diff --git a/deepsecurity/manager/aws/terraform/README.md b/deepsecurity/manager/aws/terraform/README.md
new file mode 100644
index 0000000..90579c4
--- /dev/null
+++ b/deepsecurity/manager/aws/terraform/README.md
@@ -0,0 +1,51 @@
+
+# AWS Terraform Support
+
+## AWS Connector via Terraform
+Some organizations may not want to use AWS Cloudformation to connect their AWS account to **Trend Micro Deep Security Manager**. To help allow other methods to do this, we can use **Terraform** to provision the connection. This terraform code will create the following:
+* An IAM role with access to:
+ - Creates a role with cross-account access to Deep Security as a Service Account ID: 147995105371
+ - Policy for the role with read access to AWS EC2, Workspaces, and IAM.
+
+## Requirements
+
+This code will only work on **Terraform version 0.12** or **later**.
+
+There are a couple variables that are required to be entered when applying:
+
+```
+environment
+external_id
+```
+
+The **externalID** can be found within Deep Security Manager:
+ 1. Once logged in, go to **Computers** at the top.
+ 2. Click **Add** -> **Add AWS Account**.
+ 3. A wizard will appear, select **Advanced** and click **Next**. Then click the eye icon next to the obscured **externalID** to reveal it.
+
+**Copy the external ID to a secure place as you will need it when applying the terraform code.**
+
+## Usage
+
+1. Apply the terraform code to your AWS account. If the code was applied successfully, Terraform will output the Role ARN for you to copy into Deep Security Manager.
+
+Example output:
+```
+aws_iam_role_policy_attachment.tmds_role_policy_attachment: Creation complete after 1s [id=dev-trend-micro-deep-security-20200505204655560300000001]
+
+Apply complete! Resources: 3 added, 0 changed, 0 destroyed.
+
+Outputs:
+
+trend_micro_aws_iam_role_arn = arn:aws:iam::{YOUR_AWS_ACCOUNT_ID}:role/dev-trend-micro-deep-security
+```
+
+2. Copy the Role ARN from the output and go in to Deep Security Manager.
+
+3. Once you are logged in to Deep Security Manager, go to the **Computers** at the top.
+
+4. Next, you will select **Add** -> **Add AWS Account** and a new pop up window will open. 
In the pop up window, select **Advanced** setup type, and click **Next**.
+
+5. Add the Role ARN in the textbox next to Cross Account Role ARN and then selet Next.
+
+6. Once that's done, you're all set! Go back to Deep Security Manager and click **Computers** on the top, and on the left side pane you will see your AWS account loaded into your Deep Security Manager account!
diff --git a/deepsecurity/manager/aws/terraform/main.tf b/deepsecurity/manager/aws/terraform/main.tf
new file mode 100644
index 0000000..8b41e49
--- /dev/null
+++ b/deepsecurity/manager/aws/terraform/main.tf
@@ -0,0 +1,84 @@
+provider "aws" {
+ region = "us-east-1"
+}
+
+# (Optional) backend configuration to manage terraform state file via S3.
+#terraform {
+# backend "s3" {
+# bucket = "terraform-state-bucket"
+# key = "environment/trend-micro-deep-security/terraform.tfstate"
+# region = "us-east-1"
+# encrypt = "true"
+# }
+#}
+
+data "aws_iam_policy_document" "tmds_assume_role_policy" {
+ statement {
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${var.tmds_aws_account_id}:root"]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "sts:ExternalId"
+
+ values = [var.external_id]
+ }
+ }
+}
+
+data "aws_iam_policy_document" "tmds_role_policy_document" {
+ statement {
+ actions = [
+ "ec2:DescribeRegions",
+ "ec2:DescribeImages",
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcs",
+ "iam:ListAccountAlias"
+ ]
+
+ resources = ["*"]
+ }
+
+ statement {
+ actions = [
+ "iam:GetRole",
+ "iam:GetRolePolicy"
+ ]
+
+ resources = [aws_iam_role.tmds_role.arn]
+ }
+
+ statement {
+ actions = [
+ "workspaces:DescribeWorkspaces",
+ "workspaces:DescribeWorkspaceDirectories",
+ "workspaces:DescribeWorkspaceBundles",
+ "workspaces:DescribeTags"
+ ]
+
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "tmds_role_policy" {
+ name = "${var.environment}-${var.service_name}-role-policy"
+ policy = data.aws_iam_policy_document.tmds_role_policy_document.json
+}
+
+resource "aws_iam_role_policy_attachment" "tmds_role_policy_attachment" {
+ role = aws_iam_role.tmds_role.id
+ policy_arn = aws_iam_policy.tmds_role_policy.arn
+}
+
+resource "aws_iam_role" "tmds_role" {
+ name = "${var.environment}-${var.service_name}"
+ assume_role_policy = data.aws_iam_policy_document.tmds_assume_role_policy.json
+}
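Review bot: The `external_id` that feeds the `sts:ExternalId` condition in `tmds_assume_role_policy` is rendered into `aws_iam_role.tmds_role.assume_role_policy`, so it is written in clear text to the Terraform state and appears in plan output, while the only state-protection measure in the file is the commented-out S3 backend block near the top. A comment at that block such as `# NOTE: external_id is persisted in state via assume_role_policy; keep state in an encrypted, access-controlled backend.` would make the requirement visible, and `encrypt = true` (a bool) is the conventional form of that argument. Separately, the second statement of `tmds_role_policy_document` grants `iam:GetRolePolicy`, which reads inline role policies, whereas this module attaches a managed policy via `aws_iam_role_policy_attachment`; if the remote side is expected to read the attached policy, the matching actions would be `iam:ListAttachedRolePolicies`, `iam:GetPolicy` and `iam:GetPolicyVersion`, which is worth confirming against the CloudFormation template the README refers to before changing anything. The `resources = ["*"]` on the EC2 and WorkSpaces statements is expected, since those Describe actions do not support resource-level scoping.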
diff --git a/deepsecurity/manager/aws/terraform/outputs.tf b/deepsecurity/manager/aws/terraform/outputs.tf
new file mode 100644
index 0000000..5c54133
--- /dev/null
+++ b/deepsecurity/manager/aws/terraform/outputs.tf
@@ -0,0 +1,4 @@
+output "trend_micro_aws_iam_role_arn" {
+ description = "The role ARN for the AWS IAM role to connect to Deep Security Manager"
+ value = aws_iam_role.tmds_role.arn
+}
diff --git a/deepsecurity/manager/aws/terraform/variables.tf b/deepsecurity/manager/aws/terraform/variables.tf
new file mode 100644
index 0000000..c073750
--- /dev/null
+++ b/deepsecurity/manager/aws/terraform/variables.tf
@@ -0,0 +1,16 @@
+variable environment {
+ description = "Available values: dev, qa, prod."
+}
+
+variable service_name {
+ default = "trend-micro-deep-security"
+}
+
+variable tmds_aws_account_id {
+ description = "Account ID for Trend Micro Deep Security AWS"
+ default = "147995105371"
+}
+
+variable external_id {
+ description = "The External ID for assume role policy for cross account access"
+}
diff --git a/deepsecurity/manager/aws/terraform/versions.tf b/deepsecurity/manager/aws/terraform/versions.tf
new file mode 100644
index 0000000..d9b6f79
--- /dev/null
+++ b/deepsecurity/manager/aws/terraform/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 0.12"
+}
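Review bot: None of the four variables in variables.tf declares a `type`, and `external_id`, the shared value that gates the cross-account trust, is described only as "The External ID for assume role policy" with no indication that it must be handled as a secret and ends up in state. Adding `type = string` to each variable and extending the description, e.g. `description = "External ID for the cross-account trust; treat as a secret (it is stored in Terraform state)."`, documents the contract without changing behavior, and `sensitive = true` becomes available if `required_version` is ever raised past 0.14. The `environment` description lists dev/qa/prod but nothing enforces it; a `validation` block would do so on 0.13+. Quoting the block labels (`variable "environment" {`) is also the form `terraform fmt` and the Terraform documentation use.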
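Review bot: versions.tf constrains only the CLI with `required_version = ">= 0.12"`; nothing constrains the AWS provider, so `terraform init` resolves whatever the newest provider release is, and a breaking provider change can silently alter the IAM resources this module creates. The same `terraform` block accepts `required_providers { aws = "~> 2.0" }` on 0.12 (constructed example; use the version you actually tested), and pinning it alongside `required_version` keeps the module reproducible.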