Add organizational support for cloud-bench (#24)

nkraemer-sysdig · web-flow · commit 5b7cf5e8028b · 2021-10-20T08:31:30.000+02:00
* feat(benchmarks):  support org with stacksets
* chore(docs): update org readme and diagram
diff --git a/examples-internal/single-account-benchmark/main.tf b/examples-internal/single-account-benchmark/main.tf
@@ -8,14 +8,10 @@ provider "sysdig" {
   sysdig_secure_insecure_tls = length(regexall("https://.*?\\.sysdig(cloud)?.com/?", var.sysdig_secure_endpoint)) == 1 ? false : true
 }
 
-
-data "aws_caller_identity" "me" {}
-
 module "cloud_bench" {
   source = "../../modules/services/cloud-bench"
 
-  account_id = data.aws_caller_identity.me.account_id
-  tags       = var.tags
-  regions    = var.benchmark_regions
-  name       = "${var.name}-cloudbench"
+  name              = "${var.name}-cloudbench"
+  tags              = var.tags
+  benchmark_regions = var.benchmark_regions
 }
diff --git a/examples-internal/single-account-benchmark/versions.tf b/examples-internal/single-account-benchmark/versions.tf
@@ -2,7 +2,7 @@ terraform {
   required_version = ">= 0.15.0"
   required_providers {
     aws = {
-      version = ">= 3.50.0"
+      version = ">= 3.62.0"
     }
     sysdig = {
       source  = "sysdiglabs/sysdig"
diff --git a/examples/organizational/README.md b/examples/organizational/README.md
@@ -2,8 +2,6 @@
 
 Deploy Sysdig Secure for Cloud sharing the Trail within an organization.
 
-_Note: CSPM/Compliance through cloud-bench module is not supported yet_
-
 * In the **management account**
   * An Organizational Cloutrail will be deployed  (with required S3,SNS)
   * An additional role `SysdigSecureForCloudRole` will be created
@@ -20,6 +18,7 @@ Minimum requirements:
 
 1. Have an existing AWS account as the organization management account
     * Organizational CloudTrail service must be enabled
+    * [Organizational CloudFormation StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html) service must be enabled
 2. AWS profile credentials configuration of the `management` account of the organization
     * This account credentials must be [able to manage cloudtrail creation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html)
       > You must be logged in with the management account for the organization to create an organization trail. You must also have sufficient permissions for the IAM user or role in the management account to successfully create an organization trail.
@@ -69,19 +68,20 @@ Notice that:
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.50.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.62.0 |
 | <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.19 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws.member"></a> [aws.member](#provider\_aws.member) | >= 3.50.0 |
+| <a name="provider_aws.member"></a> [aws.member](#provider\_aws.member) | >= 3.62.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_cloud_bench"></a> [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench |  |
 | <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector |  |
 | <a name="module_cloud_scanning"></a> [cloud\_scanning](#module\_cloud\_scanning) | ../../modules/services/cloud-scanning |  |
 | <a name="module_cloudtrail"></a> [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail |  |
@@ -105,6 +105,7 @@ Notice that:
 |------|-------------|------|---------|:--------:|
 | <a name="input_sysdig_secure_api_token"></a> [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig Secure API token | `string` | n/a | yes |
 | <a name="input_sysdig_secure_for_cloud_member_account_id"></a> [sysdig\_secure\_for\_cloud\_member\_account\_id](#input\_sysdig\_secure\_for\_cloud\_member\_account\_id) | organizational member account where the secure-for-cloud workload is going to be deployed | `string` | n/a | yes |
+| <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
 | <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events. testing/economization purpose. | `bool` | `true` | no |
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no |
 | <a name="input_connector_ecs_task_role_name"></a> [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Name for the ecs task role. This is only required to resolve cyclic dependency with organizational approach | `string` | `"organizational-ECSTaskRole"` | no |
diff --git a/examples/organizational/diagram-org.png b/examples/organizational/diagram-org.png
diff --git a/examples/organizational/diagram-org.py b/examples/organizational/diagram-org.py
@@ -4,7 +4,7 @@
 from diagrams.aws.devtools import Codebuild
 from diagrams.aws.general import General
 from diagrams.aws.integration import SNS, SQS
-from diagrams.aws.management import Cloudtrail, Cloudwatch
+from diagrams.aws.management import Cloudtrail, Cloudwatch, CloudformationStack
 from diagrams.aws.security import IAM, IAMRole
 from diagrams.aws.storage import S3
 from diagrams.custom import Custom
@@ -23,6 +23,7 @@
 color_event="firebrick"
 color_scanning = "dark-green"
 color_permission="red"
+color_creates="darkblue"
 color_non_important="gray"
 color_sysdig="lightblue"
 
@@ -32,34 +33,44 @@
 
     with Cluster("AWS organization"):
 
-
         with Cluster("management account"):
 
-            cloudtrail              = Cloudtrail("cloudtrail", shape="plaintext")
-
+            with Cluster("Events"):
+                cloudtrail              = Cloudtrail("cloudtrail", shape="plaintext")
+                cloudtrail_s3           = S3("cloudtrail-s3-events")
+                sns                     = SNS("cloudtrail-sns-events", comment="i'm a graph")
 
             management_credentials  = IAM("credentials \npermissions: cloudtrail, role creation,...", fontsize="10")
-            secure_for_cloud_role   = IAMRole("SysdigSecureForCloudRole\n\(enabled to assumeRole on `OrganizationAccountAccessRole`)", **role_attr)
-            cloudtrail_s3           = S3("cloudtrail-s3-events")
-            sns                     = SNS("cloudtrail-sns-events", comment="i'm a graph")
+            secure_for_cloud_role   = IAMRole("SysdigSecureForCloudRole\n\(enabled to assumeRole on \n`OrganizationAccountAccessRole`)", **role_attr)
+            cft_stack_set           = CloudformationStack("cloudformation-stackset")
 
             cloudtrail >> Edge(color=color_event, style="dashed") >> cloudtrail_s3 >> Edge(color=color_event, style="dashed") >> sns
+            # cloudtrail_s3 >> Edge(style="invis") >> cft_stack_set
 
         with Cluster("member accounts (main targets)", graph_attr={"bgcolor":"lightblue"}):
             member_accounts = General("account-1..n")
-            org_member_role_1 = IAMRole("OrganizationAccountAccessRole\n(created by AWS for org. member accounts)", **role_attr)
+            org_member_role_1 = IAMRole("OrganizationAccountAccessRole\n(created by AWS for org. \nmember accounts)", **role_attr)
             ecr = ECR("container-registry\n *within any account")
 
+            with Cluster("CFT StackSet Instance"):
+                cft_stack = CloudformationStack("cloudformation-stack")
+                cloud_bench_role = IAMRole("SysdigCloudBench\n(aws:SecurityAudit policy)", **role_attr)
+                cft_stack >> Edge(color=color_creates) >> cloud_bench_role
 
         with Cluster("member account (secure for cloud)", graph_attr={"bgcolor":"seashell2"}):
 
-            org_member_role_2 = IAMRole("OrganizationAccountAccessRole\n(created by AWS for org. member accounts)", **role_attr)
+            org_member_role_2 = IAMRole("OrganizationAccountAccessRole\n(created by AWS for org. \nmember accounts)", **role_attr)
 
             sqs         = SQS("cloudtrail-sqs")
             s3_config   = S3("cloud-connector-config")
             cloudwatch  = Cloudwatch("cloudwatch\nlogs and alarms")
             codebuild   = Codebuild("codebuild project")
 
+            with Cluster("CFT StackSet Instance"):
+                cft_stack_2 = CloudformationStack("cloudformation-stack")
+                cloud_bench_role_2 = IAMRole("SysdigCloudBench\n(aws:SecurityAudit policy)", **role_attr)
+                cft_stack_2 >> Edge(color=color_creates) >> cloud_bench_role_2
+
             with Cluster("ecs-cluster"):
                 cloud_connector = ElasticContainerServiceService("cloud-connector")
                 cloud_scanning = ElasticContainerServiceService("cloud-scanning")
@@ -81,6 +92,8 @@
 #        (cloudtrail_s3 << Edge(color=color_event) <<
 
 
+        cft_stack_set >> Edge(color=color_creates) >> cft_stack
+        cft_stack_set >> Edge(color=color_creates) >> cft_stack_2
 
     with Cluster("AWS account (sysdig)"):
         sds = Custom("Sysdig Secure", "../../resources/diag-sysdig-icon.png")
@@ -89,6 +102,14 @@
     cloud_connector >> Edge(color=color_sysdig) >> sds
     codebuild >> Edge(color=color_sysdig) >>  sds
 
