Aws Flow module

examples/aws_account/README.md

@@ -14,7 +14,7 @@ No providers.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_aws_account_dev"></a> [aws\_account\_dev](#module\_aws\_account\_dev) | github.com/illumio/terraform-illumio-cloudsecure//modules/aws_account | v1.1.1 |
+| <a name="module_aws_account_dev"></a> [aws\_account\_dev](#module\_aws\_account\_dev) | github.com/illumio/terraform-illumio-cloudsecure//modules/aws_account | v1.2.0 |
 
 ## Resources
 

examples/aws_account/main.tf

@@ -8,7 +8,7 @@ provider "illumio-cloudsecure" {
 }
 
 module "aws_account_dev" {
-  source        = "github.com/illumio/terraform-illumio-cloudsecure//modules/aws_account?ref=v1.1.1"
+  source        = "github.com/illumio/terraform-illumio-cloudsecure//modules/aws_account?ref=v1.2.0"
   name          = "Test Account"
   tags = {
       Name  = "CloudSecure Account Policy"

examples/aws_account/variables.tf

@@ -2,7 +2,7 @@ variable "illumio_cloudsecure_client_id" {
   type        = string
   description = "The OAuth 2 client identifier used to authenticate against the CloudSecure Config API."
   validation {
-    condition     = length(var.name) > 1
+    condition     = length(var.illumio_cloudsecure_client_id) > 1
     error_message = "The illumio_cloudsecure_client_id value must not be empty."
   }
 }
@@ -12,7 +12,7 @@ variable "illumio_cloudsecure_client_secret" {
   sensitive   = true
   description = "The OAuth 2 client secret used to authenticate against the CloudSecure Config API."
   validation {
-    condition     = length(var.name) > 1
+    condition     = length(var.illumio_cloudsecure_client_secret) > 1
     error_message = "The illumio_cloudsecure_client_secret value must not be empty."
   }
 }

examples/aws_flows/README.md

@@ -0,0 +1,35 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~>3.0 |
+| <a name="requirement_illumio-cloudsecure"></a> [illumio-cloudsecure](#requirement\_illumio-cloudsecure) | ~> 1.0.11 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_aws_flows_dev"></a> [aws\_flows\_dev](#module\_aws\_flows\_dev) | github.com/illumio/terraform-illumio-cloudsecure//modules/aws_flows | v1.2.0 |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_flow_logs_bucket_arns"></a> [flow\_logs\_bucket\_arns](#input\_flow\_logs\_bucket\_arns) | List of S3 buckets having flow logs | `list(string)` | n/a | yes |
+| <a name="input_illumio_cloudsecure_client_id"></a> [illumio\_cloudsecure\_client\_id](#input\_illumio\_cloudsecure\_client\_id) | The OAuth 2 client identifier used to authenticate against the CloudSecure Config API. | `string` | n/a | yes |
+| <a name="input_illumio_cloudsecure_client_secret"></a> [illumio\_cloudsecure\_client\_secret](#input\_illumio\_cloudsecure\_client\_secret) | The OAuth 2 client secret used to authenticate against the CloudSecure Config API. | `string` | n/a | yes |
+| <a name="input_illumio_cloudsecure_role_arn"></a> [illumio\_cloudsecure\_role\_arn](#input\_illumio\_cloudsecure\_role\_arn) | The ARN of the IAM role granted to the CloudSecure account. | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

examples/aws_flows/main.tf

@@ -0,0 +1,14 @@
+provider "aws" {
+  region = "us-west-1"
+}
+
+provider "illumio-cloudsecure" {
+  client_id     = var.illumio_cloudsecure_client_id
+  client_secret = var.illumio_cloudsecure_client_secret
+}
+
+module "aws_flows_dev" {
+  source        = "github.com/illumio/terraform-illumio-cloudsecure//modules/aws_flows?ref=v1.2.0"
+  role_arn      = var.illumio_cloudsecure_role_arn
+  flow_logs_bucket_arns = var.flow_logs_bucket_arns
+}

examples/aws_flows/variables.tf

@@ -0,0 +1,37 @@
+variable "flow_logs_bucket_arns" {
+  type        = list(string)
+  description = "List of S3 buckets having flow logs"
+  validation {
+    condition     = length(var.flow_logs_bucket_arns) > 0
+    error_message = "The flow_logs_bucket_arns value must not be empty."
+  }
+}
+
+variable "illumio_cloudsecure_client_id" {
+  type        = string
+  description = "The OAuth 2 client identifier used to authenticate against the CloudSecure Config API."
+  validation {
+    condition     = length(var.illumio_cloudsecure_client_id) > 1
+    error_message = "The illumio_cloudsecure_client_id value must not be empty."
+  }
+}
+
+variable "illumio_cloudsecure_client_secret" {
+  type        = string
+  sensitive   = true
+  description = "The OAuth 2 client secret used to authenticate against the CloudSecure Config API."
+  validation {
+    condition     = length(var.illumio_cloudsecure_client_secret) > 1
+    error_message = "The illumio_cloudsecure_client_secret value must not be empty."
+  }
+}
+
+variable "illumio_cloudsecure_role_arn" {
+  type        = string
+  description = "The ARN of the IAM role granted to the CloudSecure account."
+  validation {
+    condition     = length(var.illumio_cloudsecure_role_arn) > 1
+    error_message = "The illumio_cloudsecure_role_arn value must not be empty."
+  }
+}
+

examples/aws_flows/versions.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    illumio-cloudsecure = {
+      source  = "illumio/illumio-cloudsecure"
+      version = "~> 1.0.11"
+    }
+    aws = {
+      source = "hashicorp/aws"
+      version = "~>3.0"
+    }
+  }
+}

examples/k8s_cluster/README.md

@@ -14,7 +14,7 @@ No providers.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_k8s_cluster_dev"></a> [k8s\_cluster\_dev](#module\_k8s\_cluster\_dev) | github.com/illumio/terraform-illumio-cloudsecure//modules/k8s_cluster | v1.1.1 |
+| <a name="module_k8s_cluster_dev"></a> [k8s\_cluster\_dev](#module\_k8s\_cluster\_dev) | github.com/illumio/terraform-illumio-cloudsecure//modules/k8s_cluster | v1.2.0 |
 
 ## Resources
 

examples/k8s_cluster/main.tf

@@ -10,7 +10,7 @@ provider "illumio-cloudsecure" {
 }
 
 module "k8s_cluster_dev" {
-  source            = "github.com/illumio/terraform-illumio-cloudsecure//modules/k8s_cluster?ref=v1.1.1"
+  source            = "github.com/illumio/terraform-illumio-cloudsecure//modules/k8s_cluster?ref=v1.2.0"
   illumio_region    = "aws-us-west-2"
   name              = "example-release"
   description       = "Dev cluster in aws-us-west-2"

modules/aws_account/README.md

@@ -27,7 +27,7 @@ No modules.
 | [aws_iam_role_policy.protection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [illumio-cloudsecure_aws_account.account](https://registry.terraform.io/providers/illumio/illumio-cloudsecure/latest/docs/resources/aws_account) | resource |
-| [random_uuid.role_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
+| [random_password.role_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_organizations_organization.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
@@ -47,4 +47,5 @@ No modules.
 | Name | Description |
 |------|-------------|
 | <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | The ARN of the IAM role granted to the CloudSecure account. |
+| <a name="output_role_name"></a> [role\_name](#output\_role\_name) | The name of the IAM role granted to the CloudSecure account. |
 <!-- END_TF_DOCS -->

modules/aws_account/main.tf

@@ -17,7 +17,12 @@ terraform {
 
 data "aws_partition" "current" {}
 
-resource "random_uuid" "role_secret" {}
+resource "random_password" "role_secret" {
+  length  = 36
+  special = false
+  upper   = false
+  min_numeric = 6
+}
 
 resource "aws_iam_role_policy" "read" {
   name = "${var.iam_name_prefix}Policy"
@@ -157,7 +162,7 @@ resource "aws_iam_role" "role" {
         Action    = "sts:AssumeRole"
         Condition = {
           StringEquals = {
-            "sts:ExternalId" = random_uuid.role_secret.result
+            "sts:ExternalId" = random_password.role_secret.result
           }
         }
       }
@@ -182,5 +187,5 @@ resource "illumio-cloudsecure_aws_account" "account" {
   name             = var.name
   organization_id  = data.aws_organizations_organization.current.id
   role_arn         = aws_iam_role.role.arn
-  role_external_id = random_uuid.role_secret.result
+  role_external_id = random_password.role_secret.result
 }

