feat: Add organizational cloud-scanning (#20)

tembleking · web-flow · commit aec15844a782 · 2021-08-30T17:52:54.000+02:00
* feat: Add organizational cloud-scanning
* docs(organizational): Update documentation diagram
diff --git a/examples/organizational/README.md b/examples/organizational/README.md
@@ -76,7 +76,9 @@ Notice that:
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector |  |
+| <a name="module_cloud_scanning"></a> [cloud\_scanning](#module\_cloud\_scanning) | ../../modules/services/cloud-scanning |  |
 | <a name="module_cloudtrail"></a> [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail |  |
+| <a name="module_codebuild"></a> [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild |  |
 | <a name="module_ecs_fargate_cluster"></a> [ecs\_fargate\_cluster](#module\_ecs\_fargate\_cluster) | ../../modules/infrastructure/ecs-fargate-cluster |  |
 | <a name="module_resource_group_master"></a> [resource\_group\_master](#module\_resource\_group\_master) | ../../modules/infrastructure/resource-group |  |
 | <a name="module_resource_group_secure_for_cloud_member"></a> [resource\_group\_secure\_for\_cloud\_member](#module\_resource\_group\_secure\_for\_cloud\_member) | ../../modules/infrastructure/resource-group |  |
diff --git a/examples/organizational/diagram-org.png b/examples/organizational/diagram-org.png
diff --git a/examples/organizational/diagram-org.py b/examples/organizational/diagram-org.py
@@ -1,15 +1,13 @@
 # diagrams as code vía https://diagrams.mingrammer.com
-from diagrams import Diagram, Cluster, Diagram, Edge, Node
-from diagrams.custom import Custom
-from diagrams.aws.general import General
-from diagrams.aws.management import Cloudtrail
-from diagrams.aws.storage import S3, SimpleStorageServiceS3Bucket
-from diagrams.aws.integration import SNS
-from diagrams.aws.integration import SQS
+from diagrams import Cluster, Diagram, Edge, Node
 from diagrams.aws.compute import ElasticContainerServiceService
-from diagrams.aws.security import IAMRole,IAM
-from diagrams.aws.management import Cloudwatch
-
+from diagrams.aws.devtools import Codebuild
+from diagrams.aws.general import General
+from diagrams.aws.integration import SNS, SQS
+from diagrams.aws.management import Cloudtrail, Cloudwatch
+from diagrams.aws.security import IAM, IAMRole
+from diagrams.aws.storage import S3
+from diagrams.custom import Custom
 
 diagram_attr = {
     "pad":"0.25"
@@ -23,14 +21,14 @@
 
 event_color="firebrick"
 
-with Diagram("Sysdig Secure for Cloud{}(organizational usecase)".format("\n"), graph_attr=diagram_attr, filename="diagram-org", show=True):
+with Diagram("Sysdig Secure for Cloud\n(organizational usecase)", graph_attr=diagram_attr, filename="diagram-org", show=True):
 
     with Cluster("AWS organization"):
 
-        with Cluster("member account (main targets)", graph_attr={"bgcolor":"lightblue"}):
-            member_accounts = [General("account-1"),General("..."),General("account-n")]
+        with Cluster("member accounts (main targets)", graph_attr={"bgcolor":"lightblue"}):
+            member_accounts = [General("account-1"), General("account-2"), General("..."), General("account-n")]
 
-            org_member_role = IAMRole("OrganizationAccountAccessRole\ncreated by AWS for org. member accounts", **role_attr)
+            org_member_role = IAMRole("OrganizationAccountAccessRole\n(created by AWS for org. member accounts)", **role_attr)
 
 
         with Cluster("master account"):
@@ -53,18 +51,22 @@
 
         with Cluster("member account (secure for cloud)", graph_attr={"bgcolor":"seashell2"}):
 
