Setting this field to 'true' creates an IAM role that allows Sysdig to pull ECR images in order to scan them."
+  type        = bool
+  default     = false
+}
+
+variable "trusted_identity" {
+  type        = string
+  description = "(Optional) This value should be provided by Sysdig. The field refers to Sysdig's IAM role that will be authorized to pull ECR images."
+  default     = null
+}
+
+variable "ecr_role_name" {
+  description = "(Optional) This value should be provided by Sysdig. The field refers to an installation name, which will also be used to name the IAM role that grants access to pull ECR images."
+  type        = string
+  default     = null
+}
+
+variable "external_id" {
+  description = "(Optional) This value should be provided by Sysdig. External ID is optional information that you can use in an IAM role trust policy to designate who in Sysdig can assume the role."
+  type        = string
+  default     = null
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "(Optional) This value should be provided by Sysdig. Tags that will be associated with the IAM role."
+  default = {
+    "product" = "sysdig-secure-for-cloud"
+  }
+}
+
+output "validate_deploy_global_resources" {
+  value = null
+  precondition {
+    condition     = (var.deploy_global_resources && var.external_id != null)
+    error_message = "Please provide external_id or set deploy_global_resources to false."
+  }
+  precondition {
+    condition     = (var.deploy_global_resources && var.ecr_role_name != null)
+    error_message = "Please provide ecr_role_name or set deploy_global_resources set to false."
+  }
+  precondition {
+    condition     = (var.deploy_global_resources && var.trusted_identity != null)
+    error_message = "Please provide trusted_identity or set deploy_global_resources to false."
+  }
+}
@@ -0,0 +1,10 @@
+terraform {
+  required_version = "~> 1.7"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}