feat(modules/cloud-logs): introduce cloud logs module for s3 onboarding (#16)

Author: SKosier

modules/integrations/cloud-logs/README.md

@@ -0,0 +1,63 @@
+# AWS Cloud Logs Module
+
+This Module creates the resources required to send CloudTrail logs to Sysdig by enabling access to the CloudTrail associated s3 bucket through a dedicated IAM role.
+
+The following resources will be created in each instrumented account:
+- An IAM Role and associated policies that gives the ingestion component in Sysdig's account permission to list and retrieve items from it.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version   |
+|------|-----------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0  |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.60.0 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.1 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.60.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name                                                                                                                                                                             | Type |
+|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|
+| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [aws_iam_role.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role)                                                         | resource |
+| [aws_iam_policy_document.assume_cloudlogs_s3_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)                    | data source |
+| [aws_iam_policy_document.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)                                | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
+| [sysdig_secure_tenant_external_id.external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source |
+| [sysdig_secure_cloud_auth_account_component.aws_cloud_logs](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource |
+
+## Inputs
+
+| Name                                                               | Description                                                                                                                                   | Type | Default                                                     | Required |
+|--------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|------|-------------------------------------------------------------|:--------:|
+| <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account) | `string` | n/a | yes |
+| <a name="input_folder_arn"></a> [folder\_arn](#input\_folder\_arn) | (Required) The ARN of your CloudTrail Bucket Folder                                                                                           | `string` | n/a                                                         |   yes    |
+| <a name="input_tags"></a> [tags](#input\_tags)                     | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required.                                        | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> |    no    |
+| <a name="input_name"></a> [name](#input\_name)                     | (Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning                           | `string` | sysdig-secure-cloudlogs |    no    |
+
+## Outputs
+
+| Name                                                                                                            | Description |
+|-----------------------------------------------------------------------------------------------------------------|-------------|
+| <a name="output_cloud_logs_component_id"></a> [cloud\_logs\_component\_id](#output\_cloud\_logs\_component\_id) | Component identifier of Cloud Logs integration created in Sysdig Backend for Log Ingestion |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Authors
+
+Module is maintained by [Sysdig](https://sysdig.com).
+
+## License
+
+Apache 2 Licensed. See LICENSE for full details.

