From 9791f506cb52283cc17c57de81a8364b90af280c Mon Sep 17 00:00:00 2001 From: Miguel Pais Date: Thu, 6 Feb 2025 16:23:16 +0100 Subject: [PATCH 1/5] Fixing CFT for Managament Account for Workload Scanning --- modules/vm_workload_scanning.cft.yaml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/modules/vm_workload_scanning.cft.yaml b/modules/vm_workload_scanning.cft.yaml index cc4a49d..fe2cf68 100644 --- a/modules/vm_workload_scanning.cft.yaml +++ b/modules/vm_workload_scanning.cft.yaml @@ -73,11 +73,15 @@ Conditions: - Fn::Equals: - Ref: LambdaScanningEnabled - 'true' + IsLambdaEnabled: + Fn::And: + - Fn::Equals: + - Ref: LambdaScanningEnabled + - 'true' Resources: ScanningRole: Type: AWS::IAM::Role - Condition: IsNotOrganizational Properties: RoleName: !Sub sysdig-vm-workload-scanning-${NameSuffix} AssumeRolePolicyDocument: @@ -94,7 +98,6 @@ Resources: Ref: ExternalID ECRPolicy: Type: AWS::IAM::Policy - Condition: IsNotOrganizational Properties: PolicyName: !Sub sysdig-vm-workload-scanning-${NameSuffix}-ecr Roles: @@ -112,7 +115,7 @@ Resources: Resource: '*' LambdaPolicy: Type: AWS::IAM::Policy - Condition: IsNotOrganizationalAndLambdaEnabled + Condition: IsLambdaEnabled Properties: PolicyName: !Sub sysdig-vm-workload-scanning-${NameSuffix}-lambda Roles: From c879270ff4a91952fdd69fbf979451991c5df923 Mon Sep 17 00:00:00 2001 From: Miguel Pais Date: Thu, 6 Feb 2025 17:41:45 +0100 Subject: [PATCH 2/5] Unused condition --- modules/vm_workload_scanning.cft.yaml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/modules/vm_workload_scanning.cft.yaml b/modules/vm_workload_scanning.cft.yaml index fe2cf68..17c8abd 100644 --- a/modules/vm_workload_scanning.cft.yaml +++ b/modules/vm_workload_scanning.cft.yaml 
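Review bot: The new `IsLambdaEnabled` condition in the first hunk wraps a single `Fn::Equals` in `Fn::And`, which CloudFormation rejects because `Fn::And` requires at least two operands; PATCH 3/5 and 4/5 of this series repair it, so squashing them into this commit would keep every commit in the series deployable. Dropping `Condition: IsNotOrganizational` from `ScanningRole` here, and from `ECRPolicy` in the second hunk, makes both resources unconditional — including in the management account of an organizational deployment, which appears to be the intent of the subject line — so the `ExternalID` check in `AssumeRolePolicyDocument` becomes the only thing gating who can assume the role in that account. Consider recording that on the resource, e.g. `# Provisioned in every account, including the organization management account; assumption is gated only by the ExternalID in the trust policy below`. The `AssumeRolePolicyDocument` and the ECR/Lambda policy statements continue outside these hunks.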
@@ -65,14 +65,6 @@ Conditions: Fn::Equals: - Ref: IsOrganizational - 'false' - IsNotOrganizationalAndLambdaEnabled: - Fn::And: - - Fn::Equals: - - Ref: IsOrganizational - - 'false' - - Fn::Equals: - - Ref: LambdaScanningEnabled - - 'true' IsLambdaEnabled: Fn::And: - Fn::Equals: From 3ee7bf8cb9364a99f9fd2994e38698d65002c187 Mon Sep 17 00:00:00 2001 From: Miguel Pais Date: Thu, 6 Feb 2025 17:43:34 +0100 Subject: [PATCH 3/5] Unused condition --- modules/vm_workload_scanning.cft.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/modules/vm_workload_scanning.cft.yaml b/modules/vm_workload_scanning.cft.yaml index 17c8abd..60bad4a 100644 --- a/modules/vm_workload_scanning.cft.yaml +++ b/modules/vm_workload_scanning.cft.yaml @@ -66,10 +66,9 @@ Conditions: - Ref: IsOrganizational - 'false' IsLambdaEnabled: - Fn::And: - - Fn::Equals: - - Ref: LambdaScanningEnabled - - 'true' + - Fn::Equals: + - Ref: LambdaScanningEnabled + - 'true' Resources: ScanningRole: From 9555d7dda0150e06bf3c96da150ab1bfe1fd9144 Mon Sep 17 00:00:00 2001 From: Miguel Pais Date: Thu, 6 Feb 2025 17:45:02 +0100 Subject: [PATCH 4/5] Unused condition --- modules/vm_workload_scanning.cft.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/vm_workload_scanning.cft.yaml b/modules/vm_workload_scanning.cft.yaml index 60bad4a..350fc6d 100644 --- a/modules/vm_workload_scanning.cft.yaml +++ b/modules/vm_workload_scanning.cft.yaml @@ -66,7 +66,7 @@ Conditions: - Ref: IsOrganizational - 'false' IsLambdaEnabled: - - Fn::Equals: + Fn::Equals: - Ref: LambdaScanningEnabled - 'true' From 3243d8e50f3b5c627a4939853793d61f30d421af Mon Sep 17 00:00:00 2001 From: Miguel Pais Date: Thu, 6 Feb 2025 17:46:16 +0100 Subject: [PATCH 5/5] Is not organizational not used --- modules/vm_workload_scanning.cft.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/modules/vm_workload_scanning.cft.yaml b/modules/vm_workload_scanning.cft.yaml index 350fc6d..53e57e2 100644 
--- a/modules/vm_workload_scanning.cft.yaml +++ b/modules/vm_workload_scanning.cft.yaml @@ -61,10 +61,6 @@ Conditions: Fn::Equals: - Ref: IsOrganizational - 'true' - IsNotOrganizational: - Fn::Equals: - - Ref: IsOrganizational - - 'false' IsLambdaEnabled: Fn::Equals: - Ref: LambdaScanningEnabled