modules/aws_account/outputs.tf

@@ -1,4 +1,9 @@
 output "role_arn" {
   value       = aws_iam_role.role.arn
   description = "The ARN of the IAM role granted to the CloudSecure account."
+}
+
+output "role_name" {
+  value       = aws_iam_role.role.name
+  description = "The name of the IAM role granted to the CloudSecure account."
 }

modules/aws_flows/README.md

@@ -0,0 +1,41 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 3.0 |
+| <a name="requirement_illumio-cloudsecure"></a> [illumio-cloudsecure](#requirement\_illumio-cloudsecure) | ~> 1.0.11 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 3.0 |
+| <a name="provider_illumio-cloudsecure"></a> [illumio-cloudsecure](#provider\_illumio-cloudsecure) | ~> 1.0.11 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_role_policy.IllumioCloudBucketListPolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.IllumioCloudBucketReadPolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [illumio-cloudsecure_aws_flow_logs_s3_bucket.buckets](https://registry.terraform.io/providers/illumio/illumio-cloudsecure/latest/docs/resources/aws_flow_logs_s3_bucket) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_role.illumio_cloud_integration_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_flow_logs_bucket_arns"></a> [flow\_logs\_bucket\_arns](#input\_flow\_logs\_bucket\_arns) | List of S3 buckets having flow logs | `list(string)` | n/a | yes |
+| <a name="input_role_name"></a> [role\_name](#input\_role\_name) | The name of the IAM role granted to the CloudSecure account. | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

modules/aws_flows/main.tf

@@ -0,0 +1,77 @@
+terraform {
+  required_providers {
+    illumio-cloudsecure = {
+      source  = "illumio/illumio-cloudsecure"
+      version = "~> 1.0.11"
+    }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.0"
+    }
+  }
+}
+
+locals {
+  # Extract just the bucket ARN (without paths) for ListBucket actions
+  flow_logs_bucket_list = [
+    for bucket_arn in var.flow_logs_bucket_arns : regex("^arn:aws:s3:::[^/]+", bucket_arn)
+  ]
+
+  # Use the full ARN with path for GetObject actions
+  flow_logs_bucket_read = [
+    for bucket_arn in var.flow_logs_bucket_arns : "${bucket_arn}/*"
+  ]
+}
+
+data "aws_iam_role" "illumio_cloud_integration_role" {
+  name = var.role_name
+}
+
+resource "aws_iam_role_policy" "IllumioCloudBucketListPolicy" {
+  count = length(local.flow_logs_bucket_list) > 0 ? 1 : 0
+  name  = "IllumioCloudBucketListPolicy"
+  role  = data.aws_iam_role.illumio_cloud_integration_role.id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Sid    = "IllumioBucketListAccess"
+      Action = [
+        "s3:ListBucket",
+        "s3:ListBucketVersion",
+        "s3:GetBucketLocation"
+      ]
+      Resource = local.flow_logs_bucket_list
+    }]
+  })
+}
+
+resource "aws_iam_role_policy" "IllumioCloudBucketReadPolicy" {
+  count = length(local.flow_logs_bucket_read) > 0 ? 1 : 0
+  name  = "IllumioCloudBucketReadPolicy"
+  role  = data.aws_iam_role.illumio_cloud_integration_role.id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Sid    = "IllumioBucketReadAccess"
+      Action = ["s3:GetObject"]
+      Resource = local.flow_logs_bucket_read
+    }]
+  })
+}
+
+# Data source to get the AWS account ID.
+data "aws_caller_identity" "current" {}
+
+
+// Onboards this AWS account with CloudSecure.
+resource "illumio-cloudsecure_aws_flow_logs_s3_bucket" "buckets" {
+  for_each = toset(var.flow_logs_bucket_arns)
+  account_id       = data.aws_caller_identity.current.account_id
+  s3_bucket_arn    = each.key
+}

modules/aws_flows/variables.tf

@@ -0,0 +1,17 @@
+variable "flow_logs_bucket_arns" {
+  description = "List of S3 buckets having flow logs"
+  type        = list(string)
+  validation {
+    condition     = length(var.flow_logs_bucket_arns) > 0
+    error_message = "The flow_logs_bucket_arns value must not be empty."
+  }
+}
+
+variable "role_name" {
+  description = "The name of the IAM role granted to the CloudSecure account."
+  type        = string
+  validation {
+    condition     = length(var.role_name) > 1
+    error_message = "The role_name value must not be empty."
+  }
+}