Skip to content

Commit

Permalink
feat: workload scanning initial commit
Browse files Browse the repository at this point in the history
  • Loading branch information
@mms2409
mms2409 committed Feb 15, 2024
1 parent 45fc068 commit 706d2e2
Show file tree
Hide file tree
Showing 7 changed files with 332 additions and 0 deletions.
66 changes: 66 additions & 0 deletions modules/services/workload-scanning/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
# AWS Agentless Scanning Module

This Module creates the resources required to perform agentless workload (ECR) scanning.

The following resources will be created in each instrumented account:
- An IAM Role and associated policies that allows Sysdig to perform tasks necessary for agentless workload scanning, i.e.
pull images from ECR.

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements

| Name | Version |
|------|-----------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.2.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.39.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.39.0 |

## Modules

No modules.

## Resources

| Name | Type |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|
| [aws_cloudformation_stack_set.scanning_role_stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource |
| [aws_cloudformation_stack_set_registry.scanning_role_stackset_registry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
| [aws_iam_policy.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy_attachment.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
| [aws_iam_role.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_policy_document.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.scanning_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|-------------------------------------------------------------|:--------:|
| <a name="input_deploy_global_resources"></a> [deploy\_global\_resources](#input\_deploy\_global\_resources) | (Optional) Set this field to 'true' to deploy Agentless Scanning when deploying to the main region (Non Organization Setup) | `bool` | `false` | no |
| <a name="input_external_id"></a> [external\_id](#input\_external\_id) | Random string generated unique to a customer | `string` | n/a | yes |
| <a name="input_role_arn"></a> [role\_arn](#input\_role\_arn) | (Optional) The ARN of the role to be associated with the with regional resources. Must be set if deploy_global_resources is false | `string` | `""` | no |
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy Agentless Workload Scanning to an AWS Organization (Or specific OUs) | `bool` | `false` | no |
| <a name="input_name"></a> [name](#input\_name) | The name of the installation. Assigned to most child resource(s) | `string` | `"sysdig-workload-scanning"` | no |
| <a name="input_org_units"></a> [org\_units](#input\_org\_units) | (Optional) List of Organization Unit IDs in which to setup Agentless Workload Scanning. By default, Agentless Workload Scanning will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false` | `set(string)` | `[]` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | <pre>{<br> "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
| <a name="input_trusted_identity"></a> [trusted\_identity](#input\_trusted\_identity) | The name of sysdig trusted identity | `string` | n/a | yes |

## Outputs

| Name | Description |
|------|---------------------------------------------------------------------|
| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | Role used by Sysdig Platform for Secure Agentless Workload Scanning |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

## Authors

Module is maintained by [Sysdig](https://sysdig.com).

## License

Apache 2 Licensed. See LICENSE for full details.
96 changes: 96 additions & 0 deletions modules/services/workload-scanning/main.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,96 @@
###########################################
# Workload Controller IAM roles and stuff #
###########################################

#-----------------------------------------------------------------------------------------------------------------------
# Determine if this is an Organizational install, or a single account install. For Single Account installs, resources
# are created directly using the AWS Terraform Provider (This is the default behaviour). For Organizational installs,
# see organizational.tf, and the resources in this file are used to instrument the management account (StackSets do not
# include the management account they are created in, even if this account is within the target Organization).
#-----------------------------------------------------------------------------------------------------------------------

#-----------------------------------------------------------------------------------------------------------------------
# We have two types of resources. global and regional. Global resources are deployed only once (mostly in the primary
# region). We use deploy_global_resources boolean to determine that.
#-----------------------------------------------------------------------------------------------------------------------

#-----------------------------------------------------------------------------------------------------------------------
# These resources create an Agentless Workload Scanning IAM Role and IAM Policy in the account.
#-----------------------------------------------------------------------------------------------------------------------

data "aws_iam_policy_document" "scanning" {
count = (var.deploy_global_resources || var.is_organizational) ? 1 : 0

# General ECR read permission, necessary for the fetching artifacts.
statement {
sid = "EcrReadPermissions"

effect = "Allow"

actions = [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:ListTagsForResource",
"ecr:GetAuthorizationToken",
]

resources = [
"*",
]
}
}

resource "aws_iam_policy" "scanning" {
count = (var.deploy_global_resources || var.is_organizational) ? 1 : 0

name = var.name
description = "Grants Sysdig Secure access to volumes and snapshots"
policy = data.aws_iam_policy_document.scanning[0].json
tags = var.tags
}

data "aws_iam_policy_document" "scanning_assume_role_policy" {
count = (var.deploy_global_resources || var.is_organizational) ? 1 : 0

statement {
sid = "SysdigWorkloadScanning"

actions = [
"sts:AssumeRole"
]

principals {
type = "AWS"
identifiers = [
var.trusted_identity,
]
}

condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [var.external_id]
}
}
}

resource "aws_iam_role" "scanning" {
count = (var.deploy_global_resources || var.is_organizational) ? 1 : 0

name = var.name
tags = var.tags
assume_role_policy = data.aws_iam_policy_document.scanning_assume_role_policy[0].json
}

resource "aws_iam_policy_attachment" "scanning" {
count = (var.deploy_global_resources || var.is_organizational) ? 1 : 0

name = var.name
roles = [aws_iam_role.scanning[0].name]
policy_arn = aws_iam_policy.scanning[0].arn
}
93 changes: 93 additions & 0 deletions modules/services/workload-scanning/organizational.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
#-----------------------------------------------------------------------------------------------------------------------
# Determine if this is an Organizational install, or a single account install. For Organizational installs, resources
# are created using CloudFormation StackSet. For Single Account installs see main.tf.
#-----------------------------------------------------------------------------------------------------------------------

data "aws_organizations_organization" "org" {
count = var.is_organizational ? 1 : 0
}

locals {
organizational_unit_ids = var.is_organizational && length(var.org_units) == 0 ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : toset(var.org_units)
}

