Feat/enable bench example single k8s (#46)

* feat: enable benchmark on single-account-k8s
* docs: clarify CIEM
* fix: honour name on cloudrun

Author: iru

.github/workflows/ci-integration-tests.yaml

@@ -15,58 +15,58 @@ on:
 concurrency: terraform
 
 jobs:
-  integration_test_ecs:
+#  integration_test_ecs:
 #    concurrency: terraform-account
-
-    name: Test-Kitchen-ECS
-    runs-on: ubuntu-latest
-    env:
-      TF_VAR_sysdig_secure_endpoint: https://secure.sysdig.com
-      TF_VAR_sysdig_secure_api_token: ${{secrets.KUBELAB_SECURE_API_TOKEN}}
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-
-      - uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: 2.7
-          bundler-cache: true
-
-      - name: Run single-account test
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_QA_CLOUDNATIVE_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_QA_CLOUDNATIVE_SECRET_ACCESS_KEY }}
-          AWS_REGION: ${{ secrets.AWS_REGION }}
-        run: bundle exec kitchen test "single-account-aws"
-
-      - name: Destroy single-account resources
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_QA_CLOUDNATIVE_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_QA_CLOUDNATIVE_SECRET_ACCESS_KEY }}
-          AWS_REGION: ${{ secrets.AWS_REGION }}
-        if: ${{ failure() }}
-        run: bundle exec kitchen destroy "single-account-aws"
-
-      - name: Run organizational test
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_QA_MANAGED_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_QA_MANAGED_SECRET_ACCESS_KEY }}
-          AWS_REGION: ${{ secrets.AWS_REGION }}
-          TF_VAR_sysdig_secure_for_cloud_member_account_id: ${{ secrets.AWS_QA_CLOUDNATIVE_ACCOUNT_ID }}
-        run: bundle exec kitchen test "organizational-aws"
-
-      - name: Destroy organizational resources
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_QA_MANAGED_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_QA_MANAGED_SECRET_ACCESS_KEY }}
-          AWS_REGION: ${{ secrets.AWS_REGION }}
-          TF_VAR_sysdig_secure_for_cloud_member_account_id: ${{ secrets.AWS_QA_CLOUDNATIVE_ACCOUNT_ID }}
-        if: ${{ failure() }}
-        run: bundle exec kitchen destroy "organizational-aws"
+#
+#    name: Test-Kitchen-ECS
+#    runs-on: ubuntu-latest
+#    env:
+#      TF_VAR_sysdig_secure_endpoint: https://secure.sysdig.com
+#      TF_VAR_sysdig_secure_api_token: ${{secrets.KUBELAB_SECURE_API_TOKEN}}
+#
+#    steps:
+#      - name: Checkout
+#        uses: actions/checkout@v2
+#
+#      - uses: ruby/setup-ruby@v1
+#        with:
+#          ruby-version: 2.7
+#          bundler-cache: true
+#
+#      - name: Run single-account test
+#        env:
+#          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_QA_CLOUDNATIVE_ACCESS_KEY_ID }}
+#          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_QA_CLOUDNATIVE_SECRET_ACCESS_KEY }}
+#          AWS_REGION: ${{ secrets.AWS_REGION }}
+#        run: bundle exec kitchen test "single-account-aws"
+#
+#      - name: Destroy single-account resources
+#        env:
+#          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_QA_CLOUDNATIVE_ACCESS_KEY_ID }}
+#          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_QA_CLOUDNATIVE_SECRET_ACCESS_KEY }}
+#          AWS_REGION: ${{ secrets.AWS_REGION }}
+#        if: ${{ failure() }}
+#        run: bundle exec kitchen destroy "single-account-aws"
+#
+#      - name: Run organizational test
+#        env:
+#          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_QA_MANAGED_ACCESS_KEY_ID }}
+#          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_QA_MANAGED_SECRET_ACCESS_KEY }}
+#          AWS_REGION: ${{ secrets.AWS_REGION }}
+#          TF_VAR_sysdig_secure_for_cloud_member_account_id: ${{ secrets.AWS_QA_CLOUDNATIVE_ACCOUNT_ID }}
+#        run: bundle exec kitchen test "organizational-aws"
+#
+#      - name: Destroy organizational resources
+#        env:
+#          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_QA_MANAGED_ACCESS_KEY_ID }}
+#          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_QA_MANAGED_SECRET_ACCESS_KEY }}
+#          AWS_REGION: ${{ secrets.AWS_REGION }}
+#          TF_VAR_sysdig_secure_for_cloud_member_account_id: ${{ secrets.AWS_QA_CLOUDNATIVE_ACCOUNT_ID }}
+#        if: ${{ failure() }}
+#        run: bundle exec kitchen destroy "organizational-aws"
 
