chore: org ecs doc small changes (#59)

* chore: small rename
* chore: refact use-cases

Author: iru

examples-internal/use-cases-reuse-resources/org-existing-cloudtrail-ecs-vpc-subnet.md

@@ -5,21 +5,23 @@
 **Client Setup**
 
 - [X] organizational setup
-  - [X] organizational cloudtrail
-  - [X] centralized S3 bucket with cloudtrail-events
-  - [X] member account usage - all required resources (cloudtrail/s3/sns/sqs for sysdig workload) in same account (managed or specific) (?)
-  - [ ] member account usage - all required resources are in scattered
+  - [X] organizational cloudtrail that reports to SNS and persists events in a managed-account stored S3 bucket
+  - [X] member account usage - all required and pre-existing resources exist in the same account
+    - cloudtrail/sns/s3 in the management account
+    - and pre-existing objects in the same account where Sysdig Secure for Cloud workload is to be deployed
+  - [ ] member account usage - all required resources are in scattered organizational member accounts
 - [X] pre-existing resources
+  - [X] organizational cloudtrail, reporting to an SNS topic and delivering events to the S3 bucket
+  - [X] ecs cluster/vpc/subnet we want to use to deploy Sysdig for Cloud workload
   - [ ] k8s cluster we want to use to deploy Sysdig for Cloud workload
-  - [X] pre-existing ECS Cluster/VPC/Subnet we want to use to deploy Sysdig for Cloud workload
 
 **Sysdig Secure For Cloud Features**
 
-- [X] Threat Detection
+- [X] threat Detection
   - [X] all accounts of the organization (management account included)
-- [ ] Image Scanning (?)
-  - [ ] ECR pushed images
-  - [ ] ECS running images
+- [ ] image Scanning (?)
+  - [ ] ecr pushed images
+  - [ ] ecs running images
 - [ ] CSPM/Compliance (?)
 - [ ] CIEM (?)
 
@@ -37,13 +39,13 @@ Please contact us if something requires to be adjusted.
 
 ### Step by Step Example Guide
 
-
 <!--
 manual testing pre-requirements
 
 0.1 Cloudtrail must exist. To be deployed on a separated terraform state
 
 ```
+# AWS_PROFILE must point to organizatinal management account
 provider "aws" {
 	region = "eu-west-3"
 }
@@ -63,42 +65,49 @@ module "utils_cloudtrail" {
 0.2. ECS/VPC/Subnet must exist. To be deployed on a separated terraform state
 
 ```
+# AWS_PROFILE must point to org member account where workload is to be deployed
 provider "aws" {
 region = "eu-west-3"
 }
 
-module "utils_ecs-vpc-secgroup" {
+module "utils_ecs-vpc" {
   source = "../../modules/infrastructure/ecs-vpc"
 }
 ```
 -->
 
-0. Configure `AWS_PROFILE` with an organizational Administration credentials
+1. Configure `AWS_PROFILE` with an organizational Administration credentials
 
-1. Choose an Organizational **Member account for Sysdig Workload** to be deployed. This accountID will be provided in the `sysdig_secure_for_cloud_member_account_id` parameter
+2. Choose an Organizational **Member account for Sysdig Workload** to be deployed.
+   - This accountID will be provided in the `SYSDIG_SECURE_FOR_CLOUD_MEMBER_ACCOUNT_ID` parameter
+   - Use-case workload-related pre-existing resources (ecs,vpc,subnets) must live within this member account
 
-2. Use `organizational` example with following parameters
+3. Use `organizational` example snippet with following parameters
 
    - General
-     - `AWS_REGION` Same region is to be used for all the following resources, both on the organizational managed account and sysdig workload member account
+     - `AWS_REGION` Same region is to be used for both organizational managed account and Sysdig workload member account resources.
+     - `SYSDIG_SECURE_FOR_CLOUD_MEMBER_ACCOUNT_ID` where Sysdig Workoad is to be deployed under the pre-existing ECS
 
    - Existing Organizational Cloudtrail Setup
-     - `cloudtrail_sns_arn`
-     - `cloudtrail_s3_arn`
+     - `CLOUDTRAIL_SNS_ARN`
+     - `CLOUDTRAIL_S3_ARN`
      - You MUST grant manual permissions to the organizational cloudtrail, for the AWS member-account management role `OrganizationAccountAccessRole` to be able to perform `SNS:Subscribe`.
-       <br/>This will be required for the CloudConnector SQS Topic subscription.
+       - This will be required for the CloudConnector SQS Topic subscription.
+       - Use [`./modules/infrastructure/cloudtrail/sns_permissions.tf`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/modules/infrastructure/cloudtrail/sns_permissions.tf#L22) as guideline
+
 
    - Existing ECS Cluster Workload  Setup
-     - `ecs_cluster_name` ex.: "sfc"
+     - `ECS_CLUSTER_NAME` ex.: "sfc"
 
    - Existing Networking Setup
-     - `ecs_vpc_id` ex.: "vpc-0e91bfef6693f296b"
-     - `ecs_vpc_subnets_private_ids` Two subnets for the VPC. ex.: "subnet-0c7d803ecdc88437b"
+     - `ECS_VPC_ID` ex.: "vpc-0e91bfef6693f296b"
+     - `ECS_VPC_SUBNET_PRIVATE_ID_X` Two subnets for the VPC. ex.: "subnet-0c7d803ecdc88437b"
 
 
 ### Terraform Manifest Snippet
 
