You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: modules/integrations/event-bridge/README.md
+28-29Lines changed: 28 additions & 29 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,17 +1,17 @@
1
1
# AWS Event Bridge Module
2
2
3
-
This Module creates the resources required to send CloudTrail logs to Sysdig via AWS EventBridge API Destinations for Log Ingestion. These resources enable Threat Detection in the given single account, or AWS Organization.
3
+
This Module creates the resources required to send CloudTrail logs to Sysdig via AWS EventBridge for Log Ingestion. These resources enable Threat Detection in the given single account, or AWS Organization.
4
4
5
5
The following resources will be created in each instrumented account through CloudFormation StackSet in provided regions:
6
-
- An `EventBridge Rule` that captures all CloudTrail events from the default EventBridge Bus
7
-
- An `EventBridge API Destination` that forwards these events to Sysdig's secure endpoint
8
-
- An `EventBridge Connection`that handles authentication for the API Destination
9
-
- An `IAM Role` and associated policies that gives the EventBridge Rule permission to invoke the API Destination
6
+
- An `EventBridge Rule` that captures all CloudTrail events from the defaul EventBridge Bus
7
+
- An `EventBridge Target` that sends these events to an EventBridge Bus is Sysdig's AWS Account
8
+
- An `IAM Role` and associated policies that gives the EventBridge Bus in the source account permission to call PutEvent on the EventBridge Bus in Sysdig's Account.
9
+
10
10
When run in Organizational mode, this module will be deployed via CloudFormation StackSets that should be created in the management account. They will create the above resources in each account in the organization, and automatically in any member accounts that are later added to the organization.
11
11
12
-
This module will also deploy a Webhook Datasource Component in Sysdig Backend for the onboarded Sysdig Cloud Account, which tracks and validates the API Destination configuration.
12
+
This module will also deploy an Event Bridge Component in Sysdig Backend for onboarded Sysdig Cloud Account.
13
13
14
-
If instrumenting an AWS Gov account/organization, IAM policies and EventBridge resources will be created in `aws-us-gov`region.
14
+
If instrumenting an AWS Gov account/organization, IAM policies and event bridge resources will be created in `aws-us-gov`region.
15
15
16
16
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
17
17
## Requirements
@@ -21,15 +21,15 @@ If instrumenting an AWS Gov account/organization, IAM policies and EventBridge r
|[aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity)| data source |
57
57
|[aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization)| data source |
58
-
| sysdig_secure_cloud_ingestion_assets.assets | data source |
59
-
| sysdig_secure_tenant_external_id.external_id | data source |
60
-
| sysdig_secure_trusted_cloud_identity.trusted_identity | data source |
58
+
|[aws_organizations_organizational_unit_descendant_accounts.ou_accounts_to_exclude](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organizational_unit_descendant_accounts)| data source |
59
+
|[sysdig_secure_cloud_ingestion_assets.assets](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_cloud_ingestion_assets)| data source |
60
+
|[sysdig_secure_tenant_external_id.external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id)| data source |
61
+
|[sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity)| data source |
61
62
62
63
## Inputs
63
64
64
65
| Name | Description | Type | Default | Required |
| <aname="input_api_dest_rate_limit"></a> [api\_dest\_rate\_limit](#input\_api\_dest\_rate\_limit)| Rate limit for API Destinations |`number`|`300`| no |
67
67
| <aname="input_auto_create_stackset_roles"></a> [auto\_create\_stackset\_roles](#input\_auto\_create\_stackset\_roles)| Whether to auto create the custom stackset roles to run SELF\_MANAGED stackset. Default is true |`bool`|`true`| no |
68
68
| <aname="input_event_pattern"></a> [event\_pattern](#input\_event\_pattern)| Event pattern for CloudWatch Event Rule |`string`|`"{\n \"detail-type\": [\n \"AWS API Call via CloudTrail\",\n \"AWS Console Sign In via CloudTrail\",\n \"AWS Service Event via CloudTrail\",\n \"Object Access Tier Changed\",\n \"Object ACL Updated\",\n \"Object Created\",\n \"Object Deleted\",\n \"Object Restore Completed\",\n \"Object Restore Expired\",\n \"Object Restore Initiated\",\n \"Object Storage Class Changed\",\n \"Object Tags Added\",\n \"Object Tags Deleted\",\n \"GuardDuty Finding\"\n ]\n}\n"`| no |