modules/integrations/cloud-logs/main.tf

@@ -0,0 +1,126 @@
+#-----------------------------------------------------------------------------------------------------------------------
+# The only resource needed to make Sysdig's backend start to fetch data from the CloudTrail associated s3 bucket is a
+# properly set AWS IAM Role. Sysdig's trusted identity act as the Principal in the assume role Policy, namely the role
+# that the backend will use to assume the Client's role. At that point, given the permission set granted to the newly
+# created Role in the Client's account, Sysdig's backend will be able to perform all the required actions in order to
+# retrieve the log files that are automatically published in the target s3 bucket.
+#
+# Note: this setup assumes that the Customer has already properly set up an AWS CloudTrail Trail and the associated bucket.
+# Sysdig's Secure UI provides the necessary information to make the Customer perform the
+# required setup operations before applying the Terraform module.
+#-----------------------------------------------------------------------------------------------------------------------
+
+#-----------------------------------------------------------------------------------------
+# Fetch the data sources
+#-----------------------------------------------------------------------------------------
+data "aws_caller_identity" "current" {}
+
+data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
+  cloud_provider = "aws"
+}
+
+data "sysdig_secure_tenant_external_id" "external_id" {}
+
+#-----------------------------------------------------------------------------------------
+# Generate a unique name for resources using random suffix and account ID hash
+#-----------------------------------------------------------------------------------------
+locals {
+  account_id_hash  = substr(md5(data.aws_caller_identity.current.account_id), 0, 4)
+  role_name = "${var.name}-${random_id.suffix.hex}-${local.account_id_hash}"
+
+  bucket_arn = regex("^([^/]+)", var.folder_arn)[0]
+}
+
+#-----------------------------------------------------------------------------------------------------------------------
+# A random resource is used to generate unique role name suffix.
+# This prevents conflicts when recreating an role with the same name.
+#-----------------------------------------------------------------------------------------------------------------------
+resource "random_id" "suffix" {
+  byte_length = 3
+}
+
+# AWS IAM Role that will be used by CloudIngestion to access the CloudTrail-associated s3 bucket
+resource "aws_iam_role" "cloudlogs_s3_access" {
+  name = local.role_name
+  tags = var.tags
+
+  assume_role_policy = data.aws_iam_policy_document.assume_cloudlogs_s3_access_role.json
+  inline_policy {
+    name   = "cloudlogs_s3_access_policy"
+    policy = data.aws_iam_policy_document.cloudlogs_s3_access.json
+  }
+}
+
+# IAM Policy Document used for the assume role policy
+data "aws_iam_policy_document" "assume_cloudlogs_s3_access_role" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = [data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity]
+    }
+
+    actions = ["sts:AssumeRole"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "sts:ExternalId"
+      values   = [data.sysdig_secure_tenant_external_id.external_id.external_id]
+    }
+  }
+}
+
+# IAM Policy Document used for the bucket access policy
+data "aws_iam_policy_document" "cloudlogs_s3_access" {
+  statement {
+    sid = "CloudlogsS3AccessGet"
+
+    effect = "Allow"
+
+    actions = [
+      "s3:Get*",
+    ]
+
+    resources = [
+      local.bucket_arn,
+      "${local.bucket_arn}/*"
+    ]
+  }
+
+  statement {
+    sid = "CloudlogsS3AccessList"
+
+    effect = "Allow"
+
+    actions = [
+      "s3:List*"
+    ]
+
+    resources = [
+      local.bucket_arn,
+      "${local.bucket_arn}/*"
+    ]
+  }
+}
+
+#-----------------------------------------------------------------------------------------------------------------------------------------
+# Call Sysdig Backend to add the cloud logs integration to the Sysdig Cloud Account
+#
+# Note (optional): To ensure this gets called after all cloud resources are created, add
+# explicit dependency using depends_on
+#-----------------------------------------------------------------------------------------------------------------------------------------
+resource "sysdig_secure_cloud_auth_account_component" "aws_cloud_logs" {
+  account_id                 = var.sysdig_secure_account_id
+  type                       = "COMPONENT_CLOUD_LOGS"
+  instance                   = "secure-runtime"
+  version                    = "v0.1.0"
+  cloud_logs_metadata = jsonencode({
+    aws = {
+      cloudtrailS3Bucket = {
+        folder_arn    = var.folder_arn
+        role_name     = local.role_name
+      }
+    }
+  })
+}

modules/integrations/cloud-logs/outputs.tf

@@ -0,0 +1,5 @@
+output "cloud_logs_component_id" {
+  value       = "${sysdig_secure_cloud_auth_account_component.aws_cloud_logs.type}/${sysdig_secure_cloud_auth_account_component.aws_cloud_logs.instance}"
+  description = "Component identifier of Cloud Logs integration created in Sysdig Backend for Log Ingestion"
+  depends_on = [ sysdig_secure_cloud_auth_account_component.aws_cloud_logs ]
+}

modules/integrations/cloud-logs/variables.tf

@@ -0,0 +1,24 @@
+variable "sysdig_secure_account_id" {
+  type        = string
+  description = "ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account)"
+}
+
+variable "folder_arn" {
+  description = "(Required) The ARN of your CloudTrail Bucket Folder"
+  type        = string
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "(Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning"
+
+  default = {
+    "product" = "sysdig-secure-for-cloud"
+  }
+}
+
+variable "name" {
+  description = "(Optional) Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances"
+  type        = string
+  default     = "sysdig-secure-cloudlogs"
+}

modules/integrations/cloud-logs/versions.tf

@@ -0,0 +1,17 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.60.0"
+    }
+    sysdig = {
+      source = "sysdiglabs/sysdig"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.1"
+    }
+  }
+}