feat: Agentless Workload Scanning [SSPROD-37035]

modules/services/workload-scanning/README.md

@@ -0,0 +1,66 @@
+# AWS Agentless Scanning Module
+
+This Module creates the resources required to perform agentless workload (ECR) scanning.
+
+The following resources will be created in each instrumented account:
+- An IAM Role and associated policies that allows Sysdig to perform tasks necessary for agentless workload scanning, i.e.
+pull images from ECR.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version   |
+|------|-----------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.2.0  |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.39.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.39.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name                                                                                                                                                                                   | Type |
+|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|
+| [aws_cloudformation_stack_set.scanning_role_stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set)                            | resource |
+| [aws_cloudformation_stack_set_registry.scanning_role_stackset_registry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
+| [aws_iam_policy.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy)                                                                      | resource |
+| [aws_iam_policy_attachment.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment)                                                | resource |
+| [aws_iam_role.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role)                                                                          | resource |
+| [aws_iam_policy_document.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)                                                 | data source |
+| [aws_iam_policy_document.scanning_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)                              | data source |
+| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization)                                        | data source |
+
+## Inputs
+
+| Name | Description                                                                                                                                                                                                                                 | Type | Default                                                     | Required |
+|------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|-------------------------------------------------------------|:--------:|
+| <a name="input_deploy_global_resources"></a> [deploy\_global\_resources](#input\_deploy\_global\_resources) | (Optional) Set this field to 'true' to deploy Agentless Scanning when deploying to the main region (Non Organization Setup)                                                                                                                 | `bool` | `false`                                                     | no |
+| <a name="input_external_id"></a> [external\_id](#input\_external\_id) | Random string generated unique to a customer                                                                                                                                                                                                | `string` | n/a                                                         | yes |
+| <a name="input_role_arn"></a> [role\_arn](#input\_role\_arn) | (Optional) The ARN of the role to be associated with the with regional resources. Must be set if deploy_global_resources is false                                                                                                           | `string` | `""`                                                        | no |
+| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy Agentless Workload Scanning to an AWS Organization (Or specific OUs)                                                                                                                          | `bool` | `false`                                                     | no |
+| <a name="input_name"></a> [name](#input\_name) | The name of the installation. Assigned to most child resource(s)                                                                                                                                                                            | `string` | `"sysdig-workload-scanning"`                                | no |
+| <a name="input_org_units"></a> [org\_units](#input\_org\_units) | (Optional) List of Organization Unit IDs in which to setup Agentless Workload Scanning. By default, Agentless Workload Scanning will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false` | `set(string)` | `[]`                                                        | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning                                                                                                                                    | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
+| <a name="input_trusted_identity"></a> [trusted\_identity](#input\_trusted\_identity) | The name of sysdig trusted identity                                                                                                                                                                                                         | `string` | n/a                                                         | yes |
+
+## Outputs
+
+| Name | Description                                                         |
+|------|---------------------------------------------------------------------|
+| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | Role used by Sysdig Platform for Secure Agentless Workload Scanning |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Authors
+
+Module is maintained by [Sysdig](https://sysdig.com).
+
+## License
+
+Apache 2 Licensed. See LICENSE for full details.