69
+
| <aname="input_exclude_accounts"></a> [exclude\_accounts](#input\_exclude\_accounts)| (Optional) accounts to exclude for organization |`set(string)`|`[]`| no |
70
+
| <aname="input_exclude_ouids"></a> [exclude\_ouids](#input\_exclude\_ouids)| (Optional) ouids to exclude for organization |`set(string)`|`[]`| no |
69
71
| <aname="input_failure_tolerance_percentage"></a> [failure\_tolerance\_percentage](#input\_failure\_tolerance\_percentage)| The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region |`number`|`90`| no |
72
+
| <aname="input_include_accounts"></a> [include\_accounts](#input\_include\_accounts)| (Optional) accounts to include for organization |`set(string)`|`[]`| no |
73
+
| <aname="input_include_ouids"></a> [include\_ouids](#input\_include\_ouids)| (Optional) ouids to include for organization |`set(string)`|`[]`| no |
70
74
| <aname="input_is_gov_cloud_onboarding"></a> [is\_gov\_cloud\_onboarding](#input\_is\_gov\_cloud\_onboarding)| true/false whether EventBridge should be deployed in a govcloud account/org or not |`bool`|`false`| no |
71
75
| <aname="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational)| (Optional) Set this field to 'true' to deploy EventBridge to an AWS Organization (Or specific OUs) |`bool`|`false`| no |
72
76
| <aname="input_mgt_stackset"></a> [mgt\_stackset](#input\_mgt\_stackset)| (Optional) Indicates if the management stackset should be deployed |`bool`|`true`| no |
73
77
| <aname="input_name"></a> [name](#input\_name)| (Optional) Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances |`string`|`"sysdig-secure-events"`| no |
74
-
| <aname="input_org_units"></a> [org\_units](#input\_org\_units)|(Optional) List of Organization Unit IDs in which to setup EventBridge. By default, EventBridge will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false`|`set(string)`|`[]`| no |
78
+
| <aname="input_org_units"></a> [org\_units](#input\_org\_units)|DEPRECATED: Defaults to `[]`, use `include_ouids` instead.<br>When set, list of Organization Unit IDs in which to setup EventBridge. By default, EventBridge will be setup in all accounts within the Organization."|`set(string)`|`[]`| no |
75
79
| <aname="input_regions"></a> [regions](#input\_regions)| (Optional) List of regions in which to setup EventBridge. By default, current region is selected |`set(string)`|`[]`| no |
76
80
| <aname="input_rule_state"></a> [rule\_state](#input\_rule\_state)| State of the rule. When state is ENABLED, the rule is enabled for all events except those delivered by CloudTrail. To also enable the rule for events delivered by CloudTrail, set state to ENABLED\_WITH\_ALL\_CLOUDTRAIL\_MANAGEMENT\_EVENTS. |`string`|`"ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS"`| no |
77
81
| <aname="input_stackset_admin_role_arn"></a> [stackset\_admin\_role\_arn](#input\_stackset\_admin\_role\_arn)| (Optional) stackset admin role arn to run SELF\_MANAGED stackset |`string`|`""`| no |
78
82
| <aname="input_stackset_execution_role_name"></a> [stackset\_execution\_role\_name](#input\_stackset\_execution\_role\_name)| (Optional) stackset execution role name to run SELF\_MANAGED stackset |`string`|`""`| no |
79
83
| <aname="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id)| ID of the Sysdig Cloud Account to enable Event Bridge integration for (incase of organization, ID of the Sysdig management account) |`string`| n/a | yes |
80
84
| <aname="input_tags"></a> [tags](#input\_tags)| (Optional) Tags to be attached to all Sysdig resources. |`map(string)`| <pre>{<br> "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
81
85
| <aname="input_timeout"></a> [timeout](#input\_timeout)| Default timeout values for create, update, and delete operations |`string`|`"30m"`| no |
82
-
| <aname="input_include_ouids"></a> [include\_ouids](#input\_include\_ouids)| ouids to include for organization |`set(string)`|`[]`| no |
83
-
| <aname="input_exclude_ouids"></a> [exclude\_ouids](#input\_exclude\_ouids)| ouids to exclude for organization |`set(string)`|`[]`| no |
84
-
| <aname="input_include_accounts"></a> [include\_accounts](#input\_include\_accounts)| accounts to include for organization |`set(string)`|`[]`| no |
85
-
| <aname="input_exclude_accounts"></a> [exclude\_accounts](#input\_exclude\_accounts)| accounts to exclude for organization |`set(string)`|`[]`| no |
0 commit comments