From d8431c4977c269c361dd5fc358c487a353d8d217 Mon Sep 17 00:00:00 2001 From: Marat Salakhutdinov Date: Mon, 10 Mar 2025 16:22:06 -0400 Subject: [PATCH] add extra logic to cloud logs module to support bucket in different account and enabled KMS encryption of the files --- modules/integrations/cloud-logs/README.md | 73 +++++++++++--------- modules/integrations/cloud-logs/main.tf | 17 +++++ modules/integrations/cloud-logs/outputs.tf | 50 ++++++++++++++ modules/integrations/cloud-logs/variables.tf | 18 +++++ 4 files changed, 127 insertions(+), 31 deletions(-) diff --git a/modules/integrations/cloud-logs/README.md b/modules/integrations/cloud-logs/README.md index be29c42..59ff540 100644 --- a/modules/integrations/cloud-logs/README.md +++ b/modules/integrations/cloud-logs/README.md @@ -11,21 +11,22 @@ The following resources will be created in each instrumented account: If instrumenting an AWS Gov account/organization, resources will be created in `aws-us-gov` region. - ## Requirements -| Name | Version | -|---------------------------------------------------------------------------|-----------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 5.60.0 | -| [sysdig](#requirement\_sysdig) | ~>1.39 | -| [random](#requirement\_random) | >= 3.1 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 5.60.0 | +| [random](#requirement\_random) | >= 3.1 | +| [sysdig](#requirement\_sysdig) | ~> 1.44 | ## Providers -| Name | Version | -|---------------------------------------------------|-----------| +| Name | Version | +|------|---------| | [aws](#provider\_aws) | >= 5.60.0 | +| [random](#provider\_random) | >= 3.1 | +| [sysdig](#provider\_sysdig) | ~> 1.44 | ## Modules 
@@ -33,35 +34,45 @@ No modules. ## Resources -| Name | Type | -|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------| -| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | -| [aws_iam_role.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy.cloudlogs_s3_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | -| [aws_iam_policy_document.assume_cloudlogs_s3_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source | -| [sysdig_secure_tenant_external_id.external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source | -| [sysdig_secure_cloud_auth_account_component.aws_cloud_logs](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource | +| Name | Type | +|------|------| +| [aws_iam_role.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| 
[aws_iam_role_policy.cloudlogs_s3_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_sns_topic.cloudtrail_notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource | +| [aws_sns_topic_policy.cloudtrail_notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource | +| [aws_sns_topic_subscription.cloudtrail_notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource | +| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | +| [sysdig_secure_cloud_auth_account_component.aws_cloud_logs](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.assume_cloudlogs_s3_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [sysdig_secure_cloud_ingestion_assets.assets](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_cloud_ingestion_assets) | data source | +| [sysdig_secure_tenant_external_id.external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source | +| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source | ## Inputs -| Name | 
Description | Type | Default | Required | -|------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|---------------|-------------------------------------------------------------|:--------:| -| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account) | `string` | n/a | yes | -| [folder\_arn](#input\_folder\_arn) | (Required) The ARN of your CloudTrail Bucket Folder | `string` | n/a | yes | -| [tags](#input\_tags) | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required. | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
}
| no | -| [name](#input\_name) | (Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `string` | sysdig-secure-cloudlogs | no | -| [regions](#input\_regions) | (Optional) The list of AWS regions we want to scrape data from | `set(string)` | `[]` | no | -| [is\_gov\_cloud](#input\_is\_gov\_cloud\_onboarding) | true/false whether secure-for-cloud should be deployed in a govcloud account/org or not | `bool` | `false` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [bucket\_arn](#input\_bucket\_arn) | (Required) The ARN of your CloudTrail Bucket | `string` | n/a | yes | +| [create\_topic](#input\_create\_topic) | true/false whether terraform should create the SNS Topic | `bool` | `false` | no | +| [is\_gov\_cloud\_onboarding](#input\_is\_gov\_cloud\_onboarding) | true/false whether secure-for-cloud should be deployed in a govcloud account/org or not | `bool` | `false` | no | +| [is\_log\_file\_kms\_encryption\_enabled](#input\_is\_log\_file\_kms\_encryption\_enabled) | needed only if cloudtrail s3 bucket is located in different account. true/false whether log file encryption is enabled | `bool` | `false` | no | +| [is\_s3\_bucket\_in\_different\_account](#input\_is\_s3\_bucket\_in\_different\_account) | true/false whether cloudtrail s3 bucket is located in different account | `bool` | `false` | no | +| [kms\_key\_arn](#input\_kms\_key\_arn) | KMS key ARN that is used to encrypt log files in s3 bucket | `string` | `""` | no | +| [name](#input\_name) | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required. 
Use default value unless you need to install multiple instances | `string` | `"sysdig-secure-cloudlogs"` | no | +| [regions](#input\_regions) | (Optional) The list of AWS regions we want to scrape data from | `set(string)` | `[]` | no | +| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account) | `string` | n/a | yes | +| [tags](#input\_tags) | (Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
}
| no | +| [topic\_arn](#input\_topic\_arn) | SNS Topic ARN that will forward CloudTrail notifications to Sysdig Secure | `string` | n/a | yes | ## Outputs -| Name | Description | -|-----------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------| +| Name | Description | +|------|-------------| | [cloud\_logs\_component\_id](#output\_cloud\_logs\_component\_id) | Component identifier of Cloud Logs integration created in Sysdig Backend for Log Ingestion | - +| [extra\_permissions\_kms\_key](#output\_extra\_permissions\_kms\_key) | Extra permissions to add to KMS key policy | +| [extra\_permissions\_s3\_bucket](#output\_extra\_permissions\_s3\_bucket) | Extra permissions to add to s3 bucket | ## Authors diff --git a/modules/integrations/cloud-logs/main.tf b/modules/integrations/cloud-logs/main.tf index 4c821a2..d0ce366 100644 --- a/modules/integrations/cloud-logs/main.tf +++ b/modules/integrations/cloud-logs/main.tf @@ -119,6 +119,23 @@ data "aws_iam_policy_document" "cloudlogs_s3_access" { "${var.bucket_arn}/*" ] } + + dynamic "statement" { + for_each = var.is_s3_bucket_in_different_account && var.is_log_file_kms_encryption_enabled ? [1] : [] + content { + sid = "AllowDecryptWithCrossAccountKey" + + effect = "Allow" + + actions = [ + "kms:Decrypt" + ] + + resources = [ + var.kms_key_arn + ] + } + } } #----------------------------------------------------------------------------------------------------------------------- diff --git a/modules/integrations/cloud-logs/outputs.tf b/modules/integrations/cloud-logs/outputs.tf index 35b6b1e..b2e609e 100644 --- a/modules/integrations/cloud-logs/outputs.tf +++ b/modules/integrations/cloud-logs/outputs.tf 
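Review bot: The new `AllowDecryptWithCrossAccountKey` statement is only emitted when both `var.is_s3_bucket_in_different_account` and `var.is_log_file_kms_encryption_enabled` are true, whereas the `extra_permissions_kms_key` output in the same patch is gated on the KMS flag alone, so a same-account SSE-KMS bucket gets a key-policy grant suggested but no `kms:Decrypt` in the role's identity policy; if the same-account case is meant to work the guard should be `for_each = var.is_log_file_kms_encryption_enabled ? [1] : []`, and if it is not, the variable description should say the flag is ignored there. The statement is also unconditioned, while the key-policy snippet the module prints is scoped with `kms:ViaService`; mirroring that condition on the identity side (below) keeps the role from using the key through anything but S3, at no cost to the happy path. With the default `kms_key_arn = ""` the statement renders an empty `Resource` entry, which will presumably only be rejected at apply time; a `precondition` or variable `validation` would fail the plan with a clear message instead. The enclosing `cloudlogs_s3_access` data source starts before this hunk.
```hcl
  dynamic "statement" {
    for_each = var.is_s3_bucket_in_different_account && var.is_log_file_kms_encryption_enabled ? [1] : []
    content {
      # … unchanged: sid, effect, actions, resources …

      # Only allow the key to be used via S3 in the key's own region (region is the
      # 4th ARN field, so this works for any partition, including aws-us-gov).
      condition {
        test     = "StringEquals"
        variable = "kms:ViaService"
        values   = ["s3.${split(":", var.kms_key_arn)[3]}.amazonaws.com"]
      }
    }
  }
```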
@@ -3,3 +3,53 @@ output "cloud_logs_component_id" {
 description = "Component identifier of Cloud Logs integration created in Sysdig Backend for Log Ingestion"
 depends_on = [ sysdig_secure_cloud_auth_account_component.aws_cloud_logs ]
 }
+
+output "extra_permissions_s3_bucket" {
+ value = ( var.is_s3_bucket_in_different_account
+ ? <<-EOT
+
+ Please add following extra permissions to cloudtrail S3 bucket:
+
+ {
+ "Sid": "Sysdig-Get",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "${aws_iam_role.cloudlogs_s3_access.arn}"
+ },
+ "Action": "s3:GetObject",
+ "Resource": "${var.bucket_arn}/*"
+ }
+ EOT
+ : null )
+ description = "Extra permissions to add to s3 bucket"
+ depends_on = [ sysdig_secure_cloud_auth_account_component.aws_cloud_logs ]
+}
+
+output "extra_permissions_kms_key" {
+ value = ( var.is_log_file_kms_encryption_enabled
+ ? <<-EOT
+
+ Please add following extra permissions to KMS key policy:
+
+ {
+ "Sid": "Sysdig-Decrypt",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "${aws_iam_role.cloudlogs_s3_access.arn}"
+ },
+ "Action": "kms:Decrypt",
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "kms:ViaService": "s3.${regex("^arn:aws:kms:([^:]+):\\d+:key/.*$", var.kms_key_arn)[0]}.amazonaws.com"
+ },
+ "StringLike": {
+ "kms:EncryptionContext:aws:s3:arn": "${var.bucket_arn}/*"
+ }
+ }
+ }
+ EOT
+ : null )
+ description = "Extra permissions to add to KMS key policy"
+ depends_on = [ sysdig_secure_cloud_auth_account_component.aws_cloud_logs ]
+}
\ No newline at end of file
diff --git a/modules/integrations/cloud-logs/variables.tf b/modules/integrations/cloud-logs/variables.tf
index 7f9a22a..cbe286f 100644
--- a/modules/integrations/cloud-logs/variables.tf
+++ b/modules/integrations/cloud-logs/variables.tf
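Review bot: The `regex("^arn:aws:kms:…")` that derives the region for `kms:ViaService` in `extra_permissions_kms_key` hard-codes the `aws` partition, but this module also targets GovCloud (`is_gov_cloud_onboarding`; the README says resources land in `aws-us-gov`), where key ARNs start with `arn:aws-us-gov:kms:`; `regex()` then reports no match and the output fails the plan, at least whenever `is_log_file_kms_encryption_enabled` is set with a GovCloud key. Taking the region positionally removes the partition dependency: `"kms:ViaService": "s3.${split(":", var.kms_key_arn)[3]}.amazonaws.com"`. This output is also printed whenever the KMS flag is set, while the matching `kms:Decrypt` statement in main.tf is only added when the bucket is additionally in another account, so the two should be gated the same way or the difference documented. Whether objects written by CloudTrail carry the `aws:s3:arn` encryption context (rather than CloudTrail's own `aws:cloudtrail:arn`) is not established by this patch, so the `StringLike` condition is worth confirming against the CloudTrail key-policy documentation before it is shipped as guidance.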
@@ -35,6 +35,24 @@ variable "is_gov_cloud_onboarding" {
 description = "true/false whether secure-for-cloud should be deployed in a govcloud account/org or not"
 }
 
+variable "is_s3_bucket_in_different_account" {
+ type = bool
+ default = false
+ description = "true/false whether cloudtrail s3 bucket is located in different account"
+}
+
+variable "is_log_file_kms_encryption_enabled" {
+ type = bool
+ default = false
+ description = "needed only if cloudtrail s3 bucket is located in different account. true/false whether log file encryption is enabled"
+}
+
+variable "kms_key_arn" {
+ type = string
+ description = "KMS key ARN that is used to encrypt log files in s3 bucket"
+ default = ""
+}
+
 variable "topic_arn" {
 type = string
 description = "SNS Topic ARN that will forward CloudTrail notifications to Sysdig Secure"
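Review bot: `kms_key_arn` accepts any string, including the `""` default, and nothing ties it to `is_log_file_kms_encryption_enabled`, so a typo or a forgotten value only surfaces when the IAM policy document or the `regex()` in outputs.tf is evaluated; a `validation` block on the variable (below) rejects malformed ARNs at plan time while still allowing the empty default, and accepts any partition since the module supports GovCloud. A cross-variable check ("flag set but ARN empty") is not available inside `validation` at this module's `>= 1.0.0` floor, so that case would need a `precondition` on the consuming resource. The description of `is_log_file_kms_encryption_enabled` is also ambiguous given that main.tf only honours it together with `is_s3_bucket_in_different_account`; I would say so explicitly, e.g. `description = "true/false whether CloudTrail log files in the bucket are SSE-KMS encrypted. Currently only honoured together with is_s3_bucket_in_different_account; requires kms_key_arn."`.
```hcl
variable "kms_key_arn" {
  type        = string
  description = "KMS key ARN that is used to encrypt log files in s3 bucket"
  default     = ""

  # Format check only: empty (KMS disabled) or a full key ARN in any AWS partition.
  validation {
    condition     = var.kms_key_arn == "" || can(regex("^arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:key/", var.kms_key_arn))
    error_message = "kms_key_arn must be empty or a full KMS key ARN (arn:<partition>:kms:<region>:<account-id>:key/<key-id>)."
  }
}
```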