lacework / terraform-aws-agentless-scanning

Terraform module for configuring an integration with Lacework and AWS for agentless scanning
MIT License

feat: Support "aws" GovCloud accounts #43

Open xomgc3 opened 1 year ago

xomgc3 commented 1 year ago

Describe the bug
The module does not use the correct partition for ARNs in GovCloud accounts. Instead of arn:aws:logs:* the ARN should be arn:aws-us-gov:logs:*.

Steps to reproduce

module "lacework_agentless_scanning_govcloud_org" {
  source  = "lacework/agentless-scanning/aws"
  version = "~> 0.6"

  providers = {
    aws = aws.secops
  }

  global       = true
  organization = {
    // This list may contain account IDs, OUs, or the organization root.
    monitored_accounts = [data.aws_organizations_organization.master.roots[0].id]
    // This account ID must be the AWS organizations "management account".
    // This will be used to enumerate the accounts and OUs in the list of monitored accounts.
    // This account must also have the snapshot_role installed.
    management_account = local.aws_master_account_id
  }

  lacework_integration_name = "our-govcloud-agentless"
}

Expected behavior
Leverage:

data "aws_partition" "current" {}
# data.aws_partition.current.partition

Ensure the correct partition is used for all ARNs and policies.

Screenshots

Error: 1 error occurred: creating inline policy (AllowCloudWatch): MalformedPolicyDocument: Partition "aws" is not valid for resource "arn:aws:logs:::log-group:/ecs/lacework-agentless-scanning-". status code: 400, request id: with module.lacework_agentless_scanning_govcloud_org.aws_iam_role.agentless_scan_ecs_execution_role[0] on .terraform/modules/lacework_agentless_scanning_govcloud_org/main.tf line 326, in resource "aws_iam_role" "agentless_scan_ecs_execution_role"


Additional context
Works fine in normal AWS accounts.
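The partition-aware ARN construction requested above, written out as an added example (this is not the module's code; role, policy and log group names are hypothetical):

```hcl
# Added example, not part of terraform-aws-agentless-scanning: build the ECS
# execution role's CloudWatch Logs policy from the current partition instead
# of a hardcoded "arn:aws:" prefix, so it works in aws and aws-us-gov alike.
data "aws_partition" "current" {}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

locals {
  partition = data.aws_partition.current.partition # "aws" or "aws-us-gov"
  log_group = "/ecs/lacework-agentless-scanning-example" # hypothetical name
  log_arn   = "arn:${local.partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${local.log_group}"
}

data "aws_iam_policy_document" "ecs_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "agentless_scan_ecs_execution_example" {
  name               = "agentless-scan-ecs-execution-example" # hypothetical
  assume_role_policy = data.aws_iam_policy_document.ecs_assume.json
}

# A literal "arn:aws:logs:..." resource is rejected with MalformedPolicyDocument
# in a GovCloud account; the interpolated partition is accepted in both.
data "aws_iam_policy_document" "allow_cloudwatch" {
  statement {
    sid     = "AllowCloudWatch"
    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
    # log group itself plus its log streams (":*" suffix), nothing wider
    resources = [local.log_arn, "${local.log_arn}:*"]
  }
}

resource "aws_iam_role_policy" "allow_cloudwatch" {
  name   = "AllowCloudWatch"
  role   = aws_iam_role.agentless_scan_ecs_execution_example.id
  policy = data.aws_iam_policy_document.allow_cloudwatch.json
}
```

Running `terraform plan` against a GovCloud provider shows the rendered policy with an `arn:aws-us-gov:logs:` resource, which is the quickest way to confirm every ARN in a module has been switched over.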

jon-stewart commented 1 year ago

Hi @xomgc3 , thanks for raising this bug. Looking at it now.

jon-stewart commented 1 year ago

Hi @xomgc3 this module doesn't support the aws-us-gov ARN partition as it is hardcoded to make use of the aws partition.

We will consider this as a feature request. Thanks for the feedback.

bebold-jhr commented 1 year ago

Hello @xomgc3, I tried myself on a PR. See #70