sysdiglabs
diff --git a/‎modules/agentless-scanning/main.tf‎
Lines changed: 55 additions & 39 deletions b/‎modules/agentless-scanning/main.tf‎
Lines changed: 55 additions & 39 deletions
diff --git a/‎modules/agentless-scanning/outputs.tf‎
Lines changed: 2 additions & 2 deletions b/‎modules/agentless-scanning/outputs.tf‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎modules/agentless-scanning/variables.tf‎
Lines changed: 2 additions & 2 deletions b/‎modules/agentless-scanning/variables.tf‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎modules/agentless-scanning/versions.tf‎
Lines changed: 1 addition & 1 deletion b/‎modules/agentless-scanning/versions.tf‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎modules/config-posture/main.tf‎
Lines changed: 56 additions & 88 deletions b/‎modules/config-posture/main.tf‎
Lines changed: 56 additions & 88 deletions
diff --git a/‎modules/config-posture/outputs.tf‎
Lines changed: 1 addition & 1 deletion b/‎modules/config-posture/outputs.tf‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎modules/config-posture/versions.tf‎
Lines changed: 1 addition & 1 deletion b/‎modules/config-posture/versions.tf‎
Lines changed: 1 addition & 1 deletion
@@ -26,7 +26,7 @@ data "aws_iam_session_context" "current" {
 data "sysdig_secure_agentless_scanning_assets" "assets" {}
 
 data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
-	cloud_provider = "aws"
+  cloud_provider = "aws"
 }
 
 data "sysdig_secure_tenant_external_id" "external_id" {}
@@ -64,29 +64,13 @@ resource "random_id" "suffix" {
 # predefined/default AWSCloudFormationStackSetAdministrationRole.
 #-----------------------------------------------------------------------------------------------------------------------------------------
 
-# IAM Policy Document used by Stackset roles for the KMS operations policy
-data "aws_iam_policy_document" "kms_operations" {
-  count = !var.auto_create_stackset_roles ? 0 : 1
-
-  statement {
-    sid = "KmsOperationsAccess"
-    effect = "Allow"
-    actions = [
-      "kms:*",
-    ]
-    resources = [
-      "*",
-    ]
-  }
-}
-
 resource "aws_iam_role" "scanning_stackset_admin_role" {
   count = !var.auto_create_stackset_roles ? 0 : 1
 
   name = "AWSCloudFormationStackSetAdministrationRoleForScanning"
   tags = var.tags
 
-  assume_role_policy = <<EOF
+  assume_role_policy  = <<EOF
 {
   "Version": "2012-10-17",
   "Statement": [
@@ -101,10 +85,25 @@ resource "aws_iam_role" "scanning_stackset_admin_role" {
 }
 EOF
   managed_policy_arns = ["arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"]
-  inline_policy {
-    name   = "KmsOperationsAccess"
-    policy = data.aws_iam_policy_document.kms_operations[0].json
-  }
+}
+
+resource "aws_iam_role_policy" "scanning_stackset_admin_role_policy" {
+  count = !var.auto_create_stackset_roles ? 0 : 1
+
+  name = "KmsOperationsAccess"
+  role = aws_iam_role.scanning_stackset_admin_role[0].id
+  policy = jsonencode({
+    Statement = [
+      {
+        Sid = "KmsOperationsAccess"
+        Action = [
+          "kms:*",
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+    ]
+  })
 }
 
 #-----------------------------------------------------------------------------------------------------------------------------------------
@@ -139,10 +138,25 @@ EOF
   managed_policy_arns = [
     "arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"
   ]
-  inline_policy {
-    name   = "KmsOperationsAccess"
-    policy = data.aws_iam_policy_document.kms_operations[0].json
-  }
+}
+
+resource "aws_iam_role_policy" "scanning_stackset_execution_role_policy" {
+  count = !var.auto_create_stackset_roles ? 0 : 1
+
+  name = "KmsOperationsAccess"
+  role = aws_iam_role.scanning_stackset_execution_role[0].id
+  policy = jsonencode({
+    Statement = [
+      {
+        Sid = "KmsOperationsAccess"
+        Action = [
+          "kms:*",
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+    ]
+  })
 }
 