   integration_test-eks:
-#    concurrency: terraform-account
+    concurrency: terraform-account
     continue-on-error: true
 
     name: Test-Kitchen-EKS

README.md

@@ -1,15 +1,17 @@
 # Sysdig Secure for Cloud in AWS
 
 Terraform module that deploys the [**Sysdig Secure for Cloud** stack in **AWS**](https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/deploy-sysdig-secure-for-cloud-on-aws).
-<br/>It provides unified threat detection, compliance, forensics and analysis.
+<br/>
+
+Provides unified threat-detection, compliance, forensics and analysis through these major components:
 
-There are three major components:
+* **[CSPM/Compliance](https://docs.sysdig.com/en/docs/sysdig-secure/benchmarks/)**: It evaluates periodically your cloud configuration, using Cloud Custodian, against some benchmarks and returns the results and remediation you need to fix. Managed through `cloud-bench` module. <br/>
 
-* **CSPM/Compliance**: It evaluates periodically your cloud configuration, using Cloud Custodian, against some benchmarks and returns the results and remediation you need to fix. Managed through [cloud-bench module](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-bench).<br/>
+* **[CIEM](https://docs.sysdig.com/en/docs/sysdig-secure/posture/)**: Permissions and Entitlements management. Requires BOTH modules  `cloud-connector` and `cloud-bench`. <br/>
 
-* **Cloud Threat Detection**: Tracks abnormal and suspicious activities in your cloud environment based on Falco language. Managed through [cloud-connector module](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-connector).<br/>
+* **[Cloud Threat Detection](https://docs.sysdig.com/en/docs/sysdig-secure/insights/)**: Tracks abnormal and suspicious activities in your cloud environment based on Falco language. Managed through `cloud-connector` module. <br/>
 
-* **Cloud Scanning**: Automatically scans all container images pushed to the registry or as soon a new task which involves a container is spawned in your account. Managed through [cloud-connector module](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-connector).<br/>
+* **[Cloud Scanning](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/)**: Automatically scans all container images pushed to the registry or as soon a new task which involves a container is spawned in your account. Managed through `cloud-connector`. <br/>
 
 For other Cloud providers check: [GCP](https://github.com/sysdiglabs/terraform-google-secure-for-cloud), [Azure](https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud)
 
@@ -73,45 +75,55 @@ Notice that:
 * This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
 * All created resources will be created within the tags `product:sysdig-secure-for-cloud`, within the resource-group `sysdig-secure-for-cloud`
 
+<br/><br/>
+
+## Forcing Events
+
+**Threat Detection**
+
+Choose one of the rules contained in the `AWS Best Practices` policy and execute it in your AWS account.
 
+ex.: 'Delete Bucket Public Access Block' can be easily tested going to an
+`S3 bucket > Permissions > Block public access (bucket settings) > edit >
+uncheck 'Block all public access'`
+
+Remember that in case you add new rules to the policy you need to give it time to propagate the changes.
+
+In the `cloud-connector` logs you should see similar logs to these
+> A public access block for a bucket has been deleted (requesting  user=OrganizationAccountAccessRole, requesting IP=x.x.x.x, AWS  region=eu-central-1, bucket=***
+
+If that's not working as expected, some other questions can be checked
+- are events consumed in the sqs queue, or are they pending?
+- are events being sent to sns topic?
+
+**Image Scanning**
+
+Upload any image to the ECR repository of AWS.
+<br/>You should see a log in the ECS-cloud-scanner task + CodeBuild project being launched successfully
 
