initial commit

Author: dawhalen

.circleci/config.yml

@@ -0,0 +1,67 @@
+---
+version: 2.1
+
+orbs:
+  terraform: circleci/[email protected]
+
+workflows:
+  validate-and-security-scan:
+    jobs:
+      - checkout-code:
+          filters:
+            branches:
+              only:
+                - /.*/
+            tags:
+              ignore:
+                - /.*/
+      - validate:
+          requires:
+            - checkout-code
+          filters:
+            branches:
+              only:
+                - /.*/
+            tags:
+              ignore:
+                - /.*/
+      - security-scan:
+          requires:
+            - validate
+          filters:
+            branches:
+              only:
+                - /.*/
+            tags:
+              ignore:
+                - /.*/
+
+jobs:
+  checkout-code:
+    docker:
+      - image: cimg/base:2022.02
+    steps:
+      - checkout
+      - persist_to_workspace:
+          root: .
+          paths:
+            - "./*"
+  validate:
+    executor:
+      name: terraform/default
+      tag: "1.1.3"
+    steps:
+      - attach_workspace:
+          at: .
+      - terraform/fmt
+      - terraform/validate
+  security-scan:
+    docker:
+      - image: aquasec/tfsec-ci:v1.0
+        user: root
+    steps:
+      - attach_workspace:
+          at: .
+      - run:
+          name: perform security scan
+          command: tfsec .

.gitignore

@@ -0,0 +1,27 @@
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+*.terraform.lock.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

.terraform-docs.yaml

@@ -0,0 +1,20 @@
+formatter: "markdown table"
+
+sort:
+  enabled: true
+  by: required
+
+content: |-
+  {{ .Requirements }}
+  {{ .Providers }}
+  {{ .Inputs }}
+  {{ .Outputs }}
+  {{ .Resources }}
+
+output:
+  file: README.md
+  mode: inject
+  template: |-
+    <!-- begin-tf-docs -->
+    {{ .Content }}
+    <!-- end-tf-docs -->

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 Expel, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -0,0 +1,2 @@
+docs:
+	terraform-docs ./

