Commit 3727bde

Author: iru
docs: 2022.09 maintenance; troubleshooting, sysdig_secure_url and org permissions (#71)
* doc: explicit SYSDIG_SECURE_URL on sysdig provider
* doc: troubleshoot invalid credentials
* doc: notes for further testing
* doc: permissions review
1 parent 0932aa6 commit 3727bde

10 files changed: +95 -19 lines changed

README.md

Lines changed: 18 additions & 12 deletions
@@ -72,7 +72,7 @@ More info in [`./examples/organizational`](https://github.com/sysdiglabs/terrafo
7272

7373
If no [examples](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples) fit your use-case, be free to call desired modules directly.
7474

75-
In this use-case we will ONLY deploy cloud-bench, into the target account, calling modules directly
75+
In this use-case we will ONLY deploy cloud-bench, into the target account, calling modules directly.
7676

7777
```terraform
7878
terraform {
@@ -89,7 +89,8 @@ provider "aws" {
8989
}
9090
9191
provider "sysdig" {
92-
sysdig_secure_api_token = "00000000-1111-2222-3333-444444444444"
92+
sysdig_secure_url = "<SYSDIG_SECURE_URL>"
93+
sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
9394
}
9495
9596
module "cloud_bench" {
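Review bot: replacing the all-zeros UUID with `<SYSDIG_SECURE_API_TOKEN>` is the right call, since the old value read like a real token, but the snippet still shows the secret inline in the provider block, which is exactly what a reader will copy into a versioned `.tf` file. Suggest a one-line caveat under the block pointing to a `variable` marked `sensitive = true` or an environment variable instead of a literal, and noting that `<SYSDIG_SECURE_URL>` must be the per-region SaaS URL that the new Troubleshooting entry in this same commit links to.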
@@ -145,11 +146,20 @@ It may take some time, but you should see logs detecting the new image in the EC
145146

146147
## Troubleshooting
147148

148-
### Q: Getting error "Error: failed creating ECS Task Definition: ClientException: No Fargate configuration exists for given values.
149+
### Q-General: Getting error "Error: cannot verify credentials" on "sysdig_secure_trusted_cloud_identity" data
150+
A: This happens when Sysdig credentials are not working correctly.
151+
S: Check sysdig provider block is correctly configured with the `sysdig_secure_url` and `sysdig_secure_api_token` variables
152+
with the correct values. Check [Sysdig SaaS per-region URLs if required](https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges)
153+
154+
### Q-General: I'm not able to see Cloud Infrastructure Entitlements Management (CIEM) results
155+
A: Make sure you installed both [cloud-bench](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-bench) and [cloud-connector](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-connector) modules
156+
157+
158+
### Q-AWS: Getting error "Error: failed creating ECS Task Definition: ClientException: No Fargate configuration exists for given values.
149159
A: Your ECS task_size values aren't valid for Fargate. Specifically, your mem_limit value is too big for the cpu_limit you specified
150160
S: Check [supported task cpu and memory values](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html)
151161

152-
### Q: Getting error "404 Invalid parameter: TopicArn" when trying to reuse an existing cloudtrail-sns
162+
### Q-AWS: Getting error "404 Invalid parameter: TopicArn" when trying to reuse an existing cloudtrail-sns
153163

154164
```text
155165
│ Error: error creating SNS Topic Subscription: InvalidParameter: Invalid parameter: TopicArn
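Review bot: the renamed `Q-AWS` heading for the Fargate error keeps the pre-existing unbalanced quote (`"Error: failed creating ECS Task Definition: ClientException: No Fargate configuration exists for given values.` with no closing `"`); since the line is being touched anyway, close the quote to match the other `Q-AWS` headings. The new `Q-General` credentials entry also puts `A:` and `S:` on separate lines while the existing entries join them with `<br/>S:`; pick one so the rendered FAQ is consistent. A short sentence at the top of Troubleshooting saying that entries are grouped by prefix (General / AWS / Dev-Contrib) would explain why the CIEM entry moved up.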
@@ -164,7 +174,7 @@ S: Check [supported task cpu and memory values](https://docs.aws.amazon.com/Amaz
164174
A: In order to subscribe to a SNS Topic, SQS queue must be in the same region
165175
<br/>S: Change `aws provider` `region` variable to match same region for all resources
166176

167-
### Q: Getting error "400 availabilityZoneId is invalid" when creating the ECS subnet
177+
### Q-AWS: Getting error "400 availabilityZoneId is invalid" when creating the ECS subnet
168178
```text
169179
│ Error: error creating subnet: InvalidParameterValue: Value (apne1-az3) for parameter availabilityZoneId is invalid. Subnets can currently only be created in the following availability zones: apne1-az1, apne1-az2, apne1-az4.
170180
│ status code: 400, request id: 6e32d757-2e61-4220-8106-22ccf814e1fe
@@ -178,11 +188,7 @@ A: For the ECS workload deployment a VPC is being created under the hood. Some A
178188
<br/>S: Specify the desired VPC region availability zones for the vpc module, using the `ecs_vpc_region_azs` variable to explicit its desired value and workaround the error until AWS gives support for your region.
179189

180190

181-
### Q: I'm not able to see Cloud Infrastructure Entitlements Management (CIEM) results
182-
A: Make sure you installed both [cloud-bench](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-bench) and [cloud-connector](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-connector) modules
183-
184-
185-
### Q: I get 400 api error AuthorizationHeaderMalformed on the Sysdig workload ECS Task
191+
### Q-AWS: I get 400 api error AuthorizationHeaderMalformed on the Sysdig workload ECS Task
186192

187193
```text
188194
error while receiving the messages: error retrieving from S3 bucket=crit-start-trail: operation error S3: GetObject,
@@ -195,12 +201,12 @@ This error happens when the ECS `TaskRole` has no permissions to assume this rol
195201
<br/>S: Give permissions to `sts:AssumeRole` to the role used.
196202

197203

198-
### Q: How to iterate cloud-connector modification testing
204+
### Q-Dev-Contrib: How to iterate cloud-connector modification testing
199205

200206
A: Build a custom docker image of cloud-connector `docker build . -t <DOCKER_IMAGE> -f ./build/cloud-connector/Dockerfile` and upload it to any registry (like dockerhub).
201207
Modify the [var.image](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-connector/variables.tf) variable to point to your image and deploy
202208

203-
### Q: How can I iterate ECS modification testing
209+
### Q-Dev-Contrib: How can I iterate ECS modification testing
204210

205211
A: After applying your modifications (vía terraform for example) restart the service
206212
```
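Review bot: the `Q-Dev-Contrib` answer tells contributors to push a custom cloud-connector build to "any registry (like dockerhub)" and point `var.image` at it. Worth one sentence that the deployed workload will then trust whatever that tag resolves to, so for anything beyond a throwaway test the image should be referenced by digest (`@sha256:...`) or pushed to a private registry rather than a public mutable tag. Minor: `vía` in the ECS answer is a stray Spanish accent and should read `via`.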

examples-internal/organizational-k8s-threat-reuse_cloudtrail_s3/README.md

Lines changed: 2 additions & 1 deletion
@@ -47,7 +47,8 @@ terraform {
4747
}
4848
4949
provider "sysdig" {
50-
sysdig_secure_api_token = "00000000-1111-2222-3333-444444444444"
50+
sysdig_secure_url = "<SYSDIG_SECURE_URL>"
51+
sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
5152
}
5253
5354
provider "aws" {

examples-internal/use-cases-reuse-resources/org-existing-cloudtrail-ecs-vpc-subnet.md

Lines changed: 2 additions & 1 deletion
@@ -117,7 +117,8 @@ terraform {
117117
}
118118
119119
provider "sysdig" {
120-
sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
120+
sysdig_secure_url = "<SYSDIG_SECURE_URL>"
121+
sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
121122
}
122123
123124
provider "aws" {

examples-internal/use-cases-reuse-resources/single-existing-cloudtrail.md

Lines changed: 2 additions & 1 deletion
@@ -77,7 +77,8 @@ terraform {
7777
}
7878
7979
provider "sysdig" {
80-
sysdig_secure_api_token = "<SYSDIG_API_TOKEN>"
80+
sysdig_secure_url = "<SYSDIG_SECURE_URL>"
81+
sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
8182
}
8283
8384
provider "aws" {

examples-internal/use-cases-self-baked/single-benchmark.md

Lines changed: 2 additions & 1 deletion
@@ -25,7 +25,8 @@ terraform {
2525
}
2626
2727
provider "sysdig" {
28-
sysdig_secure_api_token = "<SYSDIG_API_TOKEN>"
28+
sysdig_secure_url = "<SYSDIG_SECURE_URL>"
29+
sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
2930
}
3031
3132
provider "aws" {

examples/organizational/README.md

Lines changed: 23 additions & 1 deletion
@@ -38,6 +38,27 @@ Minimum requirements:
3838
sysdig_secure_api_token=<SECURE_API_TOKEN>
3939
```
4040
41+
42+
## Permission Summary
43+
44+
Permission requirement for this example comes as follows
45+
46+
- **management account**
47+
- terraform aws provider: default
48+
- `SysdigSecureForCloudRole` will be created
49+
- used by Sysdig to subscribe to cloudtrail-sns
50+
- used by Sysdig to be able to jump to several member accounts to pull ECR hosted images through the `OrganizationAccountAccessRole` role
51+
- `SysdigCloudBench` role will be created for SecurityAudit read-only purpose, used by Sysdig to benchmark
52+
- **member accounts**
53+
- terraform aws provider: 'member' aliased
54+
- this provider can be configured as desired, we just provide a default option
55+
- requires [`OrganizationAccountAccessRole`](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html) default role created by AWS for managed-account users to be able to admin member accounts
56+
- if this role does not exist provide input var `organizational_member_default_admin_role` with the role
57+
- `SysdigCloudBench` role will be created for SecurityAudit read-only purpose, used by Sysdig to benchmark
58+
- **sysdig member account workload**
59+
- if ECS workload is deployed, `ECSTaskRole` will be used to define its permissions
60+
- used by Sysdig to assumeRole on management account `SysdigSecureForCloudRole` and other organizations `OrganizationAccountAccessRole`
61+
4162
## Notice
4263
4364
* **Resource creation inventory** Find all the resources created by Sysdig examples in the resource-group `sysdig-secure-for-cloud` (AWS Resource Group & Tag Editor) <br/><br/>
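Review bot: two wording slips in the new Permission Summary change its meaning: `managed-account users` under member accounts should be `management-account users` (it describes who assumes `OrganizationAccountAccessRole`), and `other organizations \`OrganizationAccountAccessRole\`` in the workload bullet should be `other member accounts'`, since that role lives in member accounts of the same organization. More substantively, the summary says `OrganizationAccountAccessRole` is used `to pull ECR hosted images`, and two lines later describes the same role as the default admin role for member accounts; state plainly that this grants Sysdig full admin in every member account for a read-only task, and point to `organizational_member_default_admin_role` as the place to substitute a narrower role. Also the management-account bullet says `SysdigSecureForCloudRole` is what subscribes to cloudtrail-sns, whereas the unchanged context in the sns_permissions.tf hunk of this commit names the member-account `organizational_role_per_account` as the `sns:Subscribe` principal; check which one is right and make the summary match the policy.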
@@ -58,7 +79,8 @@ terraform {
5879
}
5980
6081
provider "sysdig" {
61-
sysdig_secure_api_token = "00000000-1111-2222-3333-444444444444"
82+
sysdig_secure_url = "<SYSDIG_SECURE_URL>"
83+
sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
6284
}
6385
6486
provider "aws" {
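Review bot: the new `<SYSDIG_SECURE_API_TOKEN>` placeholder does not match the `sysdig_secure_api_token=<SECURE_API_TOKEN>` shown in the Minimum requirements block a few lines above in the same file; use one placeholder name in both places so a reader can grep for it.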
Lines changed: 39 additions & 0 deletions
@@ -0,0 +1,39 @@
1+
# diagrams as code vía https://diagrams.mingrammer.com
2+
from diagrams import Cluster, Diagram, Edge, Node
3+
from diagrams.aws.security import IAM, IAMRole
4+
from diagrams.aws.management import Cloudtrail
5+
from diagrams.aws.storage import S3
6+
from diagrams.aws.compute import ECR
7+
8+
9+
with Diagram("Sysdig Secure for Cloud\n(organizational permissions)", filename="diagram-permissions", show=True):
10+
11+
12+
with Cluster("member account (sysdig workload)"):
13+
# bench_role = IAMRole(label="Benchmark role")
14+
member_sysdig_role = IAMRole(label="OrganizationAccountAccessRole")
15+
member_sysdig_ecr = ECR("container registry")
16+
member_sysdig_role >> member_sysdig_ecr
17+
18+
ecs_role = IAMRole(label="ECSTaskRole")
19+
# bench_role - Edge(style="invis") - member_sysdig_ecr
20+
21+
22+
with Cluster("member accounts"):
23+
# IAMRole(label="Benchmark role")
24+
25+
member_role = IAMRole(label="OrganizationAccountAccessRole")
26+
member_ecr = ECR("container registry")
27+
member_role >> member_ecr
28+
29+
30+
with Cluster("management account"):
31+
# IAMRole(label="Benchmark role")
32+
sf4c_role = IAMRole(label="SysdigSecureForCloud")
33+
sf4c_role >> Cloudtrail()
34+
sf4c_role >> S3()
35+
36+
37+
ecs_role >> sf4c_role
38+
sf4c_role >> member_role
39+
sf4c_role >> member_sysdig_role
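Review bot: the diagram disagrees with the Permission Summary it is meant to illustrate. It labels the management-account role `SysdigSecureForCloud` while the README calls it `SysdigSecureForCloudRole`, and it draws the member-account `OrganizationAccountAccessRole` as reachable only through `sf4c_role` (`sf4c_role >> member_role`), whereas the README says `ECSTaskRole` assumes both the management role and the member accounts' `OrganizationAccountAccessRole` directly; correct one of the two. The commented-out `bench_role` lines are dead code and should either go or be turned into a drawn `SysdigCloudBench` node, since the summary lists that role in every account.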

examples/single-account-k8s/README.md

Lines changed: 2 additions & 1 deletion
@@ -41,7 +41,8 @@ terraform {
4141
}
4242
4343
provider "sysdig" {
44-
sysdig_secure_api_token = "00000000-1111-2222-3333-444444444444"
44+
sysdig_secure_url = "<SYSDIG_SECURE_URL>"
45+
sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
4546
}
4647
4748
provider "aws" {

examples/single-account/README.md

Lines changed: 2 additions & 1 deletion
@@ -35,7 +35,8 @@ terraform {
3535
}
3636
3737
provider "sysdig" {
38-
sysdig_secure_api_token = "00000000-1111-2222-3333-444444444444"
38+
sysdig_secure_url = "<SYSDIG_SECURE_URL>"
39+
sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
3940
}
4041
4142
provider "aws" {

modules/infrastructure/cloudtrail/sns_permissions.tf

Lines changed: 3 additions & 0 deletions
@@ -27,6 +27,9 @@ data "aws_iam_policy_document" "cloudtrail_sns" {
2727
principals {
2828
identifiers = ["arn:aws:iam::${var.organizational_config.sysdig_secure_for_cloud_member_account_id}:role/${var.organizational_config.organizational_role_per_account}"]
2929
type = "AWS"
30+
# more open policy but without requiring aws provider role
31+
# identifiers = ["sqs.amazonaws.com"]
32+
# type = "Service"
3033
}
3134
actions = ["sns:Subscribe"]
3235
resources = [aws_sns_topic.cloudtrail.arn]
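Review bot: the added comment leaves a `Service` principal alternative (`identifiers = ["sqs.amazonaws.com"]`, `type = "Service"`) commented out right next to the live `AWS` principal, described only as `more open policy but without requiring aws provider role`. Commented-out alternatives inside a policy document tend to get uncommented later without review, and this one carries no `condition` block, so if it is ever enabled it should be scoped with `aws:SourceAccount`/`aws:SourceArn`. Either drop the comment or move the trade-off into the module README with the required condition spelled out.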
