This PR adds support for a new terraform module that will make it easy
to configure Fleet instances for S3 backend for file carving results.
Its intended to be applied in two phases.
1) apply target-account which will provision the s3 bucket, IAM role and
policy permissions
2) apply carve on the fleet instance, bootstrapping environment
variables for Fleet server & attaching the IAM policy.
# Checklist for submitter
- [X] Manual QA for all new/changed functionality
Since this was missing on the outputs, it broke apple mdm secret
population in existing implementations. This should re-assert backwards
compatibility.
These items fix the github action for use with the updates to the
monitoring module.
Additionally there were some changes needed to the monitoring module to
make it behave inside the GH action.
Once this is approved/merged, the new tag for them monitoring module
will be created as `tf-mod-addon-monitoring-v1.1.1`
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
This changes the behavior of Secrets Manager resources to prevent the
minimum scheduled deletion time of 7 days to allow for more rapid
terraform destroy and apply scenarios.
Co-authored-by: Robert Fairburn <8029478+rfairburn@users.noreply.github.com>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
…1648567704
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
This should allow us to pass in policies for kms and both s3 buckets.
This is needed in order to allow for the new sns alerting lambda to
query athena for 5xx errors.
Add support for Fleet audit logs by adding a new variable
`firehose_audit_name` to the `firehose` module. If the variable is set,
a new delivery stream is created for Fleet audit logs. The IAM role is
updated to allow writing to the new delivery stream. The `outputs.tf`
file is updated to include the new environment variable
`FLEET_ACTIVITY_ENABLE_AUDIT_LOG` and `FLEET_ACTIVITY_AUDIT_LOG_PLUGIN`
to the `fleet_extra_environment_variables` output. The `firehose_policy`
in `firehose.tf` is updated to allow writing to the new delivery stream.
The `firehose_audit` policy is created and attached to the IAM role if
the `firehose_audit_name` variable is set.
---------
Co-authored-by: Robert Fairburn <8029478+rfairburn@users.noreply.github.com>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
Closes#10716
rename aws_iam_policy and aws_iam_policy_attachment resources to use
underscore instead of hyphen in their names. Also, change
aws_iam_policy_attachment to aws_iam_role_policy_attachment to match the
correct resource type.
feat(firehose): add Terraform documentation to README.md
feat(firehose): add Terraform module for IAM policy
feat(firehose): add Terraform output for IAM policy ARN
docs(byo-firehose-logging-destination): add introduction and explanation
of IAM role and policy
This commit adds an introduction and explanation of the IAM role and
policy defined in the Terraform code. Specifically, it explains that the
IAM role named `fleet_role` is being defined in the AWS account, and
that it will be assumed by the Fleet application being hosted. The
commit also explains that the IAM role is being given specific
permissions to perform certain actions on the Firehose service, and that
the associated IAM policy specifies the minimum allowed permissions.
Additionally, the commit explains that the Firehose service is KMS
encrypted, and that the IAM role needs permission to the KMS key being
used to encrypt the data going into Firehose. Finally, the commit
explains that the code sets up a secure and controlled environment for
the Fleet application to perform its necessary actions on the Firehose
service within the AWS account.
refactor(byo-firehose-logging-destination): reformat table of resources
and inputs
feat(byo-firehose-logging-destination): add KMS key resource for
firehose encryption
feat(byo-firehose-logging-destination): add S3 bucket resource for
logging destination
feat(byo-firehose-logging-destination): add IAM policy and role
resources for firehose
feat(byo-firehose-logging-destination): add IAM policy attachment
resource for fleet-firehose policy
feat(byo-firehose-logging-destination): add data source for current AWS
region
feat(byo-firehose-logging-destination): add data source for KMS alias
feat(byo-firehose-logging-destination): add data source for IAM policy
documents
feat(byo-firehose-logging-destination): add outputs for firehose IAM
role, delivery streams, and S3 bucket
fix(iam.tf): change aws_iam_policy and aws_iam_policy_attachment
resource names to include fleet prefix
closes https://github.com/fleetdm/fleet/issues/11331
The zone_id variable is added to the ses module to allow the module to
be used with different Route53 zones. The variable is used in the
aws_route53_record resource to set the zone_id attribute. The
aws_route53_zone data source is removed from the module and the zone_id
attribute is set directly. The count attribute is added to the
aws_route53_record resource to allow for multiple DKIM records to be
created.
two things here:
1. create addon for use in new modular terraform
2. create vuln processing terraform for legacy terraform, but by default
its disabled
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
