feat: Add support for cloud-connector to read kms encrypted logs in S3 from existing cloudtrail #125

Open
wants to merge 7 commits into
base: master
5 changes: 3 additions & 2 deletions examples/organizational/README.md
@@ -179,9 +179,9 @@ $ terraform apply

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_sysdig_secure_for_cloud_member_account_id"></a> [sysdig\_secure\_for\_cloud\_member\_account\_id](#input\_sysdig\_secure\_for\_cloud\_member\_account\_id) | organizational member account where the secure-for-cloud workload is going to be deployed | `string` | n/a | yes |
| <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
| <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether the created cloudtrail will ingest multi-regional events. testing/economization purpose. | `bool` | `true` | no |
| <a name="input_cloudtrail_kms_arn"></a> [cloudtrail\_kms\_arn](#input\_cloudtrail\_kms\_arn) | ARN of a pre-existing KMS key for encrypting the Cloudtrail logs. Incompatible with var.cloudtrail\_kms\_enable when set to true | `string` | `null` | no |
| <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether the created cloudtrail should deliver encrypted events to s3 | `bool` | `true` | no |
| <a name="input_connector_ecs_task_role_name"></a> [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Name for the ecs task role. This is only required to resolve cyclic dependency with organizational approach | `string` | `"organizational-ECSTaskRole"` | no |
| <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
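Review bot: the description on the new `cloudtrail_kms_arn` row reads "Incompatible with var.cloudtrail_kms_enable when set to true", which is the opposite of how the value is consumed: the single-account-ecs README in this same PR documents it as used "When `var.cloudtrail_kms_enable` is set to true", and the module only wires the ARN into the trail when encryption is enabled. Since this table is generated from variables.tf, fix the wording there and regenerate rather than editing the README by hand.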
@@ -194,9 +194,10 @@ $ terraform apply
| <a name="input_ecs_vpc_id"></a> [ecs\_vpc\_id](#input\_ecs\_vpc\_id) | ID of the VPC where the workload is to be deployed. If defaulted a new VPC will be created. If specified all three parameters `ecs_cluster_name`, `ecs_vpc_id` and `ecs_vpc_subnets_private_ids` are required | `string` | `"create"` | no |
| <a name="input_ecs_vpc_region_azs"></a> [ecs\_vpc\_region\_azs](#input\_ecs\_vpc\_region\_azs) | List of Availability Zones for ECS VPC creation. e.g.: ["apne1-az1", "apne1-az2"]. If defaulted, two of the default 'aws\_availability\_zones' datasource will be taken | `list(string)` | `[]` | no |
| <a name="input_ecs_vpc_subnets_private_ids"></a> [ecs\_vpc\_subnets\_private\_ids](#input\_ecs\_vpc\_subnets\_private\_ids) | List of VPC subnets where workload is to be deployed. If defaulted new subnets will be created within the VPC. A minimum of two subnets is suggested. If specified all three parameters `ecs_cluster_name`, `ecs_vpc_id` and `ecs_vpc_subnets_private_ids` are required. | `list(string)` | `[]` | no |
| <a name="input_existing_cloudtrail_config"></a> [existing\_cloudtrail\_config](#input\_existing\_cloudtrail\_config) | Optional block. If not set, a new cloudtrail, sns and sqs resources will be created<br/><br>If there's an existing cloudtrail, input mandatory attributes, and one of the 1, 2 or 3 grouped labeled optionals.<br><ul><br> <li>cloudtrail\_s3\_arn: Mandatory ARN of a pre-existing cloudtrail\_sns s3 bucket. Used together with `cloudtrail_sns_arn`, `cloudtrail_s3_arn`. If it does not exist, it will be inferred from create cloudtrail"</li><br> <li>cloudtrail\_sns\_arn: Optional 1. ARN of a pre-existing cloudtrail\_sns. Used together with `cloudtrail_sns_arn`, `cloudtrail_s3_arn`. If it does not exist, it will be inferred from created cloudtrail. Providing an ARN requires permission to SNS:Subscribe, check ./modules/infrastructure/cloudtrail/sns\_permissions.tf block</li><br> <li>cloudtrail\_s3\_role\_arn: Optional 2. ARN of the role to be assumed for S3 access. This role must be in the same account of the S3 bucket. Currently this setup is not compatible with organizational scanning feature</li><br> <li>cloudtrail\_s3\_sns\_sqs\_arn: Optional 3. ARN of the queue that will ingest events forwarded from an existing cloudtrail\_s3\_sns</li><br> <li>cloudtrail\_s3\_sns\_sqs\_url: Optional 3. URL of the queue that will ingest events forwarded from an existing cloudtrail\_s3\_sns<</li><br></ul> | <pre>object({<br> cloudtrail_s3_arn = optional(string)<br> cloudtrail_sns_arn = optional(string)<br> cloudtrail_s3_role_arn = optional(string)<br> cloudtrail_s3_sns_sqs_arn = optional(string)<br> cloudtrail_s3_sns_sqs_url = optional(string)<br> })</pre> | <pre>{<br> "cloudtrail_s3_arn": "create",<br> "cloudtrail_s3_role_arn": null,<br> "cloudtrail_s3_sns_sqs_arn": null,<br> "cloudtrail_s3_sns_sqs_url": null,<br> "cloudtrail_sns_arn": "create"<br>}</pre> | no |
| <a name="input_existing_cloudtrail_config"></a> [existing\_cloudtrail\_config](#input\_existing\_cloudtrail\_config) | Optional block. If not set, a new cloudtrail, sns and sqs resources will be created<br/><br>If there's an existing cloudtrail, input mandatory attributes, and one of the 1, 2 or 3 grouped labeled optionals.<br><ul><br> <li>cloudtrail\_s3\_arn: Mandatory ARN of a pre-existing cloudtrail\_sns s3 bucket. Used together with `cloudtrail_sns_arn`, `cloudtrail_s3_arn`. If it does not exist, it will be inferred from create cloudtrail"</li><br> <li>cloudtrail\_kms\_arn: Optional. ARN of a cloudtrail KMS key used for encrypting the logs. Required in order to retrieve the encrypted logs from S3</li><br> <li>cloudtrail\_sns\_arn: Optional CloudTrail SNS. ARN of a pre-existing cloudtrail\_sns. Used together with `cloudtrail_sns_arn`, `cloudtrail_s3_arn`. If it does not exist, it will be inferred from created cloudtrail. Providing an ARN requires permission to SNS:Subscribe, check ./modules/infrastructure/cloudtrail/sns\_permissions.tf block</li><br> <li>cloudtrail\_s3\_role\_arn: Optional. ARN of the role to be assumed for S3 access. This role must be in the same account of the S3 bucket. Currently this setup is not compatible with organizational scanning feature</li><br> <li>cloudtrail\_s3\_sns\_sqs\_arn: CloudTrail S3. ARN of the queue that will ingest events forwarded from an existing cloudtrail\_s3\_sns</li><br> <li>cloudtrail\_s3\_sns\_sqs\_url: CloudTrail S3. 
URL of the queue that will ingest events forwarded from an existing cloudtrail\_s3\_sns<</li><br></ul> | <pre>object({<br> cloudtrail_s3_arn = optional(string)<br> cloudtrail_kms_arn = optional(string)<br> cloudtrail_sns_arn = optional(string)<br> cloudtrail_s3_role_arn = optional(string)<br> cloudtrail_s3_sns_sqs_arn = optional(string)<br> cloudtrail_s3_sns_sqs_url = optional(string)<br> })</pre> | <pre>{<br> "cloudtrail_kms_arn": null,<br> "cloudtrail_s3_arn": "create",<br> "cloudtrail_s3_role_arn": null,<br> "cloudtrail_s3_sns_sqs_arn": null,<br> "cloudtrail_s3_sns_sqs_url": null,<br> "cloudtrail_sns_arn": "create"<br>}</pre> | no |
| <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
| <a name="input_organizational_member_default_admin_role"></a> [organizational\_member\_default\_admin\_role](#input\_organizational\_member\_default\_admin\_role) | Default role created by AWS for management-account users to be able to admin member accounts.<br/>https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html | `string` | `"OrganizationAccountAccessRole"` | no |
| <a name="input_sysdig_secure_for_cloud_member_account_id"></a> [sysdig\_secure\_for\_cloud\_member\_account\_id](#input\_sysdig\_secure\_for\_cloud\_member\_account\_id) | organizational member account where the secure-for-cloud workload is going to be deployed | `string` | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | <pre>{<br> "product": "sysdig-secure-for-cloud"<br>}</pre> | no |

## Outputs
1 change: 1 addition & 0 deletions examples/organizational/cloudtrail.tf
@@ -17,6 +17,7 @@ module "cloudtrail" {
}
is_multi_region_trail = var.cloudtrail_is_multi_region_trail
cloudtrail_kms_enable = var.cloudtrail_kms_enable
cloudtrail_kms_arn = var.cloudtrail_kms_arn

tags = var.tags
}
1 change: 1 addition & 0 deletions examples/organizational/main.tf
@@ -91,6 +91,7 @@ module "cloud_connector" {

existing_cloudtrail_config = {
cloudtrail_sns_arn = local.cloudtrail_sns_arn
cloudtrail_kms_arn = var.existing_cloudtrail_config.cloudtrail_kms_arn
cloudtrail_s3_sns_sqs_url = var.existing_cloudtrail_config.cloudtrail_s3_sns_sqs_url
cloudtrail_s3_sns_sqs_arn = var.existing_cloudtrail_config.cloudtrail_s3_sns_sqs_arn
}
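Review bot: the connector is handed `var.existing_cloudtrail_config.cloudtrail_kms_arn`, while cloudtrail.tf in this example passes `var.cloudtrail_kms_arn` to the cloudtrail module, so the same key ARN has to be supplied twice by the user for the connector to learn about it, and when the module creates the key itself the connector receives null. Consider resolving the value through a local the way `local.cloudtrail_sns_arn` is resolved for the SNS topic: the user-provided ARN if set, otherwise the ARN of the module-created key.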
16 changes: 12 additions & 4 deletions examples/organizational/variables.tf
@@ -40,17 +40,24 @@ variable "cloudtrail_kms_enable" {
description = "true/false whether the created cloudtrail should deliver encrypted events to s3"
}

variable "cloudtrail_kms_arn" {
type = string
default = null
description = "ARN of a pre-existing KMS key for encrypting the Cloudtrail logs. Incompatible with var.cloudtrail_kms_enable when set to true"
}

variable "existing_cloudtrail_config" {
type = object({
cloudtrail_s3_arn = optional(string)
cloudtrail_kms_arn = optional(string)
cloudtrail_sns_arn = optional(string)
cloudtrail_s3_role_arn = optional(string)
cloudtrail_s3_sns_sqs_arn = optional(string)
cloudtrail_s3_sns_sqs_url = optional(string)
})
default = {
cloudtrail_s3_arn = "create"
cloudtrail_kms_arn = null
cloudtrail_sns_arn = "create"
cloudtrail_s3_role_arn = null
cloudtrail_s3_sns_sqs_arn = null
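Review bot: the `cloudtrail_kms_arn` description says the variable is incompatible with `cloudtrail_kms_enable = true`, but an existing key ARN is only meaningful when encryption is enabled, and the ecs and k8s variables added in this PR describe it that way. Reword to match those, and mention that an ARN supplied while `cloudtrail_kms_enable` is false is silently ignored, since nothing in the module reports that.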
@@ -62,10 +69,11 @@ variable "existing_cloudtrail_config" {
If there's an existing cloudtrail, input mandatory attributes, and one of the 1, 2 or 3 grouped labeled optionals.
<ul>
<li>cloudtrail_s3_arn: Mandatory ARN of a pre-existing cloudtrail_sns s3 bucket. Used together with `cloudtrail_sns_arn`, `cloudtrail_s3_arn`. If it does not exist, it will be inferred from create cloudtrail"</li>
<li>cloudtrail_sns_arn: Optional 1. ARN of a pre-existing cloudtrail_sns. Used together with `cloudtrail_sns_arn`, `cloudtrail_s3_arn`. If it does not exist, it will be inferred from created cloudtrail. Providing an ARN requires permission to SNS:Subscribe, check ./modules/infrastructure/cloudtrail/sns_permissions.tf block</li>
<li>cloudtrail_s3_role_arn: Optional 2. ARN of the role to be assumed for S3 access. This role must be in the same account of the S3 bucket. Currently this setup is not compatible with organizational scanning feature</li>
<li>cloudtrail_s3_sns_sqs_arn: Optional 3. ARN of the queue that will ingest events forwarded from an existing cloudtrail_s3_sns</li>
<li>cloudtrail_s3_sns_sqs_url: Optional 3. URL of the queue that will ingest events forwarded from an existing cloudtrail_s3_sns<</li>
<li>cloudtrail_kms_arn: Optional. ARN of a cloudtrail KMS key used for encrypting the logs. Required in order to retrieve the encrypted logs from S3</li>
<li>cloudtrail_sns_arn: Optional CloudTrail SNS. ARN of a pre-existing cloudtrail_sns. Used together with `cloudtrail_sns_arn`, `cloudtrail_s3_arn`. If it does not exist, it will be inferred from created cloudtrail. Providing an ARN requires permission to SNS:Subscribe, check ./modules/infrastructure/cloudtrail/sns_permissions.tf block</li>
<li>cloudtrail_s3_role_arn: Optional. ARN of the role to be assumed for S3 access. This role must be in the same account of the S3 bucket. Currently this setup is not compatible with organizational scanning feature</li>
<li>cloudtrail_s3_sns_sqs_arn: CloudTrail S3. ARN of the queue that will ingest events forwarded from an existing cloudtrail_s3_sns</li>
<li>cloudtrail_s3_sns_sqs_url: CloudTrail S3. URL of the queue that will ingest events forwarded from an existing cloudtrail_s3_sns<</li>
</ul>
EOT
}
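Review bot: the heredoc still opens with "one of the 1, 2 or 3 grouped labeled optionals", but the numbered labels were replaced with "Optional", "Optional CloudTrail SNS" and "CloudTrail S3", so the sentence no longer points at anything. Either restore the numbering or rewrite the intro to name the three groups; the stray `<` before `</li>` on the `cloudtrail_s3_sns_sqs_url` line is worth fixing in the same pass.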
3 changes: 2 additions & 1 deletion examples/single-account-ecs/README.md
@@ -98,7 +98,8 @@ $ terraform apply
|------|-------------|------|---------|:--------:|
| <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
| <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events | `bool` | `true` | no |
| <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no |
| <a name="input_cloudtrail_kms_arn"></a> [cloudtrail\_kms\_arn](#input\_cloudtrail\_kms\_arn) | When `var.cloudtrail_kms_enable` is set to true, ARN of a pre-existing KMS key for encrypting the Cloudtrail logs | `string` | `null` | no |
| <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted. If `var.cloudtrail_kms_arn` is set, then the pre-existing KMS key will be used, otherwise a new KMS key will be created | `bool` | `true` | no |
| <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If defaulted, a new cloudtrail will be created. If specified, sysdig deployment account and region must match with the specified SNS | `string` | `"create"` | no |
| <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
| <a name="input_deploy_image_scanning_ecr"></a> [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no |
1 change: 1 addition & 0 deletions examples/single-account-ecs/cloudtrail.tf
@@ -10,6 +10,7 @@ module "cloudtrail" {
is_organizational = false
is_multi_region_trail = var.cloudtrail_is_multi_region_trail
cloudtrail_kms_enable = var.cloudtrail_kms_enable
cloudtrail_kms_arn = var.cloudtrail_kms_arn

tags = var.tags
}
2 changes: 1 addition & 1 deletion examples/single-account-ecs/main.tf
@@ -52,10 +52,10 @@ module "cloud_connector" {
build_project_name = length(module.codebuild) == 1 ? module.codebuild[0].project_name : "na"

existing_cloudtrail_config = {
cloudtrail_kms_arn = var.cloudtrail_kms_arn
cloudtrail_sns_arn = local.cloudtrail_sns_arn
}


ecs_cluster_name = local.ecs_cluster_name
ecs_vpc_id = local.ecs_vpc_id
ecs_vpc_subnets_private_ids = local.ecs_vpc_subnets_private_ids
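Review bot: `cloudtrail_kms_arn = var.cloudtrail_kms_arn` only covers the case where the user brings a key. When `cloudtrail_kms_enable` is true and no ARN is given, the cloudtrail module creates a key and the connector still receives null, so nothing in this diff gives the connector the ARN of a module-created key even though reading KMS-encrypted logs is the point of the PR. Suggest exposing the created key ARN as an output of the cloudtrail module and passing the user ARN if set, otherwise that output.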
21 changes: 12 additions & 9 deletions examples/single-account-ecs/variables.tf
@@ -1,5 +1,3 @@


#---------------------------------
# optionals - with defaults
#---------------------------------
@@ -8,6 +6,18 @@
#
# cloudtrail configuration
#
variable "cloudtrail_kms_enable" {
type = bool
default = true
description = "true/false whether cloudtrail delivered events to S3 should persist encrypted. If `var.cloudtrail_kms_arn` is set, then the pre-existing KMS key will be used, otherwise a new KMS key will be created"
}

variable "cloudtrail_kms_arn" {
type = string
default = null
description = "When `var.cloudtrail_kms_enable` is set to true, ARN of a pre-existing KMS key for encrypting the Cloudtrail logs"
}

variable "cloudtrail_sns_arn" {
type = string
default = "create"
@@ -20,13 +30,6 @@ variable "cloudtrail_is_multi_region_trail" {
description = "true/false whether cloudtrail will ingest multiregional events"
}

variable "cloudtrail_kms_enable" {
type = bool
default = true
description = "true/false whether cloudtrail delivered events to S3 should persist encrypted"
}


#
# ecs, security group, vpc
#
1 change: 1 addition & 0 deletions examples/single-account-k8s/cloudtrail.tf
@@ -11,6 +11,7 @@ module "cloudtrail" {
is_organizational = false
is_multi_region_trail = var.cloudtrail_is_multi_region_trail
cloudtrail_kms_enable = var.cloudtrail_kms_enable
cloudtrail_kms_arn = var.cloudtrail_kms_arn

tags = var.tags
}
8 changes: 7 additions & 1 deletion examples/single-account-k8s/variables.tf
@@ -21,7 +21,13 @@ variable "cloudtrail_is_multi_region_trail" {
variable "cloudtrail_kms_enable" {
type = bool
default = true
description = "true/false whether s3 should be encrypted. testing/economization purpose."
description = "true/false whether cloudtrail delivered events to S3 should persist encrypted. If `var.cloudtrail_kms_arn` is set, then the pre-existing KMS key will be used, otherwise a new KMS key will be created"
}

variable "cloudtrail_kms_arn" {
type = string
default = null
description = "When `var.cloudtrail_kms_enable` is set to true, ARN of a pre-existing KMS key for encrypting the Cloudtrail logs"
}

variable "name" {
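Review bot: this example gains `cloudtrail_kms_arn` and forwards it to the cloudtrail module in cloudtrail.tf, but unlike examples/single-account-ecs/main.tf there is no change to the k8s cloud_connector `existing_cloudtrail_config` in this diff, so the k8s connector never learns the key ARN. Either wire it through as the ecs example does or state why the k8s deployment does not need it.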
3 changes: 2 additions & 1 deletion modules/infrastructure/cloudtrail/README.md
@@ -41,7 +41,8 @@ No modules.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether s3 should be encrypted | `bool` | `true` | no |
| <a name="input_cloudtrail_kms_arn"></a> [cloudtrail\_kms\_arn](#input\_cloudtrail\_kms\_arn) | When `var.cloudtrail_kms_enable` is set to true, ARN of a pre-existing KMS key for encrypting the Cloudtrail logs | `string` | `null` | no |
| <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether s3 should be encrypted. If `var.cloudtrail_kms_arn` is set, then the pre-existing KMS key will be used, otherwise a new KMS key will be created | `bool` | `true` | no |
| <a name="input_is_multi_region_trail"></a> [is\_multi\_region\_trail](#input\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events | `bool` | `true` | no |
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | true/false whether cloudtrail is organizational or not | `bool` | `false` | no |
| <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
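Review bot: the README now documents `cloudtrail_kms_arn` as a module input, but no declaration of that variable in modules/infrastructure/cloudtrail/variables.tf appears among the files shown here, while kms.tf, locals.tf and main.tf in this PR all reference `var.cloudtrail_kms_arn`. Make sure the declaration is part of the change set, otherwise the module fails validation.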
6 changes: 3 additions & 3 deletions modules/infrastructure/cloudtrail/kms.tf
@@ -1,5 +1,5 @@
resource "aws_kms_key" "cloudtrail_kms" {
count = var.cloudtrail_kms_enable ? 1 : 0
count = local.create_kms_key ? 1 : 0
is_enabled = true
enable_key_rotation = true
policy = data.aws_iam_policy_document.cloudtrail_kms[0].json
@@ -9,13 +9,13 @@ resource "aws_kms_key" "cloudtrail_kms" {
}

resource "aws_kms_alias" "kms" {
count = var.cloudtrail_kms_enable ? 1 : 0
count = local.create_kms_key ? 1 : 0
target_key_id = aws_kms_key.cloudtrail_kms[0].id
name = "alias/${var.name}"
}

data "aws_iam_policy_document" "cloudtrail_kms" {
count = var.cloudtrail_kms_enable ? 1 : 0
count = local.create_kms_key ? 1 : 0
statement {
sid = "Enable IAM User Permissions"
effect = "Allow"
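Review bot: gating `data.aws_iam_policy_document.cloudtrail_kms` on `local.create_kms_key` means the CloudTrail-specific key policy is only rendered for a module-created key. A user-supplied key must therefore already allow the CloudTrail service principal to use it (CloudTrail needs `kms:GenerateDataKey*` on the key to deliver encrypted logs, and the connector's role needs `kms:Decrypt` to read them); nothing here checks or documents that, so add it to the `cloudtrail_kms_arn` description.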
4 changes: 4 additions & 0 deletions modules/infrastructure/cloudtrail/locals.tf
@@ -0,0 +1,4 @@
locals {
# We don't create the KMS key when an existing KMS key ARN is provided
create_kms_key = var.cloudtrail_kms_enable && (var.cloudtrail_kms_arn != null || var.cloudtrail_kms_arn != "")
}
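Review bot: the condition on `create_kms_key` is inverted and, as written, is true whenever `cloudtrail_kms_enable` is true: `var.cloudtrail_kms_arn != null || var.cloudtrail_kms_arn != ""` holds for null (because `null != ""`), for `""` (because `"" != null`) and for any real ARN, so the module still creates its own key when an existing ARN is supplied, contradicting the comment above it. It should read `var.cloudtrail_kms_enable && (var.cloudtrail_kms_arn == null || var.cloudtrail_kms_arn == "")`.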
2 changes: 1 addition & 1 deletion modules/infrastructure/cloudtrail/main.tf
@@ -8,7 +8,7 @@ resource "aws_cloudtrail" "cloudtrail" {
s3_bucket_name = aws_s3_bucket.cloudtrail.id
is_multi_region_trail = var.is_multi_region_trail

kms_key_id = var.cloudtrail_kms_enable ? aws_kms_key.cloudtrail_kms[0].arn : null
kms_key_id = var.cloudtrail_kms_enable ? (local.create_kms_key ? aws_kms_key.cloudtrail_kms[0].arn : var.var.cloudtrail_kms_arn) : null
sns_topic_name = aws_sns_topic.cloudtrail.id

enable_logging = true
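Review bot: `var.var.cloudtrail_kms_arn` is a typo that references an undeclared variable named `var`, so `terraform validate` fails on this line; it should be `var.cloudtrail_kms_arn`. Keep the outer `var.cloudtrail_kms_enable ? ... : null` nesting, since `local.create_kms_key` being false covers both "encryption disabled" and "existing key supplied" and the two must map to different values here.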