feat(refact): rc 0.1.0 (#14)

* feat: root module/example refactor
* chore(naming): misc/general block on variables
* chore(test-bench): example for agentless on single-account
* chore(cleanup): benchmark
* chore: Add scanning to single-account diagram
* chore(internal): removed README from benchmark example
* chore(doc): diagram refact
* chore(cleanup): diagrams,main,README's
* chore(bench): version bump for bugfix
* chore(doc): remove separator
* chore(doc): add cloud_scanning - cloudwatch relation

Co-authored-by: Fede Barcelona <fede.barcelona@sysdig.com>
Co-authored-by: Hayk Kocharyan <hayk.kocharyan@sysdig.com>
Co-authored-by: Ruben Eguiluz <ruben.eguiluz@sysdig.com>
Co-authored-by: Nestor Salceda <nestor.salceda@sysdig.com>
Co-authored-by: Hayk Kocharyan <hayk@MacBook-Pro-de-Hayk-Work.local>

Author: 6 people

README.md

@@ -11,7 +11,6 @@ There are three major components:
 
 For other Cloud providers check: [GCP](https://github.com/sysdiglabs/terraform-google-cloudvision), [Azure](https://github.com/sysdiglabs/terraform-azurerm-cloudvision)
 
----
 
 ## Usage
 
@@ -32,19 +31,24 @@ More info in [`./examples/organizational`](https://github.com/sysdiglabs/terrafo
 
 ### · Self-Baked
 
-If no [examples](https://github.com/sysdiglabs/terraform-aws-cloudvision/tree/master/examples) fit your use-case, be free to self-configure your own `cloudvision` module.
+If no [examples](https://github.com/sysdiglabs/terraform-aws-cloudvision/tree/master/examples) fit your use-case, be free to call desired modules directly.
+
+In this use-case we will ONLY deploy cloud-bench, into the target account, calling modules directly
 
 ```terraform
-module "cloudvision_aws" {
-  source = "sysdiglabs/cloudvision/aws"
+provider "aws" {
+  region = var.region
+}
 
-  # required to pin cloudvision stack on single-account single-provider
-  providers = {
-    aws.cloudvision = aws
-  }
+provider "sysdig" {
   sysdig_secure_api_token  = "00000000-1111-2222-3333-444444444444"
 }
 
+module "cloud_bench" {
+  source      = "sysdiglabs/cloudvision/aws//modules/cloud-bench"
+  account_id  = "AWS-ACCOUNT-ID" # can also be fetched from `aws_caller_identity.me`
+}
+
 ```
 See [inputs summary](#inputs) or main [module `variables.tf`](https://github.com/sysdiglabs/terraform-aws-cloudvision/tree/master/variables.tf) file for more optional configuration.
 
@@ -59,7 +63,6 @@ Notice that:
 * This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
 * All created resources will be created within the tags `product:sysdig-cloudvision`, within the resource-group `sysdig-cloudvision`
 
----
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
@@ -113,7 +116,7 @@ Notice that:
 | <a name="output_cloudtrail_s3_arn"></a> [cloudtrail\_s3\_arn](#output\_cloudtrail\_s3\_arn) | sydig-cloudvision cloudtrail s3 arn, required for organizational use case, in order to give proper permissions to cloudconnector role to assume |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
----
+
 ## Troubleshooting
 
 - Q: How to **validate cloudvision cloud-connector (thread-detection) provisioning** is working as expected?<br/>
@@ -147,9 +150,6 @@ Notice that:
     source_profile=<AWS_MASTER_ACCOUNT_PROFILE>
     ```
 
-
----
-
 ## Authors
 
 Module is maintained and supported by [Sysdig](https://sysdig.com).

examples/organizational/README.md

@@ -1,4 +1,4 @@
-# Sysdig Secure for Cloud in AWS: Shared Organizational Trail
+# Sysdig Secure for Cloud in AWS :: Shared Organizational Trail
 
 Deploy Sysdig Secure for Cloud sharing the Trail within an organization.
 * In the **master account**
@@ -55,8 +55,6 @@ Notice that:
 * This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
 * All created resources will be created within the tags `product:sysdig-cloudvision`, within the resource-group `sysdig-cloudvision`
 
----
-
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
@@ -65,6 +63,7 @@ Notice that:
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.50.0 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.17 |
 
 ## Providers
 
@@ -76,27 +75,31 @@ Notice that:
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_cloudvision"></a> [cloudvision](#module\_cloudvision) | ../../ |  |
+| <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector |  |
+| <a name="module_cloudtrail"></a> [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail |  |
 | <a name="module_cloudvision_role"></a> [cloudvision\_role](#module\_cloudvision\_role) | ../../modules/infrastructure/organizational/cloudvision-role |  |
+| <a name="module_ecs_fargate_cluster"></a> [ecs\_fargate\_cluster](#module\_ecs\_fargate\_cluster) | ../../modules/infrastructure/ecs-fargate-cluster |  |
 | <a name="module_resource_group_cloudvision_member"></a> [resource\_group\_cloudvision\_member](#module\_resource\_group\_cloudvision\_member) | ../../modules/infrastructure/resource-group |  |
+| <a name="module_resource_group_master"></a> [resource\_group\_master](#module\_resource\_group\_master) | ../../modules/infrastructure/resource-group |  |
+| <a name="module_ssm"></a> [ssm](#module\_ssm) | ../../modules/infrastructure/ssm |  |
 
 ## Resources
 
 | Name | Type |
 |------|------|
-| [aws_iam_role.task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.connector_ecs_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_policy_document.task_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_cloudvision_member_account_id"></a> [cloudvision\_member\_account\_id](#input\_cloudvision\_member\_account\_id) | the account\_id **within the organization** to be used as cloudvision account | `string` | n/a | yes |
+| <a name="input_cloudvision_member_account_id"></a> [cloudvision\_member\_account\_id](#input\_cloudvision\_member\_account\_id) | organizational member account where the cloudvision workload is going to be deployed | `string` | n/a | yes |
 | <a name="input_sysdig_secure_api_token"></a> [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig Secure API token | `string` | n/a | yes |
 | <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | testing/economization purpose. true/false whether cloudtrail will ingest multiregional events | `bool` | `true` | no |
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | testing/economization purpose. true/false whether s3 should be encrypted | `bool` | `true` | no |
 | <a name="input_connector_ecs_task_role_name"></a> [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Name for the ecs task role. This is only required to resolve cyclic dependency with organizational approach | `string` | `"connector-ECSTaskRole"` | no |
-| <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources | `string` | `"sysdig-cloudvision"` | no |
+| <a name="input_name"></a> [name](#input\_name) | Name for the Cloud Vision deployment | `string` | `"sysdig-cloudvision"` | no |
 | <a name="input_region"></a> [region](#input\_region) | Default region for resource creation in both organization master and cloudvision member account | `string` | `"eu-central-1"` | no |
 | <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig cloudvision tags | `map(string)` | <pre>{<br>  "product": "sysdig-cloudvision"<br>}</pre> | no |
@@ -106,8 +109,6 @@ Notice that:
 No outputs.
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
----
-
 ## Authors
 
 Module is maintained and supported by [Sysdig](https://sysdig.com).

examples/organizational/diagram-org.png

@@ -5,7 +5,7 @@
 from diagrams.aws.storage import S3, SimpleStorageServiceS3Bucket
 from diagrams.aws.integration import SNS
 from diagrams.aws.integration import SQS
-from diagrams.aws.compute import ECS, ElasticContainerServiceService
+from diagrams.aws.compute import ElasticContainerServiceService
 from diagrams.aws.security import IAMRole,IAM
 from diagrams.aws.management import Cloudwatch
 
@@ -26,7 +26,7 @@
 
     with Cluster("AWS organization"):
 
-        with Cluster("other accounts (member)", graph_attr={"bgcolor":"lightblue"}):
+        with Cluster("member account (main targets)", graph_attr={"bgcolor":"lightblue"}):
             member_accounts = [General("account-1"),General("..."),General("account-n")]
 
             org_member_role = IAMRole("OrganizationAccountAccessRole\ncreated by AWS for org. member accounts", **role_attr)
@@ -40,22 +40,21 @@
                                     and master account have been removed from diagram, but will be processed too ")
             Node(label=cloudtrail_legend, width="5",shape="plaintext", labelloc="t", fontsize="10")
 
-
-            master_credentials = IAM("master-credentials \npermissions: cloudtrail, role creation", fontsize="10")
+            master_credentials = IAM("credentials \npermissions: cloudtrail, role creation,...", fontsize="10")
             cloudvision_role    = IAMRole("Sysdig-Cloudvision-Role", **role_attr)
             cloudtrail_s3       = S3("cloudtrail-s3-events")
             sns                 = SNS("cloudtrail-sns-events", comment="i'm a graph")
 
             cloudtrail >> Edge(color=event_color, style="dashed") >> cloudtrail_s3 >> Edge(color=event_color, style="dashed") >> sns
 
-        with Cluster("cloudvision account (member)", graph_attr={"bgcolor":"seashell2"}):
+
+
+        with Cluster("member account (cloudvision)", graph_attr={"bgcolor":"seashell2"}):
 
             org_member_role = IAMRole("OrganizationAccountAccessRole\ncreated by AWS for org. member accounts", **role_attr)
 
-            with Cluster("ecs"):
-                ecs = ECS("cloudvision")
+            with Cluster("ecs-cluster"):
                 cloud_connector = ElasticContainerServiceService("cloud-connector")
-                ecs - cloud_connector
 
             sqs = SQS("cloudtrail-sqs")
             s3_config = S3("cloud-connector-config")

examples/organizational/diagram-org.py

@@ -10,27 +10,152 @@ provider "aws" {
   }
 }
 
-module "cloudvision" {
-  source = "../../"
+provider "sysdig" {
+  sysdig_secure_url          = var.sysdig_secure_endpoint
+  sysdig_secure_api_token    = var.sysdig_secure_api_token
+  sysdig_secure_insecure_tls = length(regexall("https://.*?\\.sysdig(cloud)?.com/?", var.sysdig_secure_endpoint)) == 1 ? false : true
+}
+
+#-------------------------------------
+# resources deployed always in master account
+# with default provider
+#-------------------------------------
+
+module "resource_group_master" {
+  source = "../../modules/infrastructure/resource-group"
+  name   = var.name
+  tags   = var.tags
+}
+
+module "cloudtrail" {
+  source = "../../modules/infrastructure/cloudtrail"
+  name   = var.name
+
+  is_organizational = true
+  organizational_config = {
+    cloudvision_member_account_id = var.cloudvision_member_account_id
+  }
+
+  is_multi_region_trail = var.cloudtrail_is_multi_region_trail
+  cloudtrail_kms_enable = var.cloudtrail_kms_enable
 
+  tags = var.tags
+}
+
+
+#-------------------------------------
+# resources deployed in master OR member account
+# with cloudvision provider, which can be master or member config
+#-------------------------------------
+
+module "ecs_fargate_cluster" {
   providers = {
-    aws.cloudvision = aws.member
+    aws = aws.member
   }
+  source = "../../modules/infrastructure/ecs-fargate-cluster"
+  name   = var.name
+  tags   = var.tags
+}
 
+
+module "ssm" {
+  providers = {
+    aws = aws.member
+  }
+  source                  = "../../modules/infrastructure/ssm"
   name                    = var.name
-  sysdig_secure_endpoint  = var.sysdig_secure_endpoint
   sysdig_secure_api_token = var.sysdig_secure_api_token
+}
+
+
+
+#
+# cloud-connector
+#
+module "cloud_connector" {
+  providers = {
+    aws = aws.member
+  }
+  source = "../../modules/services/cloud-connector"
+  name   = "${var.name}-cloudconnector"
+
+  sysdig_secure_endpoint       = var.sysdig_secure_endpoint
+  secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
 
   is_organizational = true
   organizational_config = {
-    cloudvision_member_account_id = var.cloudvision_member_account_id
-    connector_ecs_task_role_name  = var.connector_ecs_task_role_name
-    cloudvision_role_arn          = module.cloudvision_role.cloudvision_role_arn
+    cloudvision_role_arn         = module.cloudvision_role.cloudvision_role_arn
+    connector_ecs_task_role_name = aws_iam_role.connector_ecs_task.name
   }
 
