From 54a30a8175dbb4773220eede2fe2223fdd5cd696 Mon Sep 17 00:00:00 2001 From: Kostas Stamatakis Date: Wed, 27 Mar 2024 13:33:33 +0200 Subject: [PATCH 01/12] Cloudformation yml to create elast-agent user and generate direct access key --- ...nt-direct-access-key-cspm-organization.yml | 175 ++++++++++++++++++ .../elastic-agent-direct-access-key-cspm.yml | 32 ++++ scripts/publish_cft.sh | 2 + 3 files changed, 209 insertions(+) create mode 100644 deploy/cloudformation/elastic-agent-direct-access-key-cspm-organization.yml create mode 100644 deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml diff --git a/deploy/cloudformation/elastic-agent-direct-access-key-cspm-organization.yml b/deploy/cloudformation/elastic-agent-direct-access-key-cspm-organization.yml new file mode 100644 index 0000000000..33c0077ab5 --- /dev/null +++ b/deploy/cloudformation/elastic-agent-direct-access-key-cspm-organization.yml 
@@ -0,0 +1,175 @@ +AWSTemplateFormatVersion: "2010-09-09" + +Description: Creates elastic-agent cspm user, role, and access key, and outputs the access key + +Parameters: + OrganizationalUnitIds: + Description: | + Comma-separated list of organizational units to deploy the IAM roles to. + Specify the unique IDs of the organizational units where the roles should be deployed. + Example: ou-abc123,ou-def456,ou-ghi789 + Type: CommaDelimitedList + AllowedPattern: ^(ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}|r-[0-9a-z]{4,32})$ + + ScanManagementAccount: + Description: | + When set to "Yes", the Management Account resources will be scanned, + regardless of selected Organizational Unit IDs. Likewise, when set to + "No", the Management Account resources will not be scanned, even if + the Management Account belongs to a selected Organizational Unit. + Type: String + AllowedValues: + - "Yes" + - "No" + Default: "Yes" + ConstraintDescription: Must specify "Yes" or "No" + +Conditions: + ScanManagementAccountEnabled: !Equals + - !Ref ScanManagementAccount + - "Yes" + +Resources: + ElasticCSPMUser: + Type: "AWS::IAM::User" + Properties: + UserName: !Join + - '-' + - - "elasticagent-user-cspm" + - !Select + - 2 + - !Split + - / + - !Ref AWS::StackId + + CloudbeatRootRole: + Type: AWS::IAM::Role + Properties: + RoleName: cloudbeat-root + Description: Role that cloudbeat uses to assume roles in other accounts + Tags: + - Key: cloudbeat_scan_management_account + Value: !Ref ScanManagementAccount + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Principal: + AWS: !Ref AWS::AccountId + Action: + - sts:AssumeRole + - Effect: Allow + Principal: + AWS: !GetAtt ElasticCSPMUser.Arn + Action: + - sts:AssumeRole + - Effect: Allow + Principal: + Service: + - ec2.amazonaws.com + Action: + - sts:AssumeRole + Path: / + Policies: + - PolicyName: cloudbeat-root-permissions + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - iam:GetRole + - 
iam:ListAccountAliases + - iam:ListGroup + - iam:ListRoles + - iam:ListUsers + Resource: '*' + - Effect: Allow + Action: + - organizations:List* + - organizations:Describe* + Resource: '*' + - Effect: Allow + Action: + - sts:AssumeRole + Resource: '*' + + CloudbeatRoleStackSet: + Type: AWS::CloudFormation::StackSet + Properties: + StackSetName: cloudbeat-role-stackset + Description: StackSet for deploying the cloudbeat-securityaudit IAM role to member accounts in the specified organizational units. + AutoDeployment: + Enabled: true + RetainStacksOnAccountRemoval: false + Capabilities: + - CAPABILITY_NAMED_IAM + ManagedExecution: + Active: true + Parameters: + - ParameterKey: RootRoleArn + ParameterValue: !GetAtt CloudbeatRootRole.Arn + PermissionModel: SERVICE_MANAGED + StackInstancesGroup: + - DeploymentTargets: + OrganizationalUnitIds: !Ref OrganizationalUnitIds + Regions: + - !Ref AWS::Region + TemplateBody: | + AWSTemplateFormatVersion: '2010-09-09' + Description: Creates IAM roles needed for multi-account access + Parameters: + RootRoleArn: + Type: String + Resources: + CloudbeatMemberRole: + Type: 'AWS::IAM::Role' + Properties: + RoleName: cloudbeat-securityaudit + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + AWS: !Ref RootRoleArn + Action: + - sts:AssumeRole + Path: / + ManagedPolicyArns: + - arn:aws:iam::aws:policy/SecurityAudit + + CloudbeatManagementAccountAuditRole: + Type: AWS::IAM::Role + Properties: + RoleName: cloudbeat-securityaudit + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Principal: + AWS: !GetAtt CloudbeatRootRole.Arn + Action: + - sts:AssumeRole + Path: / + ManagedPolicyArns: + - arn:aws:iam::aws:policy/SecurityAudit + Condition: ScanManagementAccountEnabled + + ElasticCSPMAccessKey: + Type: "AWS::IAM::AccessKey" + Properties: + UserName: !Ref ElasticCSPMUser + + +Outputs: + AccessKeyId: + Description: "Access Key ID" + Value: !Ref ElasticCSPMAccessKey 
+ Export: + Name: "AccessKeyId" + + SecretAccessKey: + Description: "Secret Access Key" + Value: !GetAtt ElasticCSPMAccessKey.SecretAccessKey + Export: + Name: "SecretAccessKey" + diff --git a/deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml b/deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml new file mode 100644 index 0000000000..4924559d5a --- /dev/null +++ b/deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml @@ -0,0 +1,32 @@ +AWSTemplateFormatVersion: "2010-09-09" + +Description: Creates elastic-agent cspm user, role, and access key, and outputs the access key + +Parameters: {} + +Resources: + ElasticCSPMUser: + Type: "AWS::IAM::User" + Properties: + UserName: "elasticagent-cspm" + ManagedPolicyArns: + - 'arn:aws:iam::aws:policy/SecurityAudit' + + ElasticCSPMAccessKey: + Type: "AWS::IAM::AccessKey" + Properties: + UserName: !Ref ElasticCSPMUser + +Outputs: + AccessKeyId: + Description: "Access Key ID" + Value: !Ref ElasticCSPMAccessKey + Export: + Name: "AccessKeyId" + + SecretAccessKey: + Description: "Secret Access Key" + Value: !GetAtt ElasticCSPMAccessKey.SecretAccessKey + Export: + Name: "SecretAccessKey" + diff --git a/scripts/publish_cft.sh b/scripts/publish_cft.sh index d4a8b28887..9e13038f9a 100755 --- a/scripts/publish_cft.sh +++ b/scripts/publish_cft.sh 
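Review bot: Both new templates export their outputs under the fixed names `AccessKeyId` and `SecretAccessKey` (the `Export: Name:` entries at the end of each file), so a second stack from either template in the same account and region fails at create time because export names must be unique per account and region, even though `UserName` is derived from `AWS::StackId` precisely so that several stacks can coexist. Nothing in this series imports these exports (the CI reads them with `describe-stacks`), so drop the `Export:` blocks or scope them, e.g. `Name: !Sub "${AWS::StackName}-SecretAccessKey"`. A stack output is also readable by any principal with `cloudformation:DescribeStacks` (and, once exported, `cloudformation:ListExports`), so the `Description` should state that the secret key is exposed through the stack outputs, or the key should be stored in Secrets Manager with only its ARN output. In the organization template, `CloudbeatRootRole` additionally trusts `ec2.amazonaws.com` and the whole account via `AWS: !Ref AWS::AccountId`; this access-key flow only needs the `ElasticCSPMUser` principal, so the other two look like carry-overs from the EC2-based template and widen who can assume the root role.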
@@ -18,3 +18,5 @@ version=$(grep defaultBeatVersion version/version.go | cut -f2 -d "\"") upload_file deploy/cloudformation/elastic-agent-ec2-cnvm.yml "cloudformation-cnvm" "$version" upload_file deploy/cloudformation/elastic-agent-ec2-cspm.yml "cloudformation-cspm-single-account" "$version" upload_file deploy/cloudformation/elastic-agent-ec2-cspm-organization.yml "cloudformation-cspm-organization-account" "$version" +upload_file deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml "cloudformation-cspm-direct-access-key-single-account.yml" "$version" +upload_file deploy/cloudformation/elastic-agent-direct-access-key-cspm-organization.yml "cloudformation-cspm-direct-access-key-organization-account.yml" "$version" From 8e88ae800fd28606778cd10bb317e5b1426d723b Mon Sep 17 00:00:00 2001 From: Kostas Stamatakis Date: Mon, 8 Apr 2024 09:52:02 +0300 Subject: [PATCH 02/12] cloudformation ga --- .github/workflows/cloudformation-ci.yml | 39 +++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/.github/workflows/cloudformation-ci.yml b/.github/workflows/cloudformation-ci.yml index d68d5f887f..d602a5a78e 100644 --- a/.github/workflows/cloudformation-ci.yml +++ b/.github/workflows/cloudformation-ci.yml 
@@ -115,3 +115,42 @@ jobs: terraform destroy --auto-approve -target="module.ec_deployment" -target="module.ec_project" aws cloudformation delete-stack --stack-name ${{ env.CNVM_STACK_NAME }} aws cloudformation wait stack-delete-complete --stack-name ${{ env.CNVM_STACK_NAME }} + + + Deploy-CloudFormation-DirectKeys: + name: "Deploy CloudFormation DirectKeys" + runs-on: ubuntu-latest + timeout-minutes: 40 + steps: + - name: Check out the repo + uses: actions/checkout@v4 + + - name: Init Hermit + run: ./bin/hermit env -r >> $GITHUB_ENV + working-directory: ./ + + - name: Set up unique deployment names + run: | + suffix="$(date +%s | tail -c 3)" + echo "DIRECT_KEY_STACK_NAME=direct-key-stack-pr${{ github.event.number }}-$suffix" >> $GITHUB_ENV + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: "eu-west-1" + + - name: Deploy CloudFormation stack + env: + CF_FILE: 'deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml' + run: | + aws cloudformation validate-template --template-body file://${{ env.CF_FILE }} + aws cloudformation create-stack --stack-name ${{ env.DIRECT_KEY_STACK_NAME }} --template-body file://${{ env.CF_FILE }} --capabilities CAPABILITY_NAMED_IAM + aws cloudformation wait stack-create-complete --stack-name ${{ env.DIRECT_KEY_STACK_NAME }} + + - name: Cleanup Environment + if: always() + run: | + aws cloudformation delete-stack --stack-name ${{ env.DIRECT_KEY_STACK_NAME }} + aws cloudformation wait stack-delete-complete --stack-name ${{ env.DIRECT_KEY_STACK_NAME }} From 9e3a26ae2f6e921114d5257590a1778b500793c0 Mon Sep 17 00:00:00 2001 
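Review bot: The unique-name step derives `suffix` with `date +%s | tail -c 3`, which keeps only the last two digits of the epoch time (the third byte is the trailing newline that command substitution strips), so two runs for the same PR within roughly 100 seconds get the same `DIRECT_KEY_STACK_NAME` and the later `create-stack` fails with an already-exists error; `suffix="${{ github.run_id }}-${{ github.run_attempt }}"` is unique by construction. The job mints a live IAM user and access key in the target account on every trigger and relies solely on the `if: always()` `delete-stack` to revoke it, which deserves a comment on the cleanup step, `# the stack owns the IAM user and key; deleting it revokes the key`. `aws-region: "eu-west-1"` is hard-coded here while the earlier jobs' settings are outside this hunk; if they read the region from `env`, reuse that value for consistency.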
From: Kostas Stamatakis Date: Mon, 8 Apr 2024 10:16:05 +0300 Subject: [PATCH 03/12] unique username --- ...astic-agent-direct-access-key-cspm-organization.yml | 2 +- .../elastic-agent-direct-access-key-cspm.yml | 10 ++++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/deploy/cloudformation/elastic-agent-direct-access-key-cspm-organization.yml b/deploy/cloudformation/elastic-agent-direct-access-key-cspm-organization.yml index 33c0077ab5..b0a4fcf308 100644 --- a/deploy/cloudformation/elastic-agent-direct-access-key-cspm-organization.yml +++ b/deploy/cloudformation/elastic-agent-direct-access-key-cspm-organization.yml @@ -35,7 +35,7 @@ Resources: Properties: UserName: !Join - '-' - - - "elasticagent-user-cspm" + - - 'elasticagent-user-cspm' - !Select - 2 - !Split diff --git a/deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml b/deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml index 4924559d5a..52800a61d2 100644 --- a/deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml +++ b/deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml @@ -1,5 +1,4 @@ AWSTemplateFormatVersion: "2010-09-09" - Description: Creates elastic-agent cspm user, role, and access key, and outputs the access key Parameters: {} @@ -8,7 +7,14 @@ Resources: ElasticCSPMUser: Type: "AWS::IAM::User" Properties: - UserName: "elasticagent-cspm" + UserName: !Join + - '-' + - - 'elasticagent-user-cspm' + - !Select + - 2 + - !Split + - / + - !Ref AWS::StackId ManagedPolicyArns: - 'arn:aws:iam::aws:policy/SecurityAudit' From 35bb7413c3a85361e0e9017f1dc0a30e09f06b41 Mon Sep 17 00:00:00 2001 From: Kostas Stamatakis Date: Mon, 8 Apr 2024 10:33:33 +0300 Subject: [PATCH 04/12] add aws ci with new credentials --- .github/workflows/cloudformation-ci.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/.github/workflows/cloudformation-ci.yml b/.github/workflows/cloudformation-ci.yml index d602a5a78e..f07ae1a286 100644 
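Review bot: The single-account template still describes itself as creating a "user, role, and access key", but the file defines only `ElasticCSPMUser` and `ElasticCSPMAccessKey` and no role; change it to `Description: Creates the elastic-agent CSPM IAM user and access key, and outputs the access key`. The new `!Select [2, !Split ['/', !Ref AWS::StackId]]` expression picks the UUID segment of the stack ARN (`arn:…:stack/<name>/<uuid>`), which is not obvious from the indices, so a one-line comment above `UserName` such as `# unique per stack: <prefix>-<stack UUID taken from the StackId ARN>` would help; the same expression in the organization template could carry the same comment. The rest of the template is outside this hunk.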
--- a/.github/workflows/cloudformation-ci.yml +++ b/.github/workflows/cloudformation-ci.yml @@ -149,6 +149,23 @@ jobs: aws cloudformation create-stack --stack-name ${{ env.DIRECT_KEY_STACK_NAME }} --template-body file://${{ env.CF_FILE }} --capabilities CAPABILITY_NAMED_IAM aws cloudformation wait stack-create-complete --stack-name ${{ env.DIRECT_KEY_STACK_NAME }} + - name: Get Direct Keys + shell: bash + run: | + BODY="$(aws cloudformation describe-stacks --stack-name ${{ env.DIRECT_KEY_STACK_NAME }} --query 'Stacks[0].Outputs' --output json)" + NEW_ACCESS_KEY_ID="$(echo "${BODY}" | jq '.[] | select(.OutputKey | test("AccessKeyId")) | .OutputValue')" + NEW_SECRET_ACCESS_KEY="$(echo "${BODY}" | jq '.[] | select(.OutputKey | test("SecretAccessKey")) | .OutputValue')" + echo "NEW_ACCESS_KEY_ID=${NEW_ACCESS_KEY_ID}" >> $GITHUB_ENV + echo "NEW_SECRET_ACCESS_KEY=${NEW_SECRET_ACCESS_KEY}" >> $GITHUB_ENV + + - name: Run AWS integration tests + uses: ./.github/actions/aws-ci + with: + elk-version: ${{ env.ELK_VERSION }} + aws-access-key-id: ${{ env.NEW_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ env.NEW_SECRET_ACCESS_KEY }} + aws-account-type: single-account + - name: Cleanup Environment if: always() run: | From 3cd3ced98a37c83fe2bf559dfae0c8034c2ab24a Mon Sep 17 00:00:00 2001 From: Kostas Stamatakis Date: Tue, 9 Apr 2024 10:35:21 +0300 Subject: [PATCH 05/12] fix ci --- .github/workflows/cloudformation-ci.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/cloudformation-ci.yml b/.github/workflows/cloudformation-ci.yml index f07ae1a286..893f607886 100644 --- a/.github/workflows/cloudformation-ci.yml +++ b/.github/workflows/cloudformation-ci.yml 
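Review bot: `Run AWS integration tests` consumes the access key the moment `Get Direct Keys` reads it from the stack outputs; a freshly created IAM access key can take several seconds to become usable by other services, so the first calls in the tests may fail with an authentication error that looks like a test bug. A short readiness probe at the end of the `Get Direct Keys` script, e.g. `for i in $(seq 1 12); do AWS_ACCESS_KEY_ID="$NEW_ACCESS_KEY_ID" AWS_SECRET_ACCESS_KEY="$NEW_SECRET_ACCESS_KEY" aws sts get-caller-identity >/dev/null && break; sleep 5; done`, removes that flake. The `Cleanup Environment` step that follows is only partly inside this hunk.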
@@ -125,9 +125,10 @@ jobs: - name: Check out the repo uses: actions/checkout@v4 - - name: Init Hermit - run: ./bin/hermit env -r >> $GITHUB_ENV - working-directory: ./ + - name: Hermit Environment + uses: ./.github/actions/hermit + with: + init-tools: 'true' - name: Set up unique deployment names run: | @@ -153,8 +154,8 @@ jobs: shell: bash run: | BODY="$(aws cloudformation describe-stacks --stack-name ${{ env.DIRECT_KEY_STACK_NAME }} --query 'Stacks[0].Outputs' --output json)" - NEW_ACCESS_KEY_ID="$(echo "${BODY}" | jq '.[] | select(.OutputKey | test("AccessKeyId")) | .OutputValue')" - NEW_SECRET_ACCESS_KEY="$(echo "${BODY}" | jq '.[] | select(.OutputKey | test("SecretAccessKey")) | .OutputValue')" + NEW_ACCESS_KEY_ID="$(echo "${BODY}" | jq -r '.[] | select(.OutputKey | test("AccessKeyId")) | .OutputValue')" + NEW_SECRET_ACCESS_KEY="$(echo "${BODY}" | jq -r '.[] | select(.OutputKey | test("SecretAccessKey")) | .OutputValue')" echo "NEW_ACCESS_KEY_ID=${NEW_ACCESS_KEY_ID}" >> $GITHUB_ENV echo "NEW_SECRET_ACCESS_KEY=${NEW_SECRET_ACCESS_KEY}" >> $GITHUB_ENV From 9e50654fee1fc8bd9004f9e8d4681b444c3f2bf6 Mon Sep 17 00:00:00 2001 From: Kostas Stamatakis Date: Tue, 9 Apr 2024 16:52:46 +0300 Subject: [PATCH 06/12] fmt --- ...ent-direct-access-key-cspm-organization.yml | 16 +++++++--------- .../elastic-agent-direct-access-key-cspm.yml | 18 +++++++++--------- 2 files changed, 16 insertions(+), 18 deletions(-) diff --git a/deploy/cloudformation/elastic-agent-direct-access-key-cspm-organization.yml b/deploy/cloudformation/elastic-agent-direct-access-key-cspm-organization.yml index b0a4fcf308..817afa518e 100644 --- a/deploy/cloudformation/elastic-agent-direct-access-key-cspm-organization.yml +++ b/deploy/cloudformation/elastic-agent-direct-access-key-cspm-organization.yml 
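Review bot: `select(.OutputKey | test("AccessKeyId"))` in the `Get Direct Keys` step is a regular-expression search, so it would also match any future output whose key merely contains that text, and two matches would put two lines into `NEW_ACCESS_KEY_ID`; `select(.OutputKey == "AccessKeyId")` and `select(.OutputKey == "SecretAccessKey")` state the exact match that is intended. The `-r` added here is needed for the values to be usable as credentials, but note that `jq` exits 0 on an empty selection, so a missing output is not caught by the step's `-e`.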
@@ -31,11 +31,11 @@ Conditions: Resources: ElasticCSPMUser: - Type: "AWS::IAM::User" + Type: AWS::IAM::User Properties: UserName: !Join - '-' - - - 'elasticagent-user-cspm' + - - elasticagent-user-cspm - !Select - 2 - !Split @@ -155,21 +155,19 @@ Resources: Condition: ScanManagementAccountEnabled ElasticCSPMAccessKey: - Type: "AWS::IAM::AccessKey" + Type: AWS::IAM::AccessKey Properties: UserName: !Ref ElasticCSPMUser - Outputs: AccessKeyId: - Description: "Access Key ID" + Description: Access Key ID Value: !Ref ElasticCSPMAccessKey Export: - Name: "AccessKeyId" + Name: AccessKeyId SecretAccessKey: - Description: "Secret Access Key" + Description: Secret Access Key Value: !GetAtt ElasticCSPMAccessKey.SecretAccessKey Export: - Name: "SecretAccessKey" - + Name: SecretAccessKey diff --git a/deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml b/deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml index 52800a61d2..f169e5aec4 100644 --- a/deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml +++ b/deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml 
@@ -1,38 +1,38 @@ AWSTemplateFormatVersion: "2010-09-09" + Description: Creates elastic-agent cspm user, role, and access key, and outputs the access key Parameters: {} Resources: ElasticCSPMUser: - Type: "AWS::IAM::User" + Type: AWS::IAM::User Properties: UserName: !Join - '-' - - - 'elasticagent-user-cspm' + - - elasticagent-user-cspm - !Select - 2 - !Split - / - !Ref AWS::StackId ManagedPolicyArns: - - 'arn:aws:iam::aws:policy/SecurityAudit' + - arn:aws:iam::aws:policy/SecurityAudit ElasticCSPMAccessKey: - Type: "AWS::IAM::AccessKey" + Type: AWS::IAM::AccessKey Properties: UserName: !Ref ElasticCSPMUser Outputs: AccessKeyId: - Description: "Access Key ID" + Description: Access Key ID Value: !Ref ElasticCSPMAccessKey Export: - Name: "AccessKeyId" + Name: AccessKeyId SecretAccessKey: - Description: "Secret Access Key" + Description: Secret Access Key Value: !GetAtt ElasticCSPMAccessKey.SecretAccessKey Export: - Name: "SecretAccessKey" - + Name: SecretAccessKey From 0d77b47c45e40d27e9ea817ed3969c2e10a74ffa Mon Sep 17 00:00:00 2001 From: Kostas Stamatakis Date: Thu, 11 Apr 2024 13:07:14 +0300 Subject: [PATCH 07/12] use ::add-mask --- .github/workflows/cloudformation-ci.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/cloudformation-ci.yml b/.github/workflows/cloudformation-ci.yml index 893f607886..a8a2b61ff4 100644 --- a/.github/workflows/cloudformation-ci.yml +++ b/.github/workflows/cloudformation-ci.yml 
@@ -151,20 +151,23 @@ jobs: aws cloudformation wait stack-create-complete --stack-name ${{ env.DIRECT_KEY_STACK_NAME }} - name: Get Direct Keys + id: direct-keys shell: bash run: | BODY="$(aws cloudformation describe-stacks --stack-name ${{ env.DIRECT_KEY_STACK_NAME }} --query 'Stacks[0].Outputs' --output json)" NEW_ACCESS_KEY_ID="$(echo "${BODY}" | jq -r '.[] | select(.OutputKey | test("AccessKeyId")) | .OutputValue')" + echo "::add-mask::$NEW_ACCESS_KEY_ID" NEW_SECRET_ACCESS_KEY="$(echo "${BODY}" | jq -r '.[] | select(.OutputKey | test("SecretAccessKey")) | .OutputValue')" - echo "NEW_ACCESS_KEY_ID=${NEW_ACCESS_KEY_ID}" >> $GITHUB_ENV - echo "NEW_SECRET_ACCESS_KEY=${NEW_SECRET_ACCESS_KEY}" >> $GITHUB_ENV + echo "::add-mask::$NEW_SECRET_ACCESS_KEY" + echo "NEW_ACCESS_KEY_ID=${NEW_ACCESS_KEY_ID}" >> $GITHUB_OUTPUT + echo "NEW_SECRET_ACCESS_KEY=${NEW_SECRET_ACCESS_KEY}" >> $GITHUB_OUTPUT - name: Run AWS integration tests uses: ./.github/actions/aws-ci with: elk-version: ${{ env.ELK_VERSION }} - aws-access-key-id: ${{ env.NEW_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ env.NEW_SECRET_ACCESS_KEY }} + aws-access-key-id: ${{ steps.direct-keys.outputs.NEW_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ steps.direct-keys.outputs.NEW_SECRET_ACCESS_KEY }} aws-account-type: single-account - name: Cleanup Environment From fff04206c81d96b88fd3abc0f28f6cc7ef392788 Mon Sep 17 00:00:00 2001 From: Kostas Stamatakis Date: Thu, 11 Apr 2024 13:20:32 +0300 Subject: [PATCH 08/12] run cloudformation-ci also on push to main branch --- .github/workflows/cloudformation-ci.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/cloudformation-ci.yml b/.github/workflows/cloudformation-ci.yml index a8a2b61ff4..f30f23168e 100644 --- a/.github/workflows/cloudformation-ci.yml +++ b/.github/workflows/cloudformation-ci.yml 
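Review bot: `Get Direct Keys` still does not fail when an output is missing: `jq` exits 0 on an empty selection, `::add-mask::` of an empty string only emits a warning, and the following step then runs the integration tests with empty credentials, which fails later and less clearly. Add a guard after the assignments, `[ -n "$NEW_ACCESS_KEY_ID" ] && [ -n "$NEW_SECRET_ACCESS_KEY" ] || { echo "stack outputs missing" >&2; exit 1; }`. Masking before the values are written to `$GITHUB_OUTPUT` is the right order; keep them as step outputs rather than promoting them to job `outputs:`, since as far as I recall the runner drops job outputs that match a masked value.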
@@ -9,6 +9,13 @@ on: paths: - deploy/cloudformation/*.yml - .github/workflows/cloudformation-ci.yml + push: + branches: + - main + - "[0-9]+.[0-9]+" + paths: + - deploy/cloudformation/*.yml + - .github/workflows/cloudformation-ci.yml env: WORKING_DIR: deploy/test-environments From 46be36aa4087a60a723388f907212022a63aa50d Mon Sep 17 00:00:00 2001 From: Kostas Stamatakis Date: Thu, 11 Apr 2024 13:44:27 +0300 Subject: [PATCH 09/12] run temporarily from pull_request --- .github/workflows/cloudformation-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cloudformation-ci.yml b/.github/workflows/cloudformation-ci.yml index f30f23168e..b6f288bf85 100644 --- a/.github/workflows/cloudformation-ci.yml +++ b/.github/workflows/cloudformation-ci.yml @@ -1,7 +1,7 @@ name: CloudFormation-CI on: - pull_request_target: + pull_request: branches: - main - "[0-9]+.[0-9]+" From 5d1c4a00124fd4bae816bc60a53db69851d36f86 Mon Sep 17 00:00:00 2001 From: Kostas Stamatakis Date: Fri, 12 Apr 2024 19:14:11 +0300 Subject: [PATCH 10/12] fixes --- .github/actions/aws-ci/action.yml | 2 +- .github/workflows/cloudformation-ci.yml | 4 ++-- deploy/aws/cloudbeat-aws.yml | 2 +- .../elastic-agent-direct-access-key-cspm-organization.yml | 1 + .../cloudformation/elastic-agent-direct-access-key-cspm.yml | 1 + 5 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/actions/aws-ci/action.yml b/.github/actions/aws-ci/action.yml index 3d141c8f92..9e56340777 100644 --- a/.github/actions/aws-ci/action.yml +++ b/.github/actions/aws-ci/action.yml @@ -4,7 +4,7 @@ inputs: elk-version: description: 'ELK version' required: true - aws-access-key-id: + -access-awskey-id: description: 'AWS access key id' required: true aws-secret-access-key: diff --git a/.github/workflows/cloudformation-ci.yml b/.github/workflows/cloudformation-ci.yml index b6f288bf85..b3fe443203 100644 --- a/.github/workflows/cloudformation-ci.yml +++ b/.github/workflows/cloudformation-ci.yml 
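Review bot: With the new `push` trigger, `Deploy-CloudFormation-DirectKeys` (defined outside this hunk) builds `DIRECT_KEY_STACK_NAME` from `github.event.number`, which is not set on push events, so branch builds get names like `direct-key-stack-pr-<two digits>` and two pushes within the same 100 seconds collide on the stack name, failing the later `create-stack`. Use `${{ github.run_id }}` in the name, which is defined for both event types. A merged PR now also produces two deployments (the `pull_request_target` run and the `push` run); a comment on the `push:` block saying why the post-merge run is wanted would help the next reader.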
@@ -145,8 +145,8 @@ jobs: - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ACC }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ACC }} aws-region: "eu-west-1" - name: Deploy CloudFormation stack diff --git a/deploy/aws/cloudbeat-aws.yml b/deploy/aws/cloudbeat-aws.yml index f61ee84230..b4a773a7ef 100644 --- a/deploy/aws/cloudbeat-aws.yml +++ b/deploy/aws/cloudbeat-aws.yml @@ -6,7 +6,7 @@ cloudbeat: credentials: access_key_id: ${AWS_ACCESS_KEY_ID:""} secret_access_key: ${AWS_SECRET_ACCESS_KEY:""} - account_type: ${AWS_ACCOUNT_TYPE:""} + account_type: ${AWS_ACCOUNT_TYPE:""} type: cloudbeat/cis_aws # Defines how often an event is sent to the output period: 30s diff --git a/deploy/cloudformation/elastic-agent-direct-access-key-cspm-organization.yml b/deploy/cloudformation/elastic-agent-direct-access-key-cspm-organization.yml index 817afa518e..c58ab2b66c 100644 --- a/deploy/cloudformation/elastic-agent-direct-access-key-cspm-organization.yml +++ b/deploy/cloudformation/elastic-agent-direct-access-key-cspm-organization.yml @@ -41,6 +41,7 @@ Resources: - !Split - / - !Ref AWS::StackId + Path: / CloudbeatRootRole: Type: AWS::IAM::Role diff --git a/deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml b/deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml index f169e5aec4..896100c37f 100644 --- a/deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml +++ b/deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml @@ -18,6 +18,7 @@ Resources: - !Ref AWS::StackId ManagedPolicyArns: - arn:aws:iam::aws:policy/SecurityAudit + Path: / ElasticCSPMAccessKey: Type: AWS::IAM::AccessKey From 712e7c899bb1ecd238bef5145cbf271141a927f8 Mon Sep 17 00:00:00 2001 
From: Kostas Stamatakis Date: Fri, 12 Apr 2024 19:27:23 +0300 Subject: [PATCH 11/12] restore pull_requst_target --- .github/workflows/cloudformation-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cloudformation-ci.yml b/.github/workflows/cloudformation-ci.yml index b3fe443203..9296a75150 100644 --- a/.github/workflows/cloudformation-ci.yml +++ b/.github/workflows/cloudformation-ci.yml @@ -1,7 +1,7 @@ name: CloudFormation-CI on: - pull_request: + pull_request_target: branches: - main - "[0-9]+.[0-9]+" From 16b8336c19c77eeeeda3418e9a3b03de7743c6d7 Mon Sep 17 00:00:00 2001 From: Kostas Stamatakis Date: Mon, 15 Apr 2024 13:28:23 +0300 Subject: [PATCH 12/12] fix typos --- .github/actions/aws-ci/action.yml | 2 +- scripts/publish_cft.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/actions/aws-ci/action.yml b/.github/actions/aws-ci/action.yml index 9e56340777..3d141c8f92 100644 --- a/.github/actions/aws-ci/action.yml +++ b/.github/actions/aws-ci/action.yml @@ -4,7 +4,7 @@ inputs: elk-version: description: 'ELK version' required: true - -access-awskey-id: + aws-access-key-id: description: 'AWS access key id' required: true aws-secret-access-key: diff --git a/scripts/publish_cft.sh b/scripts/publish_cft.sh index 9e13038f9a..7921c57f90 100755 --- a/scripts/publish_cft.sh +++ b/scripts/publish_cft.sh 
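Review bot: Restoring `pull_request_target` means `Deploy-CloudFormation-DirectKeys` (outside this hunk) runs with the repository's AWS secrets for pull requests from forks as well, and that job creates a real IAM user and access key; the job declares no `environment:`, so the `paths:` filter is the only gate. As far as I can tell from the job's `actions/checkout@v4` step, which passes no `ref`, the run checks out the base branch rather than the PR head, so PR-controlled files are not executed, but it also means `validate-template` and `create-stack` exercise the base branch's copy of the template, not the change under review. If the intention is to test the PR's templates, add `environment:` with required reviewers to the job before any change that checks out the PR head; otherwise record the trade-off next to the trigger, `# pull_request_target: runs on the base ref with secrets; PR files are not checked out`.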
@@ -18,5 +18,5 @@ version=$(grep defaultBeatVersion version/version.go | cut -f2 -d "\"")
 upload_file deploy/cloudformation/elastic-agent-ec2-cnvm.yml "cloudformation-cnvm" "$version"
 upload_file deploy/cloudformation/elastic-agent-ec2-cspm.yml "cloudformation-cspm-single-account" "$version"
 upload_file deploy/cloudformation/elastic-agent-ec2-cspm-organization.yml "cloudformation-cspm-organization-account" "$version"
-upload_file deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml "cloudformation-cspm-direct-access-key-single-account.yml" "$version"
-upload_file deploy/cloudformation/elastic-agent-direct-access-key-cspm-organization.yml "cloudformation-cspm-direct-access-key-organization-account.yml" "$version"
+upload_file deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml "cloudformation-cspm-direct-access-key-single-account" "$version"
+upload_file deploy/cloudformation/elastic-agent-direct-access-key-cspm-organization.yml "cloudformation-cspm-direct-access-key-organization-account" "$version"