fix: Remove deploy_threat_detection so it cannot be set (#82)

* fix: remove deploy_threat_detection so it cannot be set

* fix: remove length from paramter since it always deploy

* fix: remove index

* chore: remove deleted var from readme files

Author: hayk99

examples/organizational/README.md

@@ -23,7 +23,7 @@ Minimum requirements:
 2. Configure [Terraform **AWS** Provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) for the `management` account of the organization
     * This provider credentials must be [able to manage cloudtrail creation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html)
       > You must be logged in with the management account for the organization to create an organization trail. You must also have sufficient permissions for the IAM user or role in the management account to successfully create an organization trail.
-      
+
 3. Organizational Multi-Account Setup
     * An specific role is required, to enable Sysdig to impersonate and be able to provide
       * For the scanning feature, the ability to pull ECR hosted images when they're allocated in a different account
@@ -56,16 +56,16 @@ Permission requirement for this example comes as follows
       - used by Sysdig to subscribe to cloudtrail events
       - used by Sysdig to be able to jump to several member accounts to pull ECR hosted images through the `OrganizationAccountAccessRole` role
       - assumming previous role will also enable the access of cloudtrail s3 buckets when they are in a different region than were the terraform module is deployed
-      
+
     - `SysdigCloudBench` role will be created for SecurityAudit read-only purpose, used by Sysdig to benchmark
-    
+
 - **member accounts**
     - terraform aws provider: 'member' aliased
       - this provider can be configured as desired, we just provide a default option
     - by default, we suggest using an assumeRole to the [AWS created default role `OrganizationAccountAccessRole`](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html)
       - if this role does not exist provide input var `organizational_member_default_admin_role` with the role
     - `SysdigCloudBench` role will be created for SecurityAudit read-only purpose, used by Sysdig to benchmark
-    
+
 - **sysdig workload member account**
   - if ECS workload is deployed, `ECSTaskRole` will be used to define its permissions
     - used by Sysdig to assumeRole on management account `SysdigSecureForCloudRole` and other organizations `OrganizationAccountAccessRole`

examples/single-account-k8s/README.md

@@ -120,7 +120,6 @@ $ terraform apply
 | <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
 | <a name="input_deploy_image_scanning_ecr"></a> [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `true` | no |
 | <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `true` | no |
-| <a name="input_deploy_threat_detection"></a> [deploy\_threat\_detection](#input\_deploy\_threat\_detection) | true/false whether to deploy cloud\_connector | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
 

examples/single-account-k8s/cloud-connector.tf

@@ -6,7 +6,6 @@ locals {
 # requirements
 #-------------------------------------
 module "cloud_connector_sqs" {
-  count  = var.deploy_threat_detection ? 1 : 0
   source = "../../modules/infrastructure/sqs-sns-subscription"
 
   name          = var.name
@@ -30,8 +29,6 @@ module "codebuild" {
 # cloud_connector
 #-------------------------------------
 resource "helm_release" "cloud_connector" {
-  count = var.deploy_threat_detection ? 1 : 0
-
   name       = "cloud-connector"
   repository = "https://charts.sysdig.com"
   chart      = "cloud-connector"
@@ -74,7 +71,7 @@ resource "helm_release" "cloud_connector" {
       ingestors = [
         {
           cloudtrail-sns-sqs = {
-            queueURL = module.cloud_connector_sqs[0].cloudtrail_sns_subscribed_sqs_url
+            queueURL = module.cloud_connector_sqs.cloudtrail_sns_subscribed_sqs_url
           }
         }
       ]

examples/single-account-k8s/credentials.tf

@@ -2,11 +2,10 @@ module "iam_user" {
   source = "../../modules/infrastructure/permissions/iam-user"
   name   = var.name
 
-  deploy_threat_detection = var.deploy_threat_detection
-  deploy_image_scanning   = local.deploy_image_scanning
+  deploy_image_scanning = local.deploy_image_scanning
 
   ssm_secure_api_token_arn       = module.ssm.secure_api_token_secret_arn
   cloudtrail_s3_bucket_arn       = length(module.cloudtrail) > 0 ? module.cloudtrail[0].s3_bucket_arn : "*"
-  cloudtrail_subscribed_sqs_arn  = length(module.cloud_connector_sqs) > 0 ? module.cloud_connector_sqs[0].cloudtrail_sns_subscribed_sqs_arn : "*"
+  cloudtrail_subscribed_sqs_arn  = module.cloud_connector_sqs.cloudtrail_sns_subscribed_sqs_arn
   scanning_codebuild_project_arn = length(module.codebuild) > 0 ? module.codebuild[0].project_arn : "*"
 }

examples/single-account-k8s/variables.tf

@@ -38,16 +38,6 @@ variable "tags" {
   }
 }
 
-#
-# threat-detection configuration
-#
-
-variable "deploy_threat_detection" {
-  type        = bool
-  description = "true/false whether to deploy cloud_connector"
-  default     = true
-}
-
 #
 # scanning configuration
 #

modules/infrastructure/permissions/iam-user/README.md

@@ -1,7 +1,7 @@
 # Permissions :: Single-Account user credentials
 
 Creates an IAM user and adds permissions for required modules.
-<br/>Will use the `deploy_threat_detection` and `deploy_image_scanning` flags to pin down specific feature-permissions.
+<br/>Will use the `deploy_image_scanning` flag to pin down specific feature-permissions.
 
