Commit 2b58df2

feat(modules/cloud-logs): add list of regions we want to scrape (SSPROD-46506) (#17)
1 parent 84de7bf commit 2b58df2

3 files changed

+22
-12
lines changed

modules/integrations/cloud-logs/README.md

+8-6
@@ -31,6 +31,7 @@ No modules.
3131
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|
3232
| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
3333
| [aws_iam_role.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
34+
| [aws_iam_role_policy.cloudlogs_s3_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
3435
| [aws_iam_policy_document.assume_cloudlogs_s3_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
3536
| [aws_iam_policy_document.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
3637
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
@@ -40,12 +41,13 @@ No modules.
4041

4142
## Inputs
4243

43-
| Name | Description | Type | Default | Required |
44-
|--------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|------|-------------------------------------------------------------|:--------:|
45-
| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account) | `string` | n/a | yes |
46-
| <a name="input_folder_arn"></a> [folder\_arn](#input\_folder\_arn) | (Required) The ARN of your CloudTrail Bucket Folder | `string` | n/a | yes |
47-
| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required. | `map(string)` | <pre>{<br> "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
48-
| <a name="input_name"></a> [name](#input\_name) | (Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `string` | sysdig-secure-cloudlogs | no |
44+
| Name | Description | Type | Default | Required |
45+
|------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|---------------|-----------------------------------------------------------|:--------:|
46+
| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account) | `string` | n/a | yes |
47+
| <a name="input_folder_arn"></a> [folder\_arn](#input\_folder\_arn) | (Required) The ARN of your CloudTrail Bucket Folder | `string` | n/a | yes |
48+
| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required. | `map(string)` | <pre>{<br> "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
49+
| <a name="input_name"></a> [name](#input\_name) | (Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `string` | sysdig-secure-cloudlogs | no |
50+
| <a name="input_regions"></a> [regions](#input\_regions) | (Optional) The list of AWS regions we want to scrape data from | `set(string)` | `[]` | no |
4951

5052
## Outputs
5153

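Review bot: the descriptions of `tags` and `name` in the rewritten Inputs table are swapped: the `tags` row reads "Name to be assigned to all child resources. A suffix may be added internally when required." and the `name` row reads "Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning". Since this hunk re-emits the whole table, swap the two description cells here rather than carrying the error forward. For the new `regions` row, "(Optional) The list of AWS regions we want to scrape data from" with default `[]` does not tell the reader what the empty set means (all regions, or no region at all); state that explicitly in the description so operators know what the default path does.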
modules/integrations/cloud-logs/main.tf

+8-6
@@ -27,7 +27,6 @@ data "sysdig_secure_tenant_external_id" "external_id" {}
2727
locals {
2828
account_id_hash = substr(md5(data.aws_caller_identity.current.account_id), 0, 4)
2929
role_name = "${var.name}-${random_id.suffix.hex}-${local.account_id_hash}"
30-
3130
bucket_arn = regex("^([^/]+)", var.folder_arn)[0]
3231
}
3332

@@ -43,12 +42,14 @@ resource "random_id" "suffix" {
4342
resource "aws_iam_role" "cloudlogs_s3_access" {
4443
name = local.role_name
4544
tags = var.tags
46-
4745
assume_role_policy = data.aws_iam_policy_document.assume_cloudlogs_s3_access_role.json
48-
inline_policy {
49-
name = "cloudlogs_s3_access_policy"
50-
policy = data.aws_iam_policy_document.cloudlogs_s3_access.json
51-
}
46+
}
47+
48+
// AWS IAM Role Policy that will be used by CloudIngestion to access the CloudTrail-associated s3 bucket
49+
resource "aws_iam_role_policy" "cloudlogs_s3_access_policy" {
50+
name = "cloudlogs_s3_access_policy"
51+
role = aws_iam_role.cloudlogs_s3_access.name
52+
policy = data.aws_iam_policy_document.cloudlogs_s3_access.json
5253
}
5354

5455
# IAM Policy Document used for the assume role policy
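Review bot: moving the policy out of `inline_policy` into a standalone `aws_iam_role_policy` changes the dependency graph. Before, any resource that referenced the role implicitly waited for the policy; now `aws_iam_role_policy.cloudlogs_s3_access_policy` depends on the role, but the `sysdig_secure_cloud_auth_account_component` below is wired to `local.role_name`, not to the policy, so the component can be registered before the S3 permissions are attached. Unless that resource already has one, add `depends_on = [aws_iam_role_policy.cloudlogs_s3_access_policy]` so the first ingestion attempt does not hit an AccessDenied window. On existing deployments, removing the `inline_policy` block means the role resource stops managing the inline policy and the new resource re-issues `PutRolePolicy` under the same name, so the plan on an upgraded state is worth checking once before release. Style point: the new comment uses `//` while the rest of the file uses `#` (see the line right after the hunk); keep `#` for consistency.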
@@ -120,6 +121,7 @@ resource "sysdig_secure_cloud_auth_account_component" "aws_cloud_logs" {
120121
cloudtrailS3Bucket = {
121122
folder_arn = var.folder_arn
122123
role_name = local.role_name
124+
regions = var.regions
123125
}
124126
}
125127
})
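Review bot: `regions = var.regions` forwards the set unchanged, so with the default `[]` the component payload carries an empty `regions` list. The backend's handling of an empty list (all regions vs. none) is not visible here and is not documented in the variable description; if "none" silently disables collection, prefer a validation rule or a non-empty default over relying on the consumer to notice. Because the value is a `set(string)`, ordering is not preserved in the encoded JSON, which is fine for region names but worth keeping in mind if the backend compares the list positionally.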

modules/integrations/cloud-logs/variables.tf

+6
@@ -22,3 +22,9 @@ variable "name" {
2222
type = string
2323
default = "sysdig-secure-cloudlogs"
2424
}
25+
26+
variable "regions" {
27+
description = "(Optional) The list of AWS regions we want to scrape data from"
28+
type = set(string)
29+
default = []
30+
}
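Review bot: the new `regions` variable accepts any string, so a typo such as `us-east1` is only caught by the backend, if at all. Consider a `validation` block on the variable, for example `condition = alltrue([for r in var.regions : can(regex("^[a-z]{2}(-[a-z]+)+-[0-9]+$", r))])` with an `error_message` naming the expected `xx-name-N` region format, so malformed entries fail at plan time. The description duplicates the README text verbatim, so whatever wording is chosen for the empty-set semantics should be updated in both places.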