 #-----------------------------------------------------------------------------------------------------------------------------------------
@@ -368,7 +382,7 @@ resource "aws_iam_policy_attachment" "scanning_policy_attachment" {
 #   - KMS Primary Key, and
 #   - KMS Primary alias
 #
-# Note: self-managed stacksets require pair of StackSetAdministrationRole & StackSetExecutionRole IAM roles with self-managed permissions 
+# Note: self-managed stacksets require pair of StackSetAdministrationRole & StackSetExecutionRole IAM roles with self-managed permissions
 #-----------------------------------------------------------------------------------------------------------------------------------------
 
 resource "aws_cloudformation_stack_set" "primary_acc_stackset" {
@@ -428,7 +442,9 @@ TEMPLATE
   depends_on = [
     aws_iam_role.scanning_role,
     aws_iam_role.scanning_stackset_admin_role,
-    aws_iam_role.scanning_stackset_execution_role
+    aws_iam_role_policy.scanning_stackset_admin_role_policy,
+    aws_iam_role.scanning_stackset_execution_role,
+    aws_iam_role_policy.scanning_stackset_execution_role_policy
   ]
 }
 
@@ -459,10 +475,10 @@ resource "aws_cloudformation_stack_set_instance" "primary_acc_stackset_instance"
 # explicit dependency using depends_on
 #-----------------------------------------------------------------------------------------------------------------
 resource "sysdig_secure_cloud_auth_account_component" "aws_scanning_role" {
-  account_id                 = var.sysdig_secure_account_id
-  type                       = "COMPONENT_TRUSTED_ROLE"
-  instance                   = "secure-scanning"
-  version                    = "v0.1.0"
+  account_id = var.sysdig_secure_account_id
+  type       = "COMPONENT_TRUSTED_ROLE"
+  instance   = "secure-scanning"
+  version    = "v0.1.0"
   trusted_role_metadata = jsonencode({
     aws = {
       role_name = local.scanning_resource_name
@@ -477,16 +493,16 @@ resource "sysdig_secure_cloud_auth_account_component" "aws_scanning_role" {
 # explicit dependency using depends_on
 #-----------------------------------------------------------------------------------------------------------------
 resource "sysdig_secure_cloud_auth_account_component" "aws_crypto_key" {
-  account_id                 = var.sysdig_secure_account_id
-  type                       = "COMPONENT_CRYPTO_KEY"
-  instance                   = "secure-scanning"
-  version                    = "v0.1.0"
+  account_id = var.sysdig_secure_account_id
+  type       = "COMPONENT_CRYPTO_KEY"
+  instance   = "secure-scanning"
+  version    = "v0.1.0"
   crypto_key_metadata = jsonencode({
     aws = {
       kms = {
-          alias   = "alias/${local.scanning_resource_name}"
-          regions = var.regions
-        }
+        alias   = "alias/${local.scanning_resource_name}"
+        regions = var.regions
+      }
     }
   })
 }
@@ -1,11 +1,11 @@
 output "scanning_role_component_id" {
   value       = "${sysdig_secure_cloud_auth_account_component.aws_scanning_role.type}/${sysdig_secure_cloud_auth_account_component.aws_scanning_role.instance}"
   description = "Component identifier of scanning role created in Sysdig Backend for Agentless Scanning"
-  depends_on = [ sysdig_secure_cloud_auth_account_component.aws_scanning_role ]
+  depends_on  = [sysdig_secure_cloud_auth_account_component.aws_scanning_role]
 }
 
 output "crypto_key_component_id" {
   value       = "${sysdig_secure_cloud_auth_account_component.aws_crypto_key.type}/${sysdig_secure_cloud_auth_account_component.aws_crypto_key.instance}"
   description = "Component identifier of KMS crypto key created in Sysdig Backend for Agentless Scanning"
-  depends_on = [ sysdig_secure_cloud_auth_account_component.aws_crypto_key ]
+  depends_on  = [sysdig_secure_cloud_auth_account_component.aws_crypto_key]
 }
@@ -56,8 +56,8 @@ variable "stackset_admin_role_arn" {
 
 variable "stackset_execution_role_name" {
   description = "(Optional) stackset execution role name to run SELF_MANAGED stackset"
-    type        = string
-    default     = ""
+  type        = string
+  default     = ""
 }
 
 variable "timeout" {
 
@@ -6,7 +6,7 @@ terraform {
       version = ">= 5.60.0"
     }
     sysdig = {
-      source  = "sysdiglabs/sysdig"
+      source = "sysdiglabs/sysdig"
     }
     random = {
       source  = "hashicorp/random"
 