#-----------------------------------------------------------------------------------------------------------------------
# The resources in this file set up an Agentless Workload Scanning IAM Role and Policies in all accounts
# in an AWS Organization via a CloudFormation StackSet.
# Global resources: IAM Role and Policy
#-----------------------------------------------------------------------------------------------------------------------

#-----------------------------------------------------------------------------------------------------------------------
# stackset and stackset instance deployed in organization units for Agentless Scanning IAM Role, Policies
#-----------------------------------------------------------------------------------------------------------------------

# stackset to deploy agentless workload scanning role in organization unit
resource "aws_cloudformation_stack_set" "scanning_role_stackset" {
count = var.is_organizational ? 1 : 0

name = join("-", [var.name, "ScanningRoleOrg"])
tags = var.tags
permission_model = "SERVICE_MANAGED"
capabilities = ["CAPABILITY_NAMED_IAM"]

auto_deployment {
enabled = true
retain_stacks_on_account_removal = false
}

lifecycle {
ignore_changes = [administration_role_arn]
}

template_body = <<TEMPLATE
Resources:
AgentlessWorkloadRole:
Type: AWS::IAM::Role
Properties:
RoleName: ${var.name}
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: "SysdigSecureScanning"
Effect: "Allow"
Action: "sts:AssumeRole"
Principal:
AWS: "${var.trusted_identity}"
Condition:
StringEquals:
sts:ExternalId: "${var.external_id}"
Policies:
- PolicyName: ${var.name}
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: "EcrReadPermissions"
Effect: "Allow"
Action:
- "ecr:GetDownloadUrlForLayer"
- "ecr:BatchGetImage"
- "ecr:BatchCheckLayerAvailability"
- "ecr:GetRepositoryPolicy"
- "ecr:DescribeRepositories"
- "ecr:ListImages"
- "ecr:DescribeImages"
- "ecr:ListTagsForResource"
- "ecr:GetAuthorizationToken"
Resource: "*"
TEMPLATE
}

# stackset instance to deploy agentless scanning role, in all organization units
resource "aws_cloudformation_stack_set_registry" "scanning_role_stackset_registry" {
count = var.is_organizational ? 1 : 0

stack_set_name = aws_cloudformation_stack_set.scanning_role_stackset[0].name
deployment_targets {
organizational_unit_ids = local.organizational_unit_ids
}
operation_preferences {
failure_tolerance_count = 10
max_concurrent_count = 10
}
}
4 changes: 4 additions & 0 deletions modules/services/workload-scanning/outputs.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
output "role_arn" {
description = "Role used by Sysdig Platform for Agentless Workload Scanning"
value = var.is_organizational ? null : var.deploy_global_resources ? aws_iam_role.scanning[0].arn : var.role_arn
}
47 changes: 47 additions & 0 deletions modules/services/workload-scanning/variables.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
variable "external_id" {
description = "Random string generated unique to a customer"
type = string
}

variable "trusted_identity" {
type = string
description = "The name of sysdig trusted identity"
}

variable "name" {
description = "The name of the installation. Assigned to most child resource(s)"
type = string
default = "sysdig-workload-scanning"
}

variable "tags" {
type = map(string)
description = "sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning"
default = {
"product" = "sysdig-secure-for-cloud"
}
}

variable "deploy_global_resources" {
description = "(Optional) Set this field to 'true' to deploy Agentless Workload Scanning when deploying to the main region (Non Organization Setup)"
type = bool
default = false
}

variable "is_organizational" {
description = "(Optional) Set this field to 'true' to deploy Agentless Workload Scanning to an AWS Organization (Or specific OUs)"
type = bool
default = false
}

variable "org_units" {
description = "(Optional) List of Organization Unit IDs in which to setup Agentless Workload Scanning. By default, Agentless Workload Scanning will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false`"
type = set(string)
default = []
}

variable "role_arn" {
description = "(Optional) The ARN of the role to be associated with the with regional resources. Must be set if deploy_global_resources is false"
type = string
default = ""
}
9 changes: 9 additions & 0 deletions modules/services/workload-scanning/versions.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
terraform {
required_version = ">= 1.2.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.39.0"
}
}
}
17 changes: 17 additions & 0 deletions test/examples/secure_workload_scanning/single/main.tf.OFF
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
provider "aws" {
region = "us-east-1"
access_key = "test"
secret_key = "test"

endpoints {
iam = "http://127.0.0.1:5000/"
sts = "http://127.0.0.1:5000/"
}
}

module "single-workload-scanning" {
source = "../../../..//modules/services/workload-scanning"
trusted_identity = "arn:aws:iam::123456789012:role/secure-assume-role"
external_id = "external_id"
name = "sysdig"
}

0 comments on commit 706d2e2

Please sign in to comment.