chore: resouce-group+tags usage awareness (#70)

* fix: create resource-group based on 'product' key tag
* chore: remove rg outside examples
* doc: raise awarenes on default 'product' tag for resource-group creation
* doc: raise awareness on resource-groups
* ci: avoid collision


* doc: clarify rg is only on examples

Author: iru

README.md

@@ -106,9 +106,10 @@ $ terraform plan
 $ terraform apply
 ```
 
-Notice that:
-* This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
-* All created resources will be created within the tags `product:sysdig-secure-for-cloud`, within the resource-group `sysdig-secure-for-cloud`
+### Notice
+
+* **Resource creation inventory** Find all the resources created by Sysdig examples in the resource-group `sysdig-secure-for-cloud` (AWS Resource Group & Tag Editor) <br/><br/>
+* **Deployment cost** This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
 
 <br/><br/>
 

examples-internal/organizational-k8s-threat-reuse_cloudtrail_s3/README.md

@@ -26,6 +26,12 @@ This three-actor setup (S3-SNS-SQS) can be manually provisioned, or handled thro
 Client is responsible for provisioning the ARN of this SQS, which will be required as an input parameter.<br/>
 
 
+## Notice
+
+* **Resource creation inventory** Find all the resources created by Sysdig examples in the resource-group `sysdig-secure-for-cloud` (AWS Resource Group & Tag Editor) <br/><br/>
+* **Deployment cost** This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
+
+
 ## Usage
 
 For quick testing, use this snippet on your terraform files.
@@ -75,10 +81,6 @@ $ terraform plan
 $ terraform apply
 ```
 
-Notice that:
-* This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
-* All created resources will be created within the tags `product:sysdig-secure-for-cloud`, within the resource-group `sysdig-secure-for-cloud`
-
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 

examples-internal/organizational-k8s-threat-reuse_cloudtrail_s3/variables.tf

@@ -33,7 +33,7 @@ variable "name" {
 
 variable "tags" {
   type        = map(string)
-  description = "sysdig secure-for-cloud tags"
+  description = "sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning"
   default = {
     "product" = "sysdig-secure-for-cloud"
   }

examples-internal/utils-eks/variables.tf

@@ -21,7 +21,7 @@ variable "region" {
 
 variable "tags" {
   type        = map(string)
-  description = "sysdig secure-for-cloud tags"
+  description = "sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning"
   default = {
     "product" = "sysdig-secure-for-cloud"
   }

examples/organizational/README.md

@@ -38,6 +38,11 @@ Minimum requirements:
     sysdig_secure_api_token=<SECURE_API_TOKEN>
     ```
 
+## Notice
+
+* **Resource creation inventory** Find all the resources created by Sysdig examples in the resource-group `sysdig-secure-for-cloud` (AWS Resource Group & Tag Editor) <br/><br/>
+* **Deployment cost** This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
+
 ## Usage
 
 For quick testing, use this snippet on your terraform files
@@ -87,10 +92,6 @@ $ terraform plan
 $ terraform apply
 ```
 
-Notice that:
-* This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
-* All created resources will be created within the tags `product:sysdig-secure-for-cloud`, within the resource-group `sysdig-secure-for-cloud`
-
 
 <!-- BEGIN_TF_DOCS -->
 ## Requirements

examples/organizational/main.tf

@@ -9,6 +9,14 @@ module "resource_group" {
   tags   = var.tags
 }
 
+module "resource_group_secure_for_cloud_member" {
+  providers = {
+    aws = aws.member
+  }
+  source = "../../modules/infrastructure/resource-group"
+  name   = var.name
+  tags   = var.tags
+}
 
 #-------------------------------------
 # secure-for-cloud member account workload

examples/organizational/permissions.tf

@@ -1,12 +1,3 @@
-module "resource_group_secure_for_cloud_member" {
-  providers = {
-    aws = aws.member
-  }
-  source = "../../modules/infrastructure/resource-group"
-  name   = var.name
-  tags   = var.tags
-}
-
 module "secure_for_cloud_role" {
   source = "../../modules/infrastructure/permissions/org-role-ecs"
   providers = {

examples/organizational/variables.tf

@@ -142,7 +142,7 @@ variable "name" {
 
 variable "tags" {
   type        = map(string)
-  description = "sysdig secure-for-cloud tags"
+  description = "sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning"
   default = {
     "product" = "sysdig-secure-for-cloud"
   }

examples/single-account-k8s/README.md

@@ -21,6 +21,12 @@ Minimum requirements:
    sysdig_secure_api_token=<SECURE_API_TOKEN>
    ```
 
+## Notice
+
+* **Resource creation inventory** Find all the resources created by Sysdig examples in the resource-group `sysdig-secure-for-cloud` (AWS Resource Group & Tag Editor) <br/><br/>
+* **Deployment cost** This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
+
+
 ## Usage
 
 For quick testing, use this snippet on your terraform files
@@ -63,10 +69,6 @@ $ terraform plan
 $ terraform apply
 ```
 
