Update format and outputs

lorenzo-merici · lorenzo-merici · commit aa2781f3e218 · 2025-03-28T15:51:13.000+01:00
diff --git a/modules/integrations/cloud-logs/main.tf b/modules/integrations/cloud-logs/main.tf
@@ -29,6 +29,8 @@ data "aws_caller_identity" "current" {}
 
 data "aws_region" "current" {}
 
+data "aws_partition" "current" {}
+
 data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
   cloud_provider = "aws"
 }
@@ -149,7 +151,7 @@ data "aws_iam_policy_document" "cloudlogs_s3_access" {
   }
 
   dynamic "statement" {
-    for_each = var.kms_key_arns != null && !local.is_cross_account ? [1] : []
+    for_each = var.kms_key_arn != null && !local.is_cross_account ? [1] : []
     content {
       sid = "CloudlogsKMSDecrypt"
       
@@ -159,7 +161,7 @@ data "aws_iam_policy_document" "cloudlogs_s3_access" {
         "kms:Decrypt"
       ]
       
-      resources = var.kms_key_arns
+      resources = [var.kms_key_arn]
     }
   }
 }
@@ -209,17 +211,16 @@ resource "aws_cloudformation_stack_set" "bucket_permissions" {
   name             = local.stackset_name
   description      = "StackSet to configure S3 bucket and KMS permissions for Sysdig Cloud Logs integration"
   template_body    = templatefile("${path.module}/stackset_template_body.tpl", {
-    bucket_name      = local.bucket_name
-    bucket_arn       = var.bucket_arn
-    kms_key_arns     = var.kms_key_arns
-    bucket_account_id = local.bucket_account_id
+    bucket_arn = var.bucket_arn
+    kms_key_arn = var.kms_key_arn
   })
 
   parameters = {
     RoleName = local.role_name
     BucketAccountId = local.bucket_account_id
     SysdigTrustedIdentity = local.trusted_identity
     SysdigExternalId = data.sysdig_secure_tenant_external_id.external_id.external_id
+    KmsKeyArn = var.kms_key_arn
   }
 
   permission_model       = "SERVICE_MANAGED"
diff --git a/modules/integrations/cloud-logs/outputs.tf b/modules/integrations/cloud-logs/outputs.tf
@@ -3,3 +3,15 @@ output "cloud_logs_component_id" {
   description = "Component identifier of Cloud Logs integration created in Sysdig Backend for Log Ingestion"
   depends_on  = [sysdig_secure_cloud_auth_account_component.aws_cloud_logs]
 }
+
+output "kms_policy_instructions" {
+  description = "Instructions for updating KMS key policy when KMS encryption is enabled"
+  value = (var.kms_key_arn != null) ? templatefile(
+    "${path.module}/templates/kms_policy_instructions.tpl",
+    {
+      role_arn = "arn:${data.aws_partition.current.partition}:iam::${local.bucket_account_id}:role/${local.role_name}"
+      region = data.aws_region.current.name
+      bucket_name = local.bucket_name
+    }
+  ) : ""
+}
diff --git a/modules/integrations/cloud-logs/stackset_template_body.tpl b/modules/integrations/cloud-logs/stackset_template_body.tpl
@@ -17,6 +17,10 @@
     "SysdigExternalId": {
       "Type": "String",
       "Description": "External ID for secure role assumption by Sysdig"
+    },
+    "KmsKeyArn": {
+      "Type": "String",
+      "Description": "ARN of the KMS key used for encryption"
     }
   },
   "Conditions": {
@@ -30,12 +34,12 @@
         }
       ]
     },
-    "HasKMSKeys": {
+    "HasKMSKey": {
       "Fn::Not": [
         {
           "Fn::Equals": [
             {
-              "Fn::Join": ["", ${jsonencode(kms_key_arns != null ? kms_key_arns : [""])}]
+              "Ref": "KmsKeyArn"
             },
             ""
           ]
@@ -99,13 +103,13 @@
                     "${bucket_arn}/*"
                   ]
                 }
-                %{ if kms_key_arns != null }
+                %{ if kms_key_arn != null && kms_key_arn != "" }
                 ,
                 {
                   "Sid": "KMSDecryptAccess",
                   "Effect": "Allow",
                   "Action": "kms:Decrypt",
-                  "Resource": ${jsonencode(kms_key_arns)}
+                  "Resource": "${kms_key_arn}"
                 }
                 %{ endif }
               ]
diff --git a/modules/integrations/cloud-logs/templates/kms_policy_instructions.tpl b/modules/integrations/cloud-logs/templates/kms_policy_instructions.tpl
@@ -0,0 +1,9 @@
+{
+  "Sid": "Sysdig-Decrypt",
+  "Effect": "Allow",
+  "Principal": {
+    "AWS": "${role_arn}"
+  },
+  "Action": "kms:Decrypt",
+  "Resource": "*"
+}
diff --git a/modules/integrations/cloud-logs/variables.tf b/modules/integrations/cloud-logs/variables.tf
@@ -101,3 +101,9 @@ variable "org_units" {
   description = "List of AWS Organizations organizational unit (OU) IDs in which to create the StackSet instances. Required if is_organizational is true."
   default     = []
 }
+
+variable "kms_key_arn" {
+  description = "ARN of the KMS key used for encryption. If provided, the role will be granted decrypt permissions."
+  type        = string
+  default     = null
+}
diff --git a/outputs.tf b/outputs.tf