README.md

@@ -0,0 +1,85 @@
+# terraform-aws-eks
+Terraform module for configuring Amazon EKS to integrate with [Expel Workbench](https://workbench.expel.io/).
+
+Configures a CloudWatch subscription filter to send data to a Kinesis data stream that
+[Expel Workbench](https://workbench.expel.io/) consumes.
+
+## Usage
+```hcl
+module "expel_aws_eks" {
+  source  = "expel-io/cloudtrail/eks"
+  version = "1.1.0"
+
+  expel_customer_organization_guid = "Replace with your organization GUID from Expel Workbench"
+  region = "AWS region in which Kinesis data stream will be created"
+}
+```
+Once you have configured your AWS environment, go to
+https://workbench.expel.io/settings/security-devices?setupIntegration=aws and create an AWS EKS
+security device to enable Expel to begin monitoring your AWS environment.
+
+## Permissions
+The permissions allocated by this module allow Expel Workbench to perform investigations and get a broad understanding of your AWS footprint.
+
+## Limitations
+1. Only supports onboarding a single AWS account, not an entire AWS Organization.
+2. Will always create a new CloudWatch subscription filter (AWS has a limit of 2 subscription filters per CloudWatch log group)
+3. Will always create a new Kinesis data stream.
+4. Does not modify cluster configuration to grant Expel's IAM role read-only access (must be done separately)
+
+See Expel's Getting Started Guide for Amazon EKS for options if you
+have an AWS Organization or already have a Kinesis data stream you want to re-use.
+
+<!-- begin-tf-docs -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0.0 |
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.9.0 |
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_eks_log_group_name"></a> [eks\_log\_group\_name](#input\_eks\_log\_group\_name) | The EKS log group name to integrate with Expel Workbench. | `string` | n/a | yes |
+| <a name="input_expel_customer_organization_guid"></a> [expel\_customer\_organization\_guid](#input\_expel\_customer\_organization\_guid) | Expel customer's organization GUID assigned to you by Expel. You can find it in your browser URL after navigating to Settings > My Organization in Workbench. | `string` | n/a | yes |
+| <a name="input_enable_stream_encryption"></a> [enable\_stream\_encryption](#input\_enable\_stream\_encryption) | Optionally encrypt data in the Kinesis stream with a Kinesis-owned KMS key. | `bool` | `true` | no |
+| <a name="input_expel_assume_role_session_name"></a> [expel\_assume\_role\_session\_name](#input\_expel\_assume\_role\_session\_name) | The session name Expel will use when authenticating. | `string` | `"ExpelEKSServiceSession"` | no |
+| <a name="input_expel_aws_account_arn"></a> [expel\_aws\_account\_arn](#input\_expel\_aws\_account\_arn) | Expel's AWS Account ARN to allow assuming role to gain EKS access. | `string` | `"arn:aws:iam::012205512454:user/ExpelCloudService"` | no |
+| <a name="input_prefix"></a> [prefix](#input\_prefix) | A prefix to group all Expel integration resources. | `string` | `"expel-aws-eks"` | no |
+| <a name="input_stream_capacity_mode"></a> [stream\_capacity\_mode](#input\_stream\_capacity\_mode) | The data stream capacity mode: ON\_DEMAND (recommended) or PROVISIONED. See: https://docs.aws.amazon.com/streams/latest/dev/how-do-i-size-a-stream.html | `string` | `"ON_DEMAND"` | no |
+| <a name="input_stream_retention_hours"></a> [stream\_retention\_hours](#input\_stream\_retention\_hours) | The number of hours data will be retained in the stream. See: https://docs.aws.amazon.com/streams/latest/dev/kinesis-extended-retention.html | `number` | `1` | no |
+| <a name="input_stream_shard_count"></a> [stream\_shard\_count](#input\_stream\_shard\_count) | The number of shards for the Kinesis stream. Only required if `stream_capacity_mode` is `PROVISIONED`. See: https://docs.aws.amazon.com/streams/latest/dev/how-do-i-size-a-stream.html | `number` | `null` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | A set of tags to group resources. | `map` | `{}` | no |
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_aws_region"></a> [aws\_region](#output\_aws\_region) | The AWS Region where the Kinesis resources exist |
+| <a name="output_kinesis_stream_name"></a> [kinesis\_stream\_name](#output\_kinesis\_stream\_name) | Name of the Kinesis data stream Expel will consume from |
+| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | IAM Role ARN of the role for Expel to assume to access Kinesis data |
+| <a name="output_role_session_name"></a> [role\_session\_name](#output\_role\_session\_name) | The session name Expel will use when authenticating |
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_subscription_filter.eks_subscription_filter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_subscription_filter) | resource |
+| [aws_iam_policy.eks_consumer_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.eks_producer_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.cloudwatch_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.expel_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.eks_consumer_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.eks_producer_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_kinesis_stream.kinesis_data_stream](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.assume_role_iam_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudwatch_assume_role_iam_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.eks_consumer_iam_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.eks_producer_iam_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+<!-- end-tf-docs -->

examples/basic/README.md

@@ -0,0 +1,24 @@
+# Basic
+
+This configuration sets up appropriate AWS resources that are necessary to integrate Expel Workbench with an existing EKS instance.
+
+This `Basic` example is the simplest onboarding experience, as it assumes a single AWS Account is being onboarded with one EKS instance.
+
+## Usage
+
+
+To run this example you need to execute:
+
+```bash
+terraform init
+terraform apply -var-file="terraform.tfvars"
+```
+
+Note that this example may create resources which can cost money (AWS Kinesis data stream, for example). Run `terraform destroy` when you don't need these resources.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | = 1.1.3 |
+| aws | = 4.0 |

examples/basic/main.tf

@@ -0,0 +1,37 @@
+variable "region" {
+  type = string
+}
+
+variable "expel_customer_organization_guid" {
+  description = "Use your organization GUID assigned to you by Expel. You can find it in your browser URL after navigating to Settings > My Organization in Workbench"
+  type        = string
+}
+
+variable "eks_log_group_name" {
+  description = "Use the log group name in CloudWatch containing EKS logs."
+  type        = string
+}
+
+provider "aws" {
+  region = var.region
+}
+
+module "expel_aws_eks_integration" {
+  source = "../../"
+
+  expel_customer_organization_guid = var.expel_customer_organization_guid
+  expel_assume_role_session_name   = "ExpelServiceAssumeRoleForEKSAccess"
+  eks_log_group_name = var.eks_log_group_name
+  stream_capacity_mode = "ON_DEMAND"
+  stream_retention_hours = 24
+  enable_stream_encryption = true
+
+  prefix = "expel-aws-eks"
+  tags = {
+    "is_external" = "true"
+  }
+}
+
+output "expel_aws_eks_integration" {
+  value = module.expel_aws_eks_integration
+}

