
feat: Support "aws" GovCloud accounts #43

Open
xomgc3 opened this issue Dec 13, 2022 · 3 comments
Labels
feat New feature

Comments

@xomgc3

xomgc3 commented Dec 13, 2022

Describe the bug
The module does not use the correct partition for ARNs in GovCloud accounts. Instead of arn:aws:logs:* the ARN should be arn:aws-us-gov:logs:*.

Steps to reproduce

module "lacework_agentless_scanning_govcloud_org" {
  source  = "lacework/agentless-scanning/aws"
  version = "~> 0.6"

  providers = {
    aws = aws.secops
  }

  global       = true
  organization = {
    // This list may contain account IDs, OUs, or the organization root.
    monitored_accounts = [data.aws_organizations_organization.master.roots[0].id]
    // This account ID must be the AWS organizations "management account".
    // This will be used to enumerate the accounts and OUs in the list of monitored accounts.
    // This account must also have the snapshot_role installed.
    management_account = local.aws_master_account_id
  }

  lacework_integration_name = "our-govcloud-agentless"
}

Expected behavior
Leverage:

data "aws_partition" "current" {}
# data.aws_partition.current.partition

Ensure the correct partition is used for all ARNs and policies.

Screenshots

Error: 1 error occurred: * creating inline policy (AllowCloudWatch): MalformedPolicyDocument: Partition "aws" is not valid for resource "arn:aws:logs:::log-group:/ecs/lacework-agentless-scanning-*". status code: 400, request id:
with module.lacework_agentless_scanning_govcloud_org.aws_iam_role.agentless_scan_ecs_execution_role[0]
on .terraform/modules/lacework_agentless_scanning_govcloud_org/main.tf line 326, in resource "aws_iam_role" "agentless_scan_ecs_execution_role"

Please complete the following information:

  • Terraform Version: v1.0.9
  • Module Version: ~> 0.6

Additional context
Works fine in normal AWS accounts.
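The fix the report asks for, as an added example that is not the module's own code: the hard-coded log-group ARN from the error above next to a partition-aware form built from data.aws_partition, so the same policy resolves to arn:aws-us-gov in GovCloud and arn:aws in commercial regions. The data source names, the role reference and the two logs: actions are assumptions for illustration.

```hcl
# Added example, not code from the lacework/agentless-scanning module.
data "aws_partition" "current" {}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

locals {
  # "aws" in commercial regions, "aws-us-gov" in GovCloud, "aws-cn" in China.
  partition = data.aws_partition.current.partition

  # Hard-coded form: IAM rejects it in GovCloud, since the partition of the
  # resource ARN must match the partition the policy is created in.
  log_group_arn_hardcoded = "arn:aws:logs:::log-group:/ecs/lacework-agentless-scanning-*"

  # Partition-aware form. Region and account are filled in as well, so the
  # statement is scoped to this account instead of every region and account.
  log_group_arn = join(":", [
    "arn", local.partition, "logs",
    data.aws_region.current.name,
    data.aws_caller_identity.current.account_id,
    "log-group:/ecs/lacework-agentless-scanning-*",
  ])
}

data "aws_iam_policy_document" "allow_cloudwatch" {
  statement {
    sid     = "AllowCloudWatch"
    effect  = "Allow"
    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
    # The log group itself plus its log streams ("<group>:*").
    resources = [local.log_group_arn, "${local.log_group_arn}:*"]
  }
}

resource "aws_iam_role_policy" "allow_cloudwatch" {
  name = "AllowCloudWatch"
  # Role name taken from the error message; assumed to exist in this config.
  role   = aws_iam_role.agentless_scan_ecs_execution_role.id
  policy = data.aws_iam_policy_document.allow_cloudwatch.json
}
```

The same pattern applies to every other ARN literal in the module (ECS, S3, KMS, STS); grepping the module source for the string "arn:aws:" is a quick way to find the remaining hard-coded ones.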

@xomgc3 xomgc3 added the bug Something isn't working label Dec 13, 2022
@jon-stewart
Contributor

jon-stewart commented Dec 20, 2022

Hi @xomgc3 , thanks for raising this bug. Looking at it now.

@jon-stewart
Contributor

Hi @xomgc3 this module doesn't support the aws-us-gov ARN partition as it is hardcoded to make use of the aws partition.

We will consider this as a feature request. Thanks for the feedback.

@afiune afiune added feat New feature and removed bug Something isn't working labels Dec 23, 2022
@afiune afiune changed the title bug: Partition "aws" is not valid for GovCloud accounts feat: Partition "aws" is not valid for GovCloud accounts Dec 23, 2022
@afiune afiune changed the title feat: Partition "aws" is not valid for GovCloud accounts feat: Support "aws" GovCloud accounts Dec 23, 2022
bebold-jhr added a commit to bebold-jhr/terraform-aws-agentless-scanning that referenced this issue Apr 11, 2023
@bebold-jhr
Contributor

Hello @xomgc3,
I tried myself on a PR. See #70


4 participants