add cloudformation templates to create the eks service account roles

cloudformation/self-hosted/eks-iam-roles/organization-eks-iam-role/deepfence-cloud-scanner-organization-iam-role.template

@@ -0,0 +1,53 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description:  Deepfence Cloud Scanner IAM role for Organization Deployment
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+    - Label:
+        default: Configuration
+      Parameters:
+      - TaskIAMRole
+      - ParentStackName
+      - CloudScannerAccountId
+    ParameterLabels:
+      TaskIAMRole:
+        default: If SecurityAudit role is chosen, cloud scanner may not find configuration issues in some of the AWS resources like WAF. Also updates will happen only once every day.
+      ParentStackName:
+        default: Parent Stack Name
+      CloudScannerAccountId:
+        default: aws account where cloud scanner is deployed
+Parameters:
+  TaskIAMRole:
+    Type: String
+    Description: Task Role
+    Default: arn:aws:iam::aws:policy/SecurityAudit
+    AllowedValues:
+    - arn:aws:iam::aws:policy/SecurityAudit
+    - arn:aws:iam::aws:policy/ReadOnlyAccess
+  ParentStackName:
+    Type: String
+  CloudScannerAccountId:
+    Type: String
+Resources:
+  ReadOnlyRole:
+    Type: AWS::IAM::Role
+    Properties:
+      Path: /
+      RoleName: !Ref ParentStackName
+      AssumeRolePolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": "arn:aws:iam::${CloudScannerAccountId}:role/${ParentStackName}"
+              },
+              "Action": "sts:AssumeRole"
+            }
+          ]
+        }
+      MaxSessionDuration: 3600
+      ManagedPolicyArns:
+      - !Ref TaskIAMRole
+      Description: Provide AssumeRole permission to Deepfence Managed Cloud Scanner

cloudformation/self-hosted/eks-iam-roles/organization-eks-iam-role/deepfence-cloud-scanner-organization-stackset-iam-role.template