 ```terraform
+
 provider "aws" {
   region = "<AWS_REGION>"
 }
@@ -108,16 +117,16 @@ module "sysdig-s4c" {
   source = "sysdiglabs/secure-for-cloud/aws//examples/organizational"
   name   = "sysdig-s4c"
 
-  sysdig_secure_for_cloud_member_account_id="<AWS_ACCOUNT_ID>"
+  sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
 
-  sysdig_secure_api_token   = "<SYSDIG_API_TOKEN>"
+  sysdig_secure_for_cloud_member_account_id="<SYSDIG_SECURE_FOR_CLOUD_MEMBER_ACCOUNT_ID>"
 
-  cloudtrail_sns_arn        = "<CLOUDRAIL_SNS_TOPIC_ARN>"
-  cloudtrail_s3_arn         = "<CLOUDRAIL_S3_BUCKET_ARN>"
+  cloudtrail_sns_arn  = "<CLOUDTRAIL_SNS_ARN>"
+  cloudtrail_s3_arn   = "<CLOUDTRAIL_S3_ARN>"
 
-  ecs_cluster_name          = "<ECS_CLUSTER_NAME>"
-  ecs_vpc_id                = "<VPC_ID>"
-  ecs_vpc_subnets_private   = ["<SUBNET_ID_1>","<SUBNET_ID_2>"]
+  ecs_cluster_name              = "<ECS_CLUSTER_NAME>"
+  ecs_vpc_id                    = "<ECS_VPC_ID>"
+  ecs_vpc_subnets_private_ids   = ["<ECS_VPC_SUBNET_PRIVATE_ID_1>","<ECS_VPC_SUBNET_PRIVATE_ID_2>"]
 
