File: README.md (18 additions & 12 deletions)
@@ -72,7 +72,7 @@ More info in [`./examples/organizational`](https://github.com/sysdiglabs/terrafo
72
72
73
73
If no [examples](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples) fit your use-case, be free to call desired modules directly.
74
74
75
-
In this use-case we will ONLY deploy cloud-bench, into the target account, calling modules directly
75
+
In this use-case we will ONLY deploy cloud-bench, into the target account, calling modules directly.
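Review bot: the `+` line only adds the missing period and keeps the two stray commas; "we will ONLY deploy cloud-bench, into the target account, calling modules directly." reads better as "we will ONLY deploy cloud-bench into the target account, calling the modules directly."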
@@ -145,11 +146,20 @@ It may take some time, but you should see logs detecting the new image in the EC
145
146
146
147
## Troubleshooting
147
148
148
-
### Q: Getting error "Error: failed creating ECS Task Definition: ClientException: No Fargate configuration exists for given values.
149
+
### Q-General: Getting error "Error: cannot verify credentials" on "sysdig_secure_trusted_cloud_identity" data
150
+
A: This happens when Sysdig credentials are not working correctly.
151
+
S: Check sysdig provider block is correctly configured with the `sysdig_secure_url` and `sysdig_secure_api_token` variables
152
+
with the correct values. Check [Sysdig SaaS per-region URLs if required](https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges)
153
+
154
+
### Q-General: I'm not able to see Cloud Infrastructure Entitlements Management (CIEM) results
155
+
A: Make sure you installed both [cloud-bench](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-bench) and [cloud-connector](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-connector) modules
156
+
157
+
158
+
### Q-AWS: Getting error "Error: failed creating ECS Task Definition: ClientException: No Fargate configuration exists for given values.
149
159
A: Your ECS task_size values aren't valid for Fargate. Specifically, your mem_limit value is too big for the cpu_limit you specified
150
160
S: Check [supported task cpu and memory values](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html)
151
161
152
-
### Q: Getting error "404 Invalid parameter: TopicArn" when trying to reuse an existing cloudtrail-sns
162
+
### Q-AWS: Getting error "404 Invalid parameter: TopicArn" when trying to reuse an existing cloudtrail-sns
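Review bot: the renamed `Q-AWS` heading for the Fargate error still has an unclosed quotation mark (`"Error: failed creating ECS Task Definition: ... for given values.` with no closing `"`); close it, as the other Q headings do. In the new credentials entry, "Check sysdig provider block is correctly configured" should read "Check that the sysdig provider block is correctly configured", and since `sysdig_secure_api_token` is a credential, the S: answer would benefit from one clause saying the token should be supplied through a variable or secrets source rather than pasted as a literal into the provider block.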
@@ -164,7 +174,7 @@ S: Check [supported task cpu and memory values](https://docs.aws.amazon.com/Amaz
164
174
A: In order to subscribe to a SNS Topic, SQS queue must be in the same region
165
175
<br/>S: Change `aws provider``region` variable to match same region for all resources
166
176
167
-
### Q: Getting error "400 availabilityZoneId is invalid" when creating the ECS subnet
177
+
### Q-AWS: Getting error "400 availabilityZoneId is invalid" when creating the ECS subnet
168
178
```text
169
179
│ Error: error creating subnet: InvalidParameterValue: Value (apne1-az3) for parameter availabilityZoneId is invalid. Subnets can currently only be created in the following availability zones: apne1-az1, apne1-az2, apne1-az4.
170
180
│ status code: 400, request id: 6e32d757-2e61-4220-8106-22ccf814e1fe
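Review bot: only the heading changes here, but the context line "Change `aws provider``region` variable" is missing a space between the two backticked terms and renders as "aws providerregion"; while this entry is being touched, write it as "Change the `aws` provider `region` variable". "SQS queue must be in the same region" also wants the article: "the SQS queue".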
@@ -178,11 +188,7 @@ A: For the ECS workload deployment a VPC is being created under the hood. Some A
178
188
<br/>S: Specify the desired VPC region availability zones for the vpc module, using the `ecs_vpc_region_azs` variable to explicit its desired value and workaround the error until AWS gives support for your region.
179
189
180
190
181
-
### Q: I'm not able to see Cloud Infrastructure Entitlements Management (CIEM) results
182
-
A: Make sure you installed both [cloud-bench](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-bench) and [cloud-connector](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-connector) modules
183
-
184
-
185
-
### Q: I get 400 api error AuthorizationHeaderMalformed on the Sysdig workload ECS Task
191
+
### Q-AWS: I get 400 api error AuthorizationHeaderMalformed on the Sysdig workload ECS Task
186
192
187
193
```text
188
194
error while receiving the messages: error retrieving from S3 bucket=crit-start-trail: operation error S3: GetObject,
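Review bot: the S: line "using the `ecs_vpc_region_azs` variable to explicit its desired value and workaround the error" is ungrammatical; suggest "set the `ecs_vpc_region_azs` variable explicitly to work around the error until AWS supports your region". The quoted log under the AuthorizationHeaderMalformed entry carries a real-looking bucket name (`bucket=crit-start-trail`); replace it with a placeholder such as `bucket=<CLOUDTRAIL_BUCKET>` so the example does not expose a deployment detail and readers do not copy it verbatim.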
@@ -195,12 +201,12 @@ This error happens when the ECS `TaskRole` has no permissions to assume this rol
195
201
<br/>S: Give permissions to `sts:AssumeRole` to the role used.
196
202
197
203
198
-
### Q: How to iterate cloud-connector modification testing
204
+
### Q-Dev-Contrib: How to iterate cloud-connector modification testing
199
205
200
206
A: Build a custom docker image of cloud-connector `docker build . -t <DOCKER_IMAGE> -f ./build/cloud-connector/Dockerfile` and upload it to any registry (like dockerhub).
201
207
Modify the [var.image](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-connector/variables.tf) variable to point to your image and deploy
202
208
203
-
### Q: How can I iterate ECS modification testing
209
+
### Q-Dev-Contrib: How can I iterate ECS modification testing
204
210
205
211
A: After applying your modifications (vía terraform for example) restart the service
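Review bot: the fix "Give permissions to `sts:AssumeRole` to the role used" should state what the `Resource` of that policy statement ought to be: the ARN of the single role being assumed, not `*`, otherwise the ECS `TaskRole` ends up with a blanket assume-role grant. Two wording nits in the Dev-Contrib entries: "vía" has a stray accent ("via"), and "Modify the var.image variable to point to your image and deploy" should end with a period like the surrounding lines.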
File: examples/organizational/README.md (23 additions & 1 deletion)
@@ -38,6 +38,27 @@ Minimum requirements:
38
38
sysdig_secure_api_token=<SECURE_API_TOKEN>
39
39
```
40
40
41
+
42
+
## Permission Summary
43
+
44
+
Permission requirement for this example comes as follows
45
+
46
+
- **management account**
47
+
- terraform aws provider: default
48
+
- `SysdigSecureForCloudRole` will be created
49
+
- used by Sysdig to subscribe to cloudtrail-sns
50
+
- used by Sysdig to be able to jump to several member accounts to pull ECR hosted images through the `OrganizationAccountAccessRole` role
51
+
- `SysdigCloudBench` role will be created for SecurityAudit read-only purpose, used by Sysdig to benchmark
52
+
- **member accounts**
53
+
- terraform aws provider: 'member' aliased
54
+
- this provider can be configured as desired, we just provide a default option
55
+
- requires [`OrganizationAccountAccessRole`](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html) default role created by AWS for managed-account users to be able to admin member accounts
56
+
- if this role does not exist provide input var `organizational_member_default_admin_role` with the role
57
+
- `SysdigCloudBench` role will be created for SecurityAudit read-only purpose, used by Sysdig to benchmark
58
+
- **sysdig member account workload**
59
+
- if ECS workload is deployed, `ECSTaskRole` will be used to define its permissions
60
+
- used by Sysdig to assumeRole on management account `SysdigSecureForCloudRole` and other organizations `OrganizationAccountAccessRole`
61
+
41
62
## Notice
42
63
43
64
* **Resource creation inventory** Find all the resources created by Sysdig examples in the resource-group `sysdig-secure-for-cloud` (AWS Resource Group & Tag Editor) <br/><br/>
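Review bot: "Permission requirement for this example comes as follows" should read "Permission requirements for this example are as follows". In the member-accounts bullets, "for managed-account users to be able to admin member accounts" should say "management account" (the term the list itself uses), and the `organizational_member_default_admin_role` bullet should be explicit that the role supplied there only needs what Sysdig uses it for (the list above names ECR image pulls), so readers are not steered toward a full-admin role when a narrower one suffices. In the workload section, "other organizations `OrganizationAccountAccessRole`" should be "other member accounts' `OrganizationAccountAccessRole`".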