-
-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add new policy resources per DataDog docs #67
base: main
Are you sure you want to change the base?
Add new policy resources per DataDog docs #67
Conversation
/terratest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @StealthBadger747 - just a few small things
resource "aws_iam_policy" "resource_collection" { | ||
count = local.resource_collection_count | ||
name = module.resource_collection_label.id | ||
policy = data.aws_iam_policy_document.resource_collection[0].json |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
policy = data.aws_iam_policy_document.resource_collection[0].json | |
policy = join("", data.aws_iam_policy_document.resource_collection.*.json) |
|
||
resource "aws_iam_role_policy_attachment" "resource_collection" { | ||
count = local.resource_collection_count | ||
role = aws_iam_role.default[0].name |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
role = aws_iam_role.default[0].name | |
role = join("", aws_iam_role.default.*.name) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@joe-niland The new standard is
role = aws_iam_role.default[0].name | |
role = one(aws_iam_role.default[*].name) |
resource "aws_iam_role_policy_attachment" "resource_collection" { | ||
count = local.resource_collection_count | ||
role = aws_iam_role.default[0].name | ||
policy_arn = aws_iam_policy.resource_collection[0].arn |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
policy_arn = aws_iam_policy.resource_collection[0].arn | |
policy_arn = join("", aws_iam_policy.resource_collection.*.arn) |
@@ -126,3 +123,59 @@ resource "aws_iam_role_policy_attachment" "all" { | |||
role = join("", aws_iam_role.default.*.name) | |||
policy_arn = join("", aws_iam_policy.all.*.arn) | |||
} | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To be consistent, it would be good to have the below in iam_policy_resource-collection.tf
all_count = local.enabled && contains(split(",", lower(join(",", var.integrations))), "all") ? 1 : 0 | ||
integrations = split(",", lower(join(",", var.integrations))) | ||
all_count = local.enabled && contains(local.integrations, "all") ? 1 : 0 | ||
resource_collection_count = local.enabled && contains(local.integrations, "resource_collection") ? 1 : 0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should also move to iam_policy_resource-collection.tf
@joe-niland Do you think it would be appropriate to parameterize these permissions so that users can add permissions as needed for their environments instead of having hardcoded lists that need updating? Could be a similar pattern to providing a base set of permissions that can be added to per environment as needed |
@StealthBadger747 Thank you for this PR. It appears Datadog has made several changes/updates and we need to make some more significant changes. This will become a Major release, although I would like it to not have any breaking changes anyway. If you are up for it, please change as follows (and if you are not up for it, no problem, we will get to it eventually, but probably not soon, or maybe @RoseSecurity will want to do it): [ ] Style update: change all [ ] Deprecate To deprecate
To add variable "policies" {
type = list(string)
description = <<-EOT
List of Datadog's names for AWS IAM policies names to apply to the role.
Valid options are "core-integration", "full-integration", "resource-collection", "CSMP", "SecurityAudit", "everything".
"CSMP" is for Cloud Security Posture Management, which also requires "full-integration".
"SecurityAudit" is for the AWS-managed `SecurityAudit` Policy.
"everything" means all permissions for offerings.
EOT
} Create a For compatibility, map Consider "CSMP" an alias for "SecurityAudit". [ ] Rename the "all" policy "full-integration" and update it. Rename Update the policy reference to
Update the permissions ( full-integration permissions
[ ] Rename Update the policy reference to
Update the permissions ( [ ] Create Follow the pattern of resource-collection permissions
[ ] Create Skip most of the content of the other files. I think it can be just locals {
security_audit_count = local.enabled &&
(contains(var.policies, "CSPM") || contains(var.policies, "SecurityAudit")) ? 1 : 0
}
resource "aws_iam_role_policy_attachment" "security_audit" {
count = local.security_audit_count
role = one(aws_iam_role.default[*].name)
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See above
Just got caught up on my emails. @Nuru thanks for taking a look. I have personally deployed these changes in my workplace's environment at this point, but I would like to still see upstream changes. At the moment I'm a bit busy with some other issues internally, but I will be working on a lot of Datadog things next week so I might be able to get to this then. It looks like I can implement these changes. I would also be happy to sync with @RoseSecurity if they might want to pick this up, or take more suggestions. |
what
why
I saw the following on my DataDog AWS Integration page: