Introduce Elastio Asset Account CloudFormation StackSet

Author: Veetaha

.github/ci.yml

@@ -0,0 +1,47 @@
+name: ci
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+
+jobs:
+  typos:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: crate-ci/typos@v1.30.2
+
+  terraform-fmt:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_version: ^1
+          terraform_wrapper: false
+
+      - run: terraform fmt -check
+
+  terraform-validate:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        project:
+          - asset-account/terraform/stack-set/examples/basic
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_version: ^1
+          terraform_wrapper: false
+
+      - run: terraform init -input=false
+        working-directory: ${{ matrix.project }}
+
+      - run: terraform validate
+        working-directory: ${{ matrix.project }}

.gitignore

@@ -0,0 +1,4 @@
+.terraform
+terraform.tfstate
+terraform.tfstate.backup
+terraform.tfvars

asset-account/README.md

@@ -0,0 +1,11 @@
+# Elastio Asset Account Stack
+
+Elastio Asset Account stack creates IAM roles to link the AWS account with the Elastio Connector. This allows the Elastio Connector to scan the assets available in the account where the Elastio Asset Account stack is deployed.
+
+There are several ways to deploy the Elastio Asset Account stack, that we'll review below.
+
+## AWS CloudFormation StackSet
+
+You can generate the CloudFormation template link for your Elastio Asset Account using the Elastio Portal UI and then deploy it via a CloudFormation StackSet either manually, or using the Elastio official Terraform wrapper module for this.
+
+See the [`terraform/stack-set`](./terraform/stack-set) to get started.

asset-account/terraform/stack-set/README.md

@@ -0,0 +1,7 @@
+# Elastio Asset Account CloudFormation StackSet
+
+This is a Terraform module, that is a thin wrapper on top of an [`aws_cloudformation_stack_set`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) and [`aws_cloudformation_stack_instances`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_instances) resources used to deploy the Elastio Asset Account stack.
+
+It creates IAM roles to link the AWS accounts with the Elastio Connector. This allows the Elastio Connector to scan the assets available in the account where the Elastio Asset Account stack instances are deployed.
+
+See the `examples` directory for some examples of how this module can be used.

asset-account/terraform/stack-set/examples/self-managed/.terraform.lock.hcl

@@ -0,0 +1,7 @@
+# Self-Managed StackSet Example
+
+This is a basic example of using the `elastio-asset-account-stack-set` terraform module with the self-managed AWS Cloudformation StackSet.
+
+You can deploy it even within a single account. Just specify the `template_url` input variable at minimum.
+
+You can specify the `admin_account_aws_profile` and `asset_account_aws_profile` to use separate Admin and Asset accounts. If you don't specify them, then the default AWS account configured in your environment will be used as both the Admin and the Asset account.

asset-account/terraform/stack-set/examples/self-managed/README.md

@@ -0,0 +1,68 @@
+module "elastio_asset_accounts" {
+  # Use the link from the real terraform registry here. Relative path is used for testing purposes.
+  source = "../../"
+  providers = {
+    aws = aws.admin
+  }
+
+  # Needs to be deployed only after the execution role in the asset account is created
+  depends_on = [aws_iam_role.execution]
+
+  template_url = var.template_url
+
+  # we are deploying just into a single asset account in this example
+  accounts     = [local.asset_account_id]
+
+  stack_set = {
+    administration_role_arn = aws_iam_role.admin.arn
+  }
+}
+
+# Admin role, that StackSets will use to access the asset accounts to deploy the stacks
+resource "aws_iam_role" "admin" {
+  provider = aws.admin
+
+  assume_role_policy = data.aws_iam_policy_document.admin_trust.json
+  name               = "AWSCloudFormationStackSetAdministrationRole"
+}
+
+data "aws_iam_policy_document" "admin_trust" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+
+    principals {
+      identifiers = ["cloudformation.amazonaws.com"]
+      type        = "Service"
+    }
+
+    # Conditions to prevent the confused deputy attack
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [local.admin_account_id]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:SourceArn"
+      values   = ["arn:aws:cloudformation:*:${local.admin_account_id}:stackset/*"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "admin_execution" {
+  statement {
+    actions   = ["sts:AssumeRole"]
+    effect    = "Allow"
+    resources = ["arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"]
+  }
+}
+
+resource "aws_iam_role_policy" "admin_execution" {
+  provider = aws.admin
+
+  name   = "AssumeExecutionRole"
+  policy = data.aws_iam_policy_document.admin_execution.json
+  role   = aws_iam_role.admin.name
+}

asset-account/terraform/stack-set/examples/self-managed/admin.tf

@@ -0,0 +1,35 @@
+resource "aws_iam_role" "execution" {
+  provider = aws.asset
+
+  name               = "AWSCloudFormationStackSetExecutionRole"
+  assume_role_policy = data.aws_iam_policy_document.execution_trust.json
+}
+
+data "aws_iam_policy_document" "execution_trust" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+
+    principals {
+      identifiers = [aws_iam_role.admin.arn]
+      type        = "AWS"
+    }
+  }
+}
+
+# Specifies the set of permissions required for the deployment of the Cloudfomation stack
+data "aws_iam_policy_document" "execution_deployment" {
+  statement {
+    actions   = ["*"]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_role_policy" "execution_deployment" {
+  provider = aws.asset
+
+  name   = "Deployment"
+  policy = data.aws_iam_policy_document.execution_deployment.json
+  role   = aws_iam_role.execution.name
+}

asset-account/terraform/stack-set/examples/self-managed/asset.tf

@@ -0,0 +1,22 @@
+provider "aws" {
+  alias   = "admin"
+  profile = var.admin_account_aws_profile
+}
+
+provider "aws" {
+  alias   = "asset"
+  profile = var.asset_account_aws_profile
+}
+
+data "aws_caller_identity" "admin" {
+  provider = aws.admin
+}
+
+data "aws_caller_identity" "asset" {
+  provider = aws.asset
+}
+
+locals {
+  admin_account_id = data.aws_caller_identity.admin.account_id
+  asset_account_id = data.aws_caller_identity.asset.account_id
+}

asset-account/terraform/stack-set/examples/self-managed/providers.tf

@@ -0,0 +1,23 @@
+variable "template_url" {
+  description = <<-DESCR
+    The URL of the Elastio Asset Account CloudFormation template obtained from
+    the Elastio Portal.
+
+    This parameter is sensitive, because anyone who knows this URL can deploy
+    Elastio Account stack and linking it to your Elastio tenant.
+  DESCR
+
+  sensitive = true
+  type      = string
+  nullable  = false
+}
+
+variable "admin_account_aws_profile" {
+  type    = string
+  default = null
+}
+
+variable "asset_account_aws_profile" {
+  type    = string
+  default = null
+}