cds-snc / cloud-based-sensor

Infrastructure configuration to manage CCCS's Cloud Based Sensor in AWS accounts
https://cyber.gc.ca/en/host-based-sensors
MIT License

Feat/setup resources cbs 2 3 #349

Closed gcharest closed 5 months ago

gcharest commented 5 months ago

Summary | Résumé

Setting up the CBS 2.3 resources for custom implementation

github-actions[bot] commented 5 months ago

Central account

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

Plan: 5 to add, 2 to change, 0 to destroy
Show summary | CHANGE | NAME | |--------|--------------------------------------------------------------------| | update | `aws_s3_bucket_notification.cbs_transport_lambda` | | | `module.gh_oidc_roles.aws_iam_role.this[0]` | | add | `aws_cloudwatch_event_rule.cbs` | | | `aws_cloudwatch_event_target.cross_account` | | | `aws_iam_policy.event_bus_invoke_remote_event_bus` | | | `aws_iam_role.event_bus_invoke_remote_event_bus` | | | `aws_iam_role_policy_attachment.event_bus_invoke_remote_event_bus` |
Show plan ```terraform Resource actions are indicated with the following symbols: + create ~ update in-place Terraform will perform the following actions: # aws_cloudwatch_event_rule.cbs will be created + resource "aws_cloudwatch_event_rule" "cbs" { + arn = (known after apply) + description = "Sends replication events from cbs-log-archive-871282759583 to CBS." + event_bus_name = "default" + event_pattern = jsonencode( { + detail = { + additionalEventData = { + bytesTransferredIn = [ + { + numeric = [ + ">", + 0, ] }, ] } + eventName = [ + "PutObject", ] + requestParameters = { + bucketName = [ + "cbs-log-archive-871282759583", ] } + userIdentity = { + principalId = [ + { + suffix = ":s3-replication" }, ] } } + source = [ + "aws.s3", ] } ) + force_destroy = false + id = (known after apply) + name = "cbs" + name_prefix = (known after apply) + tags = { + "Owner" = "CBS" } + tags_all = { + "Owner" = "CBS" } } # aws_cloudwatch_event_target.cross_account will be created + resource "aws_cloudwatch_event_target" "cross_account" { + arn = "arn:aws:events:ca-central-1:346725238039:event-bus/default" + event_bus_name = "default" + force_destroy = false + id = (known after apply) + role_arn = (known after apply) + rule = "cbs" + target_id = (known after apply) } # aws_iam_policy.event_bus_invoke_remote_event_bus will be created + resource "aws_iam_policy" "event_bus_invoke_remote_event_bus" { + arn = (known after apply) + attachment_count = (known after apply) + id = (known after apply) + name = "event_bus_invoke_remote_event_bus" + name_prefix = (known after apply) + path = "/" + policy = jsonencode( { + Statement = [ + { + Action = "events:PutEvents" + Effect = "Allow" + Resource = "arn:aws:events:ca-central-1:346725238039:event-bus/default" }, ] + Version = "2012-10-17" } ) + policy_id = (known after apply) + tags_all = (known after apply) } # aws_iam_role.event_bus_invoke_remote_event_bus will be created + resource "aws_iam_role" "event_bus_invoke_remote_event_bus" { + arn 
= (known after apply) + assume_role_policy = jsonencode( { + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + Service = "events.amazonaws.com" } }, ] + Version = "2012-10-17" } ) + create_date = (known after apply) + force_detach_policies = false + id = (known after apply) + managed_policy_arns = (known after apply) + max_session_duration = 3600 + name = "event-bus-invoke-remote-event-bus" + name_prefix = (known after apply) + path = "/" + tags = { + "Owner" = "CBS" } + tags_all = { + "Owner" = "CBS" } + unique_id = (known after apply) + inline_policy { + name = (known after apply) + policy = (known after apply) } } # aws_iam_role_policy_attachment.event_bus_invoke_remote_event_bus will be created + resource "aws_iam_role_policy_attachment" "event_bus_invoke_remote_event_bus" { + id = (known after apply) + policy_arn = (known after apply) + role = "event-bus-invoke-remote-event-bus" } # aws_s3_bucket_notification.cbs_transport_lambda will be updated in-place ~ resource "aws_s3_bucket_notification" "cbs_transport_lambda" { ~ eventbridge = false -> true id = "cbs-log-archive-871282759583" # (1 unchanged attribute hidden) # (1 unchanged block hidden) } # module.gh_oidc_roles.aws_iam_role.this[0] will be updated in-place ~ resource "aws_iam_role" "this" { ~ assume_role_policy = jsonencode( ~ { ~ Statement = [ { Action = "sts:AssumeRoleWithWebIdentity" Condition = { StringLike = { token.actions.githubusercontent.com:sub = "repo:cds-snc/cloud-based-sensor:*" } } Effect = "Allow" Principal = { Federated = "arn:aws:iam::871282759583:oidc-provider/token.actions.githubusercontent.com" } }, ~ { ~ Principal = { ~ AWS = [ - "arn:aws:iam::687401027353:role/ConfigTerraformAdminExecutionRole", - "arn:aws:iam::283582579564:role/ConfigTerraformAdminExecutionRole", - "arn:aws:iam::066023111852:role/ConfigTerraformAdminExecutionRole", - "arn:aws:iam::866996500832:role/ConfigTerraformAdminExecutionRole", - 
