From 2b58df2aeeadc1cdcb6673255ffb36fe2a4727bb Mon Sep 17 00:00:00 2001
From: Sanja Kosier <43904019+SKosier@users.noreply.github.com>
Date: Tue, 8 Oct 2024 10:40:31 +0200
Subject: [PATCH] feat(modules/cloud-logs): add list of regions we want to
scrape (SSPROD-46506) (#17)
---
modules/integrations/cloud-logs/README.md | 14 ++++++++------
modules/integrations/cloud-logs/main.tf | 14 ++++++++------
modules/integrations/cloud-logs/variables.tf | 6 ++++++
3 files changed, 22 insertions(+), 12 deletions(-)
diff --git a/modules/integrations/cloud-logs/README.md b/modules/integrations/cloud-logs/README.md
index ae20f99..effe728 100644
--- a/modules/integrations/cloud-logs/README.md
+++ b/modules/integrations/cloud-logs/README.md
@@ -31,6 +31,7 @@ No modules.
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|
| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
| [aws_iam_role.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.cloudlogs_s3_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_policy_document.assume_cloudlogs_s3_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
@@ -40,12 +41,13 @@ No modules.
## Inputs
-| Name | Description | Type | Default | Required |
-|--------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|------|-------------------------------------------------------------|:--------:|
-| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account) | `string` | n/a | yes |
-| [folder\_arn](#input\_folder\_arn) | (Required) The ARN of your CloudTrail Bucket Folder | `string` | n/a | yes |
-| [tags](#input\_tags) | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required. | `map(string)` | {
"product": "sysdig-secure-for-cloud"
} | no |
-| [name](#input\_name) | (Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `string` | sysdig-secure-cloudlogs | no |
+| Name | Description | Type | Default | Required |
+|------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|---------------|-----------------------------------------------------------|:--------:|
+| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account) | `string` | n/a | yes |
+| [folder\_arn](#input\_folder\_arn) | (Required) The ARN of your CloudTrail Bucket Folder | `string` | n/a | yes |
+| [tags](#input\_tags) | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required. | `map(string)` | {
"product": "sysdig-secure-for-cloud"
} | no |
+| [name](#input\_name) | (Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `string` | sysdig-secure-cloudlogs | no |
+| [regions](#input\_regions) | (Optional) The list of AWS regions we want to scrape data from | `set(string)` | `[]` | no |
## Outputs
diff --git a/modules/integrations/cloud-logs/main.tf b/modules/integrations/cloud-logs/main.tf
index 75a7580..4f3e7f7 100644
--- a/modules/integrations/cloud-logs/main.tf
+++ b/modules/integrations/cloud-logs/main.tf
@@ -27,7 +27,6 @@ data "sysdig_secure_tenant_external_id" "external_id" {}
locals {
account_id_hash = substr(md5(data.aws_caller_identity.current.account_id), 0, 4)
role_name = "${var.name}-${random_id.suffix.hex}-${local.account_id_hash}"
-
bucket_arn = regex("^([^/]+)", var.folder_arn)[0]
}
@@ -43,12 +42,14 @@ resource "random_id" "suffix" {
resource "aws_iam_role" "cloudlogs_s3_access" {
name = local.role_name
tags = var.tags
-
assume_role_policy = data.aws_iam_policy_document.assume_cloudlogs_s3_access_role.json
- inline_policy {
- name = "cloudlogs_s3_access_policy"
- policy = data.aws_iam_policy_document.cloudlogs_s3_access.json
- }
+}
+
+// AWS IAM Role Policy that will be used by CloudIngestion to access the CloudTrail-associated s3 bucket
+resource "aws_iam_role_policy" "cloudlogs_s3_access_policy" {
+ name = "cloudlogs_s3_access_policy"
+ role = aws_iam_role.cloudlogs_s3_access.name
+ policy = data.aws_iam_policy_document.cloudlogs_s3_access.json
}
# IAM Policy Document used for the assume role policy
@@ -120,6 +121,7 @@ resource "sysdig_secure_cloud_auth_account_component" "aws_cloud_logs" {
cloudtrailS3Bucket = {
folder_arn = var.folder_arn
role_name = local.role_name
+ regions = var.regions
}
}
})
diff --git a/modules/integrations/cloud-logs/variables.tf b/modules/integrations/cloud-logs/variables.tf
index 78129d9..f77320f 100644
--- a/modules/integrations/cloud-logs/variables.tf
+++ b/modules/integrations/cloud-logs/variables.tf
@@ -22,3 +22,9 @@ variable "name" {
type = string
default = "sysdig-secure-cloudlogs"
}
+
+variable "regions" {
+ description = "(Optional) The list of AWS regions we want to scrape data from"
+ type = set(string)
+ default = []
+}