feat(modules): add volume access

.github/workflows/ci-pull-request-modules-volume_access.yaml

@@ -0,0 +1,46 @@
+name: CI - Pull Request CSPM
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'modules/volume_access/**'
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: cfn-lint
+      uses: scottbrenner/cfn-lint-action@v2
+
+    - name: Lint
+      run: make link
+
+  build:
+    name: Build and Upload CSPM templates
+    runs-on: ubuntu-latest
+    needs: [lint]
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: eu-west-1
+
+    - name: Publish Templates
+      run: make publish
+      working-directory: modules/volume_access
+      env:
+        S3_BUCKET: cf-templates-cloudvision-ci
+        S3_PREFIX: pr/${{ github.event.pull_request.number }}

modules/volume_access/Makefile

@@ -0,0 +1,40 @@
+# requires AWS_PROFILE
+# bucket must exist, prefix will be created
+S3_BUCKET ?= "s4c-cft"
+S3_PREFIX ?= "test"
+# We need the REGION or the TemplateURLs might be created for a different region, resulting in a deployment error
+S3_REGION ?= "eu-west-1" # ireland
+SECURE_API_TOKEN ?= ""
+STACK_NAME = "Sysdig-Secure-$(PARAM_NAME_SUFFIX)"
+PARAM_NAME_SUFFIX ?= "test"
+PARAM_IS_ORGANIZATIONAL ?= "false"
+
+.PHONY: validate lint deploy test clean
+validate:
+	aws cloudformation validate-template --template-body file://./template.yaml
+
+lint:
+	cfn-lint *.yaml
+	yq '.Resources.OrganizationRoleStackSet.Properties.TemplateBody' template.yaml | cfn-lint -
+	yq '.Resources.ScanningKmsKeyStackSet.Properties.TemplateBody' template.yaml | cfn-lint -
+	yq '.Resources.OrganizationKMSKeyStackSet.Properties.TemplateBody' template.yaml | cfn-lint -
+
+publish:
+	aws s3 cp ./template.yaml s3://$(S3_BUCKET)/modules/volume_access/$(S3_PREFIX)/template.yaml
+
+deploy:
+	aws cloudformation deploy \
+		--stack-name $(STACK_NAME) \
+		--template-file template.yaml \
+		--capabilities "CAPABILITY_NAMED_IAM" "CAPABILITY_AUTO_EXPAND" \
+		--parameter-overrides \
+			"NameSuffix=$(PARAM_NAME_SUFFIX)" \
+			"ExternalID=$(PARAM_EXTERNAL_ID)" \
+			"TrustedIdentity=$(PARAM_TRUSTED_IDENTITY)" \
+			"IsOrganizational=$(PARAM_IS_ORGANIZATIONAL)" \
+			"OrganizationUnitIDs=$(PARAM_ORGANIZATION_UNIT_IDS)"
+
+clean:
+	aws cloudformation delete-stack --stack-name $(STACK_NAME)
+
+

modules/volume_access/template.components.json

@@ -0,0 +1,25 @@
+[
+  {
+    "type": "COMPONENT_TRUSTED_ROLE",
+    "instance": "secure-scanning",
+    "trustedRoleMetadata": {
+        "aws": {
+            "roleName": "sysdig-secure-scanning-{{NameSuffix}}"
+        }
+    }
+  },
+  {
+    "type": "COMPONENT_CRYPTO_KEY",
+    "instance": "secure-scanning",
+    "cryptoKeyMetadata": {
+        "aws": {
+            "kms": {
+                "alias": "alias/sysdig-secure-scanning-{{NameSuffix}}",
+                "regions": [
+                  "{{regions}}"
+                ]
+            }
+        }
+    }
+}
+]