├── variables.tf
├── img
    ├── epsagon_dashboard.png
    └── cloudformation_params.png
├── main.tf
├── README.md
├── iam-policy.json
└── native
    └── epsagon-native.tf


/variables.tf:
--------------------------------------------------------------------------------
1 | variable "epsagon_external_id" {
2 |   type        = string
3 |   description = "Epsagon AWS external ID"
4 | }
5 | 


--------------------------------------------------------------------------------
/img/epsagon_dashboard.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/epsagon/epsagon-terraform-existing-cloudtrail/main/img/epsagon_dashboard.png


--------------------------------------------------------------------------------
/img/cloudformation_params.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/epsagon/epsagon-terraform-existing-cloudtrail/main/img/cloudformation_params.png


--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_cloudformation_stack" "epsagon" {
 2 |   name = "epsagon"
 3 | 
 4 |   template_url = "https://s3.amazonaws.com/epsagon/template_existing_cloudtrail.json"
 5 |   capabilities = ["CAPABILITY_NAMED_IAM"]
 6 | 
 7 |   parameters = {
 8 |     ExternalId         = "${var.epsagon_external_id}"
 9 |   }
10 | }
11 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Epsagon Terraform AWS Integration - Existing Cloudtrail
 2 | 
 3 | Note: Only use this module if you already have an existing cloudtrail in your epsagon account.
 4 | Otherwise, check out our [regular terraform integration](https://github.com/epsagon/epsagon-terraform)
 5 | 
 6 | Setup Epsagon <-> AWS integration module
 7 | 
 8 | This module provides the ability to setup Epsagon integration via Terraform. This module will setup the following:
 9 | 
10 | - Cross account IAM role for Epsagon
11 | 
12 | ## Usage
13 | 
14 | To use this module you need to create a Terraform configuration that utilizes this module. A basic example configuration would look as follows (Be sure to adjust the git ref in the source value appropriately):
15 | 
16 | ```hcl
17 | module "epsagon_aws_integration" {
18 |   source                    = "github.com/epsagon/epsagon-terraform-existing-cloudtrail?ref=1.0.0"
19 |   epsagon_external_id       = "<EPSAGON_AWS_EXTERNAL_ID>"
20 | }
21 | ```
22 | 
23 | Run Terraform, all resources will be created and Epsagon will be configured without manual intervention.
24 | 
25 | ## Parameters
26 | 
27 | To find the right value to set for the External ID Epsagon parameter, go to your [Epsagon settings](https://dashboard.epsagon.com/settings/cloudformation) and click the CloudFormation deploy button:
28 | 
29 | ![Epsagon dashboard](./img/epsagon_dashboard.png)
30 | 
31 | Then copy the ExternalID into your Terraform file:
32 | 
33 | ![CloudFormation parameters](./img/cloudformation_params.png)
34 | 
35 | ## IAM Requirements
36 | 
37 | See `iam-policy.json` in this repository for an IAM policy that is sufficient to allow the terraform module to execute
38 | 


