fix: limit permissions

draios · Mar 12, 2024 · 1b78b95 · 1b78b95
1 parent 4b749ec
commit 1b78b95
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 13 deletions.
diff --git a/modules/services/workload-scanning/main.tf b/modules/services/workload-scanning/main.tf
@@ -31,11 +31,7 @@ data "aws_iam_policy_document" "scanning" {
       "ecr:GetDownloadUrlForLayer",
       "ecr:BatchGetImage",
       "ecr:BatchCheckLayerAvailability",
-      "ecr:GetRepositoryPolicy",
-      "ecr:DescribeRepositories",
       "ecr:ListImages",
-      "ecr:DescribeImages",
-      "ecr:ListTagsForResource",
       "ecr:GetAuthorizationToken",
     ]
 
@@ -49,7 +45,7 @@ resource "aws_iam_policy" "scanning" {
   count = (var.deploy_global_resources || var.is_organizational) ? 1 : 0
 
   name        = var.name
-  description = "Grants Sysdig Secure access to volumes and snapshots"
+  description = "Grants Sysdig Secure access to ECR images"
   policy      = data.aws_iam_policy_document.scanning[0].json
   tags        = var.tags
 }

diff --git a/modules/services/workload-scanning/organizational.tf b/modules/services/workload-scanning/organizational.tf
@@ -67,11 +67,7 @@ Resources:
                     - "ecr:GetDownloadUrlForLayer"
                     - "ecr:BatchGetImage"
                     - "ecr:BatchCheckLayerAvailability"
-                    - "ecr:GetRepositoryPolicy"
-                    - "ecr:DescribeRepositories"
                     - "ecr:ListImages"
-                    - "ecr:DescribeImages"
-                    - "ecr:ListTagsForResource"
                     - "ecr:GetAuthorizationToken"
                   Resource: "*"
 

diff --git a/modules/services/workload-scanning/outputs.tf b/modules/services/workload-scanning/outputs.tf
@@ -2,3 +2,19 @@ output "role_arn" {
   description = "Role used by Sysdig Platform for Agentless Workload Scanning"
   value       = var.is_organizational ? null : var.deploy_global_resources ? aws_iam_role.scanning[0].arn : var.role_arn
 }
+
+output "validate_deploy_global_resources" {
+  value = null
+  precondition {
+    condition     = (var.deploy_global_resources && var.external_id != null)
+    error_message = "Please provide external_id or set deploy_global_resources to false."
+  }
+  precondition {
+    condition     = (var.deploy_global_resources && var.role_arn != null)
+    error_message = "Please provide ecr_role_name or set deploy_global_resources set to false."
+  }
+  precondition {
+    condition     = (var.deploy_global_resources && var.trusted_identity != null)
+    error_message = "Please provide trusted_identity or set deploy_global_resources to false."
+  }
+}
diff --git a/modules/services/workload-scanning/variables.tf b/modules/services/workload-scanning/variables.tf
@@ -1,11 +1,12 @@
 variable "external_id" {
-  description = "Random string generated unique to a customer"
+  description = "(Optional) This value should be provided by Sysdig. External ID is optional information that you can use in an IAM role trust policy to designate who in Sysdig can assume the role."
   type        = string
+  default     = null
 }
 
 variable "trusted_identity" {
   type        = string
-  description = "The name of sysdig trusted identity"
+  description = "This value should be provided by Sysdig. The field refers to Sysdig's IAM role that will be authorized to pull ECR images"
 }
 
 variable "name" {

diff --git a/modules/services/workload-scanning/versions.tf b/modules/services/workload-scanning/versions.tf
@@ -1,9 +1,10 @@
 terraform {
-  required_version = ">= 1.2.0"
+  required_version = "~> 1.7"
+
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.39.0"
+      version = "~> 5.0"
     }
   }
 }