feat(cloud-logs): add role name as alternative to role ARN, to be provided with the bucket account (#71)

Author: legobrick

modules/integrations/cloud-logs/README.md

@@ -105,8 +105,10 @@ No modules.
 | <a name="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account) | `string`      | n/a                                                         |   yes    |
 | <a name="input_bucket_arn"></a> [bucket\_arn](#input\_bucket\_arn)                                               | (Required) The ARN of your CloudTrail Bucket                                                                                                  | `string`      | n/a                                                         |   yes    |
 | <a name="input_topic_arn"></a> [topic\_arn](#input\_topic\_arn)                                                  | SNS Topic ARN that will forward CloudTrail notifications to Sysdig Secure                                                                     | `string`      | n/a                                                         |   yes    |
-| <a name="input_create_topic"></a> [create\_topic](#input\_create\_topic)                                         | true/false whether terraform should create the SNS Topic                                                                                      | `bool`        | `false`                                                     |    no    |
-| <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn)                                         | (Optional) ARN of the KMS key used to encrypt the S3 bucket. If provided, the IAM role will be granted permissions to decrypt using this key. | `string`      | `null`                                                     |    no    |
+| <a name="input_create_topic"></a> [create\_topic](#input\_create\_topic)                                         | true/false whether terraform should create the SNS Topic or subscribe to an existing one                                                                                      | `bool`        | `false`                                                     |    no    |
+| <a name="input_role_arn"></a> [role\_arn](#input\_role\_arn)                                         | ARN of the Role to create, used by Sysdig to access logs in the S3 Bucket. Alternative to the Role Name                                                                                      | `string`        | `null`                                                     |    no    |
+| <a name="input_role_name"></a> [role\_name](#input\_role\_name)                                         | Name of the Role to create, used by Sysdig to access logs in the S3 Bucket. Alternative to the Role ARN                                                                                      | `string`        | `null`                                                     |    no    |
+| <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn)                                          | (Optional) ARN of the KMS key used to encrypt the S3 bucket. If provided, the IAM role will be granted permissions to decrypt using this key. | `string`      | `null`                                                     |    no    |
 | <a name="input_bucket_account_id"></a> [bucket\_account\_id](#input\_bucket\_account\_id)                        | (Optional) AWS Account ID that owns the S3 bucket, if different from the account where the module is being applied. Required for cross-account organizational deployments. | `string`      | `null`                                                     |    no    |
 | <a name="input_tags"></a> [tags](#input\_tags)                                                                   | (Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning                           | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> |    no    |
 | <a name="input_name"></a> [name](#input\_name)                                                                   | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required.                                        | `string`      | sysdig-secure-cloudlogs                                     |    no    |

modules/integrations/cloud-logs/main.tf

@@ -47,7 +47,17 @@ data "aws_organizations_organization" "org" {
   count = var.is_organizational ? 1 : 0
 }
 
-
+resource "null_resource" "validation" {
+  lifecycle {
+    precondition {
+      condition = (
+        (var.role_name != null ? 1 : 0) +
+        (var.role_arn != null ? 1 : 0)
+      ) == 1
+      error_message = "either `role_arn` or `role_name` must be defined"
+    }
+  }
+}
 #-----------------------------------------------------------------------------------------
 # Generate a unique name for resources using random suffix and account ID hash
 #-----------------------------------------------------------------------------------------
@@ -73,7 +83,8 @@ locals {
   need_kms_policy = var.bucket_account_id != null && var.bucket_account_id != local.kms_account_id
 
   # Role variables
-  role_name = split("/", var.role_arn)[1]
+  role_name = var.role_name != null ? var.role_name : split("/", var.role_arn)[1]
+  role_arn = var.role_arn != null ? var.role_arn : "arn:${data.aws_partition.current.partition}:iam::${local.bucket_account_id}:role/${local.role_name}"
 
   account_id_hash  = substr(md5(local.bucket_account_id), 0, 4)
   # StackSet configuration
@@ -99,6 +110,11 @@ resource "aws_iam_role" "cloudlogs_s3_access" {
   name               = local.role_name
   tags               = var.tags
   assume_role_policy = data.aws_iam_policy_document.assume_cloudlogs_s3_access_role.json
+  depends_on         = [null_resource.validation]
+
+  lifecycle {
+    precondition {
+      condition   = var.role_arn == null || split(":", var.role_arn)[4] == local.bucket_account_id
 }
 
 // AWS IAM Role Policy
@@ -313,6 +329,7 @@ resource "sysdig_secure_cloud_auth_account_component" "aws_cloud_logs" {
   })
 
   depends_on = [
+    null_resource.validation,
     aws_iam_role.cloudlogs_s3_access,
     aws_cloudformation_stack_set_instance.cloudlogs_s3_access_bucket,
     aws_cloudformation_stack_set_instance.cloudlogs_s3_access_topic

modules/integrations/cloud-logs/outputs.tf

@@ -9,7 +9,7 @@ output "kms_policy_instructions" {
   value = (local.need_kms_policy) ? templatefile(
     "${path.module}/templates/kms_policy_instructions.tpl",
     {
-      role_arn = var.role_arn
+      role_arn = local.role_arn
     }
   ) : ""
 }

modules/integrations/cloud-logs/variables.tf

@@ -60,25 +60,27 @@ variable "topic_arn" {
   }
 }
 
+variable "create_topic" {
+  type        = bool
+  default     = false
+  description = "true/false whether terraform should create the SNS Topic"
+}
+
 variable "role_arn" {
   type        = string
   description = "ARN of the role that terraform will create to download the CloudTrail logs from the S3 bucket."
+  default     = null
 
   validation {
-    condition     = var.role_arn != ""
-    error_message = "Role ARN must not be empty"
-  }
-
-  validation {
-      condition     = can(regex("^arn:(aws|aws-us-gov):iam::[0-9]+:role/.+$", var.role_arn))
+      condition     = var.role_arn == null || can(regex("^arn:(aws|aws-us-gov):iam::[0-9]+:role/.+$", var.role_arn))
       error_message = "Role ARN must be a valid IAM ARN format"
   }
 }
 
-variable "create_topic" {
-  type        = bool
-  default     = false
-  description = "true/false whether terraform should create the SNS Topic"
+variable "role_name" {
+  type        = string
+  description = "Name for the Role that Terraform will create to download the CloudTrail logs from the S3 bucket. Alternative to the `role_arn`"
+  default     = null
 }
 
 variable "bucket_account_id" {