--------------------------------------------------------------------------------
/iam-policy.json:
--------------------------------------------------------------------------------
  1 | {
  2 |     "Version": "2012-10-17",
  3 |     "Statement": [
  4 |         {
  5 |             "Effect": "Allow",
  6 |             "Action": [
  7 |                 "s3:ListBucket",
  8 |                 "s3:ListAllMyBuckets"
  9 |             ],
 10 |             "Resource": [
 11 |                 "arn:aws:s3:::*"
 12 |             ]
 13 |         },
 14 |         {
 15 |             "Effect": "Allow",
 16 |             "Action": [
 17 |                 "s3:CreateBucket",
 18 |                 "s3:DeleteBucket",
 19 |                 "s3:DeleteBucketPolicy",
 20 |                 "s3:GetAccelerateConfiguration",
 21 |                 "s3:GetBucket*",
 22 |                 "s3:GetEncryptionConfiguration",
 23 |                 "s3:GetLifecycleConfiguration",
 24 |                 "s3:GetReplicationConfiguration",
 25 |                 "s3:ListBucket",
 26 |                 "s3:ListAllMyBuckets",
 27 |                 "s3:ListBucketVersions",
 28 |                 "s3:PutBucketAcl",
 29 |                 "s3:PutBucketCORS",
 30 |                 "s3:PutBucketLogging",
 31 |                 "s3:PutBucketPolicy",
 32 |                 "s3:PutBucketTagging",
 33 |                 "s3:PutBucketVersioning",
 34 |                 "s3:PutBucketWebsite",
 35 |                 "s3:PutEncryptionConfiguration",
 36 |                 "s3:PutLifecycleConfiguration",
 37 |                 "s3:PutReplicationConfiguration"
 38 |             ],
 39 |             "Resource": [
 40 |                 "arn:aws:s3:::epsagon-trail-bucket*"
 41 |             ]
 42 |         },
 43 |         {
 44 |             "Effect": "Allow",
 45 |             "Action": [
 46 |                 "cloudformation:CreateStack",
 47 |                 "cloudformation:CreateUploadBucket",
 48 |                 "cloudformation:DeleteStack",
 49 |                 "cloudformation:Describe*",
 50 |                 "cloudformation:GetTemplate",
 51 |                 "cloudformation:UpdateStack"
 52 |             ],
 53 |             "Resource": [
 54 |                 "arn:aws:cloudformation:*:*:stack/epsagon/*"
 55 |             ]
 56 |         },
 57 |         {
 58 |             "Effect": "Allow",
 59 |             "Action": [
 60 |                 "cloudtrail:DescribeTrails"
 61 |             ],
 62 |             "Resource": "*"
 63 |         },
 64 |         {
 65 |             "Effect": "Allow",
 66 |             "Action": [
 67 |                 "cloudtrail:CreateTrail",
 68 |                 "cloudtrail:DeleteTrail",
 69 |                 "cloudtrail:GetEventSelectors",
 70 |                 "cloudtrail:PutEventSelectors",
 71 |                 "cloudtrail:StartLogging",
 72 |                 "cloudtrail:StopLogging"
 73 |             ],
 74 |             "Resource": "arn:aws:cloudtrail:*:*:trail/EpsagonMonitoringTrail"
 75 |         },
 76 |         {
 77 |             "Effect": "Allow",
 78 |             "Action": [
 79 |                 "logs:DescribeLogStreams",
 80 |                 "logs:DescribeLogGroups",
 81 |                 "logs:FilterLogEvents"
 82 |             ],
 83 |             "Resource": [
 84 |                 "*"
 85 |             ]
 86 |         },
 87 |         {
 88 |             "Effect": "Allow",
 89 |             "Action": [
 90 |                 "logs:CreateLogGroup",
 91 |                 "logs:DeleteLogGroup",
 92 |                 "logs:PutRetentionPolicy"
 93 |             ],
 94 |             "Resource": [
 95 |                 "arn:aws:logs:*:*:log-group:EpsagonMonitoringLogGroup:log-stream:"
 96 |             ]
 97 |         },
 98 |         {
 99 |             "Effect": "Allow",
100 |             "Action": [
101 |                 "SNS:Publish"
102 |             ],
103 |             "Resource": [
104 |                 "arn:aws:sns:*:*:cloudformation-status-production"
105 |             ]
106 |         },
107 |         {
108 |             "Effect": "Allow",
109 |             "Sid": "DatastoreTerraformLogRole",
110 |             "Action": [
111 |                 "iam:GetRole",
112 |                 "iam:CreateRole",
113 |                 "iam:DeleteRole",
114 |                 "iam:AttachRolePolicy",
115 |                 "iam:DetachRolePolicy",
116 |                 "iam:GetRolePolicy",
117 |                 "iam:PutRolePolicy",
118 |                 "iam:DeleteRolePolicy",
119 |                 "iam:CreateServiceLinkedRole",
120 |                 "iam:ListAttachedRolePolicies",
121 |                 "iam:ListInstanceProfilesForRole",
122 |                 "iam:TagRole",
123 |                 "iam:PassRole"
124 |             ],
125 |             "Resource": [
126 |                 "arn:aws:iam::*:role/epsagon-EpsagonCloudTrailToCloudWatchLogsRole-*",
127 |                 "arn:aws:iam::*:role/EpsagonRole"
128 |             ]
129 |         }
130 |     ]
131 | }


