Moved IAM to sub-modules

README.md

@@ -5,19 +5,45 @@
 ## Usage
 
 ```terraform
+resource "aws_s3_bucket" "enrichment_bucket" {
+  bucket = "corelight-enrichment"
+}
+
+module "enrichment_eventbridge_role" {
+  source = "github.com/corelight/terraform-aws-enrichment//modules/iam/eventbridge"
+
+  primary_event_bus_arn = module.enrichment.primary_event_bus_arn
+}
+
+module "enrichment_lambda_role" {
+  source = "github.com/corelight/terraform-aws-enrichment//modules/iam/lambda"
+
+  enrichment_bucket_arn           = aws_s3_bucket.enrichment_bucket.arn
+  enrichment_ecr_repository_arn   = data.aws_ecr_repository.enrichment_repo.arn
+  lambda_cloudwatch_log_group_arn = module.enrichment.cloudwatch_log_group_arn
+}
+
 module "enrichment" {
   source = "github.com/corelight/terraform-aws-enrichment"
 
   corelight_cloud_enrichment_image = "123456789111.dkr.ecr.us-east-1.amazonaws.com/corelight-sensor-enrichment-aws"
   corelight_cloud_enrichment_image_tag = "0.1.0"
-  enrichment_bucket_name = "corelight-enrichment"
+  enrichment_bucket_name = aws_s3_bucket.enrichment_bucket.bucket
+  eventbridge_iam_cross_region_role_arn = module.enrichment_eventbridge_role.cross_region_role_arn
+  lambda_iam_role_arn                   = module.enrichment_lambda_role.lambda_iam_role_arn
+}
 
-  tags = {
-    terraform : true,
-    example : true,
-    purpose : "Corelight"
-  }
+# Used in tandem with the Corelight Sensor Module: https://github.com/corelight/terraform-aws-sensor
+module "enrichment_sensor_role" {
+  source = "github.com/corelight/terraform-aws-enrichment//modules/iam/sensor"
+  enrichment_bucket_arn = aws_s3_bucket.enrichment_bucket.arn
 }
+
+resource "aws_iam_instance_profile" "corelight_sensor" {
+  name = "corelight-sensor-profile"
+  role = module.enrichment_sensor_role.sensor_role_name
+}
+
 ```
 
 ## Preparation

data.tf

@@ -1,7 +1,3 @@
 data "aws_s3_bucket" "enrichment_bucket" {
   bucket = var.enrichment_bucket_name
-}
-
-data "aws_ecr_repository" "enrichment_repo" {
-  name = split("/", var.corelight_cloud_enrichment_image)[1]
 }

eventbridge_primary.tf

@@ -56,5 +56,5 @@ resource "aws_cloudwatch_event_rule" "default_bus_ec2_state_change_rule_arn" {
 resource "aws_cloudwatch_event_target" "primary_bus_target_primary" {
   rule     = aws_cloudwatch_event_rule.default_bus_ec2_state_change_rule_arn.name
   arn      = aws_cloudwatch_event_bus.primary_bus.arn
-  role_arn = aws_iam_role.cross_region.arn
+  role_arn = var.eventbridge_iam_cross_region_role_arn
 }

examples/deployment/main.tf

@@ -49,17 +49,41 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "enrichment_bucket
 # Deploy the lambda and supporting resources for the primary region
 # Replace relative source with "source = github.com/corelight/terraform-aws-enrichment"
 ####################################################################################################
+data "aws_ecr_repository" "enrichment_repo" {
+  name = split("/", local.image_name)[1]
+}
+
+module "enrichment_eventbridge_role" {
+  source = "../../modules/iam/eventbridge"
+
+  primary_event_bus_arn = module.enrichment.primary_event_bus_arn
+
+  tags = local.tags
+}
+
+module "enrichment_lambda_role" {
+  source = "../../modules/iam/lambda"
+
+  enrichment_bucket_arn           = aws_s3_bucket.enrichment_bucket.arn
+  enrichment_ecr_repository_arn   = data.aws_ecr_repository.enrichment_repo.arn
+  lambda_cloudwatch_log_group_arn = module.enrichment.cloudwatch_log_group_arn
+
+  tags = local.tags
+}
+
 module "enrichment" {
   source = "../.."
 
