revert templates changes

Author: lorenzo-merici

templates_cloudlogs/CloudLogs.yaml

@@ -1,8 +1,8 @@
 AWSTemplateFormatVersion: "2010-09-09"
 Description: >
-  CloudFormation template for provisioning the necessary resources for the
-  `cloud-logs` component. This includes IAM roles, policies, and optional SNS
-  topic and subscription for CloudTrail notifications.
+  CloudFormation single template for provisioning
+  the necessary resources for the `cloud-logs`
+  component.
 
 Metadata:
   AWS::CloudFormation::Interface:
@@ -14,9 +14,6 @@ Metadata:
           - ExternalID
           - TrustedIdentity
           - BucketARN
-          - CreateTopic
-          - TopicARN
-          - Endpoint
 
     ParameterLabels:
       CloudLogsRoleName:
@@ -27,50 +24,22 @@ Metadata:
         default: "Trusted Identity (Sysdig use only)"
       BucketARN:
         default: "Bucket ARN"
-      CreateTopic:
-        default: "Create SNS Topic"
-      TopicARN:
-        default: "SNS Topic ARN"
-      Endpoint:
-        default: "Sysdig Secure endpoint"
 
 Parameters:
   CloudLogsRoleName:
     Type: String
-    Description: The name of the IAM Role that will enable access to the CloudTrail logs.
-
+    Description: The name of the IAM Role that will enable access to the Cloudtrail logs.
   ExternalID:
     Type: String
     Description: Random string generated unique to a customer.
-
   TrustedIdentity:
     Type: String
-    Description: The name of Sysdig's trusted identity.
-
+    Description: The name of Sysdig trusted identity.
   BucketARN:
     Type: String
-    Description: The ARN of your S3 bucket associated with your CloudTrail trail.
-
-  CreateTopic:
-    Type: String
-    AllowedValues:
-      - "true"
-      - "false"
-    Default: "false"
-    Description: "Whether to create a new SNS Topic for CloudTrail notifications."
-
-  TopicARN:
-    Type: String
-    Default: ""
-    Description: "The ARN of an existing SNS Topic. If CreateTopic is true, this will be used as the name of the new topic."
-
-  Endpoint:
-    Type: String
-    Default: ""
-    Description: "Sysdig Secure endpoint to receive CloudTrail notifications."
+    Description: The ARN of your s3 bucket associated with your Cloudtrail trail.
 
 Resources:
-  # IAM Role
   CloudLogsRole:
     Type: "AWS::IAM::Role"
     Properties:
@@ -86,8 +55,6 @@ Resources:
             Condition:
               StringEquals:
                 "sts:ExternalId": !Ref ExternalID
-
-  # IAM Policy
   CloudLogsRolePolicies:
     Type: "AWS::IAM::Policy"
     Properties:
@@ -110,45 +77,4 @@ Resources:
               - !Sub '${BucketARN}'
               - !Sub '${BucketARN}/*'
       Roles:
-        - !Ref CloudLogsRole
-
-  CloudTrailNotificationsTopic:
-    Condition: CreateSNSTopic
-    Type: "AWS::SNS::Topic"
-    Properties:
-      TopicName: !Select [ 5, !Split [ ":", !Ref TopicARN ] ]
-
-  CloudTrailNotificationsSubscription:
-    Type: "AWS::SNS::Subscription"
-    Properties:
-      TopicArn: !If [ CreateSNSTopic, !Ref CloudTrailNotificationsTopic, !Ref TopicARN ]
-      Protocol: "https"
-      Endpoint: !Ref Endpoint
-
-  CloudTrailNotificationsPolicy:
-    Condition: CreateSNSTopic
-    Type: "AWS::SNS::TopicPolicy"
-    Properties:
-      Topics:
-        - !Ref CloudTrailNotificationsTopic
-      PolicyDocument:
-        Version: "2012-10-17"
-        Statement:
-          - Sid: "AllowCloudTrailPublish"
-            Effect: "Allow"
-            Principal:
-              Service: "cloudtrail.amazonaws.com"
-            Action: "SNS:Publish"
-            Resource: !Ref CloudTrailNotificationsTopic
-
-Conditions:
-  CreateSNSTopic: !Equals [!Ref CreateTopic, "true"]
-
-Outputs:
-  RoleARN:
-    Description: "The ARN of the IAM Role created for CloudTrail logs."
-    Value: !GetAtt CloudLogsRole.Arn
-
-  TopicARN:
-    Description: "The ARN of the SNS Topic created for CloudTrail notifications."
-    Value: !If [CreateSNSTopic, !Ref CloudTrailNotificationsTopic, !Ref TopicARN]
+        - Ref: "CloudLogsRole"

templates_cloudlogs/OrgCloudLogs.yaml

@@ -1,7 +1,9 @@
 AWSTemplateFormatVersion: "2010-09-09"
 Description: >
   CloudFormation organizational template for provisioning
-  the necessary resources for the `cloud-logs` component and the read-only role required to interact with the target organizational environment.
+  the necessary resources for the `cloud-logs`
+  component and the read-only role required to itneract with
+  the target organizational environment.
 