-  #  testing purpose; economization
-  cloudtrail_is_multi_region_trail = var.cloudtrail_is_multi_region_trail
-  cloudtrail_kms_enable            = var.cloudtrail_kms_enable
+  sns_topic_arn = module.cloudtrail.sns_topic_arn
 
-  tags = var.tags
+  ecs_cluster = module.ecs_fargate_cluster.id
+  vpc_id      = module.ecs_fargate_cluster.vpc_id
+  vpc_subnets = module.ecs_fargate_cluster.vpc_subnets
+
+  tags       = var.tags
+  depends_on = [module.cloudtrail, module.ecs_fargate_cluster, module.ssm]
 }
+
+
+
+#
+# cloud-bench
+# WIP
+#
+
+#data "aws_caller_identity" "me" {}
+#module "cloud_bench" {
+#  providers = {
+#    aws = aws.member
+#  }
+#  source = "../../modules/services/cloud-bench"
+#
+#  account_id = var.organizational_config.cloudvision_member_account_id
+#  tags       = var.tags
+#}
+
+
+
+
+
+#
+# cloud-scanning
+# WIP
+#
+
+
+## FIXME? if this is a non-shared resource, move its usage to scanning service?
+#module "codebuild" {
+#  source                       = "../../modules/infrastructure/codebuild"
+#  name                         = var.name
+#  secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
+#  depends_on                   = [module.ssm]
+#}
+#
+
+
+#module "cloud_scanning" {
+#  providers = {
+#    aws = aws.member
+#  }
+#
+#  source = "../../modules/services/cloud-scanning"
+#  name   = "${var.name}-cloudscanning"
+#
+#  sysdig_secure_endpoint       = var.sysdig_secure_endpoint
+#  secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
+#
+#  build_project_arn  = module.codebuild.project_arn
+#  build_project_name = module.codebuild.project_name
+#
+#  sns_topic_arn = module.cloudtrail.sns_topic_arn
+#
+#  ecs_cluster = module.ecs_fargate_cluster.id
+#  vpc_id      = module.ecs_fargate_cluster.vpc_id
+#  vpc_subnets = module.ecs_fargate_cluster.vpc_subnets
+#
+#  tags       = var.tags
+#  depends_on = [module.cloudtrail, module.ecs_fargate_cluster, module.codebuild, module.ssm]
+#}

examples/organizational/main.tf

@@ -15,11 +15,11 @@ module "cloudvision_role" {
   }
   name = var.name
 
-  cloudtrail_s3_arn                 = module.cloudvision.cloudtrail_s3_arn
-  cloudconnector_ecs_task_role_name = aws_iam_role.task.name
+  cloudtrail_s3_arn                 = module.cloudtrail.s3_bucket_arn
+  cloudconnector_ecs_task_role_name = aws_iam_role.connector_ecs_task.name
 
   tags       = var.tags
-  depends_on = [aws_iam_role.task]
+  depends_on = [aws_iam_role.connector_ecs_task]
 }
 
 
@@ -29,7 +29,7 @@ module "cloudvision_role" {
 # - definition of a ROOT lvl cloudvision_connector_ecs_tas_role to avoid cyclic dependencies
 # - duplicated in ../../modules/services/cloud-connector/ecs-service-security.tf
 # -----------------------------------------------------------------
-resource "aws_iam_role" "task" {
+resource "aws_iam_role" "connector_ecs_task" {
   provider           = aws.member
   name               = "${var.name}-${var.connector_ecs_task_role_name}"
   assume_role_policy = data.aws_iam_policy_document.task_assume_role.json