 <br/><br/>
 ## Troubleshooting
 
-- Q: How to **validate secure-for-cloud cloud-connector (thread-detection) provisioning** is working as expected?<br/>
-  A: Check each pipeline resource is working as expected (from high to low lvl)
-    - select a rule to break manually, from the 'Sysdig AWS Best Practices' policies. for example, 'Delete Bucket Public Access Block'. can you see the event?
-    - are there any errors in the ECS task logs? can also check cloudwatch logs
-      for previous example we should see the event
-      ```
-      {"level":"info","component":"console-notifier","time":"2021-07-26T12:45:25Z","message":"A pulic access block for a bucket has been deleted (requesting  user=OrganizationAccountAccessRole, requesting IP=x.x.x.x, AWS  region=eu-central-1, bucket=sysdig-secure-for-cloud-nnnnnn-config)"}
-      ```
-    - are events consumed in the sqs queue, or are they pending?
-    - are events being sent to sns topic?
-
-
-- Q: How to iterate **cloud-connector modification testing**
-  <br/>A: Build a custom docker image of cloud-connector `docker build . -t <DOCKER_IMAGE> -f ./build/cloud-connector/Dockerfile` and upload it to any registry (like dockerhub).
-  Modify the [var.image](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-connector/variables.tf) variable to point to your image and deploy
-
-
-- Q: How can I iterate **ECS testing**
-  <br/>A: After applying your modifications (vía terraform for example) restart the service
-    ```
-    $ aws ecs update-service --force-new-deployment --cluster sysdig-secure-for-cloud-ecscluster --service sysdig-secure-for-cloud-cloudconnector --profile <AWS_PROFILE>
-    ```
-  For the AWS_PROFILE, set your `~/.aws/config` to impersonate
-    ```
-    [profile secure-for-cloud]
-    region=eu-central-1
-    role_arn=arn:aws:iam::<AWS_MANAGEMENT_ORGANIZATION_ACCOUNT>:role/OrganizationAccountAccessRole
-    source_profile=<AWS_MANAGEMENT_ACCOUNT_PROFILE>
-    ```
-
-- Q: How to test **cloud-scanner** image-scanning?<br/>
-  A: Upload any image to the ECR repository of AWS. You should see a log in the ECS-cloud-scanner task + CodeBuild project being launched successfully
-  <br/>
-
+### Q: I'm not able to see Cloud Infrastructure Entitlements Management (CIEM) results
+A: Make sure you installed both [cloud-bench](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-bench) and [cloud-connector](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-connector) modules
+
+### Q: How to iterate cloud-connector modification testing
+A: Build a custom docker image of cloud-connector `docker build . -t <DOCKER_IMAGE> -f ./build/cloud-connector/Dockerfile` and upload it to any registry (like dockerhub).
+Modify the [var.image](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-connector/variables.tf) variable to point to your image and deploy
+
+
+### Q: How can I iterate ECS modification testing
+A: After applying your modifications (vía terraform for example) restart the service
+  ```
+  $ aws ecs update-service --force-new-deployment --cluster sysdig-secure-for-cloud-ecscluster --service sysdig-secure-for-cloud-cloudconnector --profile <AWS_PROFILE>
+  ```
+For the AWS_PROFILE, set your `~/.aws/config` to impersonate
+  ```
+  [profile secure-for-cloud]
+  region=eu-central-1
+  role_arn=arn:aws:iam::<AWS_MANAGEMENT_ORGANIZATION_ACCOUNT>:role/OrganizationAccountAccessRole
+  source_profile=<AWS_MANAGEMENT_ACCOUNT_PROFILE>
+  ```
 
 <br/><br/>
 ## Authors

examples/organizational/README.md

@@ -118,7 +118,7 @@ Notice that:
 | <a name="input_cloudtrail_s3_arn"></a> [cloudtrail\_s3\_arn](#input\_cloudtrail\_s3\_arn) | ARN of a pre-existing cloudtrail\_sns s3 bucket. If it does not exist, it will be inferred from create cloudtrail | `string` | `"create"` | no |
 | <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If it does not exist, it will be inferred from created cloudtrail | `string` | `"create"` | no |
 | <a name="input_connector_ecs_task_role_name"></a> [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Name for the ecs task role. This is only required to resolve cyclic dependency with organizational approach | `string` | `"organizational-ECSTaskRole"` | no |
-| <a name="input_deploy_bench"></a> [deploy\_bench](#input\_deploy\_bench) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
+| <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_organizational_member_default_admin_role"></a> [organizational\_member\_default\_admin\_role](#input\_organizational\_member\_default\_admin\_role) | Default role created by AWS for managed-account users to be able to admin member accounts.<br/>https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html | `string` | `"OrganizationAccountAccessRole"` | no |
 | <a name="input_region"></a> [region](#input\_region) | Default region for resource creation in both organization master and secure-for-cloud member account | `string` | `"eu-central-1"` | no |

examples/organizational/main.tf

@@ -99,11 +99,12 @@ module "cloud_connector" {
 
 module "cloud_bench" {
   source = "../../modules/services/cloud-bench"
-  count  = var.deploy_bench ? 1 : 0
+  count  = var.deploy_benchmark ? 1 : 0
 
   name              = "${var.name}-cloudbench"
-  tags              = var.tags
   is_organizational = true
   region            = data.aws_region.current.name
   benchmark_regions = var.benchmark_regions
+
+  tags = var.tags
 }

examples/organizational/variables.tf

@@ -62,18 +62,17 @@ variable "cloudtrail_kms_enable" {
 # benchmark configuration
 #
 
