feat(cloudlogs): add roleARN variable (#61)

lorenzo-merici · web-flow · commit 889d1b1334f5 · 2025-04-23T16:17:45.000+02:00
diff --git a/modules/integrations/cloud-logs/main.tf b/modules/integrations/cloud-logs/main.tf
@@ -72,11 +72,12 @@ locals {
   kms_account_id = split(":", var.kms_key_arn)[3]
   need_kms_policy = var.bucket_account_id != null && var.bucket_account_id != local.kms_account_id
 
-  account_id_hash  = substr(md5(local.bucket_account_id), 0, 4)
-  role_name        = "${var.name}-${random_id.suffix.hex}-${local.account_id_hash}"
+  # Role variables
+  role_name = split("/", var.role_arn)[1]
 
+  account_id_hash  = substr(md5(local.bucket_account_id), 0, 4)
   # StackSet configuration
-  stackset_name = "${var.name}-${random_id.suffix.hex}-${local.account_id_hash}-stackset"
+  stackset_name = "sysdig-secure-cloudlogs-${random_id.suffix.hex}-${local.account_id_hash}-stackset"
 
   # fetch the AWS Root OU under org
   # As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root
diff --git a/modules/integrations/cloud-logs/outputs.tf b/modules/integrations/cloud-logs/outputs.tf
@@ -9,7 +9,7 @@ output "kms_policy_instructions" {
   value = (local.need_kms_policy) ? templatefile(
     "${path.module}/templates/kms_policy_instructions.tpl",
     {
-      role_arn = "arn:${data.aws_partition.current.partition}:iam::${local.bucket_account_id}:role/${local.role_name}"
+      role_arn = var.role_arn
     }
   ) : ""
 }
diff --git a/modules/integrations/cloud-logs/variables.tf b/modules/integrations/cloud-logs/variables.tf
@@ -33,12 +33,6 @@ variable "tags" {
   }
 }
 
-variable "name" {
-  description = "(Optional) Name to be assigned to all child resources. A suffix may be added internally when required."
-  type        = string
-  default     = "sysdig-secure-cloudlogs"
-}
-
 variable "regions" {
   description = "(Optional) The list of AWS regions we want to scrape data from"
   type        = set(string)
@@ -66,6 +60,21 @@ variable "topic_arn" {
   }
 }
 
+variable "role_arn" {
+  type        = string
+  description = "ARN of the role that terraform will create to download the CloudTrail logs from the S3 bucket."
+
+  validation {
+    condition     = var.role_arn != ""
+    error_message = "Role ARN must not be empty"
+  }
+
+  validation {
+      condition     = can(regex("^arn:(aws|aws-us-gov):iam::[0-9]+:role/.+$", var.role_arn))
+      error_message = "Role ARN must be a valid IAM ARN format"
+  }
+}
+
 variable "create_topic" {
   type        = bool
   default     = false

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ output "kms_policy_instructions" {`
`9`	`9`	`value = (local.need_kms_policy) ? templatefile(`
`10`	`10`	`"${path.module}/templates/kms_policy_instructions.tpl",`
`11`	`11`	`{`
`12`		`- role_arn = "arn:${data.aws_partition.current.partition}:iam::${local.bucket_account_id}:role/${local.role_name}"`
	`12`	`+ role_arn = var.role_arn`
`13`	`13`	`}`
`14`	`14`	`) : ""`
`15`	`15`	`}`