feat: add deploy_aws_iam_user optional for example/single-k8s (#124)

For k8s single account, we make optional the creation of aws IAM
credentials.

Co-authored-by: iru <[email protected]>

Author: jprieto92

.pre-commit-config.yaml

@@ -46,12 +46,9 @@ repos:
     rev: v1.64.0
     hooks:
       - id: terraform_fmt
-      # https://github.com/antonbabenko/pre-commit-terraform#terraform_validate
       - id: terraform_docs
         args:
           - '--args=--sort-by required'
-      - id: terraform_validate
-        exclude: (test)|(examples-internal)\/.*$
       - id: terraform_tflint
         exclude: (test)|(examples-internal)\/.*$
         args:
@@ -70,6 +67,9 @@ repos:
           - '--args=--only=terraform_unused_declarations'
           - '--args=--only=terraform_unused_required_providers'
           - '--args=--only=terraform_workspace_remote'
+      # https://github.com/antonbabenko/pre-commit-terraform#terraform_validate
+      - id: terraform_validate
+        exclude: (test)|(examples-internal)\/.*$
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.1.0
     hooks:

README.md

@@ -66,11 +66,11 @@ This would be an overall schema of the **created resources**, for the default se
 - Sysdig Workload: ECS / AppRunner creation (K8s cluster is pre-required, not created)
   - each compute solution require a role to assume for execution
 - CodeBuild for on-demand image scanning
-- Sysdig role for [Compliance](./modules/services/cloud-bench)
+- Sysdig role for [Compliance](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/modules/services/cloud-bench)
 
 ### Runtime Permissions
 
-**General  Permissions**
+**Threat-Detection specific**
 
 ```shell
 ssm: GetParameters
@@ -85,8 +85,14 @@ s3: GetObject
 **Image-Scanning specific**
 
 ```shell
+
+# all type scanning
 codebuild: StartBuild
 
+# deploy_image_scanning_ecr
+ecs:DescribeTaskDefinition
+
+# deploy_image_scanning_ecs
 ecr: GetAuthorizationToken
 ecr: BatchCheckLayerAvailability
 ecr: GetDownloadUrlForLayer
@@ -99,14 +105,13 @@ ecr: GetLifecyclePolicy
 ecr: GetLifecyclePolicyPreview
 ecr: ListTagsForResource
 ecr: DescribeImageScanFindings
-
-ecs:DescribeTaskDefinition
   ```
 - Other Notes:
+  - [Runtime AWS IAM permissions on JSON Statement format](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/resources/policy-single-account-k8s-aws.json)
   - only Sysdig workload related permissions are specified above; infrastructure internal resource permissions (such as Cloudtrail permissions to publish on SNS, or SNS-SQS Subscription)
   are not detailed.
   - For a better security, permissions are resource pinned, instead of `*`
-  - Check [Organizational Use Case - Role Summary](./examples/organizational/README.md#role-summary) for more details
+  - Check [Organizational Use Case - Role Summary](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/examples/organizational/README.md#role-summary) for more details
 
 
 <br/>
@@ -155,6 +160,14 @@ When scanning is activated, should see following lines on the cloud-connector co
 ```
 
   - For ECR image scanning, upload any image to an ECR repository of AWS. Can find CLI instructions within the UI of AWS
+
+    It may take some time, but you should see logs detecting the new image in the ECR repository
+    ```
+    {"component":"ecr-action","message":"processing detection {\"account\":\"***\",\"image\":\"***.dkr.ecr.us-east-1.amazonaws.com/myimage:tag\",\"region\":\"us-east-1\"}. source=aws_cloudtrail"}
+    {"component":"ecr-action","message":"starting ECR scanning for ***.dkr.ecr.us-east-1.amazonaws.com/myimage:tag at account ‘***’ region ‘us-east-1’"}
+    ```
+    and a CodeBuild project being launched successfully
+
   - For ECS running image scanning, deploy any task in your own cluster, or the one that we create to deploy our workload (ex.`amazon/amazon-ecs-sample` image).
 
     It may take some time, but you should see logs detecting the new image in the ECS cloud-connector task

examples/single-account-k8s/README.md

@@ -51,6 +51,8 @@ provider "aws" {
 provider "helm" {
   kubernetes {
     config_path = "~/.kube/config"
+    # optional: if you have multiple k8s contexts and desire specify your eks context
+    config_context = "arn:aws:eks:<AWS-REGION>:<AWS-MANAGEMENT-ACCOUNT-ID>:cluster/<AWS-EKS-CLUSTER-NAME>"
   }
 }
 
@@ -116,6 +118,7 @@ $ terraform apply
 | <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events. testing/economization purpose. | `bool` | `true` | no |
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether s3 should be encrypted. testing/economization purpose. | `bool` | `true` | no |
 | <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If defaulted, a new cloudtrail will be created. If specified, deployment region must match Cloudtrail S3 bucket region | `string` | `"create"` | no |
+| <a name="input_deploy_aws_iam_user"></a> [deploy\_aws\_iam\_user](#input\_deploy\_aws\_iam\_user) | true/false whether to deploy an iam user. if set to false, check [required role permissions](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/resources/policy-single-account-k8s-aws.json) | `bool` | `true` | no |
 | <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
 | <a name="input_deploy_image_scanning_ecr"></a> [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no |
 | <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |

examples/single-account-k8s/cloud-connector.tf

@@ -46,14 +46,20 @@ resource "helm_release" "cloud_connector" {
     value = data.sysdig_secure_connection.current.secure_api_token
   }
 
-  set_sensitive {
-    name  = "aws.accessKeyId"
-    value = module.iam_user.sfc_user_access_key_id
+  dynamic "set_sensitive" {
+    for_each = var.deploy_aws_iam_user ? [true] : []
+    content {
+      name  = "aws.accessKeyId"
+      value = module.iam_user[0].sfc_user_access_key_id
+    }
   }
 
-  set_sensitive {
-    name  = "aws.secretAccessKey"
-    value = module.iam_user.sfc_user_secret_access_key
+  dynamic "set_sensitive" {
+    for_each = var.deploy_aws_iam_user ? [true] : []
+    content {
+      name  = "aws.secretAccessKey"
+      value = module.iam_user[0].sfc_user_secret_access_key
+    }
   }
 
   set {
@@ -91,5 +97,5 @@ resource "helm_release" "cloud_connector" {
       ] : []
     })
   ]
-  depends_on = [module.iam_user]
+  depends_on = [module.iam_user[0]]
 }

examples/single-account-k8s/credentials.tf

@@ -1,5 +1,6 @@
 module "iam_user" {
   source = "../../modules/infrastructure/permissions/iam-user"
+  count  = var.deploy_aws_iam_user ? 1 : 0
   name   = var.name
 
   deploy_image_scanning = local.deploy_image_scanning

examples/single-account-k8s/variables.tf

@@ -68,3 +68,12 @@ variable "benchmark_regions" {
   description = "List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default."
   default     = []
 }
+
+#
+# aws iam user configuration
+#
+variable "deploy_aws_iam_user" {
+  type        = bool
+  description = "true/false whether to deploy an iam user. if set to false, check [required role permissions](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/resources/policy-single-account-k8s-aws.json)"
+  default     = true
+}

resources/sfc-policy.json

@@ -0,0 +1,57 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowSysdigSQSDeleteAndReceive",
+      "Effect": "Allow",
+      "Action": [
+        "sqs:DeleteMessage",
+        "sqs:ReceiveMessage"
+      ],
+      "Resource": "<SYSDIG_CLOUDTRAIL_SNS_SQS_ARN>"
+    },
+    {
+      "Sid": "AllowSysdigReadS3",
+      "Effect": "Allow",
+      "Action": [
+        "s3:GetObject"
+      ],
+      "Resource": "<SYSDIG_CLOUDTRAIL_S3_ARN>/*"
+    },
+    {
+      "Sid": "AllowSysdigECSTaskDefinition",
+      "Effect": "Allow",
+      "Action": [
+        "ecs:DescribeTaskDefinition"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "AllowSysdigCodeBuildStartBuild",
+      "Effect": "Allow",
+      "Action": [
+        "codebuild:StartBuild"
+      ],
+      "Resource": "<SYSDIG_CODEBUILD_ARN>"
+    },
+    {
+      "Sid": "AllowSysdigECRActions",
+      "Effect": "Allow",
+      "Action": [
+        "ecr:GetAuthorizationToken",
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:GetDownloadUrlForLayer",
+        "ecr:GetRepositoryPolicy",
+        "ecr:DescribeRepositories",
+        "ecr:ListImages",
+        "ecr:DescribeImages",
+        "ecr:BatchGetImage",
+        "ecr:GetLifecyclePolicy",
+        "ecr:GetLifecyclePolicyPreview",
+        "ecr:ListTagsForResource",
+        "ecr:DescribeImageScanFindings"
+      ],
+      "Resource": "*"
+    }
+  ]
+}