From 49326887237a2ea94a4ee7fe6f9ea59bf79baa9e Mon Sep 17 00:00:00 2001
From: jerrcarr
Date: Tue, 5 May 2020 14:19:18 -0700
Subject: [PATCH 1/4] add option to use terraform for AWS connector setup
---
deepsecurity/manager/aws/terraform/README.md | 40 +++++++++
deepsecurity/manager/aws/terraform/main.tf | 84 +++++++++++++++++++
deepsecurity/manager/aws/terraform/outputs.tf | 4 +
.../manager/aws/terraform/variables.tf | 16 ++++
.../manager/aws/terraform/versions.tf | 3 +
5 files changed, 147 insertions(+)
create mode 100644 deepsecurity/manager/aws/terraform/README.md
create mode 100644 deepsecurity/manager/aws/terraform/main.tf
create mode 100644 deepsecurity/manager/aws/terraform/outputs.tf
create mode 100644 deepsecurity/manager/aws/terraform/variables.tf
create mode 100644 deepsecurity/manager/aws/terraform/versions.tf
diff --git a/deepsecurity/manager/aws/terraform/README.md b/deepsecurity/manager/aws/terraform/README.md
new file mode 100644
index 0000000..97ae5bb
--- /dev/null
+++ b/deepsecurity/manager/aws/terraform/README.md
@@ -0,0 +1,40 @@
+
+# AWS Terraform Support
+
+## AWS Connector via Terraform
+Some organizations may not want to use AWS Cloudformation to connect their AWS account to Trend Micro Deep Security Manager. To help allow other methods to do this, we can use Terraform to provision the connection. This terraform code will create the following:
+* An IAM role with access to:
+ - Creates a role with cross-account access to Deep Security as a Service Account ID: 147995105371
+ - Policy for the role with read access to AWS EC2, Workspaces, and IAM.
+
+## Requirements
+
+There is one variable that is required to entered when applying:
+* var.external_id
+
+The externalID can be found within Deep Security Manager if you go to Computers at the top. Click Add -> Add AWS Account. A wizard will appear, select Advanced as the setup type and click Next. Then click the eye icon next to the obscured externalID to reveal it. Copy the external ID to a secure place as you will need it when applying the terraform code.
+
+## Usage
+
+1. Apply the terraform code to your AWS account. If the code was applied successfully, Terraform will output the Role ARN for you to copy into Deep Security Manager.
+
+Example output:
+```
+aws_iam_role_policy_attachment.tmds_role_policy_attachment: Creation complete after 1s [id=dev-trend-micro-deep-security-20200505204655560300000001]
+
+Apply complete! Resources: 3 added, 0 changed, 0 destroyed.
+
+Outputs:
+
+trend_micro_aws_iam_role_arn = arn:aws:iam::{YOUR_AWS_ACCOUNT_ID}:role/dev-trend-micro-deep-security
+```
+
+2. Copy the Role ARN from the output and go in to Deep Security Manager.
+
+3. Once you are logged in to Deep Security Manager, go to the Computers at the top.
+
+4. Next, you will select Add -> Add AWS Account and a new pop up window will open. In the pop up window, select Advanced setup type, and click Next.
+
+5. Add the Role ARN in the textbox next to Cross Account Role ARN and then selet Next.
+
+6. Once that's done, you're all set!
Go back to Deep Security Manager -> Computers, and on the left side pane you will see your AWS account loaded into your Deep Security Manager account!
diff --git a/deepsecurity/manager/aws/terraform/main.tf b/deepsecurity/manager/aws/terraform/main.tf
new file mode 100644
index 0000000..8b41e49
--- /dev/null
+++ b/deepsecurity/manager/aws/terraform/main.tf
@@ -0,0 +1,84 @@
+provider "aws" {
+ region = "us-east-1"
+}
+
+# (Optional) backend configuration to manage terraform state file via S3.
+#terraform {
+# backend "s3" {
+# bucket = "terraform-state-bucket"
+# key = "environment/trend-micro-deep-security/terraform.tfstate"
+# region = "us-east-1"
+# encrypt = "true"
+# }
+#}
+
+data "aws_iam_policy_document" "tmds_assume_role_policy" {
+ statement {
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${var.tmds_aws_account_id}:root"]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "sts:ExternalId"
+
+ values = [var.external_id]
+ }
+ }
+}
+
+data "aws_iam_policy_document" "tmds_role_policy_document" {
+ statement {
+ actions = [
+ "ec2:DescribeRegions",
+ "ec2:DescribeImages",
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcs",
+ "iam:ListAccountAlias"
+ ]
+
+ resources = ["*"]
+ }
+
+ statement {
+ actions = [
+ "iam:GetRole",
+ "iam:GetRolePolicy"
+ ]
+
+ resources = [aws_iam_role.tmds_role.arn]
+ }
+
+ statement {
+ actions = [
+ "workspaces:DescribeWorkspaces",
+ "workspaces:DescribeWorkspaceDirectories",
+ "workspaces:DescribeWorkspaceBundles",
+ "workspaces:DescribeTags"
+ ]
+
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "tmds_role_policy" {
+ name = "${var.environment}-${var.service_name}-role-policy"
+ policy = data.aws_iam_policy_document.tmds_role_policy_document.json
+}
+
+resource "aws_iam_role_policy_attachment" "tmds_role_policy_attachment" {
+ role = aws_iam_role.tmds_role.id
+ policy_arn = aws_iam_policy.tmds_role_policy.arn
+}
+
+resource "aws_iam_role" "tmds_role" {
+ name = "${var.environment}-${var.service_name}"
+ assume_role_policy = data.aws_iam_policy_document.tmds_assume_role_policy.json
+}
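Review bot: The first statement of `tmds_role_policy_document` grants `"iam:ListAccountAlias"`, but the IAM action is `iam:ListAccountAliases` (plural); IAM is unlikely to reject an unrecognised action name when the policy is created, so the typo would probably only surface later as a denied call from the manager rather than at apply time, and the fix is the one-token change to `"iam:ListAccountAliases"`. Separately, `var.external_id` is rendered into the trust policy JSON and therefore lands in the Terraform state as well as in the role's trust document; since the only backend here is the commented-out S3 block with `encrypt = "true"`, a comment such as `# external_id ends up in state and in the role trust policy; keep state encrypted and access-restricted` next to the condition block would make that handling requirement explicit. The hard-coded `region = "us-east-1"` in the provider block only selects the API endpoint because IAM is a global service, which a short `# IAM is global; region only selects the API endpoint` comment would spare the next reader from having to work out.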
diff --git a/deepsecurity/manager/aws/terraform/outputs.tf b/deepsecurity/manager/aws/terraform/outputs.tf
new file mode 100644
index 0000000..5c54133
--- /dev/null
+++ b/deepsecurity/manager/aws/terraform/outputs.tf
@@ -0,0 +1,4 @@
+output "trend_micro_aws_iam_role_arn" {
+ description = "The role ARN for the AWS IAM role to connect to Deep Security Manager"
+ value = aws_iam_role.tmds_role.arn
+}
diff --git a/deepsecurity/manager/aws/terraform/variables.tf b/deepsecurity/manager/aws/terraform/variables.tf
new file mode 100644
index 0000000..c073750
--- /dev/null
+++ b/deepsecurity/manager/aws/terraform/variables.tf
@@ -0,0 +1,16 @@
+variable environment {
+ description = "Available values: dev, qa, prod."
+}
+
+variable service_name {
+ default = "trend-micro-deep-security"
+}
+
+variable tmds_aws_account_id {
+ description = "Account ID for Trend Micro Deep Security AWS"
+ default = "147995105371"
+}
+
+variable external_id {
+ description = "The External ID for assume role policy for cross account access"
+}
diff --git a/deepsecurity/manager/aws/terraform/versions.tf b/deepsecurity/manager/aws/terraform/versions.tf
new file mode 100644
index 0000000..d9b6f79
--- /dev/null
+++ b/deepsecurity/manager/aws/terraform/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 0.12"
+}
From 5291e682a54f5af75d05df75c2da5a3f5b9b6aa0 Mon Sep 17 00:00:00 2001
From: jerrcarr
Date: Tue, 5 May 2020 14:24:58 -0700
Subject: [PATCH 2/4] Update README.md
---
deepsecurity/manager/aws/terraform/README.md | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/deepsecurity/manager/aws/terraform/README.md b/deepsecurity/manager/aws/terraform/README.md
index 97ae5bb..ce2095e 100644
--- a/deepsecurity/manager/aws/terraform/README.md
+++ b/deepsecurity/manager/aws/terraform/README.md
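Review bot: In variables.tf, `variable external_id` declares no `type`, and `variable environment` states its allowed values (dev, qa, prod) only in the description, so nothing stops a stray value from being interpolated into the role and policy names; `type = string` is available under the `>= 0.12` constraint set in versions.tf and could be added to each, e.g. `variable "external_id" {` / `  type        = string` / `  description = "The External ID for assume role policy for cross account access"`. Enforcing the dev/qa/prod set with a `validation` block requires Terraform 0.13 or later, and marking `external_id` with `sensitive = true` so it is redacted from plan output requires 0.14 or later, so either improvement would mean raising `required_version` and the version note the README in this series carries. As a point of style, the unquoted block labels (`variable environment {`) are accepted but `terraform fmt` rewrites them to the quoted form `variable "environment" {`, so quoting them now avoids a noisy formatting diff later.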
@@ -2,17 +2,23 @@ # AWS Terraform Support ## AWS Connector via Terraform -Some organizations may not want to use AWS Cloudformation to connect their AWS account to Trend Micro Deep Security Manager. To help allow other methods to do this, we can use Terraform to provision the connection. This terraform code will create the following: +Some organizations may not want to use AWS Cloudformation to connect their AWS account to **Trend Micro Deep Security Manager**. To help allow other methods to do this, we can use **Terraform** to provision the connection. This terraform code will create the following: * An IAM role with access to: - Creates a role with cross-account access to Deep Security as a Service Account ID: 147995105371 - Policy for the role with read access to AWS EC2, Workspaces, and IAM. ## Requirements -There is one variable that is required to entered when applying: -* var.external_id +There are a couple variables that are required to be entered when applying: -The externalID can be found within Deep Security Manager if you go to Computers at the top. Click Add -> Add AWS Account. A wizard will appear, select Advanced as the setup type and click Next. Then click the eye icon next to the obscured externalID to reveal it. Copy the external ID to a secure place as you will need it when applying the terraform code. +``` +environment +external_id +``` + +The **externalID** can be found within Deep Security Manager if you go to **Computers** at the top. Click **Add** -> **Add AWS Account**. A wizard will appear, select **Advanced** as the setup type and click **Next**. Then click the eye icon next to the obscured *externalID* to reveal it. + +**Copy the external ID to a secure place as you will need it when applying the terraform code.** ## Usage 
@@ -31,10 +37,10 @@ trend_micro_aws_iam_role_arn = arn:aws:iam::{YOUR_AWS_ACCOUNT_ID}:role/dev-trend 2. Copy the Role ARN from the output and go in to Deep Security Manager. -3. Once you are logged in to Deep Security Manager, go to the Computers at the top. +3. Once you are logged in to Deep Security Manager, go to the **Computers** at the top. -4. Next, you will select Add -> Add AWS Account and a new pop up window will open. In the pop up window, select Advanced setup type, and click Next. +4. Next, you will select **Add** -> **Add AWS Account** and a new pop up window will open. In the pop up window, select **Advanced** setup type, and click **Next**. 5. Add the Role ARN in the textbox next to Cross Account Role ARN and then selet Next. -6. Once that's done, you're all set! Go back to Deep Security Manager -> Computers, and on the left side pane you will see your AWS account loaded into your Deep Security Manager account! +6. Once that's done, you're all set! Go back to Deep Security Manager and click **Computers** on the top, and on the left side pane you will see your AWS account loaded into your Deep Security Manager account! From 02896ff4321563b220f0d19a493ef652254c8faa Mon Sep 17 00:00:00 2001 From: jerrcarr Date: Tue, 5 May 2020 14:27:21 -0700 Subject: [PATCH 3/4] Update README.md once more --- deepsecurity/manager/aws/terraform/README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/deepsecurity/manager/aws/terraform/README.md b/deepsecurity/manager/aws/terraform/README.md index ce2095e..849dbd3 100644 --- a/deepsecurity/manager/aws/terraform/README.md +++ b/deepsecurity/manager/aws/terraform/README.md 
@@ -16,7 +16,10 @@ environment external_id ``` -The **externalID** can be found within Deep Security Manager if you go to **Computers** at the top. Click **Add** -> **Add AWS Account**. A wizard will appear, select **Advanced** as the setup type and click **Next**. Then click the eye icon next to the obscured *externalID* to reveal it. +The **externalID** can be found within Deep Security Manager: + 1. Once logged in, go to **Computers** at the top. + 2. Click **Add** -> **Add AWS Account**. + 3. A wizard will appear, select **Advanced** and click **Next**. Then click the eye icon next to the obscured **externalID** to reveal it. **Copy the external ID to a secure place as you will need it when applying the terraform code.** From 4ffcfb834c33349ef92c833afb75b92c0c19f0d0 Mon Sep 17 00:00:00 2001 From: jerrcarr Date: Tue, 5 May 2020 14:46:11 -0700 Subject: [PATCH 4/4] Note version requirement in README.md --- deepsecurity/manager/aws/terraform/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/deepsecurity/manager/aws/terraform/README.md b/deepsecurity/manager/aws/terraform/README.md index 849dbd3..90579c4 100644 --- a/deepsecurity/manager/aws/terraform/README.md +++ b/deepsecurity/manager/aws/terraform/README.md @@ -9,6 +9,8 @@ Some organizations may not want to use AWS Cloudformation to connect their AWS a ## Requirements +This code will only work on **Terraform version 0.12** or **later**. + There are a couple variables that are required to be entered when applying: ```