chore(permissions): optional org role (#37)

* chore(permissions): homogeneize eks with ecs

Author: iru

examples-internal/organizational-k8s-threat-reuse_cloudtrail/README.md

@@ -108,7 +108,7 @@ Notice that:
 | <a name="input_cloudtrail_s3_sns_sqs_url"></a> [cloudtrail\_s3\_sns\_sqs\_url](#input\_cloudtrail\_s3\_sns\_sqs\_url) | Organization cloudtrail event notification  S3-SNS-SQS URL to listen to | `string` | n/a | yes |
 | <a name="input_sysdig_secure_api_token"></a> [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig Secure API token | `string` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
-| <a name="input_organization_managed_role_arn"></a> [organization\_managed\_role\_arn](#input\_organization\_managed\_role\_arn) | `sysdig_secure_for_cloud_role_arn` for cloud-connector assumeRole in order to read cloudtrail s3 events</li><li>and the `connector_ecs_task_role_name` which has been granted trusted-relationship over the secure\_for\_cloud\_role | `string` | `"none"` | no |
+| <a name="input_organization_managed_role_arn"></a> [organization\_managed\_role\_arn](#input\_organization\_managed\_role\_arn) | for cloud-connector assumeRole in order to read cloudtrail s3 events | `string` | `"none"` | no |
 | <a name="input_region"></a> [region](#input\_region) | Default region for resource creation in both organization master and secure-for-cloud member account | `string` | `"eu-central-1"` | no |
 | <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |

examples-internal/organizational-k8s-threat-reuse_cloudtrail/cloud-connector.tf

@@ -46,7 +46,8 @@ logging: info
 ingestors:
   - aws-cloudtrail-s3-sns-sqs:
       queueURL: ${var.cloudtrail_s3_sns_sqs_url}
-      assumeRole: ${var.organization_managed_role_arn}
+      %{if var.organization_managed_role_arn != "none"}assumeRole: ${var.organization_managed_role_arn}
+%{endif~}
 CONFIG
   ]
 }

examples-internal/organizational-k8s-threat-reuse_cloudtrail/variables.tf

@@ -29,7 +29,7 @@ variable "aws_secret_access_key" {
 
 variable "organization_managed_role_arn" {
   type        = string
-  description = "`sysdig_secure_for_cloud_role_arn` for cloud-connector assumeRole in order to read cloudtrail s3 events</li><li>and the `connector_ecs_task_role_name` which has been granted trusted-relationship over the secure_for_cloud_role"
+  description = "for cloud-connector assumeRole in order to read cloudtrail s3 events"
   default     = "none"
 }
 

modules/infrastructure/permissions/cloud-connector/README.md

@@ -25,7 +25,6 @@ No modules.
 | [aws_iam_user_policy.cloud_connector](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
 | [aws_iam_policy_document.cloud_connector](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_user.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_user) | data source |
-| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 

modules/infrastructure/permissions/cloud-connector/data.tf

@@ -1,5 +1,3 @@
-data "aws_region" "this" {}
-
 data "aws_iam_user" "this" {
   user_name = var.sfc_user_name
 }

modules/infrastructure/permissions/cloud-connector/main.tf

@@ -9,12 +9,14 @@ data "aws_iam_policy_document" "cloud_connector" {
     sid    = "AllowReadCloudtrailS3"
     effect = "Allow"
     actions = [
-      "s3:GetObject",
       "s3:ListBucket",
+      "s3:GetObject"
     ]
     resources = [var.cloudtrail_s3_bucket_arn]
-  }
+    #      var.cloudtrail_s3_bucket_arn,
+    #      "${var.cloudtrail_s3_bucket_arn}/*"
 
+  }
 
   statement {
     sid    = "AllowReadWriteCloudtrailSubscribedSQS"
@@ -27,30 +29,16 @@ data "aws_iam_policy_document" "cloud_connector" {
     resources = [var.cloudtrail_subscribed_sqs_arn]
   }
 
-
-  statement {
-    sid    = "AllowReadSecurityHub"
-    effect = "Allow"
-    actions = [
-      "securityhub:GetFindings",
-      "securityhub:BatchImportFindings",
-    ]
-    resources = ["arn:aws:securityhub:${data.aws_region.this.name}::product/sysdig/sysdig-cloud-connector"]
-    # TODO. make an input-var out of this
-  }
-
-
+  # required for EKS
   statement {
     sid    = "AllowCloudwatchLogManagement"
     effect = "Allow"
     actions = [
-      "logs:CreateLogStream",
       "logs:DescribeLogStreams",
       "logs:GetLogEvents",
       "logs:FilterLogEvents",
-      "logs:PutLogEvents",
     ]
     resources = ["*"]
-    # TODO. make an input-var out of this. make it more specific "arn:aws:logs:eu-central-1:522353683035:log-group:test:*"
+    # TODO. make an input-var out of this. make it more specific "arn:aws:logs:*:*:log-group:test:*"
   }
 }