-Notice that:
-
-* This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
-* All created resources will be created within the tags `product:sysdig-secure-for-cloud`, within the resource-group `sysdig-secure-for-cloud`
 
 <!-- BEGIN_TF_DOCS -->
 ## Requirements

examples/single-account-k8s/variables.tf

@@ -32,7 +32,7 @@ variable "name" {
 
 variable "tags" {
   type        = map(string)
-  description = "sysdig secure-for-cloud tags"
+  description = "sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning"
   default = {
     "product" = "sysdig-secure-for-cloud"
   }

examples/single-account/README.md

@@ -15,6 +15,12 @@ Minimum requirements:
     sysdig_secure_api_token=<SECURE_API_TOKEN>
     ```
 
+## Notice
+
+* **Resource creation inventory** Find all the resources created by Sysdig examples in the resource-group `sysdig-secure-for-cloud` (AWS Resource Group & Tag Editor) <br/><br/>
+* **Deployment cost** This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
+
+
 ## Usage
 
 For quick testing, use this snippet on your terraform files
@@ -50,10 +56,6 @@ $ terraform plan
 $ terraform apply
 ```
 
-Notice that:
-* This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
-* All created resources will be created within the tags `product:sysdig-secure-for-cloud`, within the resource-group `sysdig-secure-for-cloud`
-
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 

examples/single-account/variables.tf

@@ -115,7 +115,7 @@ variable "name" {
 
 variable "tags" {
   type        = map(string)
-  description = "sysdig secure-for-cloud tags"
+  description = "sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning"
   default = {
     "product" = "sysdig-secure-for-cloud"
   }

examples/trigger-events/README.md

@@ -10,6 +10,12 @@ Minimum requirements:
 1. Deploy Cloud Connector Stack on AWS.
 2. Configure [Terraform **AWS** Provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)
 
+## Notice
+
+* **Resource creation inventory** Find all the resources created by Sysdig examples in the resource-group `sysdig-secure-for-cloud` (AWS Resource Group & Tag Editor) <br/><br/>
+* **Deployment cost** This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
+
+
 ## Usage
 
 For quick testing, use this snippet on your terraform files
@@ -31,10 +37,6 @@ $ terraform plan
 $ terraform apply
 ```
 
-Notice that:
-* This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
-* All created resources will be created within the tags `product:sysdig-secure-for-cloud`, within the resource-group `sysdig-secure-for-cloud`
-
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 

modules/infrastructure/cloudtrail/variables.tf

@@ -64,7 +64,7 @@ variable "name" {
 
 variable "tags" {
   type        = map(string)
-  description = "sysdig secure-for-cloud tags"
+  description = "sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning"
   default = {
     "product" = "sysdig-secure-for-cloud"
   }

modules/infrastructure/cloudtrail_s3-sns-sqs/main.tf

@@ -1,11 +1,3 @@
-module "resource_group" {
-  source = "../resource-group"
-  name   = var.name
-  tags   = var.tags
-}
-
-
-
 # --------------------------------------------
 # cloudtrail_s3 bucket sns event notification
 # --------------------------------------------

modules/infrastructure/cloudtrail_s3-sns-sqs/variables.tf

@@ -26,7 +26,7 @@ variable "name" {
 
 variable "tags" {
   type        = map(string)
-  description = "sysdig secure-for-cloud tags"
+  description = "sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning"
   default = {
     "product" = "sysdig-secure-for-cloud"
   }

modules/infrastructure/codebuild/variables.tf

@@ -20,7 +20,7 @@ variable "name" {
 
 variable "tags" {
   type        = map(string)
-  description = "sysdig secure-for-cloud tags"
+  description = "sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning"
   default = {
     "product" = "sysdig-secure-for-cloud"
   }

modules/infrastructure/ecs-vpc/variables.tf

@@ -23,7 +23,7 @@ variable "name" {
 
 variable "tags" {
   type        = map(string)
-  description = "sysdig secure-for-cloud tags"
+  description = "sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning"
   default = {
     "product" = "sysdig-secure-for-cloud"
   }

