From 5cf522cf2cfafa6db8b84077c5762d779773ce16 Mon Sep 17 00:00:00 2001
From: lorenzo merici
Date: Wed, 23 Apr 2025 15:20:53 +0200
Subject: [PATCH 1/3] Add roleARN parameter

---
 modules/integrations/cloud-logs/main.tf | 7 ++++---
 modules/integrations/cloud-logs/outputs.tf | 2 +-
 modules/integrations/cloud-logs/variables.tf | 21 ++++++++++++++------
 3 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/modules/integrations/cloud-logs/main.tf b/modules/integrations/cloud-logs/main.tf
index c1e9531..6ca955c 100644
--- a/modules/integrations/cloud-logs/main.tf
+++ b/modules/integrations/cloud-logs/main.tf
@@ -72,11 +72,12 @@ locals {
 kms_account_id = split(":", var.kms_key_arn)[3]
 need_kms_policy = var.bucket_account_id != null && var.bucket_account_id != local.kms_account_id
 
- account_id_hash = substr(md5(local.bucket_account_id), 0, 4)
- role_name = "${var.name}-${random_id.suffix.hex}-${local.account_id_hash}"
+ # Role variables
+ role_name = split(":", var.role_arn)[5]
+ account_id_hash = substr(md5(local.bucket_account_id), 0, 4)
 
 # StackSet configuration
- stackset_name = "${var.name}-${random_id.suffix.hex}-${local.account_id_hash}-stackset"
+ stackset_name = "sysdig-cloudlogs-${random_id.suffix.hex}-${local.account_id_hash}-stackset"
 
 # fetch the AWS Root OU under org
 # As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root
diff --git a/modules/integrations/cloud-logs/outputs.tf b/modules/integrations/cloud-logs/outputs.tf
index d6251c1..c6f621d 100644
--- a/modules/integrations/cloud-logs/outputs.tf
+++ b/modules/integrations/cloud-logs/outputs.tf
@@ -9,7 +9,7 @@ output "kms_policy_instructions" {
 value = (local.need_kms_policy) ? templatefile(
 "${path.module}/templates/kms_policy_instructions.tpl",
 {
- role_arn = "arn:${data.aws_partition.current.partition}:iam::${local.bucket_account_id}:role/${local.role_name}"
+ role_arn = var.role_arn
 }
 ) : ""
 }
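Review bot: The new `role_name = split(":", var.role_arn)[5]` line derives the role name from a caller-supplied ARN, but nothing checks that the ARN's account matches `local.bucket_account_id`, which the removed template in the outputs.tf hunk of this same patch used to guarantee together with `data.aws_partition.current.partition`. A mistyped or foreign-account ARN passes the new variable validation, and the `kms_policy_instructions` output would then tell the operator to grant KMS key access to a principal that is not the role this module creates (per the new variable's description), so a consistency check belongs next to this local, e.g. a `check` or `precondition` with `condition = split(":", var.role_arn)[4] == local.bucket_account_id`. The `stackset_name` line also drops `var.name`, which variables.tf deletes in this patch; that is a breaking change for callers that set it, and since the StackSet name changes the existing StackSet is presumably replaced rather than updated, which the PR description should state. The `locals` block starts before and continues past this hunk.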
diff --git a/modules/integrations/cloud-logs/variables.tf b/modules/integrations/cloud-logs/variables.tf
index 116a07b..b4eb67c 100644
--- a/modules/integrations/cloud-logs/variables.tf
+++ b/modules/integrations/cloud-logs/variables.tf
@@ -33,12 +33,6 @@ variable "tags" {
 }
 }
 
-variable "name" {
- description = "(Optional) Name to be assigned to all child resources. A suffix may be added internally when required."
- type = string
- default = "sysdig-secure-cloudlogs"
-}
-
 variable "regions" {
 description = "(Optional) The list of AWS regions we want to scrape data from"
 type = set(string)
@@ -66,6 +60,21 @@ variable "topic_arn" {
 }
 }
 
+variable "role_arn" {
+ type = string
+ description = "ARN of the role that terraform will create to download the CloudTrail logs from the S3 bucket."
+
+ validation {
+ condition = var.role_arn != ""
+ error_message = "Role ARN must not be empty"
+ }
+
+ validation {
+ condition = can(regex("^arn:(aws|aws-us-gov):iam::[0-9]+:role/.+$", var.role_arn))
+ error_message = "Role ARN must be a valid IAM ARN format"
+ }
+}
+
 variable "create_topic" {
 type = bool
 default = false

From 626fc7a7220b9f72da86f51cef3541e28b4baf81 Mon Sep 17 00:00:00 2001
From: lorenzo merici
Date: Wed, 23 Apr 2025 15:30:27 +0200
Subject: [PATCH 2/3] update role_name parsing

---
 modules/integrations/cloud-logs/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/integrations/cloud-logs/main.tf b/modules/integrations/cloud-logs/main.tf
index 6ca955c..aa946a1 100644
--- a/modules/integrations/cloud-logs/main.tf
+++ b/modules/integrations/cloud-logs/main.tf
@@ -73,7 +73,7 @@ locals {
 need_kms_policy = var.bucket_account_id != null && var.bucket_account_id != local.kms_account_id
 
 # Role variables
- role_name = split(":", var.role_arn)[5]
+ role_name = split("/", var.role_arn)[1]
 account_id_hash = substr(md5(local.bucket_account_id), 0, 4)
 
 # StackSet configuration
From 2d91600e10650c3284de11eeec66302bb2bee724 Mon Sep 17 00:00:00 2001
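Review bot: The ARN regex in the second `validation` block of `variable "role_arn"` pins the partition to `aws` and `aws-us-gov`, rejecting `aws-cn` and other partitions even though the code it replaces in outputs.tf took the partition from `data.aws_partition.current`, and `[0-9]+` accepts account ids of any length. A pattern such as `^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$` keeps the format check useful without hard-coding the partition list. The first `validation` (`var.role_arn != ""`) is subsumed by the regex and can be dropped. The description says terraform will create the role, so it should also say that the caller chooses the name via this ARN and the module parses it out, since that is what the `role_name` local in main.tf now does.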
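Review bot: `split("/", var.role_arn)[1]` returns the first path segment rather than the role name whenever the ARN carries an IAM path (constructed example: `arn:aws:iam::<account-id>:role/team/ingest`, giving `team`), and the `role/.+$` validation in variables.tf admits such ARNs; anything named from `local.role_name` would then not correspond to the role the ARN refers to. Take the last segment instead, `role_name = reverse(split("/", var.role_arn))[0]`, or tighten the validation to `role/[^/]+$` if paths are deliberately unsupported. The `locals` block starts before and continues past this hunk.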
From: lorenzo merici
Date: Wed, 23 Apr 2025 16:15:44 +0200
Subject: [PATCH 3/3] rename stackset prefix

---
 modules/integrations/cloud-logs/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/integrations/cloud-logs/main.tf b/modules/integrations/cloud-logs/main.tf
index aa946a1..2195342 100644
--- a/modules/integrations/cloud-logs/main.tf
+++ b/modules/integrations/cloud-logs/main.tf
@@ -77,7 +77,7 @@ locals {
 account_id_hash = substr(md5(local.bucket_account_id), 0, 4)
 
 # StackSet configuration
- stackset_name = "sysdig-cloudlogs-${random_id.suffix.hex}-${local.account_id_hash}-stackset"
+ stackset_name = "sysdig-secure-cloudlogs-${random_id.suffix.hex}-${local.account_id_hash}-stackset"
 
 # fetch the AWS Root OU under org
 # As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root