"arn:aws:iam::472286471787:role/ConfigTerraformAdminExecutionRole", + "arn:aws:iam::992382783569:role/ConfigTerraformAdminExecutionRole", "arn:aws:iam::975050085632:role/ConfigTerraformAdminExecutionRole", - "arn:aws:iam::729164266357:role/ConfigTerraformAdminExecutionRole", - "arn:aws:iam::637287734259:role/ConfigTerraformAdminExecutionRole", - "arn:aws:iam::296255494825:role/ConfigTerraformAdminExecutionRole", - "arn:aws:iam::239043911459:role/ConfigTerraformAdminExecutionRole", "arn:aws:iam::957818836222:role/ConfigTerraformAdminExecutionRole", - "arn:aws:iam::730335533085:role/ConfigTerraformAdminExecutionRole", - "arn:aws:iam::767397913019:role/ConfigTerraformAdminExecutionRole", + "arn:aws:iam::866996500832:role/ConfigTerraformAdminExecutionRole", + "arn:aws:iam::806545929748:role/ConfigTerraformAdminExecutionRole", + "arn:aws:iam::800095993820:role/ConfigTerraformAdminExecutionRole", + "arn:aws:iam::796730610681:role/ConfigTerraformAdminExecutionRole", + "arn:aws:iam::794722365809:role/ConfigTerraformAdminExecutionRole", "arn:aws:iam::767397971970:role/ConfigTerraformAdminExecutionRole", + "arn:aws:iam::767397913019:role/ConfigTerraformAdminExecutionRole", + "arn:aws:iam::762579868088:role/ConfigTerraformAdminExecutionRole", + "arn:aws:iam::730335533085:role/ConfigTerraformAdminExecutionRole", + "arn:aws:iam::729164266357:role/ConfigTerraformAdminExecutionRole", "arn:aws:iam::723936812785:role/ConfigTerraformAdminExecutionRole", - "arn:aws:iam::806545929748:role/ConfigTerraformAdminExecutionRole", + "arn:aws:iam::687401027353:role/ConfigTerraformAdminExecutionRole", + "arn:aws:iam::637287734259:role/ConfigTerraformAdminExecutionRole", + "arn:aws:iam::521732289257:role/ConfigTerraformAdminExecutionRole", + "arn:aws:iam::472286471787:role/ConfigTerraformAdminExecutionRole", "arn:aws:iam::414662622316:role/ConfigTerraformAdminExecutionRole", - "arn:aws:iam::762579868088:role/ConfigTerraformAdminExecutionRole", 
"arn:aws:iam::307395567143:role/ConfigTerraformAdminExecutionRole", - "arn:aws:iam::794722365809:role/ConfigTerraformAdminExecutionRole", - "arn:aws:iam::796730610681:role/ConfigTerraformAdminExecutionRole", - "arn:aws:iam::521732289257:role/ConfigTerraformAdminExecutionRole", - "arn:aws:iam::800095993820:role/ConfigTerraformAdminExecutionRole", + "arn:aws:iam::296255494825:role/ConfigTerraformAdminExecutionRole", + "arn:aws:iam::283582579564:role/ConfigTerraformAdminExecutionRole", + "arn:aws:iam::239043911459:role/ConfigTerraformAdminExecutionRole", "arn:aws:iam::127893201980:role/ConfigTerraformAdminExecutionRole", + "arn:aws:iam::066023111852:role/ConfigTerraformAdminExecutionRole", ] } # (2 unchanged elements hidden) }, ] # (1 unchanged element hidden) } ) id = "ConfigTerraformAdministratorRole" name = "ConfigTerraformAdministratorRole" tags = { "CostCentre" = "cbs-871282759583" "Terraform" = "true" } # (8 unchanged attributes hidden) # (1 unchanged block hidden) } Plan: 5 to add, 2 to change, 0 to destroy. Warning: Argument is deprecated with module.log_archive_access_bucket.aws_s3_bucket.this, on .terraform/modules/log_archive_access_bucket/S3_log_bucket/main.tf line 8, in resource "aws_s3_bucket" "this": 8: resource "aws_s3_bucket" "this" { Use the aws_s3_bucket_server_side_encryption_configuration resource instead (and 7 more similar warnings elsewhere) ───────────────────────────────────────────────────────────────────────────── Saved the plan to: plan.tfplan To perform exactly these actions, run the following command to apply: terraform apply "plan.tfplan" ```
Show Conftest results ```sh WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.cbs"] WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.event_bus_invoke_remote_event_bus"] WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.log_archive_read"] WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.event_bus_invoke_remote_event_bus"] WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.log_archive_read"] WARN - plan.json - main - Missing Common Tags: ["aws_kms_key.log_archive_encrypt"] WARN - plan.json - main - Missing Common Tags: ["aws_sns_topic.log_archive"] 26 tests, 19 passed, 7 warnings, 0 failures, 0 exceptions ```