@@ -0,0 +1,128 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Deepfence Cloud Scanner StackSet and EKS IAM role for Organization Deployment
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+    - Label:
+        default: Configuration
+      Parameters:
+      - TaskIAMRole
+      - OrganizationalUnitIds
+    ParameterLabels:
+      EKSClusterName:
+        default: EKS cluster where cloud-scanner will be deployed
+      EKSClusterOIDCURL:
+        default: The OpenID Connect URL without protocol (the "https://" prefix)
+      K8sNamespace:
+        default: k8s namespace for the cloud-scanner
+      K8sServiceAccountName:
+        default: k8s service account for the cloud-scanner
+      TaskIAMRole:
+        default: If SecurityAudit role is chosen, cloud scanner may not find configuration issues in some of the AWS resources like WAF. Also updates will happen only once every day.
+      OrganizationalUnitIds:
+        default: List of Organizational Unit IDs to deploy the StackSet (IAM Roles)
+Parameters:
+  EKSClusterName:
+    Type: String
+  EKSClusterOIDCURL:
+    Type: String
+    Description: The OpenID Connect URL without protocol (the "https://" prefix)
+  K8sNamespace:
+    Type: String
+    Default: deepfence
+  K8sServiceAccountName:
+    Type: String
+    Default: deepfence-cloud-scanner
+  TaskIAMRole:
+    Type: String
+    Description: Task Role
+    Default: arn:aws:iam::aws:policy/SecurityAudit
+    AllowedValues:
+    - arn:aws:iam::aws:policy/SecurityAudit
+    - arn:aws:iam::aws:policy/ReadOnlyAccess
+  OrganizationalUnitIds:
+    Type: List<String>
+    Description: Organizational Unit IDs
+Resources:
+  ReadOnlyRole:
+    Type: AWS::IAM::Role
+    Properties:
+      Path: /
+      RoleName: !Ref 'AWS::StackName'
+      AssumeRolePolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Principal": {
+                "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/${EKSClusterOIDCURL}"
+              },
+              "Action": "sts:AssumeRoleWithWebIdentity",
+              "Condition": {
+                "StringEquals": {
+                  "${EKSClusterOIDCURL}:sub": "system:serviceaccount:${K8sNamespace}:${K8sServiceAccountName}",
+                  "${EKSClusterOIDCURL}:aud": "sts.amazonaws.com"
+                }
+              }
+            }
+          ]
+        }
+      MaxSessionDuration: 3600
+      ManagedPolicyArns:
+      - !Ref TaskIAMRole
+      - arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess
+      Policies:
+      - PolicyName: !Sub "${AWS::StackName}-AllowAssumeRoleInChildAccounts"
+        PolicyDocument: !Sub |
+          {
+            "Version": "2012-10-17",
+            "Statement": [
+              {
+                "Effect": "Allow",
+                "Resource": ["arn:aws:iam::*:role/${AWS::StackName}"],
+                "Action": "sts:AssumeRole"
+              }
+            ]
+          }
+      Description: Provide AssumeRole permission to Deepfence Cloud Scanner on child accounts
+  StackSet:
+    Type: AWS::CloudFormation::StackSet
+    Properties:
+      Description: 'Deploy IAM role across accounts in the Organization to provide permission to Cloud Scanner'
+      AutoDeployment:
+        Enabled: true
+        RetainStacksOnAccountRemoval: false
+      Capabilities:
+      - CAPABILITY_NAMED_IAM
+      ManagedExecution:
+        Active: true
+      OperationPreferences:
+        FailureToleranceCount: 99
+        MaxConcurrentCount: 100
+        RegionConcurrencyType: PARALLEL
+      Parameters:
+      - ParameterKey: TaskIAMRole
+        ParameterValue: !Ref TaskIAMRole
+      - ParameterKey: ParentStackName
+        ParameterValue: !Ref 'AWS::StackName'
+      - ParameterKey: CloudScannerAccountId
+        ParameterValue: !Ref 'AWS::AccountId'
+      PermissionModel: SERVICE_MANAGED
+      StackInstancesGroup:
+      - DeploymentTargets:
+          AccountFilterType: NONE
+          OrganizationalUnitIds: !Ref OrganizationalUnitIds
+        Regions:
+        - !Ref AWS::Region
+      StackSetName: !Ref AWS::StackName
+      TemplateURL: https://deepfence-public.s3.amazonaws.com/cloud-scanner/self-hosted/eks-iam-roles/organization-eks-iam-role/deepfence-cloud-scanner-organization-iam-role.template
+Outputs:
+  EKSClusterName:
+    Value: !Ref EKSClusterName
+  K8sNamespace:
+    Value: !Ref K8sNamespace
+  K8sServiceAccountName:
+    Value: !Ref K8sServiceAccountName
+  ReadOnlyRoleIAMRoleARN:
+    Value: !GetAtt ReadOnlyRole.Arn

cloudformation/self-hosted/eks-iam-roles/single-account-eks-iam-role/deepfence-cloud-scanner-single-account-iam-role.template

@@ -0,0 +1,58 @@
+---
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'Deepfence Cloud Scanner Single account EKS IRSA role'
+Parameters:
+  EKSClusterName:
+    Type: String
+  EKSClusterOIDCURL:
+    Type: String
+    Description: The OpenID Connect URL without protocol (the "https://" prefix)
+  K8sNamespace:
+    Type: String
+    Default: deepfence
+  K8sServiceAccountName:
+    Type: String
+    Default: deepfence-cloud-scanner
+  TaskIAMRole:
+    Type: String
+    Description: Task Role
+    Default: arn:aws:iam::aws:policy/SecurityAudit
+    AllowedValues:
+    - arn:aws:iam::aws:policy/SecurityAudit
+    - arn:aws:iam::aws:policy/ReadOnlyAccess
+Resources:
+  ReadOnlyRole:
+    Type: AWS::IAM::Role
+    Properties:
+      Path: "/"
+      RoleName: !Sub "${AWS::StackName}-cloud-scanner-role"
+      ManagedPolicyArns:
+        - !Ref TaskIAMRole
+      AssumeRolePolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Principal": {
+                "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/${EKSClusterOIDCURL}"
+              },
+              "Action": "sts:AssumeRoleWithWebIdentity",
+              "Condition": {
+                "StringEquals": {
+                  "${EKSClusterOIDCURL}:sub": "system:serviceaccount:${K8sNamespace}:${K8sServiceAccountName}",
+                  "${EKSClusterOIDCURL}:aud": "sts.amazonaws.com"
+                }
+              }
+            }
+          ]
+        }
+Outputs:
+  EKSClusterName:
+    Value: !Ref EKSClusterName
+  K8sNamespace:
+    Value: !Ref K8sNamespace
+  K8sServiceAccountName:
+    Value: !Ref K8sServiceAccountName
+  ReadOnlyRoleIAMRoleARN:
+    Value: !GetAtt ReadOnlyRole.Arn