 }
 ```

examples-internal/use-cases-reuse-resources/single-existing-cloudtrail.md

@@ -8,7 +8,8 @@
 - [X] pre-existing resources
   - [X] cloudtrail
   - [ ] k8s cluster we want to use to deploy Sysdig for Cloud workload
-  - [ ] pre-existing ECS Cluster/VPC/Subnet we want to use to deploy Sysdig for Cloud workload
+  - [ ] ecs cluster/vpc/subnet we want to use to deploy Sysdig for Cloud workload
+
 
 **Sysdig Secure For Cloud Features**
 

examples-internal/use-cases-self-baked/org-s3-k8s-filtered-account.md

@@ -5,13 +5,14 @@
 **Current User Setup**
 
 - [X] organizational setup
-  - [ ] organizational cloudtrail
+  - [ ] organizational cloudtrail that reports to SNS and persists events in a managed-account stored S3 bucket
   - [X] centralized S3 bucket with cloudtrail-events
-  - [ ] member account usage - all required resources (s3/sns/sqs, sysdig workload) in same account
+  - [ ] member account usage - all required and pre-existing resources exist in the same account
   - [X] member account usage - all required resources are in scattered
 - [X] pre-existing resources
-    - [X] k8s cluster we want to use to deploy Sysdig for Cloud workload
-    - [ ] pre-existing ECS Cluster/VPC/Subnet we want to use to deploy Sysdig for Cloud workload
+  - [ ] k8s cluster we want to use to deploy Sysdig for Cloud workload
+  - [ ] organizational cloudtrail, reporting to an SNS topic and delivering events to the S3 bucket
+  - [ ] ecs cluster/vpc/subnet we want to use to deploy Sysdig for Cloud workload
 
 
 **Sysdig Secure For Cloud Features**

examples/organizational/README.md

@@ -19,7 +19,7 @@ Minimum requirements:
 1. Have an existing AWS account as the organization management account
     * Organizational CloudTrail service must be enabled
     * [Organizational CloudFormation StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html) service must be enabled
-1. Configure [Terraform **AWS** Provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) for the `management` account of the organization
+2. Configure [Terraform **AWS** Provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) for the `management` account of the organization
     * This provider credentials must be [able to manage cloudtrail creation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html)
       > You must be logged in with the management account for the organization to create an organization trail. You must also have sufficient permissions for the IAM user or role in the management account to successfully create an organization trail.
     * When an account is created within an organization, AWS will create an `OrganizationAccountAccessRole` [for account management](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html), which Sysdig Secure for Cloud will use for member-account provisioning and role assuming.
@@ -92,7 +92,7 @@ Notice that:
 | <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector | n/a |
 | <a name="module_cloudtrail"></a> [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail | n/a |
 | <a name="module_codebuild"></a> [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild | n/a |
-| <a name="module_ecs_vpc_secgroup"></a> [ecs\_vpc\_secgroup](#module\_ecs\_vpc\_secgroup) | ../../modules/infrastructure/ecs-vpc | n/a |
+| <a name="module_ecs_vpc"></a> [ecs\_vpc](#module\_ecs\_vpc) | ../../modules/infrastructure/ecs-vpc | n/a |
 | <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | ../../modules/infrastructure/resource-group | n/a |
 | <a name="module_resource_group_secure_for_cloud_member"></a> [resource\_group\_secure\_for\_cloud\_member](#module\_resource\_group\_secure\_for\_cloud\_member) | ../../modules/infrastructure/resource-group | n/a |
 | <a name="module_secure_for_cloud_role"></a> [secure\_for\_cloud\_role](#module\_secure\_for\_cloud\_role) | ../../modules/infrastructure/permissions/org-role-ecs | n/a |

examples/organizational/ecs.tf

@@ -1,11 +1,11 @@
 locals {
   ecs_deploy                  = var.ecs_cluster_name == "create"
-  ecs_cluster_name            = local.ecs_deploy ? module.ecs_vpc_secgroup[0].ecs_cluster_name : var.ecs_cluster_name
-  ecs_vpc_id                  = local.ecs_deploy ? module.ecs_vpc_secgroup[0].ecs_vpc_id : var.ecs_vpc_id
-  ecs_vpc_subnets_private_ids = local.ecs_deploy ? module.ecs_vpc_secgroup[0].ecs_vpc_subnets_private_ids : var.ecs_vpc_subnets_private_ids
+  ecs_cluster_name            = local.ecs_deploy ? module.ecs_vpc[0].ecs_cluster_name : var.ecs_cluster_name
+  ecs_vpc_id                  = local.ecs_deploy ? module.ecs_vpc[0].ecs_vpc_id : var.ecs_vpc_id
+  ecs_vpc_subnets_private_ids = local.ecs_deploy ? module.ecs_vpc[0].ecs_vpc_subnets_private_ids : var.ecs_vpc_subnets_private_ids
 }
 
-module "ecs_vpc_secgroup" {
+module "ecs_vpc" {
   providers = {
     aws = aws.member
   }

examples/organizational/variables.tf

@@ -77,7 +77,6 @@ variable "benchmark_regions" {
 
 #---------------------------------
 # ecs, security group,  vpc
-# TODO. convert into an object?
 #---------------------------------
 
 variable "ecs_cluster_name" {

examples/single-account/README.md

@@ -65,7 +65,7 @@ No providers.
 | <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector | n/a |
 | <a name="module_cloudtrail"></a> [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail | n/a |
 | <a name="module_codebuild"></a> [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild | n/a |
-| <a name="module_ecs_vpc_secgroup"></a> [ecs\_vpc\_secgroup](#module\_ecs\_vpc\_secgroup) | ../../modules/infrastructure/ecs-vpc | n/a |
+| <a name="module_ecs_vpc"></a> [ecs\_vpc](#module\_ecs\_vpc) | ../../modules/infrastructure/ecs-vpc | n/a |
 | <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | ../../modules/infrastructure/resource-group | n/a |
 | <a name="module_ssm"></a> [ssm](#module\_ssm) | ../../modules/infrastructure/ssm | n/a |
 

examples/single-account/ecs.tf

@@ -1,11 +1,11 @@
 locals {
   ecs_deploy                  = var.ecs_cluster_name == "create"
-  ecs_cluster_name            = local.ecs_deploy ? module.ecs_vpc_secgroup[0].ecs_cluster_name : var.ecs_cluster_name
-  ecs_vpc_id                  = local.ecs_deploy ? module.ecs_vpc_secgroup[0].ecs_vpc_id : var.ecs_vpc_id
-  ecs_vpc_subnets_private_ids = local.ecs_deploy ? module.ecs_vpc_secgroup[0].ecs_vpc_subnets_private_ids : var.ecs_vpc_subnets_private_ids
+  ecs_cluster_name            = local.ecs_deploy ? module.ecs_vpc[0].ecs_cluster_name : var.ecs_cluster_name
+  ecs_vpc_id                  = local.ecs_deploy ? module.ecs_vpc[0].ecs_vpc_id : var.ecs_vpc_id
+  ecs_vpc_subnets_private_ids = local.ecs_deploy ? module.ecs_vpc[0].ecs_vpc_subnets_private_ids : var.ecs_vpc_subnets_private_ids
 }
 
-module "ecs_vpc_secgroup" {
+module "ecs_vpc" {
   count = local.ecs_deploy ? 1 : 0
 
   source             = "../../modules/infrastructure/ecs-vpc"

examples/single-account/variables.tf

@@ -34,7 +34,6 @@ variable "cloudtrail_kms_enable" {
 
 #---------------------------------
 # ecs, security group,  vpc
-# TODO. convert into an object?
 #---------------------------------
 
 variable "ecs_cluster_name" {

modules/services/cloud-connector/README.md

@@ -64,13 +64,13 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu
 |------|-------------|------|---------|:--------:|
 | <a name="input_build_project_arn"></a> [build\_project\_arn](#input\_build\_project\_arn) | Code Build project arn | `string` | n/a | yes |
 | <a name="input_build_project_name"></a> [build\_project\_name](#input\_build\_project\_name) | Code Build project name | `string` | n/a | yes |
+| <a name="input_ecs_cluster_name"></a> [ecs\_cluster\_name](#input\_ecs\_cluster\_name) | Name of a pre-existing ECS (elastic container service) cluster | `string` | n/a | yes |
+| <a name="input_ecs_vpc_id"></a> [ecs\_vpc\_id](#input\_ecs\_vpc\_id) | ID of the VPC where the workload is to be deployed. | `string` | n/a | yes |
+| <a name="input_ecs_vpc_subnets_private_ids"></a> [ecs\_vpc\_subnets\_private\_ids](#input\_ecs\_vpc\_subnets\_private\_ids) | List of VPC subnets where workload is to be deployed. | `list(string)` | n/a | yes |
 | <a name="input_secure_api_token_secret_name"></a> [secure\_api\_token\_secret\_name](#input\_secure\_api\_token\_secret\_name) | Sysdig Secure API token SSM parameter name | `string` | n/a | yes |
 | <a name="input_sns_topic_arn"></a> [sns\_topic\_arn](#input\_sns\_topic\_arn) | ARN of a cloudtrail-sns topic | `string` | n/a | yes |
 | <a name="input_cloudwatch_log_retention"></a> [cloudwatch\_log\_retention](#input\_cloudwatch\_log\_retention) | Days to keep logs for CloudConnector | `number` | `5` | no |
 | <a name="input_connector_ecs_task_role_name"></a> [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Default ecs cloudconnector task role name | `string` | `"ECSTaskRole"` | no |
-| <a name="input_ecs_cluster_name"></a> [ecs\_cluster\_name](#input\_ecs\_cluster\_name) | Name of a pre-existing ECS (elastic container service) cluster. If defaulted, a new ECS cluster/VPC/Security Group will be created | `string` | `"create"` | no |
-| <a name="input_ecs_vpc_id"></a> [ecs\_vpc\_id](#input\_ecs\_vpc\_id) | ID of the VPC where the workload is to be deployed. If defaulted, one will be created | `string` | `"create"` | no |
-| <a name="input_ecs_vpc_subnets_private_ids"></a> [ecs\_vpc\_subnets\_private\_ids](#input\_ecs\_vpc\_subnets\_private\_ids) | List of VPC subnets where workload is to be deployed. Defaulted to be created when 'ecs\_cluster\_name' is not provided. | `list(string)` | `[]` | no |
 | <a name="input_extra_env_vars"></a> [extra\_env\_vars](#input\_extra\_env\_vars) | Extra environment variables for the Cloud Connector deployment | `map(string)` | `{}` | no |
 | <a name="input_image"></a> [image](#input\_image) | Image of the cloud connector to deploy | `string` | `"quay.io/sysdig/cloud-connector:latest"` | no |
 | <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | whether secure-for-cloud should be deployed in an organizational setup | `bool` | `false` | no |

modules/services/cloud-connector/variables.tf

@@ -16,25 +16,21 @@ variable "build_project_name" {
 
 #---------------------------------
 # ecs, security group,  vpc
-# TODO. convert into an object?
 #---------------------------------
 
 variable "ecs_cluster_name" {
   type        = string
-  default     = "create"
-  description = "Name of a pre-existing ECS (elastic container service) cluster. If defaulted, a new ECS cluster/VPC/Security Group will be created"
+  description = "Name of a pre-existing ECS (elastic container service) cluster"
 }
 
 variable "ecs_vpc_id" {
   type        = string
-  default     = "create"
-  description = "ID of the VPC where the workload is to be deployed. If defaulted, one will be created"
+  description = "ID of the VPC where the workload is to be deployed."
 }
 
 variable "ecs_vpc_subnets_private_ids" {
   type        = list(string)
-  default     = []
-  description = "List of VPC subnets where workload is to be deployed. Defaulted to be created when 'ecs_cluster_name' is not provided."
+  description = "List of VPC subnets where workload is to be deployed."
 }
 
 #---------------------------------