From 020e50f1008fea0c8f16ada666aaea39c0f95349 Mon Sep 17 00:00:00 2001
From: Miguel Pais
Date: Mon, 2 Dec 2024 17:34:33 +0100
Subject: [PATCH] [SSPROD-48724] AWS Modular Onboarding for VM Workload Scanning (#25)
* First version of VM Workload Scanning component for AWS
* Small fixes to examples
* With lambda included
* Some fixes
* Some changes
* Workload scanning for AWS without EKS
* Corrections from testing onboarding
* Examples fix
* Comments from chris geers
---
 modules/config-posture/README.md | 3 +
 modules/config-posture/outputs.tf | 11 ++
 modules/vm-workload-scanning/README.md | 77 +++++++++
 modules/vm-workload-scanning/locals.tf | 9 +
 modules/vm-workload-scanning/main.tf | 161 ++++++++++++++++++
 .../vm-workload-scanning/organizational.tf | 149 ++++++++++++++++
 modules/vm-workload-scanning/outputs.tf | 11 ++
 modules/vm-workload-scanning/variables.tf | 43 +++++
 modules/vm-workload-scanning/versions.tf | 14 ++
 .../organization/vm-workload-scanning-ecs.tf | 15 ++
 .../vm-workload-scanning-lambda.tf | 17 ++
 .../vm-workload-scanning-ecs.tf | 14 ++
 .../vm-workload-scanning-lambda.tf | 16 ++
 13 files changed, 540 insertions(+)
 create mode 100644 modules/vm-workload-scanning/README.md
 create mode 100644 modules/vm-workload-scanning/locals.tf
 create mode 100644 modules/vm-workload-scanning/main.tf
 create mode 100644 modules/vm-workload-scanning/organizational.tf
 create mode 100644 modules/vm-workload-scanning/outputs.tf
 create mode 100644 modules/vm-workload-scanning/variables.tf
 create mode 100644 modules/vm-workload-scanning/versions.tf
 create mode 100644 test/examples/organization/vm-workload-scanning-ecs.tf
 create mode 100644 test/examples/organization/vm-workload-scanning-lambda.tf
 create mode 100644 test/examples/single_account/vm-workload-scanning-ecs.tf
 create mode 100644 test/examples/single_account/vm-workload-scanning-lambda.tf
diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md
index 30606d8..70c7e5f 100644
--- a/modules/config-posture/README.md
+++ b/modules/config-posture/README.md
@@ -63,6 +63,9 @@ No modules.
 | Name | Description |
 |------|-------------|
+| [config_posture_component_id](#output_config_posture_component_id) | Component identifier of trusted identity created in Sysdig Backend for Config Posture |
+| [cspm_role_arn](#output_cspm_role_arn) | The ARN of the CSPM role |
+| [sysdig_secure_account_id](#output_sysdig_secure_account_id) | ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account) |
 | [config\_posture\_component\_id](#output\_config\_posture\_component\_id) | The component id of the config posture trusted identity |
diff --git a/modules/config-posture/outputs.tf b/modules/config-posture/outputs.tf
index a84a0a8..0c34e93 100644
--- a/modules/config-posture/outputs.tf
+++ b/modules/config-posture/outputs.tf
@@ -2,4 +2,15 @@ output "config_posture_component_id" {
 value = "${sysdig_secure_cloud_auth_account_component.config_posture_role.type}/${sysdig_secure_cloud_auth_account_component.config_posture_role.instance}"
 description = "Component identifier of trusted identity created in Sysdig Backend for Config Posture"
 depends_on = [sysdig_secure_cloud_auth_account_component.config_posture_role]
+}
+
+output "cspm_role_arn" {
+ value = aws_iam_role.cspm_role.arn
+ description = "The ARN of the CSPM role"
+ depends_on = [aws_iam_role.cspm_role]
+}
+
+output "sysdig_secure_account_id" {
+ value = var.sysdig_secure_account_id
+ description = "ID of the Sysdig Cloud Account to enable Config Posture for (incase of organization, ID of the Sysdig management account)"
 }
\ No newline at end of file
diff --git a/modules/vm-workload-scanning/README.md b/modules/vm-workload-scanning/README.md
new file mode 100644
index 0000000..43d24a4
--- /dev/null
+++ b/modules/vm-workload-scanning/README.md
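Review bot: In modules/config-posture/outputs.tf the description of `sysdig_secure_account_id` reads `incase of organization`, while the README row added by the same commit reads `in case`; if the README table is generated from these descriptions, the next regeneration will carry the typo back into it. The string should read `"ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account)"`. The `depends_on` on `cspm_role_arn` adds nothing, because `value` already references `aws_iam_role.cspm_role`.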
@@ -0,0 +1,77 @@
+# AWS VM Workload Scanning Module
+
+This Module creates the resources required to perform agentless workload scanning operations.
+By default, it will create a role with permissions necessary to access and pull ECR images in the account where it is deployed.
+Combined with the base onboarding, this allows for scanning ECS Services and Tasks pointing to ECR images.
+Also public docker images and private repos are supported, as long as private repository permissions are granted to Sysdig using the Registry Credentials UI.
+
+Optional, if AWS Lambda is enabled, we will have visibility on a set of Lambda functions in the account and be able to scan its resources.
+
+The following resources will be created in each instrumented account:
+- An IAM Role and associated policies that allows Sysdig to perform tasks necessary for vm agentless workload scanning, i.e.
+pull images from ECR, optionally obtain lambda function code and details.
+
+
+## Requirements
+
+| Name | Version |
+|---------------------------------------------------------------------------|-----------|
+| [terraform](#requirement\_terraform) | ~> 1.7 |
+| [aws](#requirement\_aws) | >= 5.60.0 |
+| [sysdig](#requirement\_sysdig) | ~> 1.37 |
+
+## Providers
+
+| Name | Version |
+|------------------------------------------------------------|----------|
+| [aws](#provider\_aws) | >= 5.60.0 |
+| [sysdig](#provider\_sysdig) | ~> 1.37 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [sysdig_secure_tenant_external_id.external_id](https://registry.terraform.io/providers/sysdig/sysdig/latest/docs/data-sources/tenant_external_id) | data source |
+| [aws_iam_policy.ecr_scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_policy_attachment.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
+| [sysdig_secure_cloud_auth_account_component.vm_workload_scanning_account_component](https://registry.terraform.io/providers/sysdig/sysdig/latest/docs/resources/cloud_auth_account_component) | resource |
+| [aws_cloudformation_stack_set.scanning_role_stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource |
+| [aws_cloudformation_stack_set_instance.scanning_role_stackset_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
+| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
+
+
+## Inputs
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [tags](#input_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | { "product": "sysdig-secure-for-cloud" } | no |
+| [is_organizational](#input_is_organizational) | Set this field to 'true' to deploy Agentless Workload Scanning to an AWS Organization (Or specific OUs) | `bool` | `false` | no |
+| [organizational_units_ids](#input_org_units) | List of Organization Unit IDs in which to setup Agentless Workload Scanning. By default, Agentless Workload Scanning will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false` | `set(string)` | `[]` | no |
+| [timeout](#input_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no |
+| [failure_tolerance_percentage](#input_failure_tolerance_percentage) | The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region | `number` | `90` | no |
+| [lambda_scanning_enabled](#input_lambda_scanning_enabled) | Set this field to 'true' to deploy Agentless Workload Scanning for Lambda functions | `bool` | `false` | no |
+| [sysdig_secure_account_id](#input_sysdig_secure_account_id) | ID of the Sysdig Cloud Account to enable Config Posture for (in case of organization, ID of the Sysdig management account) | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [role_arn](#output_role_arn) | Role used by Sysdig Platform for Agentless Workload Scanning |
+| [vm_workload_scanning_component_id](#output_vm_workload_scanning_component_id) | Component identifier of trusted identity created in Sysdig Backend for VM Workload Scanning |
+
+
+
+## Authors
+
+Module is maintained by [Sysdig](https://sysdig.com).
+
+## License
+
+Apache 2 Licensed. See LICENSE for full details.
diff --git a/modules/vm-workload-scanning/locals.tf b/modules/vm-workload-scanning/locals.tf
new file mode 100644
index 0000000..ad2c39e
--- /dev/null
+++ b/modules/vm-workload-scanning/locals.tf
@@ -0,0 +1,9 @@
+// generate a random suffix for the config-posture role name
+
+resource "random_id" "suffix" {
+ byte_length = 3
+}
+
+locals {
+ ecr_role_name = "sysdig-vm-workload-scanning-${random_id.suffix.hex}"
+}
diff --git a/modules/vm-workload-scanning/main.tf b/modules/vm-workload-scanning/main.tf
new file mode 100644
index 0000000..e4652b3
--- /dev/null
+++ b/modules/vm-workload-scanning/main.tf
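Review bot: In modules/vm-workload-scanning/locals.tf the comment above `random_id.suffix` still names the config-posture role, although the suffix feeds `local.ecr_role_name`; it should read `// generate a random suffix for the vm-workload-scanning role name`. The module README added in this commit lists only the aws and sysdig providers, so if versions.tf (not visible here) omits `hashicorp/random` from `required_providers`, Terraform resolves that provider without a version constraint. Declaring it there with a pinned range keeps the provider set reviewable.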
@@ -0,0 +1,161 @@
+data "sysdig_secure_tenant_external_id" "cloud_auth_external_id" {}
+
+data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
+ cloud_provider = "aws"
+}
+
+###########################################
+# Workload Controller IAM roles and stuff #
+###########################################
+
+#-----------------------------------------------------------------------------------------------------------------------
+# Determine if this is an Organizational install, or a single account install. For Single Account installs, resources
+# are created directly using the AWS Terraform Provider (This is the default behaviour). For Organizational installs,
+# see organizational.tf, and the resources in this file are used to instrument the management account (StackSets do not
+# include the management account they are created in, even if this account is within the target Organization).
+#-----------------------------------------------------------------------------------------------------------------------
+
+#-----------------------------------------------------------------------------------------------------------------------
+# These resources create an Agentless Workload Scanning IAM Role and IAM Policy in the account.
+#-----------------------------------------------------------------------------------------------------------------------
+
+data "aws_iam_policy_document" "scanning" {
+ # General ECR read permission, necessary for the fetching artifacts.
+ statement {
+ sid = "EcrReadPermissions"
+
+ effect = "Allow"
+
+ actions = [
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:BatchGetImage",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:ListImages",
+ "ecr:GetAuthorizationToken",
+ ]
+
+ resources = [
+ "*",
+ ]
+ }
+}
+
+data "aws_iam_policy_document" "functions" {
+ count = var.lambda_scanning_enabled ? 1 : 0
+
+ statement {
+ sid = "SysdigWorkloadFunctionsScanning"
+
+ effect = "Allow"
+
+ actions = [
+ "lambda:GetFunction",
+ "lambda:GetFunctionConfiguration",
+ "lambda:GetRuntimeManagementConfig",
+ "lambda:ListFunctions",
+ "lambda:ListTagsForResource",
+ "lambda:GetLayerVersionByArn",
+ "lambda:GetLayerVersion",
+ "lambda:ListLayers",
+ "lambda:ListLayerVersions"
+ ]
+
+ resources = [
+ "*",
+ ]
+ }
+}
+
+resource "aws_iam_policy" "ecr_scanning" {
+ count = var.is_organizational ? 0 : 1
+
+ name = "${local.ecr_role_name}-ecr"
+ description = "Grants Sysdig Secure access to ECR images"
+ policy = data.aws_iam_policy_document.scanning.json
+ tags = var.tags
+}
+
+resource "aws_iam_policy" "functions_scanning" {
+ count = var.lambda_scanning_enabled && !var.is_organizational? 1 : 0
+
+ name = "${local.ecr_role_name}-functions"
+ description = "Grants Sysdig Secure access to AWS Lambda"
+ policy = data.aws_iam_policy_document.functions[0].json
+ tags = var.tags
+}
+
+data "aws_iam_policy_document" "scanning_assume_role_policy" {
+ statement {
+ sid = "SysdigWorkloadScanning"
+
+ actions = [
+ "sts:AssumeRole"
+ ]
+
+ principals {
+ type = "AWS"
+ identifiers = [
+ data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity
+ ]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "sts:ExternalId"
+ values = [data.sysdig_secure_tenant_external_id.cloud_auth_external_id.external_id]
+ }
+ }
+}
+
+resource "aws_iam_role" "scanning" {
+ count = var.is_organizational ? 0 : 1
+
+ name = local.ecr_role_name
+ tags = var.tags
+ assume_role_policy = data.aws_iam_policy_document.scanning_assume_role_policy.json
+}
+
+resource "aws_iam_policy_attachment" "scanning" {
+ count = var.is_organizational ? 0 : 1
+
+ name = local.ecr_role_name
+ roles = [aws_iam_role.scanning[0].name]
+ policy_arn = aws_iam_policy.ecr_scanning[0].arn
+}
+
+resource "aws_iam_policy_attachment" "functions" {
+ count = var.lambda_scanning_enabled && !var.is_organizational ? 1 : 0
+
+ name = local.ecr_role_name
+ roles = [aws_iam_role.scanning[0].name]
+ policy_arn = aws_iam_policy.functions_scanning[0].arn
+}
+
+#--------------------------------------------------------------------------------------------------------------
+# Call Sysdig Backend to add the trusted role for Config Posture to the Sysdig Cloud Account
+#
+# Note (optional): To ensure this gets called after all cloud resources are created, add
+# explicit dependency using depends_on
+#--------------------------------------------------------------------------------------------------------------
+resource "sysdig_secure_cloud_auth_account_component" "vm_workload_scanning_account_component" {
+ account_id = var.sysdig_secure_account_id
+
+ type = "COMPONENT_TRUSTED_ROLE"
+ instance = "secure-vm-workload-scanning"
+ version = "v0.1.0"
+ trusted_role_metadata = jsonencode({
+ aws = {
+ role_name = aws_iam_role.scanning[0].name
+ }
+ })
+
+ depends_on = [
+ aws_iam_policy.ecr_scanning,
+ aws_iam_role.scanning,
+ aws_iam_policy_attachment.scanning,
+ aws_cloudformation_stack_set.scanning_role_stackset,
+ aws_cloudformation_stack_set_instance.scanning_role_stackset_instance,
+ aws_iam_policy.functions_scanning,
+ aws_iam_policy_attachment.functions,
+ ]
+}
diff --git a/modules/vm-workload-scanning/organizational.tf b/modules/vm-workload-scanning/organizational.tf
new file mode 100644
index 0000000..e90edf0
--- /dev/null
+++ b/modules/vm-workload-scanning/organizational.tf
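Review bot: `role_name = aws_iam_role.scanning[0].name` in `sysdig_secure_cloud_auth_account_component.vm_workload_scanning_account_component` (modules/vm-workload-scanning/main.tf) indexes a resource whose `count` is 0 when `var.is_organizational` is true, so an organizational plan should fail with an invalid-index error; the header comment also says these resources instrument the management account in that mode, which the `count` expressions contradict. Using `role_name = local.ecr_role_name` works in both modes, provided the StackSet in organizational.tf (not fully visible here) creates the role under that name. Separately, `aws_iam_policy_attachment` manages a policy's attachments exclusively and will detach it from any other principal; `aws_iam_role_policy_attachment` with `role = aws_iam_role.scanning[0].name` is the non-exclusive form. The `functions` statement grants `lambda:GetFunction` and `lambda:GetFunctionConfiguration` on `*`, which lets the externally assumed role read function code and environment variables for every function in the account, so the `lambda_scanning_enabled` description should state that.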
@@ -0,0 +1,149 @@
+#-----------------------------------------------------------------------------------------------------------------------
+# Determine if this is an Organizational install, or a single account install. For Organizational installs, resources
+# are created using CloudFormation StackSet. For Single Account installs see main.tf.
+#-----------------------------------------------------------------------------------------------------------------------
+
+data "aws_organizations_organization" "org" {
+ count = var.is_organizational ? 1 : 0
+}
+
+locals {
+ organizational_unit_ids = var.is_organizational && length(var.organizational_unit_ids) == 0 ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : toset(var.organizational_unit_ids)
+}
+
+locals {
+ policy_document_no_lambda = <