Add validation to parameters in cloudwatch-metrics integration policy (…

…#157) * Add validation to ExternalIdSecret and CustomAccountId * rename CustomerAccountId to CustomAccountId * update ExternalId to be in formate ExternalIdSecret@company_id * fix typos in readme * update CustomAccountId description, and fix typos in template * Minor tweaks after conflict resolution' * Changes afer review * Fix after actually testing it --------- Co-authored-by: Zdenek Hrebicek <[email protected]>
coralogix · Jan 22, 2025 · 1add7c9 · 1add7c9
1 parent 6ba6586
commit 1add7c9
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 15 deletions.
diff --git a/coralogix-policies/coralogix-metrics-integration-policy/CHANGELOG.md b/coralogix-policies/coralogix-metrics-integration-policy/CHANGELOG.md
@@ -2,6 +2,16 @@
 
 ## AwsMetrics
 
+### 22.1.2025 - Breaking changes to be able to tie role to specific company
+
+- Add validation to `ExternalIdSecret`, must be a valid pattern of `[\w+=,.:\/-]*`
+- Add validation to `CustomerAccountId`, must be a valid pattern of `[0-9]*`
+  - This does not mean that the role would not work for another `CustomerAccountId`, but you should
+    be aware of, that it may stop working for non matching `CustomerAccountId` in the near future.
+- rename `ExternalId` to `ExternalIdSecret`
+- rename `CustomAccountId` to `CustomAWSAccountId`
+- rename `AWSAccount` to `CoralogixRegion`
+
 ### 12.12.2024 New permissions, that would allow integration to get data from Amazon ElastiCache API
 
 - Added permissions to the policy:

diff --git a/coralogix-policies/coralogix-metrics-integration-policy/README.md b/coralogix-policies/coralogix-metrics-integration-policy/README.md
@@ -6,13 +6,14 @@ The module will create a role to be used with AwsMetrics integration
 
 | Parameter | Description | Default Value | Required |
 |-----------|-------------|---------------|----------|
-| AWSAccount | The Alias for the Coralogix region, possible options are [US1, US2, EU1, EU2, AP1, AP2, AP3, dev, staging, custom] | EU1 | :heavy_check_mark: |
-| RoleName | The name of the rule that template will create in your AWS account | n\a | :heavy_check_mark: |
-| CustomAccountId | In case you want to use a custom coralogix account, enter the aws account id that you want to use.| n\a  | |
-| ExternalId | "sts:ExternalId" this id is used for increased security | n\a | :heavy_check_mark: |
+| CoralogixRegion | The Alias for the Coralogix region, possible options are [US1, US2, EU1, EU2, AP1, AP2, AP3, dev, staging, custom] | EU1 | :heavy_check_mark: |
+| RoleName | The name of the role that template will create in your AWS account | n\a | :heavy_check_mark: |
+| CustomAWSAccountId | In case you want to use a custom coralogix account, enter the aws account id that you want to use. | n\a | |
+| CoralogixCompanyId | Your coralogix account company ID, will be used for security validation. | n\a | :heavy_check_mark: |
+| ExternalId | "sts:ExternalId" this id is used for increased security, the value of the ExternalId will be `ExternalIdSecret@CoralogixCompanyId`. | n\a | :heavy_check_mark: |
 
 Run the following command to deploy the integration:
 
 ```sh
-aws cloudformation deploy --capabilities CAPABILITY_IAM  CAPABILITY_NAMED_IAM --template-file template.yaml --stack-name <the name of the stack that will be deploy in aws> --parameter-overrides AWSAccount=<coralogix account region> RoleName=<RoleName> ExternalId=<ExternalId>
+aws cloudformation deploy --capabilities CAPABILITY_IAM  CAPABILITY_NAMED_IAM --template-file template.yaml --stack-name <the name of the stack that will be deploy in aws> --parameter-overrides CoralogixRegion=<coralogix account region> RoleName=<name of the role> ExternalIdSecret=<external id secret part> CoralogixCompanyId=<coralogix company id>
 ```
diff --git a/coralogix-policies/coralogix-metrics-integration-policy/template.yaml b/coralogix-policies/coralogix-metrics-integration-policy/template.yaml
@@ -1,10 +1,11 @@
 AWSTemplateFormatVersion: 2010-09-09
 Description: The module will create a role with an inline policy to allow Coralogix to collect metrics from several resource types.
 Parameters:
-  ExternalId:
-    Description: "ExternalId for sts:AssumeRole"
+  ExternalIdSecret:
+    Description: "ExternalIdSecret for sts:AssumeRole"
     Type: "String"
-  AWSAccount:
+    AllowedPattern: "[\\w+=,.:\\/-]*"
+  CoralogixRegion:
     Type: String
     Default: EU1
     Description: The AWS account that you want to deploy the integration in.
@@ -22,10 +23,15 @@ Parameters:
   RoleName:
     Type: String
     Description: The name of the role that will be created.
-  CustomAccountId:
+  CustomAWSAccountId:
     Type: String
     Description: Custom AWS account ID that you want to deploy the integration in (overrides aws account id from CoralogixEnvironment variable).
     Default: ""
+    AllowedPattern: "[0-9]*"
+  CoralogixCompanyId:
+    Type: String
+    Description: Your coralogix account company ID, will be used for security validation.
+    AllowedPattern: "[0-9]*"
 
 Mappings:
   CoralogixEnvironment:
@@ -60,7 +66,7 @@ Mappings:
       ID: 000000000000
       RoleSuffix: custom
 Conditions:
-  IsCustomAccountId: !Not [!Equals [!Ref CustomAccountId, ""]]
+  IsCustomAWSAccountId: !Not [!Equals [!Ref CustomAWSAccountId, ""]]
 Resources:
   CoralogixAwsMetricsRole:
     Type: AWS::IAM::Role
@@ -75,15 +81,23 @@ Resources:
               AWS: !Sub
                 - "arn:aws:iam::${aws_account_id}:role/coralogix-ingestion-${role_suffix}"
                 - aws_account_id: !If
-                    - IsCustomAccountId
-                    - !Ref CustomAccountId
-                    - !FindInMap [CoralogixEnvironment, !Ref AWSAccount, "ID"]
-                  role_suffix: !FindInMap [CoralogixEnvironment, !Ref AWSAccount, "RoleSuffix"]
+                    - IsCustomAWSAccountId
+                    - !Ref CustomAWSAccountId
+                    - !FindInMap [CoralogixEnvironment, !Ref CoralogixRegion, "ID"]
+                  role_suffix:
+                    !FindInMap [
+                      CoralogixEnvironment,
+                      !Ref CoralogixRegion,
+                      "RoleSuffix",
+                    ]
             Action:
               - sts:AssumeRole
             Condition:
               StringEquals:
-                sts:ExternalId: !Ref ExternalId
+                sts:ExternalId: !Sub
+                  - "${ExternalIdSecret}@${company_id}"
+                  - ExternalIdSecret: !Ref ExternalIdSecret
+                    company_id: !Ref CoralogixCompanyId
       Policies:
         - PolicyName: CoralogixMetricsPolicy
           PolicyDocument: