From f596db79cf36e7e7c5c3e486377b95c7ec278a20 Mon Sep 17 00:00:00 2001
From: panther-bot
Date: Fri, 28 Jul 2023 20:51:37 +0000
Subject: [PATCH] sync changes from panther-labs/panther-enterprise#14267

---
 cloudformation/panther-deployment-role.yml | 13 +++++++------
 terraform/osquery_firehose/provider.tf | 2 +-
 .../provider.tf | 2 +-
 .../provider.tf | 2 +-
 terraform/panther_cloudsec_iam/provider.tf | 2 +-
 terraform/panther_cloudwatch_events/provider.tf | 2 +-
 terraform/panther_cloudwatch_firehose/provider.tf | 4 ++--
 terraform/panther_deployment_role/main.tf | 10 +++++++---
 terraform/panther_deployment_role/provider.tf | 2 +-
 .../panther_gcs_transport_type_infra/provider.tf | 2 +-
 terraform/panther_log_analysis_iam/provider.tf | 2 +-
 .../provider.tf | 2 +-
 terraform/panther_src_deployment_role/provider.tf | 2 +-
 .../panther_stackset_iam_admin_role/provider.tf | 2 +-
 14 files changed, 27 insertions(+), 22 deletions(-)

diff --git a/cloudformation/panther-deployment-role.yml b/cloudformation/panther-deployment-role.yml
index fd02eee..891e0ab 100644
--- a/cloudformation/panther-deployment-role.yml
+++ b/cloudformation/panther-deployment-role.yml
@@ -32,6 +32,7 @@ Resources:
 Type: AWS::IAM::Role
 Properties:
 RoleName: !If [RoleNameSpecified, !Ref DeploymentRoleName, !Ref AWS::NoValue]
+ Description: IAM role for deploying Panther
 AssumeRolePolicyDocument:
 Version: 2012-10-17
 Statement:
@@ -45,17 +46,16 @@ Resources:
 Condition:
 Bool:
 aws:SecureTransport: true
-
 - Effect: Allow
 Principal:
 AWS: !If
 - OpsAccountSpecified
 - !Sub arn:${AWS::Partition}:iam::${OpsAccountId}:role/PulumiCodeBuild
 - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/PulumiCodeBuild
+ Action: sts:AssumeRole
 Condition:
 Bool:
 aws:SecureTransport: true
-
 - Effect: Allow
 Principal:
 Service: cloudformation.amazonaws.com
@@ -63,7 +63,6 @@ Resources:
 Condition:
 Bool:
 aws:SecureTransport: true
- Description: IAM role for deploying Panther
 Tags:
 - Key: Application
 Value: Panther
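Review bot: The trust statement that receives `Action: sts:AssumeRole` in the `@@ -45,17 +46,16 @@` hunk trusts a role ARN (`role/PulumiCodeBuild`) with no comment saying who holds that role or why there is a same-account fallback; I would put `# Cross-account deployer: the PulumiCodeBuild role in the ops account, or this account's own copy when OpsAccountId is not given` above the `AWS: !If`. Because the principal is a role ARN rather than an account root, IAM stores the role's unique ID behind it, so if that role is ever deleted and recreated this trust entry silently stops matching with no visible change in the template; that is worth a second comment line. The `aws:SecureTransport` condition on an AssumeRole trust adds little in practice, since STS only serves TLS endpoints, so either keep it for symmetry with the other statements or note why it is there. The enclosing AssumeRolePolicyDocument begins before this hunk.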
@@ -146,9 +145,8 @@ Resources:
 - s3:*ReplicationConfiguration
 - s3:CreateAccessPoint
 - s3:PutObject*
- - secretsmanager:CancelRotateSecret
- - secretsmanager:DescribeSecret
- - secretsmanager:RotateSecret
+ - secretsmanager:Describe*
+ - secretsmanager:List*
 - servicequotas:*
 - sns:*
 - sqs:*Permission*
@@ -164,6 +162,9 @@ Resources:
 - wafv2:TagResource
 - wafv2:UpdateRuleGroup
 Resource: '*'
+ - Effect: Allow
+ Action: secretsmanager:*
+ Resource: !Sub arn:${AWS::Partition}:secretsmanager:*:${AWS::AccountId}:secret:panther*
 - Effect: Allow
 Action: firehose:*
 Resource: !Sub arn:${AWS::Partition}:firehose:*:${AWS::AccountId}:deliverystream/*
diff --git a/terraform/osquery_firehose/provider.tf b/terraform/osquery_firehose/provider.tf
index 3d14a88..ee02e5e 100644
--- a/terraform/osquery_firehose/provider.tf
+++ b/terraform/osquery_firehose/provider.tf
@@ -6,7 +6,7 @@
 # rights to access the Panther SaaS, are governed by the Panther Enterprise Subscription Agreement.
 terraform {
- required_version = ">= 1.1.7, < 1.2.0"
+ required_version = ">= 1.1.7, < 2.0.0"
 required_providers {
 aws = {
 source = "hashicorp/aws"
diff --git a/terraform/panther_azure_blob_storage_transport_type_infra/provider.tf b/terraform/panther_azure_blob_storage_transport_type_infra/provider.tf
index 9695cdd..fe618e4 100644
--- a/terraform/panther_azure_blob_storage_transport_type_infra/provider.tf
+++ b/terraform/panther_azure_blob_storage_transport_type_infra/provider.tf
@@ -6,7 +6,7 @@
 # rights to access the Panther SaaS, are governed by the Panther Enterprise Subscription Agreement.
 terraform {
- required_version = ">= 1.1.7, < 1.5"
+ required_version = ">= 1.1.7, < 2.0.0"
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
diff --git a/terraform/panther_cloud_pubsub_transport_type_infra/provider.tf b/terraform/panther_cloud_pubsub_transport_type_infra/provider.tf
index 7b09023..5e11894 100644
--- a/terraform/panther_cloud_pubsub_transport_type_infra/provider.tf
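Review bot: `secretsmanager:Describe*` in the `@@ -146,9 +145,8 @@` hunk is added to the statement whose `Resource` is `'*'`, so the role can read the metadata (name, tags, KMS key, rotation configuration) of every secret in the account, while the new `secretsmanager:*` statement added further down already covers `DescribeSecret` for the `panther*` secrets this role deploys. `secretsmanager:List*` has to stay on `'*'` because `ListSecrets` is not resource-scoped, but `Describe*` looks like it can be dropped from this statement; if the deployer genuinely has to describe secrets outside the `panther` prefix, make that explicit with a comment such as `# List* must be on '*' (ListSecrets is account-wide); Describe* on '*' is needed because <REASON-PLACEHOLDER>`. The same two lines are introduced in the `@@ -118,9 +118,8 @@` hunk of terraform/panther_deployment_role/main.tf. The policy statement these actions belong to starts before this hunk.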
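Review bot: The statement added in the `@@ -164,6 +162,9 @@` hunk grants `secretsmanager:*` — value reads, writes, deletion and `PutResourcePolicy` — on every secret in any region of the account whose name starts with `panther`, and that name prefix is the only boundary: a secret created by some other stack with the same prefix is in scope too, and the match is case-sensitive, so a `Panther-...` secret is not. That is a defensible scope for a deployment role, but it should be stated next to the ARN: `# Name-prefix scoped: any secret named panther* in any region of this account is covered, including ones not created by this deployment`. If the deployment tooling never needs to read secret values, listing the actions it actually uses instead of the wildcard would keep `GetSecretValue` out of a CI-held role. The same statement is added in the `@@ -139,6 +138,11 @@` hunk of terraform/panther_deployment_role/main.tf.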
+++ b/terraform/panther_cloud_pubsub_transport_type_infra/provider.tf
@@ -6,7 +6,7 @@
 # rights to access the Panther SaaS, are governed by the Panther Enterprise Subscription Agreement.
 terraform {
- required_version = ">= 1.1.7, < 1.2.0"
+ required_version = ">= 1.1.7, < 2.0.0"
 required_providers {
 google = {
 source = "hashicorp/google"
diff --git a/terraform/panther_cloudsec_iam/provider.tf b/terraform/panther_cloudsec_iam/provider.tf
index 3d14a88..ee02e5e 100644
--- a/terraform/panther_cloudsec_iam/provider.tf
+++ b/terraform/panther_cloudsec_iam/provider.tf
@@ -6,7 +6,7 @@
 # rights to access the Panther SaaS, are governed by the Panther Enterprise Subscription Agreement.
 terraform {
- required_version = ">= 1.1.7, < 1.2.0"
+ required_version = ">= 1.1.7, < 2.0.0"
 required_providers {
 aws = {
 source = "hashicorp/aws"
diff --git a/terraform/panther_cloudwatch_events/provider.tf b/terraform/panther_cloudwatch_events/provider.tf
index 3d14a88..ee02e5e 100644
--- a/terraform/panther_cloudwatch_events/provider.tf
+++ b/terraform/panther_cloudwatch_events/provider.tf
@@ -6,7 +6,7 @@
 # rights to access the Panther SaaS, are governed by the Panther Enterprise Subscription Agreement.
 terraform {
- required_version = ">= 1.1.7, < 1.2.0"
+ required_version = ">= 1.1.7, < 2.0.0"
 required_providers {
 aws = {
 source = "hashicorp/aws"
diff --git a/terraform/panther_cloudwatch_firehose/provider.tf b/terraform/panther_cloudwatch_firehose/provider.tf
index 3d14a88..b32ce24 100644
--- a/terraform/panther_cloudwatch_firehose/provider.tf
+++ b/terraform/panther_cloudwatch_firehose/provider.tf
@@ -6,11 +6,11 @@
 # rights to access the Panther SaaS, are governed by the Panther Enterprise Subscription Agreement.
 terraform {
- required_version = ">= 1.1.7, < 1.2.0"
+ required_version = ">= 1.1.7, < 2.0.0"
 required_providers {
 aws = {
 source = "hashicorp/aws"
 version = ">= 4.8.0, < 5.0.0"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/terraform/panther_deployment_role/main.tf b/terraform/panther_deployment_role/main.tf
index 91fca0e..31676f4 100644
--- a/terraform/panther_deployment_role/main.tf
+++ b/terraform/panther_deployment_role/main.tf
@@ -118,9 +118,8 @@ resource "aws_iam_policy" "deployment" {
 "s3:*ReplicationConfiguration",
 "s3:CreateAccessPoint",
 "s3:PutObject*",
- "secretsmanager:CancelRotateSecret",
- "secretsmanager:DescribeSecret",
- "secretsmanager:RotateSecret",
+ "secretsmanager:Describe*",
+ "secretsmanager:List*",
 "servicequotas:*",
 "sns:*",
 "sqs:*Permission*",
@@ -139,6 +138,11 @@ resource "aws_iam_policy" "deployment" {
 "Effect": "Allow",
 "Resource": "*"
 },
+ {
+ "Action": "secretsmanager:*",
+ "Effect": "Allow",
+ "Resource": "arn:${var.aws_partition}:secretsmanager:*:${var.aws_account_id}:secret:panther*"
+ },
 {
 "Action": "firehose:*",
 "Effect": "Allow",
diff --git a/terraform/panther_deployment_role/provider.tf b/terraform/panther_deployment_role/provider.tf
index 3d14a88..ee02e5e 100644
--- a/terraform/panther_deployment_role/provider.tf
+++ b/terraform/panther_deployment_role/provider.tf
@@ -6,7 +6,7 @@
 # rights to access the Panther SaaS, are governed by the Panther Enterprise Subscription Agreement.
 terraform {
- required_version = ">= 1.1.7, < 1.2.0"
+ required_version = ">= 1.1.7, < 2.0.0"
 required_providers {
 aws = {
 source = "hashicorp/aws"
diff --git a/terraform/panther_gcs_transport_type_infra/provider.tf b/terraform/panther_gcs_transport_type_infra/provider.tf
index 7b09023..5e11894 100644
--- a/terraform/panther_gcs_transport_type_infra/provider.tf
+++ b/terraform/panther_gcs_transport_type_infra/provider.tf
@@ -6,7 +6,7 @@
 # rights to access the Panther SaaS, are governed by the Panther Enterprise Subscription Agreement.
 terraform {
- required_version = ">= 1.1.7, < 1.2.0"
+ required_version = ">= 1.1.7, < 2.0.0"
 required_providers {
 google = {
 source = "hashicorp/google"
diff --git a/terraform/panther_log_analysis_iam/provider.tf b/terraform/panther_log_analysis_iam/provider.tf
index 3d14a88..ee02e5e 100644
--- a/terraform/panther_log_analysis_iam/provider.tf
+++ b/terraform/panther_log_analysis_iam/provider.tf
@@ -6,7 +6,7 @@
 # rights to access the Panther SaaS, are governed by the Panther Enterprise Subscription Agreement.
 terraform {
- required_version = ">= 1.1.7, < 1.2.0"
+ required_version = ">= 1.1.7, < 2.0.0"
 required_providers {
 aws = {
 source = "hashicorp/aws"
diff --git a/terraform/panther_log_processing_notifications/provider.tf b/terraform/panther_log_processing_notifications/provider.tf
index 3d14a88..ee02e5e 100644
--- a/terraform/panther_log_processing_notifications/provider.tf
+++ b/terraform/panther_log_processing_notifications/provider.tf
@@ -6,7 +6,7 @@
 # rights to access the Panther SaaS, are governed by the Panther Enterprise Subscription Agreement.
 terraform {
- required_version = ">= 1.1.7, < 1.2.0"
+ required_version = ">= 1.1.7, < 2.0.0"
 required_providers {
 aws = {
 source = "hashicorp/aws"
diff --git a/terraform/panther_src_deployment_role/provider.tf b/terraform/panther_src_deployment_role/provider.tf
index 3d14a88..ee02e5e 100644
--- a/terraform/panther_src_deployment_role/provider.tf
+++ b/terraform/panther_src_deployment_role/provider.tf
@@ -6,7 +6,7 @@
 # rights to access the Panther SaaS, are governed by the Panther Enterprise Subscription Agreement.
 terraform {
- required_version = ">= 1.1.7, < 1.2.0"
+ required_version = ">= 1.1.7, < 2.0.0"
 required_providers {
 aws = {
 source = "hashicorp/aws"
diff --git a/terraform/panther_stackset_iam_admin_role/provider.tf b/terraform/panther_stackset_iam_admin_role/provider.tf
index 3d14a88..ee02e5e 100644
--- a/terraform/panther_stackset_iam_admin_role/provider.tf
+++ b/terraform/panther_stackset_iam_admin_role/provider.tf
@@ -6,7 +6,7 @@
 # rights to access the Panther SaaS, are governed by the Panther Enterprise Subscription Agreement.
 terraform {
- required_version = ">= 1.1.7, < 1.2.0"
+ required_version = ">= 1.1.7, < 2.0.0"
 required_providers {
 aws = {
 source = "hashicorp/aws"