 Metadata:
   AWS::CloudFormation::Interface:
@@ -14,9 +16,6 @@ Metadata:
           - ExternalID
           - TrustedIdentity
           - BucketARN
-          - CreateTopic
-          - TopicARN
-          - Endpoint
 
     ParameterLabels:
       CSPMRoleName:
@@ -29,44 +28,23 @@ Metadata:
         default: "Trusted Identity (Sysdig use only)"
       BucketARN:
         default: "Bucket ARN"
-      CreateTopic:
-        default: "Create SNS Topic"
-      TopicARN:
-        default: "SNS Topic ARN"
-      Endpoint:
-        default: "Sysdig Secure endpoint"
 
 Parameters:
   CSPMRoleName:
     Type: String
     Description: The name of the read-only IAM Role that Sysdig will use to interact with the target environment
   CloudLogsRoleName:
     Type: String
-    Description: The name of the IAM Role that will enable access to the CloudTrail logs.
+    Description: The name of the IAM Role that will enable access to the Cloudtrail logs.
   ExternalID:
     Type: String
     Description: Random string generated unique to a customer.
   TrustedIdentity:
     Type: String
-    Description: The name of Sysdig's trusted identity.
+    Description: The name of Sysdig trusted identity.
   BucketARN:
     Type: String
-    Description: The ARN of your S3 bucket associated with your CloudTrail trail.
-  CreateTopic:
-    Type: String
-    AllowedValues:
-      - "true"
-      - "false"
-    Default: "false"
-    Description: "Whether to create a new SNS Topic for CloudTrail notifications."
-  TopicARN:
-    Type: String
-    Default: ""
-    Description: "The ARN of an existing SNS Topic. If CreateTopic is true, this will be used as the name of the new topic."
-  Endpoint:
-    Type: String
-    Default: ""
-    Description: "Sysdig Secure endpoint to receive CloudTrail notifications."
+    Description: The ARN of your s3 bucket associated with your Cloudtrail trail.
 
 Resources:
   CloudLogsRole:
@@ -84,7 +62,6 @@ Resources:
             Condition:
               StringEquals:
                 "sts:ExternalId": !Ref ExternalID
-
   CloudLogsRolePolicies:
     Type: "AWS::IAM::Policy"
     Properties:
@@ -107,8 +84,7 @@ Resources:
               - !Sub '${BucketARN}'
               - !Sub '${BucketARN}/*'
       Roles:
-        - !Ref CloudLogsRole
-
+        - Ref: "CloudLogsRole"
   CloudAgentlessRole:
     Type: "AWS::IAM::Role"
     Properties:
@@ -125,44 +101,3 @@ Resources:
                 sts:ExternalId: !Ref ExternalID
       ManagedPolicyArns:
         - arn:aws:iam::aws:policy/SecurityAudit
-
-  CloudTrailNotificationsTopic:
-    Condition: CreateSNSTopic
-    Type: "AWS::SNS::Topic"
-    Properties:
-      TopicName: !Select [ 5, !Split [ ":", !Ref TopicARN ] ]
-
-  CloudTrailNotificationsSubscription:
-    Type: "AWS::SNS::Subscription"
-    Properties:
-      TopicArn: !If [ CreateSNSTopic, !Ref CloudTrailNotificationsTopic, !Ref TopicARN ]
-      Protocol: "https"
-      Endpoint: !Ref Endpoint
-
-  CloudTrailNotificationsPolicy:
-    Condition: CreateSNSTopic
-    Type: "AWS::SNS::TopicPolicy"
-    Properties:
-      Topics:
-        - !Ref CloudTrailNotificationsTopic
-      PolicyDocument:
-        Version: "2012-10-17"
-        Statement:
-          - Sid: "AllowCloudTrailPublish"
-            Effect: "Allow"
-            Principal:
-              Service: "cloudtrail.amazonaws.com"
-            Action: "SNS:Publish"
-            Resource: !Ref CloudTrailNotificationsTopic
-
-Conditions:
-  CreateSNSTopic: !Equals [!Ref CreateTopic, "true"]
-
-Outputs:
-  RoleARN:
-    Description: "The ARN of the IAM Role created for CloudTrail logs."
-    Value: !GetAtt CloudLogsRole.Arn
-
-  TopicARN:
-    Description: "The ARN of the SNS Topic created for CloudTrail notifications."
-    Value: !If [CreateSNSTopic, !Ref CloudTrailNotificationsTopic, !Ref TopicARN]

templates_cspm_cloudlogs/FullInstall.yaml

@@ -12,9 +12,6 @@ Metadata:
           - ExternalID
           - TrustedIdentity
           - BucketARN
-          - CreateTopic
-          - TopicARN
-          - Endpoint
 
     ParameterLabels:
       CSPMRoleName:
@@ -27,51 +24,23 @@ Metadata:
         default: "Trusted Identity (Sysdig use only)"
       BucketARN:
         default: "Bucket ARN"
-      CreateTopic:
-        default: "Create SNS Topic"
-      TopicARN:
-        default: "SNS Topic ARN"
-      Endpoint:
-        default: "Sysdig Secure endpoint"
 
 Parameters:
   CSPMRoleName:
     Type: String
     Description: The read-only IAM Role that Sysdig will create
-
   CloudLogsRoleName:
     Type: String
     Description: The name of the IAM Role that will enable access to the Cloudtrail logs.
-
   ExternalID:
     Type: String
     Description: Sysdig ExternalID required for the policy creation
-
   TrustedIdentity:
     Type: String
     Description: The name of Sysdig trusted identity.
-
   BucketARN:
     Type: String
-    Description: The ARN of your S3 bucket associated with your CloudTrail trail.
-
-  CreateTopic:
-    Type: String
-    AllowedValues:
-      - "true"
-      - "false"
-    Default: "false"
-    Description: "Whether to create a new SNS Topic for CloudTrail notifications."
-
-  TopicARN:
-    Type: String
-    Default: ""
-    Description: "The ARN of an existing SNS Topic. If CreateTopic is true, this will be used as the name of the new topic."
-
-  Endpoint:
-    Type: String
-    Default: ""
-    Description: "Sysdig Secure endpoint to receive CloudTrail notifications."
+    Description: The ARN of your s3 bucket associated with your Cloudtrail trail.
 
 Resources:
   CloudAgentlessRole:
@@ -132,8 +101,6 @@ Resources:
             Condition:
               StringEquals:
                 "sts:ExternalId": !Ref ExternalID
-
-  # IAM Policy
   CloudLogsRolePolicies:
     Type: "AWS::IAM::Policy"
     Properties:
@@ -156,45 +123,4 @@ Resources:
               - !Sub '${BucketARN}'
               - !Sub '${BucketARN}/*'
       Roles:
-        - !Ref CloudLogsRole
-
-  CloudTrailNotificationsTopic:
-    Condition: CreateSNSTopic
-    Type: "AWS::SNS::Topic"
-    Properties:
-      TopicName: !Select [ 5, !Split [ ":", !Ref TopicARN ] ]
-
-  CloudTrailNotificationsSubscription:
-    Type: "AWS::SNS::Subscription"
-    Properties:
-      TopicArn: !If [ CreateSNSTopic, !Ref CloudTrailNotificationsTopic, !Ref TopicARN ]
-      Protocol: "https"
-      Endpoint: !Ref Endpoint
-
-  CloudTrailNotificationsPolicy:
-    Condition: CreateSNSTopic
-    Type: "AWS::SNS::TopicPolicy"
-    Properties:
-      Topics:
-        - !Ref CloudTrailNotificationsTopic
-      PolicyDocument:
-        Version: "2012-10-17"
-        Statement:
-          - Sid: "AllowCloudTrailPublish"
-            Effect: "Allow"
-            Principal:
-              Service: "cloudtrail.amazonaws.com"
-            Action: "SNS:Publish"
-            Resource: !Ref CloudTrailNotificationsTopic
-
-Conditions:
-  CreateSNSTopic: !Equals [ !Ref CreateTopic, "true" ]
-
-Outputs:
-  RoleARN:
-    Description: "The ARN of the IAM Role created for CloudTrail logs."
-    Value: !GetAtt CloudLogsRole.Arn
-
-  TopicARN:
-    Description: "The ARN of the SNS Topic created for CloudTrail notifications."
-    Value: !If [ CreateSNSTopic, !Ref CloudTrailNotificationsTopic, !Ref TopicARN ]
+        - Ref: "CloudLogsRole"