-            org_member_role = IAMRole("OrganizationAccountAccessRole\ncreated by AWS for org. member accounts", **role_attr)
+            org_member_role = IAMRole("OrganizationAccountAccessRole\n(created by AWS for org. member accounts)", **role_attr)
 
             with Cluster("ecs-cluster"):
                 cloud_connector = ElasticContainerServiceService("cloud-connector")
+                cloud_scanning = ElasticContainerServiceService("cloud-scanning")
 
             sqs         = SQS("cloudtrail-sqs")
             s3_config   = S3("cloud-connector-config")
             cloudwatch  = Cloudwatch("cloudwatch\nlogs and alarms")
+            codebuild = Codebuild("codebuild project")
 
             sqs << Edge(color=event_color) << cloud_connector
+            sqs << Edge(color=event_color) << cloud_scanning
             cloud_connector - s3_config
             cloud_connector >> cloudwatch
+            cloud_scanning >> codebuild
 
 
         member_accounts >> Edge(color=event_color, style="dashed") >>  cloudtrail
@@ -76,3 +78,4 @@
         sds = Custom("Sysdig Secure", "../../resources/diag-sysdig-icon.png")
 
     cloud_connector >> sds
+    codebuild >> sds
diff --git a/examples/organizational/main.tf b/examples/organizational/main.tf
@@ -68,7 +68,6 @@ module "ssm" {
 }
 
 
-
 #
 # cloud-connector
 #
@@ -99,7 +98,6 @@ module "cloud_connector" {
 }
 
 
-
 #
 # cloud-bench
 # WIP
@@ -122,40 +120,45 @@ module "cloud_connector" {
 
 #
 # cloud-scanning
-# WIP
 #
+## FIXME? if this is a non-shared resource, move its usage to scanning service?
+module "codebuild" {
+  providers = {
+    aws = aws.member
+  }
+  source                       = "../../modules/infrastructure/codebuild"
+  name                         = var.name
+  secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
+  depends_on                   = [module.ssm]
+}
 
+module "cloud_scanning" {
+  providers = {
+    aws = aws.member
+  }
 
-## FIXME? if this is a non-shared resource, move its usage to scanning service?
-#module "codebuild" {
-#  source                       = "../../modules/infrastructure/codebuild"
-#  name                         = var.name
-#  secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
-#  depends_on                   = [module.ssm]
-#}
-#
+  source = "../../modules/services/cloud-scanning"
+  name   = "${var.name}-cloudscanning"
 
+  sysdig_secure_endpoint       = var.sysdig_secure_endpoint
+  secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
 