--------------------------------------------------------------------------------
/native/epsagon-native.tf:
--------------------------------------------------------------------------------
  1 | data "aws_caller_identity" "current" {}
  2 | 
  3 | locals {
  4 |   epsagon_trail_bucket_name = aws_s3_bucket.epsagon_trail_bucket.id
  5 | }
  6 | 
  7 | variable "epsagon_aws_account_id" {}
  8 | variable "epsagon_external_id" {}
  9 | variable "region" {}
 10 | 
 11 | resource "aws_s3_bucket" "epsagon_trail_bucket" {
 12 |   bucket = "epsagon-trail-bucket"
 13 |   acl    = "private"
 14 |   lifecycle_rule {
 15 |     expiration {
 16 |       days = 1
 17 |     }
 18 |     enabled = true
 19 |   }
 20 | }
 21 | 
 22 | resource "aws_s3_bucket_policy" "epsagon_trail_bucket_policy" {
 23 |   bucket = local.epsagon_trail_bucket_name
 24 |   policy = <<POLICY
 25 | {
 26 |   "Version": "2012-10-17",
 27 |   "Id": "epsagon_trail_bucket_policy",
 28 |   "Statement": [
 29 |     {
 30 |       "Sid": "GetBucket",
 31 |       "Effect": "Allow",
 32 |       "Principal": {
 33 |         "Service": [
 34 |           "cloudtrail.amazonaws.com"
 35 |         ]
 36 |       },
 37 |       "Action": "s3:GetBucket*",
 38 |       "Resource": "arn:aws:s3:::${local.epsagon_trail_bucket_name}"
 39 |     },
 40 |      {
 41 |       "Sid": "PutObject",
 42 |       "Effect": "Allow",
 43 |       "Principal": {
 44 |         "Service": [
 45 |           "cloudtrail.amazonaws.com"
 46 |         ]
 47 |       },
 48 |       "Action": "s3:PutObject*",
 49 |       "Resource": "arn:aws:s3:::${local.epsagon_trail_bucket_name}/*"
 50 |     }   
 51 |   ]
 52 | }
 53 | POLICY
 54 | }
 55 | 
 56 | resource "aws_cloudwatch_log_group" "epsagon_monitoring_log_group" {
 57 |   name              = "epsagon_monitoring_log_group"
 58 |   retention_in_days = 1
 59 | }
 60 | 
 61 | resource "aws_iam_role" "epsagon_cloudtrail_to_cloudwatch_logs_role" {
 62 |   name               = "epsagon_cloudtrail_to_cloudwatch_logs_role"
 63 |   assume_role_policy = <<POLICY
 64 | {
 65 |   "Version": "2012-10-17",
 66 |   "Statement": [
 67 |     {
 68 |       "Effect": "Allow",
 69 |       "Principal": {
 70 |         "Service": [
 71 |           "cloudtrail.amazonaws.com"
 72 |         ]
 73 |       },
 74 |       "Action": [
 75 |         "sts:AssumeRole"
 76 |       ]
 77 |     }
 78 |   ]
 79 | }
 80 | POLICY
 81 | }
 82 | 
 83 | resource "aws_iam_policy" "epsagon_cloudtrail_to_cloudwatch_logs_role_policy" {
 84 |   name   = "epsagon_cloudtrail_to_cloudwatch_logs_role_policy"
 85 |   policy = <<POLICY
 86 | {
 87 |   "Version": "2012-10-17",
 88 |   "Statement": [
 89 |     {
 90 |       "Effect": "Allow",
 91 |       "Action": [
 92 |         "logs:PutLogEvents",
 93 |         "logs:CreateLogStream"
 94 |       ],
 95 |       "Resource": "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:epsagon_monitoring_log_group:log-stream:*"
 96 |     }
 97 |   ]
 98 | }
 99 | POLICY
100 | }
101 | 
102 | resource "aws_iam_role_policy_attachment" "epsagon_cloudtrail_to_cloudwatch_logs_role_policy_attachment" {
103 |   role       = aws_iam_role.epsagon_cloudtrail_to_cloudwatch_logs_role.name
104 |   policy_arn = aws_iam_policy.epsagon_cloudtrail_to_cloudwatch_logs_role_policy.arn
105 | }
106 | 
107 | resource "aws_cloudtrail" "epsagon_cloudtrail" {
108 |   name                       = "epsagon_monitoring_trail"
109 |   s3_bucket_name             = local.epsagon_trail_bucket_name
110 |   cloud_watch_logs_group_arn = aws_cloudwatch_log_group.epsagon_monitoring_log_group.arn
111 |   cloud_watch_logs_role_arn  = aws_iam_role.epsagon_cloudtrail_to_cloudwatch_logs_role.arn
