Oftentimes, customers require having the AWS external ID utilized by the CP CSPM SaaS rotated as stipulted by various compliance frameworks. This repo contains an ansible tool to assit custoemers with this need.

Create random External Id on the AWS IAM Role's Trust Policy, update and re-validate CloudGuard CSPM account

ansible.cfg - Ansible project level configuration file

aws_trust_policy.j2 - AWS IAM Role Trust Policy Jinja2 template

inventory.ini - Ansible inventory INI file

update_role.yml - Ansible Playbook

d9_payload.j2 - CSPM/Dome9 CloudAccountCredentialsViewModel HTTP body payload Jinja2 template

https://api-v2-docs.dome9.com/?python#cloudaccounts_updatecloudaccountcredentials

Set AWS environmental variables for your shell session to work with the iam_* Ansible modules.

 export AWS_ACCESS_KEY='<API ACCESS KEY>'
 export AWS_SECRET_KEY='<API SECRET KEY>'

git clone https://github.com/Senas23/cp_cspm_rotate_external_id.git

Either with pip or compiled binaries from your Linux distro

boto
boto3
botocore
python >= 2.6

E.g. on Ubuntu 18

apt install python-boto python-boto3 python3-boto python3-boto3

See Ansible Docs for the module iam_role

https://docs.ansible.com/ansible/2.9/modules/iam_role_module.html

Create Ansible Vault file to store Check Point CloudGuard CSPM/Dome9 API credentials

ansible-vault create vault.yml

Two variables are needed:

d9_api_key - CSPM/Dome9 API Key

d9_api_secret - CSPM/Dome9 API Secret

Go to CSPM Settings and create v2 API Key

https://secure.dome9.com/v2/settings/credentials

Run the Ansible playbook and provide Vault encryption password

ansible-playbook update_role.yml -e '@vault.yml' --ask-vault-pass

Ansible 2.9.24; Python 2.7.17 & 3.6.9; Ubuntu 18.04.5 LTS;