
Commit 7815eb6

Merge pull request #5 from globeandmail/AHP-1113
AHP-1113 Add optional variables use_sysdig_api_token and svcs_account_sysdig_api_token_aws_secret_arn
2 parents 06ce4b1 + cc087ad commit 7815eb6


3 files changed

+156
-74
lines changed


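--- a/README.md
+++ b/README.md
@@ -37,11 +37,31 @@ The module currently supports multi-region build for lambda, ECS and ECR in the
 ## v1.1 Notes
 If `s3_block_public_access` is set to `true`, the block public access setting for the artifact bucket is enabled.
 
+
+## v.1.2 Note
+If `use_sysdig_api_token` is set to `true`, the secrets manager environment variable `SYSDIG_API_TOKEN_SECRETS_ID` is exposed via codebuild.
+
+You can add these 8 lines to the end of your `build` phase commands in `buildspec.yml` to run Sysdig image security scans.
+```yml
+build:
+commands:
+...
+...
+- echo "Running Sysdig image inline scan..."
+- docker run --rm -u $(id -u) -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd)/reports:/staging/reports quay.io/sysdig/secure-inline-scan:2 -s https://us2.app.sysdig.com -k ${SYSDIG_API_TOKEN_SECRETS_ID} --storage-type docker-daemon --storage-path /var/run/docker.sock -r /staging/reports ${REPOSITORY_URI}:${IMAGE_TAG} || true
+- echo "Downloading Sysdig Cli Scanner..."
+- curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner"
+- echo "Adding executable permission to sysdig-cli-scanner binary..."
+- chmod +x ./sysdig-cli-scanner
+- echo "Running Sysdig image cli scan..."
+- SECURE_API_TOKEN=${SYSDIG_API_TOKEN_SECRETS_ID} ./sysdig-cli-scanner --apiurl https://us2.app.sysdig.com ${REPOSITORY_URI}:${IMAGE_TAG} --policy sysdig_best_practices || true
+```
+
 ## Usage
 ### Lambda
 ```hcl
 module "lambda_ci_pipeline" {
-source = "github.com/globeandmail/aws-ci-codepipeline?ref=1.1"
+source = "github.com/globeandmail/aws-ci-codepipeline?ref=1.2"
 
 name = "app-name"
 deploy_type = "lambda"
@@ -73,70 +93,74 @@ module "lambda_ci_pipeline" {
 ### ECS
 ```hcl
 module "ecs_ci_pipeline" {
-source = "github.com/globeandmail/aws-ci-codepipeline?ref=1.1"
-
-name = "app-name"
-deploy_type = "ecs"
-aws_organization_id = "aws-organization-id"
-github_repo_owner = "github-account-name"
-github_repo_name = "github-repo-name"
-github_branch_name = "github-branch-name"
-github_oauth_token = data.aws_ssm_parameter.github_token.value
-non_default_aws_provider_configurations = {
-ireland = {
-region_name = "region-name",
-profile_name = "profile-name",
-allowed_account_ids = ["account-id"]
-}
-}
-s3_bucket_force_destroy = true
-create_cross_region_resources = true
-create_ireland_region_resources = true
-svcs_account_ireland_kms_cmk_arn_for_s3 = "svcs-account-ireland-kms-cmk-arn-for-s3"
-svcs_account_virginia_kms_cmk_arn_for_s3 = "svcs-account-virginia-kms-cmk-arn-for-s3"
-ecr_name = "ecr-repo-name"
-use_docker_credentials = true
-use_repo_access_github_token = true
-svcs_account_github_token_aws_secret_arn = "svcs-account-github-token-aws-secret-arn"
-svcs_account_github_token_aws_kms_cmk_arn = "svcs-account-github-token-aws-kms-cmk-arn"
-s3_block_public_access = true
-tags = {
-Environment = var.environment
-}
+source = "github.com/globeandmail/aws-ci-codepipeline?ref=1.2"
+
+name = "app-name"
+deploy_type = "ecs"
+aws_organization_id = "aws-organization-id"
+github_repo_owner = "github-account-name"
+github_repo_name = "github-repo-name"
+github_branch_name = "github-branch-name"
+github_oauth_token = data.aws_ssm_parameter.github_token.value
+non_default_aws_provider_configurations = {
+ireland = {
+region_name = "region-name",
+profile_name = "profile-name",
+allowed_account_ids = ["account-id"]
+}
+}
+s3_bucket_force_destroy = true
+create_cross_region_resources = true
+create_ireland_region_resources = true
+svcs_account_ireland_kms_cmk_arn_for_s3 = "svcs-account-ireland-kms-cmk-arn-for-s3"
+svcs_account_virginia_kms_cmk_arn_for_s3 = "svcs-account-virginia-kms-cmk-arn-for-s3"
+ecr_name = "ecr-repo-name"
+use_docker_credentials = true
+use_repo_access_github_token = true
+svcs_account_github_token_aws_secret_arn = "svcs-account-github-token-aws-secret-arn"
+svcs_account_aws_kms_cmk_arn = "svcs-account-aws-kms-cmk-arn"
+s3_block_public_access = true
+use_sysdig_api_token = true
+svcs_account_sysdig_api_token_aws_secret_arn = "svcs-account-sysdig-api-token-aws-secret-arn"
+tags = {
+Environment = var.environment
+}
 }
 ```
 
 ### ECR
 ```hcl
 module "ecr_ci_pipeline" {
-source = "github.com/globeandmail/aws-ci-codepipeline?ref=1.1"
-
-name = "app-name"
-deploy_type = "ecr"
-aws_organization_id = "aws-organization-id"
-github_repo_owner = "github-account-name"
-github_repo_name = "github-repo-name"
-github_branch_name = "github-branch-name"
-github_oauth_token = data.aws_ssm_parameter.github_token.value
-non_default_aws_provider_configurations = {
-ireland = {
-region_name = "region-name",
-profile_name = "profile-name",
-allowed_account_ids = ["account-id"]
-}
-}
-create_cross_region_resources = false
-create_ireland_region_resources = false
-svcs_account_virginia_kms_cmk_arn_for_s3 = "svcs-account-virginia-kms-cmk-arn-for-s3"
-ecr_name = "ecr-repo-name"
-use_docker_credentials = true
-use_repo_access_github_token = true
-svcs_account_github_token_aws_secret_arn = "svcs-account-github-token-aws-secret-arn"
-svcs_account_github_token_aws_kms_cmk_arn = "svcs-account-github-token-aws-kms-cmk-arn"
-s3_block_public_access = true
-tags = {
-Environment = var.environment
-}
+source = "github.com/globeandmail/aws-ci-codepipeline?ref=1.2"
+
+name = "app-name"
+deploy_type = "ecr"
+aws_organization_id = "aws-organization-id"
+github_repo_owner = "github-account-name"
+github_repo_name = "github-repo-name"
+github_branch_name = "github-branch-name"
+github_oauth_token = data.aws_ssm_parameter.github_token.value
+non_default_aws_provider_configurations = {
+ireland = {
+region_name = "region-name",
+profile_name = "profile-name",
+allowed_account_ids = ["account-id"]
+}
+}
+create_cross_region_resources = false
+create_ireland_region_resources = false
+svcs_account_virginia_kms_cmk_arn_for_s3 = "svcs-account-virginia-kms-cmk-arn-for-s3"
+ecr_name = "ecr-repo-name"
+use_docker_credentials = true
+use_repo_access_github_token = true
+svcs_account_github_token_aws_secret_arn = "svcs-account-github-token-aws-secret-arn"
+svcs_account_aws_kms_cmk_arn = "svcs-account-aws-kms-cmk-arn"
+s3_block_public_access = true
+use_sysdig_api_token = true
+svcs_account_sysdig_api_token_aws_secret_arn = "svcs-account-sysdig-api-token-aws-secret-arn"
+tags = {
+Environment = var.environment
+}
 }
 ```
 
@@ -179,13 +203,15 @@ module "ecr_ci_pipeline" {
 | <a name="input_privileged_mode"></a> [privileged\_mode](#input\_privileged\_mode) | (Optional) Use privileged mode for docker containers. Defaults to false. | `bool` | `false` | no |
 | <a name="input_s3_block_public_access"></a> [s3\_block\_public\_access](#input\_s3\_block\_public\_access) | (Optional) Enable the S3 block public access setting for the artifact bucket. | `bool` | `false` | no |
 | <a name="input_s3_bucket_force_destroy"></a> [s3\_bucket\_force\_destroy](#input\_s3\_bucket\_force\_destroy) | (Optional) Delete all objects in S3 bucket upon bucket deletion. S3 objects are not recoverable.<br> Set to true if var.deploy\_type is ecs or lambda. Defaults to false. | `bool` | `false` | no |
-| <a name="input_svcs_account_github_token_aws_kms_cmk_arn"></a> [svcs\_account\_github\_token\_aws\_kms\_cmk\_arn](#input\_svcs\_account\_github\_token\_aws\_kms\_cmk\_arn) | (Optional) The us-east-1 region AWS KMS customer managed key ARN for encrypting the repo access Github token AWS secret.<br> The key is created in the shared service account.<br> Required if var.use\_repo\_access\_github\_token is true. | `string` | `null` | no |
+| <a name="input_svcs_account_aws_kms_cmk_arn"></a> [svcs\_account\_aws\_kms\_cmk\_arn](#input\_svcs\_account\_aws\_kms\_cmk\_arn) | (Optional) The us-east-1 region AWS KMS customer managed key ARN for encrypting all AWS secrets.<br> The key is created in the shared service account.<br> Required if var.use\_repo\_access\_github\_token or var.use\_sysdig\_api\_token is true. | `string` | `null` | no |
 | <a name="input_svcs_account_github_token_aws_secret_arn"></a> [svcs\_account\_github\_token\_aws\_secret\_arn](#input\_svcs\_account\_github\_token\_aws\_secret\_arn) | (Optional) The AWS secret ARN for the repo access Github token.<br> The secret is created in the shared service account.<br> Required if var.use\_repo\_access\_github\_token is true. | `string` | `null` | no |
 | <a name="input_svcs_account_ireland_kms_cmk_arn_for_s3"></a> [svcs\_account\_ireland\_kms\_cmk\_arn\_for\_s3](#input\_svcs\_account\_ireland\_kms\_cmk\_arn\_for\_s3) | (Optional) The eu-west-1 region AWS KMS customer managed key ARN for encrypting s3 data.<br> The key is created in the shared service account.<br> Required if var.create\_ireland\_region\_resources is true. | `string` | `null` | no |
+| <a name="input_svcs_account_sysdig_api_token_aws_secret_arn"></a> [svcs\_account\_sysdig\_api\_token\_aws\_secret\_arn](#input\_svcs\_account\_sysdig\_api\_token\_aws\_secret\_arn) | (Optional) The AWS secret ARN for the sysdig API token.<br> The secret is created in the shared service account.<br> Required if var.use\_sysdig\_api\_token is true. | `string` | `null` | no |
 | <a name="input_svcs_account_virginia_kms_cmk_arn_for_s3"></a> [svcs\_account\_virginia\_kms\_cmk\_arn\_for\_s3](#input\_svcs\_account\_virginia\_kms\_cmk\_arn\_for\_s3) | (Required) The us-east-1 region AWS KMS customer managed key ARN for encrypting s3 data.<br> The key is created in the shared service account. | `string` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A mapping of tags to assign to the resource | `map` | `{}` | no |
 | <a name="input_use_docker_credentials"></a> [use\_docker\_credentials](#input\_use\_docker\_credentials) | (Optional) Use dockerhub credentals stored in parameter store. Defaults to false. | `bool` | `false` | no |
 | <a name="input_use_repo_access_github_token"></a> [use\_repo\_access\_github\_token](#input\_use\_repo\_access\_github\_token) | (Optional) Allow the AWS codebuild IAM role read access to the REPO\_ACCESS\_GITHUB\_TOKEN secrets manager secret in the shared service account.<br> Defaults to false. | `bool` | `false` | no |
+| <a name="input_use_sysdig_api_token"></a> [use\_sysdig\_api\_token](#input\_use\_sysdig\_api\_token) | (Optional) Allow the AWS codebuild IAM role read access to the SYSDIG\_API\_TOKEN secrets manager secret in the shared service account.<br> Defaults to false. | `bool` | `false` | no |
 
 ## Outputs
 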
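--- a/codebuild.tf
+++ b/codebuild.tf
@@ -107,19 +107,47 @@ resource "aws_iam_role_policy" "codebuild_ecr" {
 
 
 data "aws_iam_policy_document" "codebuild_secrets_manager" {
-count = var.use_repo_access_github_token ? 1 : 0
-statement {
-actions = [
-"secretsmanager:GetSecretValue"
-]
-resources = [
-replace(var.svcs_account_github_token_aws_secret_arn, "/-.{6}$/", "-??????")
-]
+count = var.use_repo_access_github_token || var.use_sysdig_api_token ? 1 : 0
+dynamic "statement" {
+for_each = var.use_repo_access_github_token && !var.use_sysdig_api_token ? [1] : []
+content {
+actions = [
+"secretsmanager:GetSecretValue"
+]
+resources = [
+replace(var.svcs_account_github_token_aws_secret_arn, "/-.{6}$/", "-??????")
+]
+}
+}
+
+dynamic "statement" {
+for_each = !var.use_repo_access_github_token && var.use_sysdig_api_token ? [1] : []
+content {
+actions = [
+"secretsmanager:GetSecretValue"
+]
+resources = [
+replace(var.svcs_account_sysdig_api_token_aws_secret_arn, "/-.{6}$/", "-??????")
+]
+}
+}
+
+dynamic "statement" {
+for_each = var.use_repo_access_github_token && var.use_sysdig_api_token ? [1] : []
+content {
+actions = [
+"secretsmanager:GetSecretValue"
+]
+resources = [
+replace(var.svcs_account_github_token_aws_secret_arn, "/-.{6}$/", "-??????"),
+replace(var.svcs_account_sysdig_api_token_aws_secret_arn, "/-.{6}$/", "-??????")
+]
+}
 }
 }
 
 resource "aws_iam_role_policy" "codebuild_secrets_manager" {
-count = var.use_repo_access_github_token ? 1 : 0
+count = var.use_repo_access_github_token || var.use_sysdig_api_token ? 1 : 0
 name = "codebuild-secrets-manager-${local.codebuild_name}"
 role = aws_iam_role.codebuild.id
 policy = data.aws_iam_policy_document.codebuild_secrets_manager[0].json
@@ -135,7 +163,7 @@ data "aws_iam_policy_document" "codebuild_kms" {
 ]
 
 resources = [
-var.svcs_account_github_token_aws_kms_cmk_arn,
+var.svcs_account_aws_kms_cmk_arn,
 var.svcs_account_virginia_kms_cmk_arn_for_s3,
 var.svcs_account_ireland_kms_cmk_arn_for_s3
 ]
@@ -150,7 +178,7 @@ data "aws_iam_policy_document" "codebuild_kms" {
 ]
 
 resources = [
-var.svcs_account_github_token_aws_kms_cmk_arn,
+var.svcs_account_aws_kms_cmk_arn,
 var.svcs_account_virginia_kms_cmk_arn_for_s3
 ]
 }
@@ -252,6 +280,15 @@ resource "aws_codebuild_project" "project" {
 type = "SECRETS_MANAGER"
 }
 }
+
+dynamic "environment_variable" {
+for_each = var.use_sysdig_api_token ? [1] : []
+content {
+name = "SYSDIG_API_TOKEN_SECRETS_ID"
+value = var.svcs_account_sysdig_api_token_aws_secret_arn
+type = "SECRETS_MANAGER"
+}
+}
 }
 
 source {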
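Review bot: The three mutually exclusive `dynamic "statement"` blocks at new lines 111–145 spell out the same `secretsmanager:GetSecretValue` statement once per combination of the two flags, so a third optional secret would need seven of them; a single `statement` whose `resources` is a `concat` of two conditional lists produces the identical policy in about a third of the lines, and the existing `count` on the data source and on the role policy already guards the case where both flags are false. Separately, `SYSDIG_API_TOKEN_SECRETS_ID` at new line 287 is declared with `type = "SECRETS_MANAGER"`, which means CodeBuild injects the secret's value (the token itself) rather than an identifier, so the `_SECRETS_ID` suffix invites readers to treat it as a lookup key; a name such as `SYSDIG_API_TOKEN`, matching the secret named in the variable description, would be less misleading. The `data "aws_iam_policy_document" "codebuild_kms"` blocks in the two middle hunks begin outside the hunks shown.
```hcl
data "aws_iam_policy_document" "codebuild_secrets_manager" {
  count = var.use_repo_access_github_token || var.use_sysdig_api_token ? 1 : 0
  statement {
    actions = ["secretsmanager:GetSecretValue"]
    # Only the ARNs of the secrets whose flag is enabled are listed; the
    # "-??????" wildcard covers the random suffix Secrets Manager appends.
    resources = concat(
      var.use_repo_access_github_token ? [replace(var.svcs_account_github_token_aws_secret_arn, "/-.{6}$/", "-??????")] : [],
      var.use_sysdig_api_token ? [replace(var.svcs_account_sysdig_api_token_aws_secret_arn, "/-.{6}$/", "-??????")] : []
    )
  }
}
# … unchanged: aws_iam_role_policy "codebuild_secrets_manager" …
```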

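--- a/variables.tf
+++ b/variables.tf
@@ -169,12 +169,12 @@ variable "svcs_account_github_token_aws_secret_arn" {
 default = null
 }
 
-variable "svcs_account_github_token_aws_kms_cmk_arn" {
+variable "svcs_account_aws_kms_cmk_arn" {
 type = string
 description = <<EOT
-(Optional) The us-east-1 region AWS KMS customer managed key ARN for encrypting the repo access Github token AWS secret.
+(Optional) The us-east-1 region AWS KMS customer managed key ARN for encrypting all AWS secrets.
 The key is created in the shared service account.
-Required if var.use_repo_access_github_token is true.
+Required if var.use_repo_access_github_token or var.use_sysdig_api_token is true.
 EOT
 default = null
 }
@@ -183,4 +183,23 @@ variable "s3_block_public_access" {
 type = bool
 description = "(Optional) Enable the S3 block public access setting for the artifact bucket."
 default = false
+}
+
+variable "use_sysdig_api_token" {
+type = bool
+description = <<EOT
+(Optional) Allow the AWS codebuild IAM role read access to the SYSDIG_API_TOKEN secrets manager secret in the shared service account.
+Defaults to false.
+EOT
+default = false
+}
+
+variable "svcs_account_sysdig_api_token_aws_secret_arn" {
+type = string
+description = <<EOT
+(Optional) The AWS secret ARN for the sysdig API token.
+The secret is created in the shared service account.
+Required if var.use_sysdig_api_token is true.
+EOT
+default = null
 }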
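Review bot: Renaming `svcs_account_github_token_aws_kms_cmk_arn` to `svcs_account_aws_kms_cmk_arn` at line 172 removes the old input with no alias, so every caller that passes the old name fails with an unsupported-argument error on moving to ref=1.2, while the README presents 1.2 as a routine bump; either keep the old variable with a deprecation note and resolve the two in codebuild.tf with `coalesce(var.svcs_account_aws_kms_cmk_arn, var.svcs_account_github_token_aws_kms_cmk_arn)`, or call the rename out as a breaking change in the v1.2 README note. The new `svcs_account_sysdig_api_token_aws_secret_arn` (new lines 197–205) defaults to `null` but is passed straight to `replace()` in codebuild.tf when `use_sysdig_api_token` is true, so a caller who sets the flag and forgets the ARN gets a generic null-argument error instead of a message naming the missing input; a `lifecycle { precondition { … } }` on the consuming resource, or a cross-variable `validation` block if the project's Terraform version supports one, would report it by name. The enclosing `variable "s3_block_public_access"` block in the second hunk begins outside the hunk.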