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,8 @@ data "aws_caller_identity" "current" {}`
`29`	`29`
`30`	`30`	`data "aws_region" "current" {}`
`31`	`31`
	`32`	`+data "aws_partition" "current" {}`
	`33`	`+`
`32`	`34`	`data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {`
`33`	`35`	`cloud_provider = "aws"`
`34`	`36`	`}`
`@@ -149,7 +151,7 @@ data "aws_iam_policy_document" "cloudlogs_s3_access" {`
`149`	`151`	`}`
`150`	`152`
`151`	`153`	`dynamic "statement" {`
`152`		`- for_each = var.kms_key_arns != null && !local.is_cross_account ? [1] : []`
	`154`	`+ for_each = var.kms_key_arn != null && !local.is_cross_account ? [1] : []`
`153`	`155`	`content {`
`154`	`156`	`sid = "CloudlogsKMSDecrypt"`
`155`	`157`
`@@ -159,7 +161,7 @@ data "aws_iam_policy_document" "cloudlogs_s3_access" {`
`159`	`161`	`"kms:Decrypt"`
`160`	`162`	`]`
`161`	`163`
`162`		`- resources = var.kms_key_arns`
	`164`	`+ resources = [var.kms_key_arn]`
`163`	`165`	`}`
`164`	`166`	`}`
`165`	`167`	`}`
`@@ -209,17 +211,16 @@ resource "aws_cloudformation_stack_set" "bucket_permissions" {`
`209`	`211`	`name = local.stackset_name`
`210`	`212`	`description = "StackSet to configure S3 bucket and KMS permissions for Sysdig Cloud Logs integration"`
`211`	`213`	`template_body = templatefile("${path.module}/stackset_template_body.tpl", {`
`212`		`- bucket_name = local.bucket_name`
`213`		`- bucket_arn = var.bucket_arn`
`214`		`- kms_key_arns = var.kms_key_arns`
`215`		`- bucket_account_id = local.bucket_account_id`
	`214`	`+ bucket_arn = var.bucket_arn`
	`215`	`+ kms_key_arn = var.kms_key_arn`
`216`	`216`	`})`
`217`	`217`
`218`	`218`	`parameters = {`
`219`	`219`	`RoleName = local.role_name`
`220`	`220`	`BucketAccountId = local.bucket_account_id`
`221`	`221`	`SysdigTrustedIdentity = local.trusted_identity`
`222`	`222`	`SysdigExternalId = data.sysdig_secure_tenant_external_id.external_id.external_id`
	`223`	`+ KmsKeyArn = var.kms_key_arn`
`223`	`224`	`}`
`224`	`225`
`225`	`226`	`permission_model = "SERVICE_MANAGED"`
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,10 @@`
`17`	`17`	`"SysdigExternalId": {`
`18`	`18`	`"Type": "String",`
`19`	`19`	`"Description": "External ID for secure role assumption by Sysdig"`
	`20`	`+ },`
	`21`	`+ "KmsKeyArn": {`
	`22`	`+ "Type": "String",`
	`23`	`+ "Description": "ARN of the KMS key used for encryption"`
`20`	`24`	`}`
`21`	`25`	`},`
`22`	`26`	`"Conditions": {`
`@@ -30,12 +34,12 @@`
`30`	`34`	`}`
`31`	`35`	`]`
`32`	`36`	`},`
`33`		`- "HasKMSKeys": {`
	`37`	`+ "HasKMSKey": {`
`34`	`38`	`"Fn::Not": [`
`35`	`39`	`{`
`36`	`40`	`"Fn::Equals": [`
`37`	`41`	`{`
`38`		`- "Fn::Join": ["", ${jsonencode(kms_key_arns != null ? kms_key_arns : [""])}]`
	`42`	`+ "Ref": "KmsKeyArn"`
`39`	`43`	`},`
`40`	`44`	`""`
`41`	`45`	`]`
`@@ -99,13 +103,13 @@`
`99`	`103`	`"${bucket_arn}/*"`
`100`	`104`	`]`
`101`	`105`	`}`
`102`		`- %{ if kms_key_arns != null }`
	`106`	`+ %{ if kms_key_arn != null && kms_key_arn != "" }`
`103`	`107`	`,`
`104`	`108`	`{`
`105`	`109`	`"Sid": "KMSDecryptAccess",`
`106`	`110`	`"Effect": "Allow",`
`107`	`111`	`"Action": "kms:Decrypt",`
`108`		`- "Resource": ${jsonencode(kms_key_arns)}`
	`112`	`+ "Resource": "${kms_key_arn}"`
`109`	`113`	`}`
`110`	`114`	`%{ endif }`
`111`	`115`	`]`