A terraform module for allowing KSOC to connect to your AWS account.

ksoclabs/terraform-aws-ksoc-connect


terraform-aws-ksoc-connect

This module connects your AWS account to KSOC so that KSOC can scan and analyze your AWS resources.

Terraform Registry

This module is published in the Terraform Registry (see the module's registry page). It uses the official KSOC provider to authenticate and connect your AWS account to KSOC. The KSOC provider is published in the Terraform Provider Registry.

Contributing

The most important thing to be aware of when contributing is that we leverage the Semantic Release Action to automate our changelog, see here.

This requires us to use conventional git commits when committing to this repository.

Each PR merge into the main branch will execute the release process defined here.

Usage

This module requires you to obtain a set of cloud API credentials from KSOC (access_key/secret). It will use those credentials to connect your AWS account to your KSOC account.

The module needs an AWS provider to be configured. It creates an IAM Role in your account called ksoc-connect. Fine-grained policies (prefixed with ksoc_connect_policy) are attached to that role, and its trust policy allows the ksoc-connector role in KSOC's AWS account to assume it and interact with the AWS resources in your account that the policies permit.

When the ksoc-connect Role is created, it will be added to your KSOC account through the ksoc_aws_register resource.
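The following root module is an added example (it is not taken from this repository) showing how the module described above is typically wired up. The module source path `ksoclabs/ksoc-connect/aws` is an assumption derived from the repository name, the provider source `ksoclabs/ksoc` is an assumption as well, and the version is a placeholder; check both against the registry pages. The KSOC access_key/secret are supplied to the `ksoc` provider as its documentation describes and are deliberately not written into the configuration. The `ksoc_assumed_role_arn` line repeats the module's default so the trust boundary is visible in code review: it is the only external principal that may assume ksoc-connect.

```hcl
# Added example, not part of the terraform-aws-ksoc-connect repository.
terraform {
  required_version = ">= 1.0.8"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0.0"
    }
    ksoc = {
      source  = "ksoclabs/ksoc" # assumed provider address; verify on the provider registry page
      version = ">= 0.1.0"
    }
  }
}

# The AWS account that KSOC will be allowed to inspect.
provider "aws" {
  region = "us-east-1"
}

# Credentials (access_key/secret issued by KSOC) are read from the environment
# or a secrets store as the provider documents; keep them out of the repository.
provider "ksoc" {}

module "ksoc_connect" {
  source  = "ksoclabs/ksoc-connect/aws" # assumed registry path derived from the repo name
  version = "X.Y.Z"                     # placeholder: pin to a released module version

  # Default value restated so reviewers can see which external principal is
  # trusted to assume the ksoc-connect role created in this account.
  ksoc_assumed_role_arn = "arn:aws:iam::955322216602:role/ksoc-connector"
}

# The role ARN registered with KSOC via ksoc_aws_register; compare it with what
# the KSOC console shows for this account after apply.
output "ksoc_connect_role_arn" {
  value = module.ksoc_connect.role_arn
}
```

After `terraform apply`, review the trust policy of the ksoc-connect role in IAM: it should list only the ARN passed in `ksoc_assumed_role_arn` as a trusted principal, and the attached policies should all carry the ksoc_connect_policy prefix. Any extra principal or policy is a sign that something other than this module has modified the role.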

EKS Audit Logs

There is an optional flag enable_eks_audit_logs_pipeline which creates a CloudWatch Logs -> Firehose -> S3 pipeline for all EKS clusters in the account. This is required for KSOC to be able to analyse EKS audit logs. Make sure audit logging is enabled on every EKS cluster you wish to have analysed. By default, the pipeline's IAM policy allows CloudWatch Logs in the four US regions to deliver to the Firehose. If you have EKS clusters in other regions, override the eks_audit_logs_regions variable.

Also, only clusters in the same region as your AWS provider are included in the pipeline. If you have EKS clusters in multiple regions, you need to enable the eks_audit_logs_multi_region flag and create subscription filters in each additional region outside of this module (see the example in the examples/audit_logs_multi_region directory).
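The configuration below is an added example, not the repository's own examples/audit_logs_multi_region code, showing the pipeline enabled with one extra region. It assumes the same module source path and version placeholder as above, that EKS control-plane log groups follow the standard `/aws/eks/<cluster>/cluster` naming, and that the module's three audit-log outputs (`eks_audit_logs_filter_pattern`, `eks_audit_logs_firehose_arn`, `eks_audit_logs_cloudwatch_iam_role_arn`) are exactly what a subscription filter in another region needs. Note that the extra region is also added to `eks_audit_logs_regions`; without that, the CloudWatch role's trust policy would reject the delivery from that region.

```hcl
# Added example, not part of the terraform-aws-ksoc-connect repository.

# Region of the module's provider: the Firehose and S3 bucket are created here.
provider "aws" {
  region = "us-east-1"
}

# A second region that also runs EKS clusters.
provider "aws" {
  alias  = "eu_west_1"
  region = "eu-west-1"
}

provider "ksoc" {}

module "ksoc_connect" {
  source  = "ksoclabs/ksoc-connect/aws" # assumed registry path
  version = "X.Y.Z"                     # placeholder

  enable_eks_audit_logs_pipeline = true
  eks_audit_logs_multi_region    = true

  # Keep the module's default regions and add only the region actually in use,
  # so CloudWatch Logs in eu-west-1 may assume the delivery role.
  eks_audit_logs_regions = [
    "us-east-1",
    "us-east-2",
    "us-west-1",
    "us-west-2",
    "eu-west-1",
  ]
}

# Discover EKS control-plane log groups in the extra region (assumed naming).
data "aws_cloudwatch_log_groups" "eks_eu_west_1" {
  provider              = aws.eu_west_1
  log_group_name_prefix = "/aws/eks/"
}

# One subscription filter per cluster log group, reusing the module's filter
# pattern so only ResponseComplete audit events (minus health/metrics noise)
# are shipped to the Firehose in us-east-1.
resource "aws_cloudwatch_log_subscription_filter" "eks_eu_west_1" {
  for_each = toset(data.aws_cloudwatch_log_groups.eks_eu_west_1.log_group_names)
  provider = aws.eu_west_1

  name            = "ksoc-eks-audit-logs"
  log_group_name  = each.value
  filter_pattern  = module.ksoc_connect.eks_audit_logs_filter_pattern
  destination_arn = module.ksoc_connect.eks_audit_logs_firehose_arn
  role_arn        = module.ksoc_connect.eks_audit_logs_cloudwatch_iam_role_arn
}
```

If a cluster in the extra region was created after the first apply, re-running `terraform apply` picks up its log group through the data source. If no log groups are found, check that control-plane audit logging is actually enabled on the cluster, since EKS creates the log group only once at least one log type is turned on.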

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.8 |
| aws | >= 5.0.0 |
| ksoc | >= 0.1.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 5.0.0 |
| ksoc | >= 0.1.0 |
| random | n/a |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_subscription_filter.subscription_filter | resource |
| aws_iam_instance_profile.this | resource |
| aws_iam_policy.connect_policy | resource |
| aws_iam_policy.ksoc_s3_access | resource |
| aws_iam_role.cloudwatch | resource |
| aws_iam_role.firehose | resource |
| aws_iam_role.ksoc_s3_access | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.ksoc_connect_policy_attachment | resource |
| aws_iam_role_policy_attachment.ksoc_s3_access | resource |
| aws_kinesis_firehose_delivery_stream.firehose | resource |
| aws_s3_bucket.audit_logs | resource |
| aws_s3_bucket_versioning.audit_logs | resource |
| ksoc_aws_register.this | resource |
| random_id.uniq | resource |
| aws_caller_identity.current | data source |
| aws_cloudwatch_log_groups.eks | data source |
| aws_iam_policy_document.assume_role | data source |
| aws_iam_policy_document.cloudwatch_assume | data source |
| aws_iam_policy_document.firehose_assume | data source |
| aws_iam_policy_document.firehose_to_s3 | data source |
| aws_iam_policy_document.ksoc_assume | data source |
| aws_iam_policy_document.ksoc_s3_access | data source |
| aws_iam_policy_document.logs_to_firehose | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| eks_audit_logs_bucket_versioning_enabled | Enable versioning for the S3 bucket that will store EKS audit logs | `bool` | `true` | no |
| eks_audit_logs_filter_pattern | The CloudWatch Logs subscription filter pattern | `string` | `"{ $.stage = \"ResponseComplete\" && $.requestURI != \"/version\" && $.requestURI != \"/version?*\" && $.requestURI != \"/metrics\" && $.requestURI != \"/metrics?*\" && $.requestURI != \"/logs\" && $.requestURI != \"/logs?*\" && $.requestURI != \"/swagger*\" && $.requestURI != \"/livez*\" && $.requestURI != \"/readyz*\" && $.requestURI != \"/healthz*\" }"` | no |
| eks_audit_logs_multi_region | Enable multi-region support for the EKS audit logs. This requires creating subscription filters in each region outside of this module. See the EKS Audit Logs section above. | `bool` | `false` | no |
| eks_audit_logs_regions | Regions from which CloudWatch Logs will be allowed to send logs to the Firehose | `list(string)` | `["us-east-1", "us-east-2", "us-west-1", "us-west-2"]` | no |
| enable_eks_audit_logs_pipeline | Enable the EKS audit logs pipeline (CloudWatch Logs -> Firehose -> S3) | `bool` | `false` | no |
| ksoc_assumed_role_arn | KSOC role that will assume the ksoc-connect IAM role you create, to interact with resources in your account | `string` | `"arn:aws:iam::955322216602:role/ksoc-connector"` | no |
| ksoc_eks_audit_logs_assumed_role_arn | KSOC role dedicated to EKS audit logs that will be allowed to assume the audit-logs S3 access role | `string` | `"arn:aws:iam::955322216602:role/ksoc-data-pipeline"` | no |

Outputs

| Name | Description |
|------|-------------|
| eks_audit_logs_cloudwatch_iam_role_arn | AWS IAM role ARN used by CloudWatch Logs to deliver to the Firehose |
| eks_audit_logs_filter_pattern | The CloudWatch Logs subscription filter pattern |
| eks_audit_logs_firehose_arn | The Firehose delivery stream ARN |
| role_arn | AWS IAM role ARN which KSOC uses to connect |

License

Apache 2 Licensed. See LICENSE for full details.