
Commit 5b7cf5e

Add organizational support for cloud-bench (#24)

* feat(benchmarks): support org with stacksets
* chore(docs): update org readme and diagram
1 parent 6e3b16a commit 5b7cf5e

17 files changed (+202 / -98 lines)


examples-internal/single-account-benchmark/main.tf

Lines changed: 3 additions & 7 deletions
Original file line number | Diff line number | Diff line change
@@ -8,14 +8,10 @@ provider "sysdig" {
88
sysdig_secure_insecure_tls = length(regexall("https://.*?\\.sysdig(cloud)?.com/?", var.sysdig_secure_endpoint)) == 1 ? false : true
99
}
1010

11-
12-
data "aws_caller_identity" "me" {}
13-
1411
module "cloud_bench" {
1512
source = "../../modules/services/cloud-bench"
1613

17-
account_id = data.aws_caller_identity.me.account_id
18-
tags = var.tags
19-
regions = var.benchmark_regions
20-
name = "${var.name}-cloudbench"
14+
name = "${var.name}-cloudbench"
15+
tags = var.tags
16+
benchmark_regions = var.benchmark_regions
2117
}
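Review bot: dropping `account_id` and renaming `regions` to `benchmark_regions` in this module call is an interface break for every existing caller of `modules/services/cloud-bench` (the module README diff in this commit removes `account_id` from its inputs table as well), so the commit message or changelog should say so explicitly rather than leaving it under "support org with stacksets". Separately, the context line above computes `sysdig_secure_insecure_tls` from `regexall("https://.*?\\.sysdig(cloud)?.com/?", var.sysdig_secure_endpoint)`: any endpoint that does not match the pattern silently gets TLS verification disabled, and the pattern itself is loose (the `.` before `com` is unescaped and `.*?` accepts any prefix). An explicit boolean input that defaults to `false` would make the TLS decision visible to whoever runs this example.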

examples-internal/single-account-benchmark/versions.tf

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@ terraform {
22
required_version = ">= 0.15.0"
33
required_providers {
44
aws = {
5-
version = ">= 3.50.0"
5+
version = ">= 3.62.0"
66
}
77
sysdig = {
88
source = "sysdiglabs/sysdig"
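Review bot: the `aws` provider floor moves from `>= 3.50.0` to `>= 3.62.0` here and in the two example `versions.tf` files and three README requirement tables, but nothing in the commit records why; add a sentence to the commit message or the cloud-bench README naming the resource or argument that needs 3.62.0 (the module's README diff shows `aws_cloudformation_stack_set` and `aws_cloudformation_stack_set_instance` being introduced), so the floor can be revisited with a reason later. The page shows 17 files changed but only 11 diffs, and `modules/services/cloud-bench/versions.tf` is not among them; confirm the module's own constraint was bumped along with its README table, otherwise the table is generated from a file that still says 3.50.0.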

examples/organizational/README.md

Lines changed: 5 additions & 4 deletions
@@ -2,8 +2,6 @@
22

33
Deploy Sysdig Secure for Cloud sharing the Trail within an organization.
44

5-
_Note: CSPM/Compliance through cloud-bench module is not supported yet_
6-
75
* In the **management account**
86
* An Organizational Cloutrail will be deployed (with required S3,SNS)
97
* An additional role `SysdigSecureForCloudRole` will be created
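Review bot: removing the "CSPM/Compliance through cloud-bench module is not supported yet" note leaves the "In the management account" bullets with no mention of what cloud-bench now deploys; add a bullet for the CloudFormation StackSet created in the management account and one for the `SysdigCloudBench` role (SecurityAudit policy) that its stack instances create in each member account, matching what the updated `diagram-org.py` draws. The unchanged context line also still reads "Cloutrail"; correct it to "CloudTrail" while this list is being edited.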
@@ -20,6 +18,7 @@ Minimum requirements:
2018

2119
1. Have an existing AWS account as the organization management account
2220
* Organizational CloudTrail service must be enabled
21+
* [Organizational CloudFormation StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html) service must be enabled
2322
2. AWS profile credentials configuration of the `management` account of the organization
2423
* This account credentials must be [able to manage cloudtrail creation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html)
2524
> You must be logged in with the management account for the organization to create an organization trail. You must also have sufficient permissions for the IAM user or role in the management account to successfully create an organization trail.
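Review bot: the new StackSets prerequisite only covers enabling trusted access, while the credentials bullet that follows still says the management-account credentials need only be able to manage CloudTrail creation. With cloud-bench now included, those credentials also need CloudFormation StackSet permissions (creating and updating the stack set and its instances) and `organizations:DescribeOrganization` for the `aws_organizations_organization` data source listed in the module README; spelling these out beside the CloudTrail requirement lets an operator build a least-privilege deployment role from the README alone instead of discovering the missing permissions at apply time.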
@@ -69,19 +68,20 @@ Notice that:
6968
| Name | Version |
7069
|------|---------|
7170
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
72-
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.50.0 |
71+
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.62.0 |
7372
| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.19 |
7473

7574
## Providers
7675

7776
| Name | Version |
7877
|------|---------|
79-
| <a name="provider_aws.member"></a> [aws.member](#provider\_aws.member) | >= 3.50.0 |
78+
| <a name="provider_aws.member"></a> [aws.member](#provider\_aws.member) | >= 3.62.0 |
8079

8180
## Modules
8281

8382
| Name | Source | Version |
8483
|------|--------|---------|
84+
| <a name="module_cloud_bench"></a> [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench | |
8585
| <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector | |
8686
| <a name="module_cloud_scanning"></a> [cloud\_scanning](#module\_cloud\_scanning) | ../../modules/services/cloud-scanning | |
8787
| <a name="module_cloudtrail"></a> [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail | |
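Review bot: the requirements table in this hunk still lists `sysdig >= 0.5.19`, while the cloud-bench module README changed in this same commit requires `sysdig >= 0.5.21`; since the example now instantiates that module, the effective floor is 0.5.21 and the example's `versions.tf` (and this generated table) should say so, otherwise the documented constraint is not the one Terraform actually resolves.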
@@ -105,6 +105,7 @@ Notice that:
105105
|------|-------------|------|---------|:--------:|
106106
| <a name="input_sysdig_secure_api_token"></a> [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig Secure API token | `string` | n/a | yes |
107107
| <a name="input_sysdig_secure_for_cloud_member_account_id"></a> [sysdig\_secure\_for\_cloud\_member\_account\_id](#input\_sysdig\_secure\_for\_cloud\_member\_account\_id) | organizational member account where the secure-for-cloud workload is going to be deployed | `string` | n/a | yes |
108+
| <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
108109
| <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events. testing/economization purpose. | `bool` | `true` | no |
109110
| <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no |
110111
| <a name="input_connector_ecs_task_role_name"></a> [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Name for the ecs task role. This is only required to resolve cyclic dependency with organizational approach | `string` | `"organizational-ECSTaskRole"` | no |

examples/organizational/diagram-org.py

Lines changed: 30 additions & 9 deletions
@@ -4,7 +4,7 @@
44
from diagrams.aws.devtools import Codebuild
55
from diagrams.aws.general import General
66
from diagrams.aws.integration import SNS, SQS
7-
from diagrams.aws.management import Cloudtrail, Cloudwatch
7+
from diagrams.aws.management import Cloudtrail, Cloudwatch, CloudformationStack
88
from diagrams.aws.security import IAM, IAMRole
99
from diagrams.aws.storage import S3
1010
from diagrams.custom import Custom
@@ -23,6 +23,7 @@
2323
color_event="firebrick"
2424
color_scanning = "dark-green"
2525
color_permission="red"
26+
color_creates="darkblue"
2627
color_non_important="gray"
2728
color_sysdig="lightblue"
2829

@@ -32,34 +33,44 @@
3233

3334
with Cluster("AWS organization"):
3435

35-
3636
with Cluster("management account"):
3737

38-
cloudtrail = Cloudtrail("cloudtrail", shape="plaintext")
39-
38+
with Cluster("Events"):
39+
cloudtrail = Cloudtrail("cloudtrail", shape="plaintext")
40+
cloudtrail_s3 = S3("cloudtrail-s3-events")
41+
sns = SNS("cloudtrail-sns-events", comment="i'm a graph")
4042

4143
management_credentials = IAM("credentials \npermissions: cloudtrail, role creation,...", fontsize="10")
42-
secure_for_cloud_role = IAMRole("SysdigSecureForCloudRole\n\(enabled to assumeRole on `OrganizationAccountAccessRole`)", **role_attr)
43-
cloudtrail_s3 = S3("cloudtrail-s3-events")
44-
sns = SNS("cloudtrail-sns-events", comment="i'm a graph")
44+
secure_for_cloud_role = IAMRole("SysdigSecureForCloudRole\n\(enabled to assumeRole on \n`OrganizationAccountAccessRole`)", **role_attr)
45+
cft_stack_set = CloudformationStack("cloudformation-stackset")
4546

4647
cloudtrail >> Edge(color=color_event, style="dashed") >> cloudtrail_s3 >> Edge(color=color_event, style="dashed") >> sns
48+
# cloudtrail_s3 >> Edge(style="invis") >> cft_stack_set
4749

4850
with Cluster("member accounts (main targets)", graph_attr={"bgcolor":"lightblue"}):
4951
member_accounts = General("account-1..n")
50-
org_member_role_1 = IAMRole("OrganizationAccountAccessRole\n(created by AWS for org. member accounts)", **role_attr)
52+
org_member_role_1 = IAMRole("OrganizationAccountAccessRole\n(created by AWS for org. \nmember accounts)", **role_attr)
5153
ecr = ECR("container-registry\n *within any account")
5254

55+
with Cluster("CFT StackSet Instance"):
56+
cft_stack = CloudformationStack("cloudformation-stack")
57+
cloud_bench_role = IAMRole("SysdigCloudBench\n(aws:SecurityAudit policy)", **role_attr)
58+
cft_stack >> Edge(color=color_creates) >> cloud_bench_role
5359

5460
with Cluster("member account (secure for cloud)", graph_attr={"bgcolor":"seashell2"}):
5561

56-
org_member_role_2 = IAMRole("OrganizationAccountAccessRole\n(created by AWS for org. member accounts)", **role_attr)
62+
org_member_role_2 = IAMRole("OrganizationAccountAccessRole\n(created by AWS for org. \nmember accounts)", **role_attr)
5763

5864
sqs = SQS("cloudtrail-sqs")
5965
s3_config = S3("cloud-connector-config")
6066
cloudwatch = Cloudwatch("cloudwatch\nlogs and alarms")
6167
codebuild = Codebuild("codebuild project")
6268

69+
with Cluster("CFT StackSet Instance"):
70+
cft_stack_2 = CloudformationStack("cloudformation-stack")
71+
cloud_bench_role_2 = IAMRole("SysdigCloudBench\n(aws:SecurityAudit policy)", **role_attr)
72+
cft_stack_2 >> Edge(color=color_creates) >> cloud_bench_role_2
73+
6374
with Cluster("ecs-cluster"):
6475
cloud_connector = ElasticContainerServiceService("cloud-connector")
6576
cloud_scanning = ElasticContainerServiceService("cloud-scanning")
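Review bot: the added label `"SysdigSecureForCloudRole\n\(enabled to assumeRole on \n`OrganizationAccountAccessRole`)"` contains `\(`, which is not a valid Python escape sequence and produces a DeprecationWarning at compile time (a SyntaxWarning on Python 3.12+); drop the backslash before `(` or make the string raw. Two smaller points in the same hunk: both new clusters are labelled `"CFT StackSet Instance"`, and the `diagrams` library derives the graphviz subgraph name from the label, so check the rendered image to make sure the two clusters are not merged into one; and the commented-out `# cloudtrail_s3 >> Edge(style="invis") >> cft_stack_set` is dead code that should be removed or given a comment explaining why it is kept.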
@@ -81,6 +92,8 @@
8192
# (cloudtrail_s3 << Edge(color=color_event) <<
8293

8394

95+
cft_stack_set >> Edge(color=color_creates) >> cft_stack
96+
cft_stack_set >> Edge(color=color_creates) >> cft_stack_2
8497

8598
with Cluster("AWS account (sysdig)"):
8699
sds = Custom("Sysdig Secure", "../../resources/diag-sysdig-icon.png")
@@ -89,6 +102,14 @@
89102
cloud_connector >> Edge(color=color_sysdig) >> sds
90103
codebuild >> Edge(color=color_sysdig) >> sds
91104

105+
sds >> Edge(color=color_permission) >> cloud_bench_role
106+
sds >> Edge(color=color_permission) >> cloud_bench_role_2
107+
108+
# Invisible edges to help with layout
109+
s3_config >> Edge(style="invis") >> member_accounts
110+
sns >> Edge(style="invis") >> org_member_role_2
111+
112+
92113
# secure_for_cloud_role >> Edge(color=color_permission, fontcolor=color_permission, xlable="assumeRole") >> org_member_role_1
93114

94115

examples/organizational/main.tf

Lines changed: 14 additions & 21 deletions
@@ -96,27 +96,6 @@ module "cloud_connector" {
9696
depends_on = [module.cloudtrail, module.ecs_fargate_cluster, module.ssm]
9797
}
9898

99-
100-
#
101-
# cloud-bench
102-
# WIP
103-
#
104-
105-
#data "aws_caller_identity" "me" {}
106-
#module "cloud_bench" {
107-
# providers = {
108-
# aws = aws.member
109-
# }
110-
# source = "../../modules/services/cloud-bench"
111-
#
112-
# account_id = var.organizational_config.sysdig_secure_for_cloud_member_account_id
113-
# tags = var.tags
114-
#}
115-
116-
117-
118-
119-
12099
#
121100
# cloud-scanning
122101
#
@@ -161,3 +140,17 @@ module "cloud_scanning" {
161140
tags = var.tags
162141
depends_on = [module.cloudtrail, module.ecs_fargate_cluster, module.codebuild, module.ssm]
163142
}
143+
144+
#-------------------------------------
145+
# cloud-bench
146+
#-------------------------------------
147+
148+
module "cloud_bench" {
149+
source = "../../modules/services/cloud-bench"
150+
151+
name = "${var.name}-cloudbench"
152+
tags = var.tags
153+
is_organizational = true
154+
region = var.region
155+
benchmark_regions = var.benchmark_regions
156+
}
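Review bot: the new `module "cloud_bench"` block passes no `providers` map, whereas the removed WIP block pinned `aws = aws.member`; that is the right choice if the stack set has to be created from the management account (the example's default provider), but every other service module in this file targets the member account, so add a comment on the module call saying the management account is intentional, or a reader will read the omission as a mistake. Also confirm the `sysdig` provider is configured in this example: the module README lists a `sysdig` provider requirement and `examples/single-account/main.tf` declares `provider "sysdig"` right above its module call, but no such block appears in this file's diff.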

examples/organizational/variables.tf

Lines changed: 10 additions & 1 deletion
@@ -41,6 +41,16 @@ variable "cloudtrail_kms_enable" {
4141
description = "true/false whether cloudtrail delivered events to S3 should persist encrypted"
4242
}
4343

44+
#
45+
# benchmark configuration
46+
#
47+
48+
variable "benchmark_regions" {
49+
type = list(string)
50+
description = "List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default."
51+
default = []
52+
}
53+
4454
#
4555
# general
4656
#
@@ -51,7 +61,6 @@ variable "region" {
5161
description = "Default region for resource creation in both organization master and secure-for-cloud member account"
5262
}
5363

54-
5564
variable "name" {
5665
type = string
5766
description = "Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances"

examples/organizational/versions.tf

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@ terraform {
22
required_version = ">= 0.15.0"
33
required_providers {
44
aws = {
5-
version = ">= 3.50.0"
5+
version = ">= 3.62.0"
66
}
77
sysdig = {
88
source = "sysdiglabs/sysdig"

examples/single-account/README.md

Lines changed: 3 additions & 7 deletions
@@ -47,14 +47,12 @@ Notice that:
4747
| Name | Version |
4848
|------|---------|
4949
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
50-
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.50.0 |
50+
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.62.0 |
5151
| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.21 |
5252

5353
## Providers
5454

55-
| Name | Version |
56-
|------|---------|
57-
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.50.0 |
55+
No providers.
5856

5957
## Modules
6058

@@ -71,9 +69,7 @@ Notice that:
7169

7270
## Resources
7371

74-
| Name | Type |
75-
|------|------|
76-
| [aws_caller_identity.me](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
72+
No resources.
7773

7874
## Inputs
7975

examples/single-account/main.tf

Lines changed: 3 additions & 6 deletions
@@ -100,8 +100,6 @@ module "cloud_scanning" {
100100
#-------------------------------------
101101
# cloud-bench
102102
#-------------------------------------
103-
data "aws_caller_identity" "me" {}
104-
105103
provider "sysdig" {
106104
sysdig_secure_url = var.sysdig_secure_endpoint
107105
sysdig_secure_api_token = var.sysdig_secure_api_token
@@ -110,9 +108,8 @@ provider "sysdig" {
110108

111109
module "cloud_bench" {
112110
source = "../../modules/services/cloud-bench"
113-
name = "${var.name}-cloudbench"
114111

115-
account_id = data.aws_caller_identity.me.account_id
116-
tags = var.tags
117-
regions = var.benchmark_regions
112+
name = "${var.name}-cloudbench"
113+
tags = var.tags
114+
benchmark_regions = var.benchmark_regions
118115
}

examples/single-account/variables.tf

Lines changed: 9 additions & 6 deletions
@@ -25,6 +25,15 @@ variable "cloudtrail_kms_enable" {
2525
description = "true/false whether cloudtrail delivered events to S3 should persist encrypted"
2626
}
2727

28+
#
29+
# benchmark configuration
30+
#
31+
32+
variable "benchmark_regions" {
33+
type = list(string)
34+
description = "List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default."
35+
default = []
36+
}
2837

2938
#
3039
# general
@@ -54,9 +63,3 @@ variable "tags" {
5463
"product" = "sysdig-secure-for-cloud"
5564
}
5665
}
57-
58-
variable "benchmark_regions" {
59-
type = list(string)
60-
description = "List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default."
61-
default = []
62-
}

examples/single-account/versions.tf

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@ terraform {
22
required_version = ">= 0.15.0"
33
required_providers {
44
aws = {
5-
version = ">= 3.50.0"
5+
version = ">= 3.62.0"
66
}
77
sysdig = {
88
source = "sysdiglabs/sysdig"

modules/services/cloud-bench/README.md

Lines changed: 9 additions & 4 deletions
@@ -13,14 +13,14 @@ Deploys
1313
| Name | Version |
1414
|------|---------|
1515
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
16-
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.50.0 |
16+
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.62.0 |
1717
| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.21 |
1818

1919
## Providers
2020

2121
| Name | Version |
2222
|------|---------|
23-
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.50.0 |
23+
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.62.0 |
2424
| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | >= 0.5.21 |
2525

2626
## Modules
@@ -31,21 +31,26 @@ No modules.
3131

3232
| Name | Type |
3333
|------|------|
34+
| [aws_cloudformation_stack_set.stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource |
35+
| [aws_cloudformation_stack_set_instance.stackset_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
3436
| [aws_iam_role.cloudbench_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
3537
| [aws_iam_role_policy_attachment.cloudbench_security_audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
3638
| [sysdig_secure_benchmark_task.benchmark_task](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_benchmark_task) | resource |
3739
| [sysdig_secure_cloud_account.cloud_account](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_account) | resource |
40+
| [aws_caller_identity.me](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
3841
| [aws_iam_policy.security_audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
3942
| [aws_iam_policy_document.trust_relationship](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
43+
| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
4044
| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
4145

4246
## Inputs
4347

4448
| Name | Description | Type | Default | Required |
4549
|------|-------------|------|---------|:--------:|
46-
| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | the account\_id in which to provision the cloud-bench IAM role | `string` | n/a | yes |
50+
| <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
51+
| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | whether secure-for-cloud should be deployed in an organizational setup | `bool` | `false` | no |
4752
| <a name="input_name"></a> [name](#input\_name) | The name of the IAM Role that will be created. | `string` | `"sfc-cloudbench"` | no |
48-
| <a name="input_regions"></a> [regions](#input\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
53+
| <a name="input_region"></a> [region](#input\_region) | Default region for resource creation in organization mode | `string` | `"eu-central-1"` | no |
4954
| <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br> "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
5055

5156
## Outputs
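Review bot: the new `region` input defaults to `"eu-central-1"`, so an organizational deployment that forgets to pass `region` silently creates the stack set in Frankfurt instead of failing; either drop the default and validate that `region` is set whenever `is_organizational` is true, or derive it from the configured provider. The Resources table now also lists `aws_cloudformation_stack_set.stackset`, `aws_cloudformation_stack_set_instance.stackset_instance` and the `aws_organizations_organization.org` data source, but the "Deploys" section above the tables is unchanged; it should state that in organizational mode a `SysdigCloudBench` role with the `SecurityAudit` managed policy is created in every member account of the organization, and list the StackSet and Organizations permissions the deploying credentials need for that.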
