7 changes: 4 additions & 3 deletions modules/integrations/cloud-logs/main.tf
Expand Up @@ -72,11 +72,12 @@ locals {
kms_account_id = split(":", var.kms_key_arn)[3]
need_kms_policy = var.bucket_account_id != null && var.bucket_account_id != local.kms_account_id

account_id_hash = substr(md5(local.bucket_account_id), 0, 4)
role_name = "${var.name}-${random_id.suffix.hex}-${local.account_id_hash}"
# Role variables
role_name = split("/", var.role_arn)[1]

account_id_hash = substr(md5(local.bucket_account_id), 0, 4)
# StackSet configuration
stackset_name = "${var.name}-${random_id.suffix.hex}-${local.account_id_hash}-stackset"
stackset_name = "sysdig-secure-cloudlogs-${random_id.suffix.hex}-${local.account_id_hash}-stackset"

# fetch the AWS Root OU under org
# As per https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure, there can be only one root
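Review bot: `role_name = split("/", var.role_arn)[1]` on the new side takes the first segment after `role/`, which is the IAM path component rather than the role name whenever the supplied ARN carries a path; the validation regex in variables.tf (`role/.+`) admits such ARNs, so the derived name would be wrong for them. Taking the last element instead, `role_name = element(split("/", var.role_arn), length(split("/", var.role_arn)) - 1)`, handles both path-less and path-qualified ARNs. The `locals` block begins above the hunk, so I cannot see from here which resources still consume `local.role_name` after this change.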
2 changes: 1 addition & 1 deletion modules/integrations/cloud-logs/outputs.tf
Expand Up @@ -9,7 +9,7 @@ output "kms_policy_instructions" {
value = (local.need_kms_policy) ? templatefile(
"${path.module}/templates/kms_policy_instructions.tpl",
{
role_arn = "arn:${data.aws_partition.current.partition}:iam::${local.bucket_account_id}:role/${local.role_name}"
role_arn = var.role_arn
}
) : ""
}
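--- a/modules/integrations/cloud-logs/variables.tf
+++ b/modules/integrations/cloud-logs/variables.tf
@@ -33,12 +33,6 @@ variable "tags" {
 }
 }
 
-variable "name" {
-description = "(Optional) Name to be assigned to all child resources. A suffix may be added internally when required."
-type = string
-default = "sysdig-secure-cloudlogs"
-}
-
 variable "regions" {
 description = "(Optional) The list of AWS regions we want to scrape data from"
 type = set(string)
@@ -66,6 +60,21 @@ variable "topic_arn" {
 }
 }
 
+variable "role_arn" {
+type = string
+description = "ARN of the role that terraform will create to download the CloudTrail logs from the S3 bucket."
+
+validation {
+condition = var.role_arn != ""
+error_message = "Role ARN must not be empty"
+}
+
+validation {
+condition = can(regex("^arn:(aws|aws-us-gov):iam::[0-9]+:role/.+$", var.role_arn))
+error_message = "Role ARN must be a valid IAM ARN format"
+}
+}
+
 variable "create_topic" {
 type = bool
 default = false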
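Review bot: The description of `role_arn` says it is the role "that terraform will create", yet the variable is a required input with no default and the new `local.role_name` in main.tf is derived from it, which reads as a caller-supplied, pre-existing role; if a sibling module creates it, the description should say so, e.g. `description = "ARN of the IAM role (created by the caller or a sibling module) used to download the CloudTrail logs from the S3 bucket."`. The second validation's regex only admits the `aws` and `aws-us-gov` partitions, whereas the ARN removed from outputs.tf was built from `data.aws_partition.current.partition`, so a deployment in another partition such as `aws-cn` is now rejected at plan time; `^arn:aws(-[a-z]+)?:iam::[0-9]{12}:role/.+$` keeps the intent while also pinning the 12-digit account id. The first validation (`var.role_arn != ""`) is already implied by the regex and can be dropped unless its more specific error message is wanted for the empty case.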