@@ -9,7 +9,7 @@ locals {
 }
 
 data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
-	cloud_provider = "aws"
+  cloud_provider = "aws"
 }
 
 data "sysdig_secure_tenant_external_id" "external_id" {}
@@ -41,103 +41,71 @@ resource "aws_iam_role" "cspm_role" {
 }
 EOF
   managed_policy_arns = ["arn:aws:iam::aws:policy/SecurityAudit"]
-  inline_policy {
-    name   = local.config_posture_role_name
-    policy = data.aws_iam_policy_document.custom_resources_policy.json
-  }
 }
 
-# Custom IAM Policy Document used by trust-relationship role
-data "aws_iam_policy_document" "custom_resources_policy" {
-
-  statement {
-    sid = "DescribeEFSAccessPoints"
-
-    effect = "Allow"
-
-    actions = [
-      "elasticfilesystem:DescribeAccessPoints",
-    ]
-
-    resources = [
-      "*",
-    ]
-  }
-
-  statement {
-    sid = "ListWafRegionalRulesAndRuleGroups"
-
-    effect = "Allow"
-
-    actions = [
-      "waf-regional:ListRules",
-      "waf-regional:ListRuleGroups",
-    ]
-
-    resources = [
-      "arn:aws:waf-regional:*:*:rule/*",
-      "arn:aws:waf-regional:*:*:rulegroup/*"
-    ]
-  }
-
-  statement {
-    sid = "ListJobsOnConsole"
-
-    effect = "Allow"
-
-    actions = [
-      "macie2:ListClassificationJobs",
+resource "aws_iam_role_policy" "cspm_role_policy" {
+  name = local.config_posture_role_name
+  role = aws_iam_role.cspm_role.id
+  policy = jsonencode({
+    Statement = [
+      {
+        Sid = "DescribeEFSAccessPoints"
+        Action = [
+          "elasticfilesystem:DescribeAccessPoints",
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+      {
+        Sid = "ListWafRegionalRulesAndRuleGroups"
+        Action = [
+          "waf-regional:ListRules",
+          "waf-regional:ListRuleGroups",
+        ]
+        Effect = "Allow"
+        Resource = [
+          "arn:aws:waf-regional:*:*:rule/*",
+          "arn:aws:waf-regional:*:*:rulegroup/*"
+        ]
+      },
+      {
+        Sid      = "ListJobsOnConsole"
+        Action   = "macie2:ListClassificationJobs"
+        Effect   = "Allow"
+        Resource = "*"
+      },
+      {
+        Sid = "GetFunctionDetails"
+        Action = [
+          "lambda:GetRuntimeManagementConfig",
+          "lambda:GetFunction",
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+      {
+        Sid      = "AccessAccountContactInfo"
+        Action   = "account:GetContactInformation"
+        Effect   = "Allow"
+        Resource = "*"
+      },
     ]
-
-    resources = [
-      "*",
-    ]
-  }
-
-  statement {
-    sid = "GetFunctionDetails"
-
-    effect = "Allow"
-
-    actions = [
-      "lambda:GetRuntimeManagementConfig",
-      "lambda:GetFunction",
-    ]
-
-    resources = [
-      "*"
-    ]
-  }
-
-  statement {
-    sid = "AccessAccountContactInfo"
-
-    effect = "Allow"
-
-    actions = [
-      "account:GetContactInformation",
-    ]
-
-    resources = [
-      "*",
-    ]
-  }
+  })
 }
-
 #--------------------------------------------------------------------------------------------------------------
 # Call Sysdig Backend to add the trusted role for Config Posture to the Sysdig Cloud Account
 #
 # Note (optional): To ensure this gets called after all cloud resources are created, add
 # explicit dependency using depends_on
 #--------------------------------------------------------------------------------------------------------------
 resource "sysdig_secure_cloud_auth_account_component" "config_posture_role" {
-  account_id                 = var.sysdig_secure_account_id