112 |   is_multi_region_trail      = true
113 |   event_selector {
114 |     read_write_type = "WriteOnly"
115 |   }
116 |   depends_on = [
117 |     aws_s3_bucket_policy.epsagon_trail_bucket_policy,
118 |     aws_s3_bucket.epsagon_trail_bucket
119 |   ]
120 | 
121 | }
122 | 
123 | resource "aws_iam_role" "epsagon_role" {
124 |   name               = "epsagon_role"
125 |   assume_role_policy = <<POLICY
126 | {
127 |   "Version": "2012-10-17",
128 |   "Statement": [
129 |     {
130 |       "Sid": "AllowEpsagon",
131 |       "Effect": "Allow",
132 |       "Principal": {
133 |         "AWS": [
134 |           "${var.epsagon_aws_account_id}"
135 |         ]
136 |       },
137 |       "Condition": {
138 |         "StringEquals": {
139 |           "sts:ExternalId":
140 |             "${var.epsagon_external_id}"
141 |         }
142 |       },      
143 |       "Action": [
144 |         "sts:AssumeRole"
145 |       ]
146 |     },
147 |     {
148 |       "Sid": "AllowAppsync",
149 |       "Effect": "Allow",
150 |       "Principal": {
151 |         "Service": "appsync.amazonaws.com"
152 |       },
153 |       "Action": "sts:AssumeRole"
154 |     }    
155 |   ]
156 | }
157 | POLICY
158 | }
159 | 
160 | resource "aws_iam_policy" "epsagon_role_policy" {
161 |   name   = "epsagon_role_policy"
162 |   policy = <<POLICY
163 | {
164 |   "Version": "2012-10-17",
165 | 
166 |   "Statement": [
167 |     {
168 |       "Effect": "Allow",
169 |       "Action": [
170 |         "apigateway:GET",
171 |         "appsync:GetDataSource",
172 |         "appsync:GetGraphqlApi",
173 |         "appsync:GetIntrospectionSchema",
174 |         "appsync:GetResolver",
175 |         "appsync:GetSchemaCreationStatus",
176 |         "appsync:GetType",
177 |         "appsync:GraphQL",
178 |         "appsync:ListApiKeys",
179 |         "appsync:ListDataSources",
180 |         "appsync:ListGraphqlApis",
181 |         "appsync:ListResolvers",
182 |         "appsync:ListTypes",
183 |         "appsync:UpdateGraphqlAPI",
184 |         "appsync:UpdateResolver",
185 |         "appsync:UpdateType",        
186 |         "batch:Describe*",
187 |         "cloudwatch:Get*",
188 |         "cloudwatch:List*",
189 |         "ec2:Describe*",
190 |         "ec2:Get*",
191 |         "ecs:Describe*",
192 |         "ecs:List*",
193 |         "events:PutRule",
194 |         "events:PutTargets",
195 |         "iam:ListAccountAliases",
196 |         "lambda:Get*",
197 |         "lambda:List*",
198 |         "logs:CreateLogGroup",
199 |         "logs:CreateLogStream",
200 |         "logs:DeleteSubscriptionFilter",
201 |         "logs:DescribeLogGroups",
202 |         "logs:DescribeLogStreams",
203 |         "logs:DescribeSubscriptionFilters",
204 |         "logs:FilterLogEvents",
205 |         "logs:PutLogEvents",
206 |         "logs:PutSubscriptionFilter",
207 |         "states:Describe*",
208 |         "states:Get*",
209 |         "states:List*",
210 |         "xray:BatchGet*",
211 |         "xray:Get*"
212 |       ],
213 |       "Resource": "*"
214 |     },
215 |     {
216 |       "Effect": "Allow",
217 |       "Action": "iam:PassRole",
218 |       "Resource": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/epsagon_role_policy"
219 |     }
220 |   ]
221 | }
222 | POLICY
223 | }
224 | 
225 | resource "aws_iam_role_policy_attachment" "epsagon_role_policy_attachment" {
226 |   role       = aws_iam_role.epsagon_role.name
227 |   policy_arn = aws_iam_policy.epsagon_role_policy.arn
228 | }
229 | 


--------------------------------------------------------------------------------