-#module "cloud_scanning" {
-#  providers = {
-#    aws = aws.member
-#  }
-#
-#  source = "../../modules/services/cloud-scanning"
-#  name   = "${var.name}-cloudscanning"
-#
-#  sysdig_secure_endpoint       = var.sysdig_secure_endpoint
-#  secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
-#
-#  build_project_arn  = module.codebuild.project_arn
-#  build_project_name = module.codebuild.project_name
-#
-#  sns_topic_arn = module.cloudtrail.sns_topic_arn
-#
-#  ecs_cluster = module.ecs_fargate_cluster.id
-#  vpc_id      = module.ecs_fargate_cluster.vpc_id
-#  vpc_subnets = module.ecs_fargate_cluster.vpc_subnets
-#
-#  tags       = var.tags
-#  depends_on = [module.cloudtrail, module.ecs_fargate_cluster, module.codebuild, module.ssm]
-#}
+  build_project_arn  = module.codebuild.project_arn
+  build_project_name = module.codebuild.project_name
+
+  is_organizational = true
+  organizational_config = {
+    sysdig_secure_for_cloud_role_arn = module.secure_for_cloud_role.sysdig_secure_for_cloud_role_arn
+    organizational_role_per_account  = "OrganizationAccountAccessRole"
+    scanning_ecs_task_role_name      = aws_iam_role.connector_ecs_task.name
+  }
+
+  sns_topic_arn = module.cloudtrail.sns_topic_arn
+
+  ecs_cluster = module.ecs_fargate_cluster.id
+  vpc_id      = module.ecs_fargate_cluster.vpc_id
+  vpc_subnets = module.ecs_fargate_cluster.vpc_subnets
+
+  tags       = var.tags
+  depends_on = [module.cloudtrail, module.ecs_fargate_cluster, module.codebuild, module.ssm]
+}
diff --git a/modules/infrastructure/organizational/secure-for-cloud-role/README.md b/modules/infrastructure/organizational/secure-for-cloud-role/README.md
@@ -26,8 +26,10 @@ No modules.
 |------|------|
 | [aws_iam_role.secure_for_cloud_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy.enable_assume_secure_for_cloud_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.sysdig_secure_for_cloud_role_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.sysdig_secure_for_cloud_role_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_policy_document.enable_assume_secure_for_cloud_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.sysdig_secure_for_cloud_role_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.sysdig_secure_for_cloud_role_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.sysdig_secure_for_cloud_role_trusted](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_role.ecs_task_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source |
@@ -39,6 +41,7 @@ No modules.
 | <a name="input_cloudconnector_ecs_task_role_name"></a> [cloudconnector\_ecs\_task\_role\_name](#input\_cloudconnector\_ecs\_task\_role\_name) | cloudconnector ecs task role name | `string` | n/a | yes |
 | <a name="input_cloudtrail_s3_arn"></a> [cloudtrail\_s3\_arn](#input\_cloudtrail\_s3\_arn) | Cloudtrail S3 bucket ARN | `string` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | Name for the Cloud Connector deployment | `string` | `"sysdig-secure-for-cloud"` | no |
+| <a name="input_organizational_role_per_account"></a> [organizational\_role\_per\_account](#input\_organizational\_role\_per\_account) | Name of the organizational role deployed by AWS in each account of the organization | `string` | `"OrganizationAccountAccessRole"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
 
 ## Outputs
diff --git a/modules/infrastructure/organizational/secure-for-cloud-role/main.tf b/modules/infrastructure/organizational/secure-for-cloud-role/main.tf
@@ -74,3 +74,21 @@ data "aws_iam_policy_document" "sysdig_secure_for_cloud_role_s3" {
     ]
   }
 }
+
+
+resource "aws_iam_role_policy" "sysdig_secure_for_cloud_role_assume_role" {
+  name   = "${var.name}-AllowAssumeRoleInChildAccounts"
+  role   = aws_iam_role.secure_for_cloud_role.id
+  policy = data.aws_iam_policy_document.sysdig_secure_for_cloud_role_assume_role.json
+}
+data "aws_iam_policy_document" "sysdig_secure_for_cloud_role_assume_role" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "sts:AssumeRole",
+    ]
+    resources = [
+      "arn:aws:iam::*:role/${var.organizational_role_per_account}"
+    ]
+  }
+}
diff --git a/modules/infrastructure/organizational/secure-for-cloud-role/variables.tf b/modules/infrastructure/organizational/secure-for-cloud-role/variables.tf
@@ -18,6 +18,12 @@ variable "name" {
   description = "Name for the Cloud Connector deployment"
 }
 
+variable "organizational_role_per_account" {
+  type        = string
+  default     = "OrganizationAccountAccessRole"
+  description = "Name of the organizational role deployed by AWS in each account of the organization"
+}
+
 variable "tags" {
   type        = map(string)
   description = "sysdig secure-for-cloud tags"
diff --git a/modules/services/cloud-scanning/README.md b/modules/services/cloud-scanning/README.md
@@ -54,6 +54,7 @@ No modules.
 | [aws_iam_policy_document.task_definition_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.task_read_parameters](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.trigger_scan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_role.task_inherited](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_ssm_parameter.sysdig_secure_api_token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 
@@ -71,7 +72,10 @@ No modules.
 | <a name="input_cloudwatch_log_retention"></a> [cloudwatch\_log\_retention](#input\_cloudwatch\_log\_retention) | Days to keep logs for CloudScanning | `number` | `5` | no |
 | <a name="input_extra_env_vars"></a> [extra\_env\_vars](#input\_extra\_env\_vars) | Extra environment variables for the Cloud Scanning deployment | `map(string)` | `{}` | no |
 | <a name="input_image"></a> [image](#input\_image) | Image of the cloud scanning to deploy | `string` | `"quay.io/sysdig/cloud-scanning:latest"` | no |
+| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | whether secure-for-cloud should be deployed in an organizational setup | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name for the Cloud Scanning deployment | `string` | `"sysdig-secure-for-cloudscanning"` | no |
+| <a name="input_organizational_config"></a> [organizational\_config](#input\_organizational\_config) | organizational\_config. following attributes must be given<br><ul><br>    <li>`sysdig_secure_for_cloud_role_arn` for cloud-connector assumeRole in order to read cloudtrail s3 events</li><br>    <li>`scanning_ecs_task_role_name` which has been granted trusted-relationship over the secure\_for\_cloud\_role</li><br>    <li>`organizational_role_per_account` is the name of the organizational role deployed by AWS in each account of the organization</li><br></ul> | <pre>object({<br>    sysdig_secure_for_cloud_role_arn = string<br>    organizational_role_per_account  = string<br>    scanning_ecs_task_role_name      = string<br>  })</pre> | <pre>{<br>  "organizational_role_per_account": "",<br>  "scanning_ecs_task_role_name": "",<br>  "sysdig_secure_for_cloud_role_arn": ""<br>}</pre> | no |
+| <a name="input_scanning_ecs_task_role_name"></a> [scanning\_ecs\_task\_role\_name](#input\_scanning\_ecs\_task\_role\_name) | Default ecs cloudscanning task role name | `string` | `"scanning-ECSTaskRole"` | no |
 | <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
 | <a name="input_verify_ssl"></a> [verify\_ssl](#input\_verify\_ssl) | true/false to determine ssl secure connection verification | `bool` | `true` | no |
diff --git a/modules/services/cloud-scanning/ecs-service-security.tf b/modules/services/cloud-scanning/ecs-service-security.tf
@@ -1,17 +1,31 @@
 data "aws_ssm_parameter" "sysdig_secure_api_token" {
   name = var.secure_api_token_secret_name
 }
+
+locals {
+  ecs_task_role_id          = var.is_organizational ? data.aws_iam_role.task_inherited[0].id : aws_iam_role.task[0].id
+  ecs_task_role_arn         = var.is_organizational ? data.aws_iam_role.task_inherited[0].arn : aws_iam_role.task[0].arn
+  ecs_task_role_name_suffix = var.is_organizational ? var.organizational_config.scanning_ecs_task_role_name : var.scanning_ecs_task_role_name
+}
+
 #---------------------------------
 # task role
+# notes
+# - duplicated in /examples/organizational/utils.tf, where root lvl role is created, to avoid cyclic dependencies
 #---------------------------------
-
+data "aws_iam_role" "task_inherited" {
+  count = var.is_organizational ? 1 : 0
+  name  = var.organizational_config.scanning_ecs_task_role_name
+}
 resource "aws_iam_role" "task" {
-  name               = "${var.name}-ECSTaskRole"
-  assume_role_policy = data.aws_iam_policy_document.task_assume_role.json
+  count              = var.is_organizational ? 0 : 1
+  name               = "${var.name}-${local.ecs_task_role_name_suffix}"
+  assume_role_policy = data.aws_iam_policy_document.task_assume_role[0].json
   path               = "/"
   tags               = var.tags
 }
 data "aws_iam_policy_document" "task_assume_role" {
+  count = var.is_organizational ? 0 : 1
   statement {
     effect = "Allow"
     principals {
@@ -24,7 +38,7 @@ data "aws_iam_policy_document" "task_assume_role" {
 