-variable "benchmark_regions" {
-  type        = list(string)
-  description = "List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default."
-  default     = []
-}
-
-variable "deploy_bench" {
+variable "deploy_benchmark" {
   type        = bool
   description = "Whether to deploy or not the cloud benchmarking"
   default     = true
 }
 
+variable "benchmark_regions" {
+  type        = list(string)
+  description = "List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default."
+  default     = []
+}
 
 #
 # general

examples/single-account-k8s/README.md

@@ -2,10 +2,8 @@
 
 Deploy Sysdig Secure for Cloud in a provided existing Kubernetes Cluster.
 
-- Sysdig **Helm** charts will be used to deploy threat-detection and scanning modules
-  - [Cloud-Connector Chart](https://charts.sysdig.com/charts/cloud-connector/)
-  - [Cloud-Scanning Chart](https://charts.sysdig.com/charts/cloud-scanning/)
-  - Because these charts require specific AWS credentials to be passed by parameter, a new user + access key will be created within account. See [`credentials.tf`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/examples/single-account-k8s/credentials.tf)
+- Sysdig **Helm** [cloud-connector chart](https://charts.sysdig.com/charts/cloud-connector/) will be used to deploy threat-detection and scanning features
+  <br/>Because these charts require specific AWS credentials to be passed by parameter, a new user + access key will be created within account. See [`credentials.tf`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/examples/single-account-k8s/credentials.tf)
 - Used architecture is similar to [single-account](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/examples/single-account) but changing ECS <---> with an existing EKS
 
 All the required resources and workloads will be run under the same AWS account.
@@ -81,6 +79,7 @@ Notice that:
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_cloud_bench"></a> [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench |  |
 | <a name="module_cloud_connector_sqs"></a> [cloud\_connector\_sqs](#module\_cloud\_connector\_sqs) | ../../modules/infrastructure/sqs-sns-subscription |  |
 | <a name="module_cloudtrail"></a> [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail |  |
 | <a name="module_codebuild"></a> [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild |  |
@@ -100,9 +99,11 @@ Notice that:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_sysdig_secure_api_token"></a> [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig Secure API token | `string` | n/a | yes |
+| <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
 | <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events. testing/economization purpose. | `bool` | `true` | no |
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether s3 should be encrypted. testing/economization purpose. | `bool` | `true` | no |
 | <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If it does not exist, it will be inferred from created cloudtrail | `string` | `"create"` | no |
+| <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
 | <a name="input_deploy_image_scanning"></a> [deploy\_image\_scanning](#input\_deploy\_image\_scanning) | true/false whether to deploy cloud\_scanning | `bool` | `true` | no |
 | <a name="input_deploy_threat_detection"></a> [deploy\_threat\_detection](#input\_deploy\_threat\_detection) | true/false whether to deploy cloud\_connector | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |

examples/single-account-k8s/benchmark.tf

@@ -0,0 +1,15 @@
+provider "sysdig" {
+  sysdig_secure_url          = var.sysdig_secure_endpoint
+  sysdig_secure_api_token    = var.sysdig_secure_api_token
+  sysdig_secure_insecure_tls = length(regexall("https://.*?\\.sysdig(cloud)?.com/?", var.sysdig_secure_endpoint)) == 1 ? false : true
+}
+
+module "cloud_bench" {
+  source = "../../modules/services/cloud-bench"
+  count  = var.deploy_benchmark ? 1 : 0
+
+  name              = "${var.name}-cloudbench"
+  benchmark_regions = var.benchmark_regions
+
+  tags = var.tags
+}

examples/single-account-k8s/cloud-connector.tf

@@ -5,7 +5,7 @@ module "cloud_connector_sqs" {
   count  = var.deploy_threat_detection ? 1 : 0
   source = "../../modules/infrastructure/sqs-sns-subscription"
 
-  name          = "${var.name}-cloud_connector"
+  name          = var.name
   sns_topic_arn = local.cloudtrail_sns_arn
   tags          = var.tags
 }
@@ -14,6 +14,7 @@ module "codebuild" {
   count  = var.deploy_image_scanning ? 1 : 0
   source = "../../modules/infrastructure/codebuild"
 
+  name                         = var.name
   secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
 
   tags = var.tags