   providers = {
     aws = aws.primary
   }
 
-  corelight_cloud_enrichment_image     = local.image_name
-  corelight_cloud_enrichment_image_tag = local.image_tag
-  enrichment_bucket_name               = aws_s3_bucket.enrichment_bucket.bucket
-  scheduled_sync_regions               = local.my_regions
+  corelight_cloud_enrichment_image      = local.image_name
+  corelight_cloud_enrichment_image_tag  = local.image_tag
+  enrichment_bucket_name                = aws_s3_bucket.enrichment_bucket.bucket
+  scheduled_sync_regions                = local.my_regions
+  eventbridge_iam_cross_region_role_arn = module.enrichment_eventbridge_role.cross_region_role_arn
+  lambda_iam_role_arn                   = module.enrichment_lambda_role.lambda_iam_role_arn
 
   tags = local.tags
 }
@@ -69,7 +93,7 @@ module "enrichment" {
 ####################################################################################################
 
 module "sensor_iam" {
-  source = "../../modules/sensor_iam"
+  source = "../../modules/iam/sensor"
 
   enrichment_bucket_arn = aws_s3_bucket.enrichment_bucket.arn
 
@@ -100,7 +124,7 @@ module "secondary_eventbridge_rule_us-east-2" {
     aws = aws.us-east-2
   }
 
-  cross_region_eventbridge_role_arn    = module.enrichment.cross_region_iam_role_arn
+  cross_region_eventbridge_role_arn    = module.enrichment_eventbridge_role.cross_region_role_arn
   primary_event_bus_arn                = module.enrichment.primary_event_bus_arn
   secondary_ec2_state_change_rule_name = "${local.secondary_rule_name}-us-east-2"
 
@@ -119,7 +143,7 @@ module "secondary_eventbridge_rule_us-west-1" {
     aws = aws.us-west-1
   }
 
-  cross_region_eventbridge_role_arn    = module.enrichment.cross_region_iam_role_arn
+  cross_region_eventbridge_role_arn    = module.enrichment_eventbridge_role.cross_region_role_arn
   primary_event_bus_arn                = module.enrichment.primary_event_bus_arn
   secondary_ec2_state_change_rule_name = "${local.secondary_rule_name}-us-west-1"
 
@@ -138,7 +162,7 @@ module "secondary_eventbridge_rule_us-west-2" {
     aws = aws.us-west-2
   }
 
-  cross_region_eventbridge_role_arn    = module.enrichment.cross_region_iam_role_arn
+  cross_region_eventbridge_role_arn    = module.enrichment_eventbridge_role.cross_region_role_arn
   primary_event_bus_arn                = module.enrichment.primary_event_bus_arn
   secondary_ec2_state_change_rule_name = "${local.secondary_rule_name}-us-west-2"
 

lambda.tf

@@ -7,11 +7,12 @@ resource "aws_cloudwatch_log_group" "log_group" {
 
 resource "aws_lambda_function" "enrichment_lambda" {
   function_name = var.lambda_name
-  role          = aws_iam_role.lambda_role.arn
+  role          = var.lambda_iam_role_arn
   image_uri     = "${var.corelight_cloud_enrichment_image}:${var.corelight_cloud_enrichment_image_tag}"
   package_type  = "Image"
   timeout       = var.lambda_timeout
   architectures = var.lambda_architecture
+
   environment {
     variables = {
       BUCKET_NAME   = var.enrichment_bucket_name

modules/iam/eventbridge/README.md

@@ -0,0 +1,36 @@
+# IAM Role
+An AWS IAM role needs to be created with the following assume role policy and permissions
+
+# Assume Role Policy
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "events.amazonaws.com"
+            },
+            "Action": "sts:AssumeRole"
+        }
+    ]
+}
+
+```
+
+# Permissions
+
+```json
+{
+    "Statement": [
+        {
+            "Action": [
+              "events:PutEvents"
+            ],
+            "Effect": "Allow",
+            "Resource": "{ARN primary eventbridge bus deployed in the main module}:*"
+        }
+    ],
+    "Version": "2012-10-17"
+}
+```

eventbridge_iam.tf → modules/iam/eventbridge/main.tf

@@ -28,7 +28,7 @@ resource "aws_iam_policy" "event_bus_put_events_on_central_bus" {
           "events:PutEvents"
         ]
         Effect   = "Allow"
-        Resource = [aws_cloudwatch_event_bus.primary_bus.arn]
+        Resource = [var.primary_event_bus_arn]
       }
     ]
   })

modules/iam/eventbridge/outputs.tf

@@ -0,0 +1,7 @@
+output "cross_region_role_arn" {
+  value = aws_iam_role.cross_region.arn
+}
+
+output "cross_region_policy_arn" {
+  value = aws_iam_policy.event_bus_put_events_on_central_bus.arn
+}

modules/iam/eventbridge/variables.tf

@@ -0,0 +1,23 @@
+variable "primary_event_bus_arn" {
+  description = "ARN of the primary event bus that all events will fan-in to"
+  type        = string
+}
+
+### Variables with defaults
+variable "cross_region_event_bus_policy_name" {
+  description = "Name of the Corelight Event Bus"
+  type        = string
+  default     = "corelight-primary-event-bus-policy"
+}
+
+variable "cross_region_event_bus_role_name" {
+  description = "Name of the IAM Role granting "
+  type        = string
+  default     = "corelight-cross-region-event-role"
+}
+
+variable "tags" {
+  description = "(optional) Any tags that should be applied to resources deployed by the module"
+  type        = object({})
+  default     = {}
+}

modules/iam/lambda/README.md

@@ -0,0 +1,67 @@
+# IAM Role
+An AWS IAM role needs to be created with the following assume role policy and permissions
+
+# Assume Role Policy
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "lambda.amazonaws.com"
+            },
+            "Action": "sts:AssumeRole"
+        }
+    ]
+}
+
+```
+
+# Permissions
+
+```json
+{
+  "Statement": [
+    {
+      "Action": [
+        "logs:PutLogEvents",
+        "logs:CreateLogStream"
+      ],
+      "Effect": "Allow",
+      "Resource": "{ARN of the log group the enrichment Lambda will use to create streams and write logs}:*"
+    },
+    {
+      "Action": [
+        "ec2:DescribeInstances",
+        "ec2:DescribeVpcs",
+        "ec2:DescribeVpcEndpoints"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "s3:GetObject",
+        "s3:PutObject",
+        "s3:ListObjects",
+        "s3:DeleteObject"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "{ARN of the S3 bucket used to store enrichment data}",
+        "{ARN of the S3 bucket used to store enrichment data}/*"
+      ]
+    },
+    {
+      "Action": [
+        "ecr:BatchGetImage",
+        "ecr:GetDownloadUrlForLayer"
+      ],
+      "Effect": "Allow",
+      "Resource": "{ARN of the ECR repository used to store the enrichment dockerhub image}"
+    }
+  ],
+  "Version": "2012-10-17"
+}
+```

lambda_iam.tf → modules/iam/lambda/main.tf

@@ -33,12 +33,11 @@ resource "aws_iam_policy" "lambda_access_policy" {
       },
       {
         Action = [
-          "logs:CreateLogGroup",
           "logs:CreateLogStream",
           "logs:PutLogEvents"
         ]
         Effect   = "Allow"
-        Resource = "${aws_cloudwatch_log_group.log_group.arn}:*"
+        Resource = "${var.lambda_cloudwatch_log_group_arn}:*"
       },
       {
         Action = [
@@ -49,8 +48,8 @@ resource "aws_iam_policy" "lambda_access_policy" {
         ]
         Effect = "Allow"
         Resource = [
-          data.aws_s3_bucket.enrichment_bucket.arn,
-          "${data.aws_s3_bucket.enrichment_bucket.arn}/*"
+          var.enrichment_bucket_arn,
+          "${var.enrichment_bucket_arn}/*"
         ]
       },
       {
@@ -59,7 +58,7 @@ resource "aws_iam_policy" "lambda_access_policy" {
           "ecr:GetDownloadUrlForLayer"
         ]
         Effect   = "Allow"
-        Resource = data.aws_ecr_repository.enrichment_repo.arn
+        Resource = var.enrichment_ecr_repository_arn
       }
 
     ]

modules/iam/lambda/outputs.tf

@@ -0,0 +1,7 @@
+output "lambda_iam_role_arn" {
+  value = aws_iam_role.lambda_role.arn
+}
+
+output "lambda_policy_arn" {
+  value = aws_iam_policy.lambda_access_policy.arn
+}

modules/iam/lambda/variables.tf

@@ -0,0 +1,34 @@
+variable "lambda_cloudwatch_log_group_arn" {
+  description = "ARN of the log group the Lambda will use to create streams and write logs"
+  type        = string
+}
+
+variable "enrichment_bucket_arn" {
+  description = "ARN of the s3 bucket cloud enrichment will use to store cloud resource data"
+  type        = string
+}
+
+variable "enrichment_ecr_repository_arn" {
+  description = "ARN of the ECR repository used to store the AWS enrichment docker image"
+  type        = string
+}
+
+
+# Variables with defaults
+variable "lambda_iam_role_name" {
+  description = "Name of the IAM role used to grant the cloud enrichment lambda permission to enumerate cloud resources and write results to the bucket"
+  type        = string
+  default     = "corelight-cloud-enrichment-lambda-role"
+}
+
+variable "lambda_iam_policy_name" {
+  description = "Name of the Lambda IAM policy"
+  type        = string
+  default     = "corelight-cloud-enrichment-lambda-policy"
+}
+
+variable "tags" {
+  description = "(optional) Any tags that should be applied to resources deployed by the module"
+  type        = object({})
+  default     = {}
+}