From 7c20b962b4e7811e6af8647525a85fbe598f289f Mon Sep 17 00:00:00 2001
From: Christopher Geers
Date: Fri, 4 Oct 2024 12:02:07 -0500
Subject: [PATCH] fix(volume_access): consolidate role into org stackset

* move role into single organization stackset
* deploy role in one region
* regional kms keys conditionally depend on role
* costs are sequential regional deployments
---
 modules/volume_access.cft.yaml | 88 ++++++++++++++--------------------
 1 file changed, 35 insertions(+), 53 deletions(-)

diff --git a/modules/volume_access.cft.yaml b/modules/volume_access.cft.yaml
index b1c6748..f2f8946 100644
--- a/modules/volume_access.cft.yaml
+++ b/modules/volume_access.cft.yaml
@@ -264,12 +264,12 @@ Resources:
 Properties:
 AliasName: !Sub alias/sysdig-secure-scanning-${NameSuffix}
 TargetKeyId: !Ref ScanningKmsKey
- OrganizationRoleStackSet:
+ OrganizationKMSKeyStackSet:
 Type: AWS::CloudFormation::StackSet
 Condition: IsOrganizational
 Properties:
- StackSetName: !Sub sysdig-secure-scanning-organization-roles-${NameSuffix}
- Description: IAM Role used to create IAM roles scan organization accounts/regions
+ StackSetName: !Sub sysdig-secure-scanning-organization-kmskey-${NameSuffix}
+ Description: IAM Role used to create KMS Keys to scan organization accounts/regions
 PermissionModel: SERVICE_MANAGED
 Capabilities:
 - "CAPABILITY_NAMED_IAM"
@@ -282,6 +282,7 @@ Resources:
 MaxConcurrentPercentage: 100
 FailureTolerancePercentage: 90
 ConcurrencyMode: SOFT_FAILURE_TOLERANCE
+ RegionConcurrencyType: SEQUENTIAL
 Parameters:
 - ParameterKey: NameSuffix
 ParameterValue: !Ref NameSuffix
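Review bot: Renaming the logical resource from `OrganizationRoleStackSet` to `OrganizationKMSKeyStackSet` (together with its `StackSetName`) makes CloudFormation replace the stack set instead of updating it, and the replacement's instances create `RoleName: !Sub sysdig-secure-scanning-${NameSuffix}` (context in the next hunk) while the old stack set's instances, which own a role of that same fixed name, are still present — if I read the create-before-delete update order correctly, an in-place upgrade of an existing organizational deployment would fail on the duplicate IAM role name. Either keep the old logical ID and update the resource in place, or document that existing installs must remove the old stack set before applying this version. The new `Description` is also copied from the removed resource: a StackSet is not an IAM role, and this one now carries both the role and the keys; `Description: StackSet deploying the Sysdig scanning IAM role (first listed region) and a KMS key per region` would describe it.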
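Review bot: `RegionConcurrencyType: SEQUENTIAL` is now load-bearing — per the commit message it is what lets the first region's IAM role exist before the other regions' keys are created — but nothing on the resource says so, and the unchanged `FailureTolerancePercentage: 90` with `SOFT_FAILURE_TOLERANCE` means a failed first region does not stop the remaining regions from proceeding without the role. Add `# SEQUENTIAL is required: the first region in Regions creates the IAM role the other regions' stacks rely on (see GlobalRegion in the template body)` above the new line, and decide whether the operation should instead stop when the first region fails.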
@@ -291,32 +292,43 @@ Resources:
 ParameterValue: !Ref TrustedIdentity
 - ParameterKey: ExternalID
 ParameterValue: !Ref ExternalID
+ - ParameterKey: Regions
+ ParameterValue: !Join [ ',', !Ref Regions ]
 StackInstancesGroup:
 - DeploymentTargets:
 OrganizationalUnitIds: !Ref OrganizationalUnitIDs
- Regions: [!Ref "AWS::Region"]
+ Regions: !Ref Regions
 TemplateBody: |
 AWSTemplateFormatVersion: "2010-09-09"
- Description: IAM Role used by Sysdig Secure Vulnerability Scanning
- Parameters:
+ Description: "Template to create KMS Key and Alias for Sysdig Agentless Scanning"
+ Parameters:
 NameSuffix:
 Type: String
 Description: Suffix to append to the resource name identifiers
 AllowedPattern: '[0-9a-z]+'
 MaxLength: 8
 MinLength: 4
+ ScanningAccountID:
+ Type: String
+ Description: The AWS Account ID of the Sysdig Scanning Account
 ExternalID:
 Type: String
 Description: Sysdig assigned token that proves you own this account
 TrustedIdentity:
 Type: String
 Description: The Role in Sysdig's AWS Account with permissions to your account
- ScanningAccountID:
- Type: String
- Description: The AWS Account ID of the Sysdig Scanning Account
+ Regions:
+ Type: CommaDelimitedList
+ Description: Comma separated list of regions enabled for Sysdig Scanning
+ Conditions:
+ GlobalRegion:
+ Fn::Equals:
+ - !Ref "AWS::Region"
+ - !Select [ "0", !Ref Regions ]
 Resources:
 ScanningRole:
 Type: AWS::IAM::Role
+ Condition: GlobalRegion
 Properties:
 RoleName: !Sub sysdig-secure-scanning-${NameSuffix}
 AssumeRolePolicyDocument:
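Review bot: `GlobalRegion` ties the IAM role to whichever region happens to be first in the `Regions` parameter, so a later reordering of that list flips the condition: the stack in the old first region deletes `ScanningRole` and the stack in the new first region creates one with the same `RoleName`, which, depending on which region the sequential update reaches first, ends either in a duplicate-name failure or in a window with no role at all. That constraint is stated nowhere; extend the nested parameter to `Description: Comma separated list of regions enabled for Sysdig Scanning; the first entry also hosts the account-wide IAM role and must keep its position` and say the same on the parent template's `Regions` parameter, which is outside this hunk. `!Select [ "0", !Ref Regions ]` also assumes a non-empty list, which `CommaDelimitedList` does not enforce on its own.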
@@ -396,52 +408,22 @@ Resources:
 Condition:
 StringEqualsIgnoreCase:
 "aws:ResourceTag/CreatedBy": "Sysdig"
- OrganizationKMSKeyStackSet:
- Type: AWS::CloudFormation::StackSet
- Condition: IsOrganizational
- DependsOn:
- - OrganizationRoleStackSet
- Properties:
- StackSetName: !Sub sysdig-secure-scanning-organization-kmskey-${NameSuffix}
- Description: IAM Role used to create KMS Keys to scan organization accounts/regions
- PermissionModel: SERVICE_MANAGED
- Capabilities:
- - "CAPABILITY_NAMED_IAM"
- AutoDeployment:
- Enabled: true
- RetainStacksOnAccountRemoval: false
- ManagedExecution:
- Active: true
- OperationPreferences:
- MaxConcurrentPercentage: 100
- FailureTolerancePercentage: 90
- ConcurrencyMode: SOFT_FAILURE_TOLERANCE
- RegionConcurrencyType: PARALLEL
- Parameters:
- - ParameterKey: NameSuffix
- ParameterValue: !Ref NameSuffix
- - ParameterKey: ScanningAccountID
- ParameterValue: !Ref ScanningAccountID
- StackInstancesGroup:
- - DeploymentTargets:
- OrganizationalUnitIds: !Ref OrganizationalUnitIDs
- Regions: !Ref Regions
- TemplateBody: |
- AWSTemplateFormatVersion: "2010-09-09"
- Description: "Template to create KMS Key and Alias for Sysdig Agentless Scanning"
- Parameters:
- NameSuffix:
- Type: String
- Description: Suffix to append to the resource name identifiers
- AllowedPattern: '[0-9a-z]+'
- MaxLength: 8
- MinLength: 4
- ScanningAccountID:
- Type: String
- Description: The AWS Account ID of the Sysdig Scanning Account
- Resources:
+
+ GlobalRegionWaitHandle:
+ Condition: GlobalRegion
+ DependsOn: ScanningRole
+ Type: AWS::CloudFormation::WaitConditionHandle
+ RegionWaitHandle:
+ Type: AWS::CloudFormation::WaitConditionHandle
+ WaitCondition:
+ Type: AWS::CloudFormation::WaitCondition
+ Properties:
+ Handle: !If [ GlobalRegion, !Ref GlobalRegionWaitHandle, !Ref RegionWaitHandle ]
+ Timeout: '20'
+ Count: '0'
 ScanningKmsKey:
 Type: 'AWS::KMS::Key'
+ DependsOn: WaitCondition
 Properties:
 Description: "Sysdig Agentless Scanning encryption key"
PendingWindowInDays: 7
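Review bot: The `GlobalRegionWaitHandle`/`RegionWaitHandle`/`WaitCondition` trio emulates a conditional `DependsOn` (the KMS key follows `ScanningRole` only where `GlobalRegion` holds, because `DependsOn` cannot take `!If`), but the template gives no hint of that, and a reader will take `Timeout: '20'` and `Count: '0'` for a real signal wait. Add a comment above `GlobalRegionWaitHandle:` such as `# Emulates a conditional DependsOn: ScanningKmsKey -> ScanningRole only where GlobalRegion holds; RegionWaitHandle carries no dependency, so the WaitCondition with Count 0 is a no-op elsewhere`. Note too that in the non-global regions this chain establishes nothing about the role's existence — cross-region ordering rests entirely on the parent stack set's `RegionConcurrencyType: SEQUENTIAL` and on the first region succeeding, which is worth stating in the same comment.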