helm-chart/README.md

@@ -3,9 +3,10 @@
 ### Single Account Cloud Scanner on EKS cluster using IAM roles for service accounts
 
 1. **Prerequsite:** associate oidc provider with the EKS cluster where cloud scanner is installed ([aws docs](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html))
-2. Create the EKS IRSA role using the terrafrom script [terraform/self-hosted/single-account-eks-iam-role](terraform/self-hosted/single-account-eks-iam-role)
-3. Note *namespace*, *service account name* and *iam role arn* from the terrafrom output
-4. Update the deepfence-cloud-scanner helm chart values with deepfence key and console url, add service account annotation and service account name
+2. Create the EKS IRSA role using the terrafrom script [cloudformation/self-hosted/eks-iam-roles/single-account-eks-iam-role](cloudformation/self-hosted/eks-iam-roles/single-account-eks-iam-role)
+3. Or create the EKS IRSA role using the cloudformation template [cloudformation/self-hosted/eks-iam-roles/single-account-eks-iam-role/deepfence-cloud-scanner-single-account-iam-role.template](cloudformation/self-hosted/eks-iam-roles/single-account-eks-iam-role/deepfence-cloud-scanner-single-account-iam-role.template)
+4. Note *namespace*, *service account name* and *iam role arn* from the terrafrom or cloudformation output
+5. Update the deepfence-cloud-scanner helm chart values with deepfence key and console url, add service account annotation and service account name
     ```yaml
     serviceAccount:
       # Specifies whether a service account should be created
@@ -14,9 +15,30 @@
       automount: true
       # Annotations to add to the service account
       annotations: 
-        "eks.amazonaws.com/role-arn": "arn:aws:iam::123456789:role/test1-cloud-scanner"
+        "eks.amazonaws.com/role-arn": "arn:aws:iam::123456789:role/test-cloud-scanner"
       # The name of the service account to use.
       # If not set and create is true, a name is generated using the fullname template
       name: "deepfence-cloud-scanner"
     ```
-5. Install the helm chart in the same *namespace* from Step 3.
+6. Install the helm chart in the same *namespace* from Step 3.
+
+### Organization Account Cloud Scanner on EKS cluster using IAM roles for service accounts
+
+1. **Prerequsite:** associate oidc provider with the EKS cluster where cloud scanner is installed ([aws docs](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html))
+2. Create the EKS IRSA role using the cloudformation template [cloudformation/self-hosted/eks-iam-roles/organization-eks-iam-role/deepfence-cloud-scanner-organization-stackset-iam-role.template](cloudformation/self-hosted/eks-iam-roles/organization-eks-iam-role/deepfence-cloud-scanner-organization-stackset-iam-role.template)
+3. Note *namespace*, *service account name* and *iam role arn* from the cloudformation output
+4. Update the deepfence-cloud-scanner helm chart values with deepfence key and console url along with org details, add service account annotation and service account name
+    ```yaml
+    serviceAccount:
+      # Specifies whether a service account should be created
+      create: true
+      # Automatically mount a ServiceAccount's API credentials?
+      automount: true
+      # Annotations to add to the service account
+      annotations: 
+        "eks.amazonaws.com/role-arn": "arn:aws:iam::123456789:role/test-cloud-scanner"
+      # The name of the service account to use.
+      # If not set and create is true, a name is generated using the fullname template
+      name: "deepfence-cloud-scanner"
+    ```
+6. Install the helm chart in the same *namespace* from Step 3.