modules/services/workload-scanning/main.tf

@@ -0,0 +1,92 @@
+###########################################
+# Workload Controller IAM roles and stuff #
+###########################################
+
+#-----------------------------------------------------------------------------------------------------------------------
+# Determine if this is an Organizational install, or a single account install. For Single Account installs, resources
+# are created directly using the AWS Terraform Provider (This is the default behaviour). For Organizational installs,
+# see organizational.tf, and the resources in this file are used to instrument the management account (StackSets do not
+# include the management account they are created in, even if this account is within the target Organization).
+#-----------------------------------------------------------------------------------------------------------------------
+
+#-----------------------------------------------------------------------------------------------------------------------
+# We have two types of resources. global and regional. Global resources are deployed only once (mostly in the primary
+# region). We use deploy_global_resources boolean to determine that.
+#-----------------------------------------------------------------------------------------------------------------------
+
+#-----------------------------------------------------------------------------------------------------------------------
+# These resources create an Agentless Workload Scanning IAM Role and IAM Policy in the account.
+#-----------------------------------------------------------------------------------------------------------------------
+
+data "aws_iam_policy_document" "scanning" {
+  count = (var.deploy_global_resources || var.is_organizational) ? 1 : 0
+
+  # General ECR read permission, necessary for the fetching artifacts.
+  statement {
+    sid = "EcrReadPermissions"
+
+    effect = "Allow"
+
+    actions = [
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:ListImages",
+      "ecr:GetAuthorizationToken",
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
+}
+
+resource "aws_iam_policy" "ecr_scanning" {
+  count = (var.deploy_global_resources || var.is_organizational) ? 1 : 0
+
+  name        = var.name
+  description = "Grants Sysdig Secure access to ECR images"
+  policy      = data.aws_iam_policy_document.scanning[0].json
+  tags        = var.tags
+}
+
+data "aws_iam_policy_document" "scanning_assume_role_policy" {
+  count = (var.deploy_global_resources || var.is_organizational) ? 1 : 0
+
+  statement {
+    sid = "SysdigWorkloadScanning"
+
+    actions = [
+      "sts:AssumeRole"
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        var.trusted_identity,
+      ]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "sts:ExternalId"
+      values   = [var.external_id]
+    }
+  }
+}
+
+resource "aws_iam_role" "scanning" {
+  count = (var.deploy_global_resources || var.is_organizational) ? 1 : 0
+
+  name               = var.name
+  tags               = var.tags
+  assume_role_policy = data.aws_iam_policy_document.scanning_assume_role_policy[0].json
+}
+
+resource "aws_iam_policy_attachment" "scanning" {
+  count = (var.deploy_global_resources || var.is_organizational) ? 1 : 0
+
+  name       = var.name
+  roles      = [aws_iam_role.scanning[0].name]
+  policy_arn = aws_iam_policy.ecr_scanning[0].arn
+}

modules/services/workload-scanning/organizational.tf

@@ -0,0 +1,89 @@
+#-----------------------------------------------------------------------------------------------------------------------
+# Determine if this is an Organizational install, or a single account install. For Organizational installs, resources
+# are created using CloudFormation StackSet. For Single Account installs see main.tf.
+#-----------------------------------------------------------------------------------------------------------------------
+
+data "aws_organizations_organization" "org" {
+  count = var.is_organizational ? 1 : 0
+}
+
+locals {
+  organizational_unit_ids = var.is_organizational && length(var.org_units) == 0 ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : toset(var.org_units)
+}
+
+#-----------------------------------------------------------------------------------------------------------------------
+# The resources in this file set up an Agentless Workload Scanning IAM Role and Policies in all accounts
+# in an AWS Organization via a CloudFormation StackSet.
+# Global resources: IAM Role and Policy
+#-----------------------------------------------------------------------------------------------------------------------
+
+#-----------------------------------------------------------------------------------------------------------------------
+# stackset and stackset instance deployed in organization units for Agentless Scanning IAM Role, Policies
+#-----------------------------------------------------------------------------------------------------------------------
+
+# stackset to deploy agentless workload scanning role in organization unit
+resource "aws_cloudformation_stack_set" "scanning_role_stackset" {
+  count = var.is_organizational ? 1 : 0
+
+  name             = join("-", [var.name, "ScanningRoleOrg"])
+  tags             = var.tags
+  permission_model = "SERVICE_MANAGED"
+  capabilities     = ["CAPABILITY_NAMED_IAM"]
+
+  auto_deployment {
+    enabled                          = true
+    retain_stacks_on_account_removal = false
+  }
+
+  lifecycle {
+    ignore_changes = [administration_role_arn]
+  }
+
+  template_body = <<TEMPLATE
+Resources:
+  SysdigAgentlessWorkloadRole:
+      Type: AWS::IAM::Role
+      Properties:
+        RoleName: ${var.name}
+        AssumeRolePolicyDocument:
+          Version: "2012-10-17"
+          Statement:
+            - Sid: "SysdigSecureScanning"
+              Effect: "Allow"
+              Action: "sts:AssumeRole"
+              Principal:
+                AWS: "${var.trusted_identity}"
+              Condition:
+                StringEquals:
+                  sts:ExternalId: "${var.external_id}"
+        Policies:
+          - PolicyName: ${var.name}
+            PolicyDocument:
+              Version: "2012-10-17"
+              Statement:
+                - Sid: "EcrReadPermissions"
+                  Effect: "Allow"
+                  Action:
+                    - "ecr:GetDownloadUrlForLayer"
+                    - "ecr:BatchGetImage"
+                    - "ecr:BatchCheckLayerAvailability"
+                    - "ecr:ListImages"
+                    - "ecr:GetAuthorizationToken"
+                  Resource: "*"
+
+TEMPLATE
+}
+
+# stackset instance to deploy agentless scanning role, in all organization units
+resource "aws_cloudformation_stack_set_registry" "scanning_role_stackset_registry" {
+  count = var.is_organizational ? 1 : 0
+
+  stack_set_name = aws_cloudformation_stack_set.scanning_role_stackset[0].name
+  deployment_targets {
+    organizational_unit_ids = local.organizational_unit_ids
+  }
+  operation_preferences {
+    failure_tolerance_count = 10
+    max_concurrent_count    = 10
+  }
+}

