feat(modules/cloud-logs): add list of regions we want to scrape (SSPR…

…OD-46506) (#17)
sysdiglabs · Oct 8, 2024 · 2b58df2 · 2b58df2
1 parent 84de7bf
commit 2b58df2
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 12 deletions.
diff --git a/modules/integrations/cloud-logs/README.md b/modules/integrations/cloud-logs/README.md
@@ -31,6 +31,7 @@ No modules.
 |----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|
 | [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
 | [aws_iam_role.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role)                                                         | resource |
+| [aws_iam_role_policy.cloudlogs_s3_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy)                                                         | resource |
 | [aws_iam_policy_document.assume_cloudlogs_s3_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)                    | data source |
 | [aws_iam_policy_document.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)                                | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
@@ -40,12 +41,13 @@ No modules.
 
 ## Inputs
 
-| Name                                                               | Description                                                                                                                                   | Type | Default                                                     | Required |
-|--------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|------|-------------------------------------------------------------|:--------:|
-| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account) | `string` | n/a | yes |
-| <a name="input_folder_arn"></a> [folder\_arn](#input\_folder\_arn) | (Required) The ARN of your CloudTrail Bucket Folder                                                                                           | `string` | n/a                                                         |   yes    |
-| <a name="input_tags"></a> [tags](#input\_tags)                     | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required.                                        | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> |    no    |
-| <a name="input_name"></a> [name](#input\_name)                     | (Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning                           | `string` | sysdig-secure-cloudlogs |    no    |
+| Name                                                                                                             | Description                                                                                                                         | Type          | Default                                                   | Required |
+|------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|---------------|-----------------------------------------------------------|:--------:|
+| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account) | `string`      | n/a                                                       | yes |
+| <a name="input_folder_arn"></a> [folder\_arn](#input\_folder\_arn)                                               | (Required) The ARN of your CloudTrail Bucket Folder                                                                                 | `string`      | n/a                                                       |   yes    |
+| <a name="input_tags"></a> [tags](#input\_tags)                                                                   | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required.                              | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> |    no    |
+| <a name="input_name"></a> [name](#input\_name)                                                                   | (Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning                 | `string`      | sysdig-secure-cloudlogs                                   |    no    |
+| <a name="input_regions"></a> [regions](#input\_regions)                                                          | (Optional) The list of AWS regions we want to scrape data from                           | `set(string)` | `[]`                                                        |    no    |
 
 ## Outputs
 

diff --git a/modules/integrations/cloud-logs/main.tf b/modules/integrations/cloud-logs/main.tf
@@ -27,7 +27,6 @@ data "sysdig_secure_tenant_external_id" "external_id" {}
 locals {
   account_id_hash  = substr(md5(data.aws_caller_identity.current.account_id), 0, 4)
   role_name = "${var.name}-${random_id.suffix.hex}-${local.account_id_hash}"
-
   bucket_arn = regex("^([^/]+)", var.folder_arn)[0]
 }
 
@@ -43,12 +42,14 @@ resource "random_id" "suffix" {
 resource "aws_iam_role" "cloudlogs_s3_access" {
   name = local.role_name
   tags = var.tags
-
   assume_role_policy = data.aws_iam_policy_document.assume_cloudlogs_s3_access_role.json
-  inline_policy {
-    name   = "cloudlogs_s3_access_policy"
-    policy = data.aws_iam_policy_document.cloudlogs_s3_access.json
-  }
+}
+
+// AWS IAM Role Policy that will be used by CloudIngestion to access the CloudTrail-associated s3 bucket
+resource "aws_iam_role_policy" "cloudlogs_s3_access_policy" {
+  name   = "cloudlogs_s3_access_policy"
+  role   = aws_iam_role.cloudlogs_s3_access.name
+  policy = data.aws_iam_policy_document.cloudlogs_s3_access.json
 }
 
 # IAM Policy Document used for the assume role policy
@@ -120,6 +121,7 @@ resource "sysdig_secure_cloud_auth_account_component" "aws_cloud_logs" {
       cloudtrailS3Bucket = {
         folder_arn    = var.folder_arn
         role_name     = local.role_name
+        regions       = var.regions
       }
     }
   })

diff --git a/modules/integrations/cloud-logs/variables.tf b/modules/integrations/cloud-logs/variables.tf
@@ -22,3 +22,9 @@ variable "name" {
   type        = string
   default     = "sysdig-secure-cloudlogs"
 }
+
+variable "regions" {
+  description = "(Optional) The list of AWS regions we want to scrape data from"
+  type        = set(string)
+  default     = []
+}