modules/infrastructure/permissions/org-role-ecs/variables.tf

@@ -26,7 +26,7 @@ variable "organizational_role_per_account" {
 
 variable "tags" {
   type        = map(string)
-  description = "sysdig secure-for-cloud tags"
+  description = "sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning"
   default = {
     "product" = "sysdig-secure-for-cloud"
   }

modules/infrastructure/permissions/org-role-eks/variables.tf

@@ -39,7 +39,7 @@ variable "organizational_role_per_account" {
 
 variable "tags" {
   type        = map(string)
-  description = "sysdig secure-for-cloud tags"
+  description = "sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning"
   default = {
     "product" = "sysdig-secure-for-cloud"
   }

modules/infrastructure/resource-group/main.tf

@@ -3,7 +3,6 @@ resource "aws_resourcegroups_group" "sysdig_secure_for_cloud" {
   name = var.name
   tags = var.tags
 
-  # FIXME. convert tags to JSON resource_query
   resource_query {
     query = <<JSON
 {
@@ -13,7 +12,7 @@ resource "aws_resourcegroups_group" "sysdig_secure_for_cloud" {
   "TagFilters": [
     {
       "Key": "product",
-      "Values": ["sysdig-secure-for-cloud"]
+      "Values": ["${var.tags["product"]}"]
     }
   ]
 }

modules/infrastructure/resource-group/variables.tf

@@ -11,7 +11,7 @@ variable "name" {
 
 variable "tags" {
   type        = map(string)
-  description = "sysdig secure-for-cloud tags"
+  description = "sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning"
   default = {
     "product" = "sysdig-secure-for-cloud"
   }

modules/infrastructure/sqs-sns-subscription/variables.tf

@@ -10,7 +10,7 @@ variable "sns_topic_arn" {
 
 variable "tags" {
   type        = map(string)
-  description = "sysdig secure-for-cloud tags"
+  description = "sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning"
   default = {
     "product" = "sysdig-secure-for-cloud"
   }

modules/infrastructure/ssm/variables.tf

@@ -12,7 +12,7 @@ variable "sysdig_secure_api_token" {
 
 variable "tags" {
   type        = map(string)
-  description = "sysdig secure-for-cloud tags"
+  description = "sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning"
   default = {
     "product" = "sysdig-secure-for-cloud"
   }

modules/services/cloud-bench/variables.tf

@@ -26,17 +26,17 @@ variable "benchmark_regions" {
   default     = []
 }
 
+variable "provision_in_management_account" {
+  type        = bool
+  default     = true
+  description = "Whether to deploy the stack in the management account"
+}
+
 variable "tags" {
   type        = map(string)
-  description = "sysdig secure-for-cloud tags"
+  description = "sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning"
 
   default = {
     "product" = "sysdig-secure-for-cloud"
   }
 }
-
-variable "provision_in_management_account" {
-  type        = bool
-  default     = true
-  description = "Whether to deploy the stack in the management account"
-}

modules/services/cloud-connector/ecs-service.tf

@@ -23,7 +23,7 @@ resource "aws_ecs_task_definition" "task_definition" {
   requires_compatibilities = ["FARGATE"]
   network_mode             = "awsvpc"
   execution_role_arn       = aws_iam_role.execution.arn # ARN of the task execution role that the Amazon ECS container agent and the Docker daemon can assume
-  task_role_arn            = local.ecs_task_role_arn    # ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS resource-group.
+  task_role_arn            = local.ecs_task_role_arn    # ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services.
   cpu                      = var.ecs_task_cpu
   memory                   = var.ecs_task_memory
 

modules/services/cloud-connector/variables.tf

@@ -159,7 +159,7 @@ variable "name" {
 
 variable "tags" {
   type        = map(string)
-  description = "sysdig secure-for-cloud tags"
+  description = "sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning"
   default = {
     "product" = "sysdig-secure-for-cloud"
   }

test/fixtures/organizational-k8s/main.tf

@@ -40,6 +40,7 @@ module "cloudtrail_s3_sns_sqs" {
   source                              = "../../../modules/infrastructure/cloudtrail_s3-sns-sqs"
   cloudtrail_s3_name                  = var.cloudtrail_s3_name
   s3_event_notification_filter_prefix = var.s3_event_notification_filter_prefix
+  name                                = "${var.name}-orgk8s"
 }
 
 
@@ -51,6 +52,7 @@ module "org_user" {
   deploy_image_scanning         = false
   cloudtrail_s3_bucket_arn      = module.cloudtrail_s3_sns_sqs.cloudtrail_s3_arn
   cloudtrail_subscribed_sqs_arn = module.cloudtrail_s3_sns_sqs.cloudtrail_subscribed_sqs_arn
+  name                          = "${var.name}-orgk8s"
 }