 resource "aws_iam_role_policy" "task" {
   name   = "${var.name}-TaskRolePolicy"
-  role   = aws_iam_role.task.id
+  role   = local.ecs_task_role_id
   policy = data.aws_iam_policy_document.iam_role_task_role_policy.json
 }
 data "aws_iam_policy_document" "iam_role_task_role_policy" {
@@ -46,7 +60,7 @@ data "aws_iam_policy_document" "iam_role_task_role_policy" {
 
 resource "aws_iam_role_policy" "trigger_scan" {
   name   = "${var.name}-TriggerScan"
-  role   = aws_iam_role.task.id
+  role   = local.ecs_task_role_id
   policy = data.aws_iam_policy_document.trigger_scan.json
 }
 data "aws_iam_policy_document" "trigger_scan" {
@@ -61,7 +75,7 @@ data "aws_iam_policy_document" "trigger_scan" {
 
 resource "aws_iam_role_policy" "task_definition_reader" {
   name   = "TaskDefinitionReader"
-  role   = aws_iam_role.task.id
+  role   = local.ecs_task_role_id
   policy = data.aws_iam_policy_document.task_definition_reader.json
 }
 data "aws_iam_policy_document" "task_definition_reader" {
@@ -76,7 +90,7 @@ data "aws_iam_policy_document" "task_definition_reader" {
 
 resource "aws_iam_role_policy" "secrets_reader" {
   name   = "SecretsReader"
-  role   = aws_iam_role.task.id
+  role   = local.ecs_task_role_id
   policy = data.aws_iam_policy_document.secrets_reader.json
 }
 data "aws_iam_policy_document" "secrets_reader" {
@@ -92,7 +106,7 @@ data "aws_iam_policy_document" "secrets_reader" {
 
 resource "aws_iam_role_policy" "ecr_reader" {
   name   = "ECRReader"
-  role   = aws_iam_role.task.id
+  role   = local.ecs_task_role_id
   policy = data.aws_iam_policy_document.ecr_reader.json
 }
 data "aws_iam_policy_document" "ecr_reader" {
@@ -117,7 +131,6 @@ data "aws_iam_policy_document" "ecr_reader" {
 }
 
 
-
 #---------------------------------
 # execution role
 # This role is required by tasks to pull container images and publish container logs to Amazon CloudWatch on your behalf.
diff --git a/modules/services/cloud-scanning/ecs-service.tf b/modules/services/cloud-scanning/ecs-service.tf
@@ -22,7 +22,7 @@ resource "aws_ecs_task_definition" "task_definition" {
   requires_compatibilities = ["FARGATE"]
   network_mode             = "awsvpc"
   execution_role_arn       = aws_iam_role.execution.arn # ARN of the task execution role that the Amazon ECS container agent and the Docker daemon can assume
-  task_role_arn            = aws_iam_role.task.arn      # ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS resource-group.
+  task_role_arn            = local.ecs_task_role_arn    # ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS resource-group.
   cpu                      = "256"
   memory                   = "512"
 
@@ -84,9 +84,21 @@ locals {
       name  = "SECURE_API_TOKEN_SECRET"
       value = var.secure_api_token_secret_name
     }
-    ], flatten([for env_key, env_value in var.extra_env_vars : [{
+    ],
+    local.task_organizational_env_vars,
+    [for env_key, env_value in var.extra_env_vars : {
       name  = env_key,
       value = env_value
-    }]])
+    }]
   )
+  task_organizational_env_vars = [
+    {
+      name  = "MASTER_ORGANIZATION_ROLE"
+      value = var.is_organizational ? var.organizational_config.sysdig_secure_for_cloud_role_arn : ""
+    },
+    {
+      name  = "ORGANIZATIONAL_ROLE_PER_ACCOUNT"
+      value = var.is_organizational ? var.organizational_config.organizational_role_per_account : ""
+    }
+  ]
 }
diff --git a/modules/services/cloud-scanning/variables.tf b/modules/services/cloud-scanning/variables.tf