modules/services/workload-scanning/outputs.tf

@@ -0,0 +1,20 @@
+output "role_arn" {
+  description = "Role used by Sysdig Platform for Agentless Workload Scanning"
+  value       = var.is_organizational ? null : var.deploy_global_resources ? aws_iam_role.scanning[0].arn : var.role_arn
+}
+
+output "validate_deploy_global_resources" {
+  value = null
+  precondition {
+    condition     = (var.deploy_global_resources && var.external_id != null)
+    error_message = "Please provide external_id or set deploy_global_resources to false."
+  }
+  precondition {
+    condition     = (var.deploy_global_resources && var.role_arn != null)
+    error_message = "Please provide ecr_role_name or set deploy_global_resources set to false."
+  }
+  precondition {
+    condition     = (var.deploy_global_resources && var.trusted_identity != null)
+    error_message = "Please provide trusted_identity or set deploy_global_resources to false."
+  }
+}

modules/services/workload-scanning/variables.tf

@@ -0,0 +1,48 @@
+variable "external_id" {
+  description = "(Optional) This value should be provided by Sysdig. External ID is optional information that you can use in an IAM role trust policy to designate who in Sysdig can assume the role."
+  type        = string
+  default     = null
+}
+
+variable "trusted_identity" {
+  type        = string
+  description = "This value should be provided by Sysdig. The field refers to Sysdig's IAM role that will be authorized to pull ECR images"
+}
+
+variable "name" {
+  description = "The name of the installation. Assigned to most child resource(s)"
+  type        = string
+  default     = "sysdig-workload-scanning"
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning"
+  default = {
+    "product" = "sysdig-secure-for-cloud"
+  }
+}
+
+variable "deploy_global_resources" {
+  description = "(Optional) Set this field to 'true' to deploy Agentless Workload Scanning when deploying to the main region (Non Organization Setup)"
+  type        = bool
+  default     = false
+}
+
+variable "is_organizational" {
+  description = "(Optional) Set this field to 'true' to deploy Agentless Workload Scanning to an AWS Organization (Or specific OUs)"
+  type        = bool
+  default     = false
+}
+
+variable "org_units" {
+  description = "(Optional) List of Organization Unit IDs in which to setup Agentless Workload Scanning. By default, Agentless Workload Scanning will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false`"
+  type        = set(string)
+  default     = []
+}
+
+variable "role_arn" {
+  description = "(Optional) The ARN of the role to be associated with the with regional resources. Must be set if deploy_global_resources is false"
+  type        = string
+  default     = ""
+}

modules/services/workload-scanning/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = "~> 1.7"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}