examples/basic/terraform.tfvars

@@ -0,0 +1,8 @@
+# region                           = "Replace with the AWS region in which you want the Kinesis data stream to be configured for EKS logs"
+# expel_customer_organization_guid = "Replace with your organization GUID assigned to you by Expel. You can find it in your browser URL after navigating to Settings > My Organization in Workbench"
+# eks_log_group_name               = "Replace with your EKS log group name"
+
+
+region                           = "us-east-2"
+expel_customer_organization_guid = "9a5434c2-66b8-49e3-a544-6e8797f4a1d3"
+eks_log_group_name               = "/aws/eks/dan-cluster/cluster"

iam.tf

@@ -0,0 +1,67 @@
+
+data "aws_iam_policy_document" "assume_role_iam_document" {
+  # Allow Expel to assume the role
+  statement {
+    actions       = ["sts:AssumeRole"]
+    effect        = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = [var.expel_aws_account_arn]
+    }
+
+    condition {
+      test        = "StringEquals"
+      variable    = "sts:ExternalId"
+      values      = [var.expel_customer_organization_guid]
+    }
+  }
+}
+
+resource "aws_iam_role" "expel_assume_role" {
+  name               = "ExpelServiceAssumeRole"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_iam_document.json
+  tags               = local.tags
+}
+
+resource "aws_iam_role_policy_attachment" "eks_consumer_policy_attachment" {
+  role       = aws_iam_role.expel_assume_role.name
+  policy_arn = aws_iam_policy.eks_consumer_policy.arn
+}
+
+resource "aws_iam_policy" "eks_consumer_policy" {
+  name   = "${var.prefix}-eks-consumer-policy"
+  policy = data.aws_iam_policy_document.eks_consumer_iam_document.json
+  tags   = local.tags
+}
+
+data "aws_iam_policy_document" "eks_consumer_iam_document" {
+
+  # Allow Expel Workbench to retrieve data from Kinesis
+  statement {
+    actions   = [
+      "kinesis:DescribeLimits",
+      "kinesis:DescribeStream",
+      "kinesis:DescribeStreamSummary",
+      "kinesis:GetRecords",
+      "kinesis:GetShardIterator",
+      "kinesis:ListShards"
+    ]
+    resources = [aws_kinesis_stream.kinesis_data_stream.arn]
+    effect    = "Allow"
+  }
+
+  # Allow Expel Workbench to gather information about EKS clusters
+  statement {
+    actions   = [
+      "eks:AccessKubernetesApi",
+      "eks:DescribeCluster",
+      "eks:DescribeNodegroup",
+      "eks:ListClusters",
+      "eks:ListNodegroups",
+      "eks:ListUpdates",
+      "sts:GetCallerIdentity"
+    ]
+    resources = ["*"]
+    effect    = "Allow"
+  }
+}

kinesis.tf

@@ -0,0 +1,26 @@
+
+
+# If encryption was disabled, create an unencrypted stream
+resource "aws_kinesis_stream" "kinesis_data_stream" {
+  name                = "${var.prefix}-kinesis-data-stream"
+  retention_period    = var.stream_retention_hours
+
+  shard_level_metrics = [
+    "IncomingBytes",
+    "OutgoingBytes",
+    "IncomingRecords",
+    "OutgoingRecords",
+    "IteratorAgeMilliseconds",
+  ]
+
+  stream_mode_details {
+    stream_mode       = var.stream_capacity_mode
+  }
+  shard_count         = var.stream_capacity_mode == "PROVISIONED" ? var.stream_shard_count : null 
+
+  # Optionally configure stream encryption
+  encryption_type     = var.enable_stream_encryption ? "KMS": "NONE"
+  kms_key_id          = var.enable_stream_encryption ? "alias/aws/kinesis" : null
+
+  tags                = local.tags
+}