-  type                       = "COMPONENT_TRUSTED_ROLE"
-  instance                   = "secure-posture"
-  version                    = "v0.1.0"
+  account_id = var.sysdig_secure_account_id
+  type       = "COMPONENT_TRUSTED_ROLE"
+  instance   = "secure-posture"
+  version    = "v0.1.0"
   trusted_role_metadata = jsonencode({
-        aws = {
-          role_name = local.config_posture_role_name
-        }
-      })
+    aws = {
+      role_name = local.config_posture_role_name
+    }
+  })
 }
@@ -1,5 +1,5 @@
 output "config_posture_component_id" {
   value       = "${sysdig_secure_cloud_auth_account_component.config_posture_role.type}/${sysdig_secure_cloud_auth_account_component.config_posture_role.instance}"
   description = "Component identifier of trusted identity created in Sysdig Backend for Config Posture"
-  depends_on = [ sysdig_secure_cloud_auth_account_component.config_posture_role ]
+  depends_on  = [sysdig_secure_cloud_auth_account_component.config_posture_role]
 }
@@ -6,7 +6,7 @@ terraform {
       version = ">= 5.60.0"
     }
     sysdig = {
-      source  = "sysdiglabs/sysdig"
+      source = "sysdiglabs/sysdig"
     }
   }
 }
Original file line number	Diff line number	Diff line change
`@@ -1,11 +1,11 @@`
`1`	`1`	`output "scanning_role_component_id" {`
`2`	`2`	`value = "${sysdig_secure_cloud_auth_account_component.aws_scanning_role.type}/${sysdig_secure_cloud_auth_account_component.aws_scanning_role.instance}"`
`3`	`3`	`description = "Component identifier of scanning role created in Sysdig Backend for Agentless Scanning"`
`4`		`- depends_on = [ sysdig_secure_cloud_auth_account_component.aws_scanning_role ]`
	`4`	`+ depends_on = [sysdig_secure_cloud_auth_account_component.aws_scanning_role]`
`5`	`5`	`}`
`6`	`6`
`7`	`7`	`output "crypto_key_component_id" {`
`8`	`8`	`value = "${sysdig_secure_cloud_auth_account_component.aws_crypto_key.type}/${sysdig_secure_cloud_auth_account_component.aws_crypto_key.instance}"`
`9`	`9`	`description = "Component identifier of KMS crypto key created in Sysdig Backend for Agentless Scanning"`
`10`		`- depends_on = [ sysdig_secure_cloud_auth_account_component.aws_crypto_key ]`
	`10`	`+ depends_on = [sysdig_secure_cloud_auth_account_component.aws_crypto_key]`
`11`	`11`	`}`
Original file line number	Diff line number	Diff line change
`@@ -56,8 +56,8 @@ variable "stackset_admin_role_arn" {`
`56`	`56`
`57`	`57`	`variable "stackset_execution_role_name" {`
`58`	`58`	`description = "(Optional) stackset execution role name to run SELF_MANAGED stackset"`
`59`		`- type = string`
`60`		`- default = ""`
	`59`	`+ type = string`
	`60`	`+ default = ""`
`61`	`61`	`}`
`62`	`62`
`63`	`63`	`variable "timeout" {`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ terraform {`
`6`	`6`	`version = ">= 5.60.0"`
`7`	`7`	`}`
`8`	`8`	`sysdig = {`
`9`		`- source = "sysdiglabs/sysdig"`
	`9`	`+ source = "sysdiglabs/sysdig"`
`10`	`10`	`}`
`11`	`11`	`random = {`
`12`	`12`	`source = "hashicorp/random"`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`output "config_posture_component_id" {`
`2`	`2`	`value = "${sysdig_secure_cloud_auth_account_component.config_posture_role.type}/${sysdig_secure_cloud_auth_account_component.config_posture_role.instance}"`
`3`	`3`	`description = "Component identifier of trusted identity created in Sysdig Backend for Config Posture"`
`4`		`- depends_on = [ sysdig_secure_cloud_auth_account_component.config_posture_role ]`
	`4`	`+ depends_on = [sysdig_secure_cloud_auth_account_component.config_posture_role]`
`5`	`5`	`}`