 
 ## Access Key Rotation
@@ -69,7 +69,6 @@ Note: Contact us if this authentication system does not match your requirement.
 | <a name="input_cloudtrail_s3_bucket_arn"></a> [cloudtrail\_s3\_bucket\_arn](#input\_cloudtrail\_s3\_bucket\_arn) | ARN of cloudtrail s3 bucket | `string` | `"*"` | no |
 | <a name="input_cloudtrail_subscribed_sqs_arn"></a> [cloudtrail\_subscribed\_sqs\_arn](#input\_cloudtrail\_subscribed\_sqs\_arn) | ARN of the cloudtrail subscribed sqs's | `string` | `"*"` | no |
 | <a name="input_deploy_image_scanning"></a> [deploy\_image\_scanning](#input\_deploy\_image\_scanning) | true/false whether to provision cloud\_scanning permissions | `bool` | `true` | no |
-| <a name="input_deploy_threat_detection"></a> [deploy\_threat\_detection](#input\_deploy\_threat\_detection) | true/false whether to provision cloud\_connector permissions | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_scanning_codebuild_project_arn"></a> [scanning\_codebuild\_project\_arn](#input\_scanning\_codebuild\_project\_arn) | ARN of codebuild to launch the image scanning process | `string` | `"*"` | no |
 | <a name="input_ssm_secure_api_token_arn"></a> [ssm\_secure\_api\_token\_arn](#input\_ssm\_secure\_api\_token\_arn) | ARN of the security credentials for the secure\_api\_token | `string` | `"*"` | no |

modules/infrastructure/permissions/iam-user/main.tf

@@ -25,7 +25,6 @@ module "credentials_general" {
 
 
 module "credentials_cloud_connector" {
-  count  = var.deploy_threat_detection ? 1 : 0
   source = "../cloud-connector"
   name   = var.name
 

modules/infrastructure/permissions/iam-user/variables.tf

@@ -2,12 +2,6 @@
 # optionals - with defaults
 #---------------------------------
 
-variable "deploy_threat_detection" {
-  type        = bool
-  description = "true/false whether to provision cloud_connector permissions"
-  default     = true
-}
-
 variable "deploy_image_scanning" {
   type        = bool
   description = "true/false whether to provision cloud_scanning permissions"

modules/infrastructure/permissions/org-role-eks/README.md

@@ -53,7 +53,6 @@ No modules.
 | <a name="input_cloudtrail_s3_arn"></a> [cloudtrail\_s3\_arn](#input\_cloudtrail\_s3\_arn) | Cloudtrail S3 bucket ARN | `string` | n/a | yes |
 | <a name="input_user_arn"></a> [user\_arn](#input\_user\_arn) | ARN of the IAM user to which roles will be added | `string` | n/a | yes |
 | <a name="input_deploy_image_scanning"></a> [deploy\_image\_scanning](#input\_deploy\_image\_scanning) | true/false whether to provision cloud\_scanning permissions | `bool` | `true` | no |
-| <a name="input_deploy_threat_detection"></a> [deploy\_threat\_detection](#input\_deploy\_threat\_detection) | true/false whether to provision cloud\_connector permissions | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_organizational_role_per_account"></a> [organizational\_role\_per\_account](#input\_organizational\_role\_per\_account) | Name of the organizational role deployed by AWS in each account of the organization | `string` | `"OrganizationAccountAccessRole"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |

modules/infrastructure/permissions/org-role-eks/main.tf

@@ -22,13 +22,12 @@ data "aws_iam_policy_document" "sysdig_secure_for_cloud_role_trusted" {
 # ------------------------------
 
 resource "aws_iam_role_policy" "sysdig_secure_for_cloud_role_s3" {
-  count  = var.deploy_threat_detection ? 1 : 0
   name   = "${var.name}-AllowCloudtrailS3Policy"
   role   = aws_iam_role.secure_for_cloud_role.id
-  policy = data.aws_iam_policy_document.sysdig_secure_for_cloud_role_s3[0].json
+  policy = data.aws_iam_policy_document.sysdig_secure_for_cloud_role_s3.json
 }
+
 data "aws_iam_policy_document" "sysdig_secure_for_cloud_role_s3" {
-  count = var.deploy_threat_detection ? 1 : 0
   statement {
     effect = "Allow"
     actions = [
@@ -52,6 +51,7 @@ resource "aws_iam_role_policy" "sysdig_secure_for_cloud_role_assume_role" {
   role   = aws_iam_role.secure_for_cloud_role.id
   policy = data.aws_iam_policy_document.sysdig_secure_for_cloud_role_assume_role[0].json
 }
+
 data "aws_iam_policy_document" "sysdig_secure_for_cloud_role_assume_role" {
   count = var.deploy_image_scanning ? 1 : 0
   statement {