+    sds >> Edge(color=color_permission) >> cloud_bench_role
+    sds >> Edge(color=color_permission) >> cloud_bench_role_2
+
+    # Invisible edges to help with layout
+    s3_config >> Edge(style="invis") >> member_accounts
+    sns >> Edge(style="invis") >> org_member_role_2
+
+
 #    secure_for_cloud_role >> Edge(color=color_permission, fontcolor=color_permission, xlable="assumeRole") >>  org_member_role_1
 
 
diff --git a/examples/organizational/main.tf b/examples/organizational/main.tf
@@ -96,27 +96,6 @@ module "cloud_connector" {
   depends_on = [module.cloudtrail, module.ecs_fargate_cluster, module.ssm]
 }
 
-
-#
-# cloud-bench
-# WIP
-#
-
-#data "aws_caller_identity" "me" {}
-#module "cloud_bench" {
-#  providers = {
-#    aws = aws.member
-#  }
-#  source = "../../modules/services/cloud-bench"
-#
-#  account_id = var.organizational_config.sysdig_secure_for_cloud_member_account_id
-#  tags       = var.tags
-#}
-
-
-
-
-
 #
 # cloud-scanning
 #
@@ -161,3 +140,17 @@ module "cloud_scanning" {
   tags       = var.tags
   depends_on = [module.cloudtrail, module.ecs_fargate_cluster, module.codebuild, module.ssm]
 }
+
+#-------------------------------------
+# cloud-bench
+#-------------------------------------
+
+module "cloud_bench" {
+  source = "../../modules/services/cloud-bench"
+
+  name              = "${var.name}-cloudbench"
+  tags              = var.tags
+  is_organizational = true
+  region            = var.region
+  benchmark_regions = var.benchmark_regions
+}
diff --git a/examples/organizational/variables.tf b/examples/organizational/variables.tf
@@ -41,6 +41,16 @@ variable "cloudtrail_kms_enable" {
   description = "true/false whether cloudtrail delivered events to S3 should persist encrypted"
 }
 
+#
+# benchmark configuration
+#
+
+variable "benchmark_regions" {
+  type        = list(string)
+  description = "List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default."
+  default     = []
+}
+
 #
 # general
 #
@@ -51,7 +61,6 @@ variable "region" {
   description = "Default region for resource creation in both organization master and secure-for-cloud member account"
 }
 
-
 variable "name" {
   type        = string
   description = "Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances"
diff --git a/examples/organizational/versions.tf b/examples/organizational/versions.tf
@@ -2,7 +2,7 @@ terraform {
   required_version = ">= 0.15.0"
   required_providers {
     aws = {
-      version = ">= 3.50.0"
+      version = ">= 3.62.0"
     }
     sysdig = {
       source  = "sysdiglabs/sysdig"
diff --git a/examples/single-account/README.md b/examples/single-account/README.md
@@ -47,14 +47,12 @@ Notice that:
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.50.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.62.0 |
 | <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.21 |
 
 ## Providers
 
-| Name | Version |
-|------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.50.0 |
+No providers.
 
 ## Modules
 
@@ -71,9 +69,7 @@ Notice that:
 
 ## Resources
 
-| Name | Type |
-|------|------|
-| [aws_caller_identity.me](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+No resources.
 
 ## Inputs
 
diff --git a/examples/single-account/main.tf b/examples/single-account/main.tf
@@ -100,8 +100,6 @@ module "cloud_scanning" {
 #-------------------------------------
 # cloud-bench
 #-------------------------------------
-data "aws_caller_identity" "me" {}
-
 provider "sysdig" {
   sysdig_secure_url          = var.sysdig_secure_endpoint
   sysdig_secure_api_token    = var.sysdig_secure_api_token
@@ -110,9 +108,8 @@ provider "sysdig" {
 
 module "cloud_bench" {
   source = "../../modules/services/cloud-bench"
-  name   = "${var.name}-cloudbench"
 
-  account_id = data.aws_caller_identity.me.account_id
-  tags       = var.tags
-  regions    = var.benchmark_regions
+  name              = "${var.name}-cloudbench"
+  tags              = var.tags
+  benchmark_regions = var.benchmark_regions
 }
diff --git a/examples/single-account/variables.tf b/examples/single-account/variables.tf
@@ -25,6 +25,15 @@ variable "cloudtrail_kms_enable" {
   description = "true/false whether cloudtrail delivered events to S3 should persist encrypted"
 }
 
+#
+# benchmark configuration
+#
+
+variable "benchmark_regions" {
+  type        = list(string)
+  description = "List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default."
+  default     = []
+}
 
 #
 # general
@@ -54,9 +63,3 @@ variable "tags" {
     "product" = "sysdig-secure-for-cloud"
   }
 }
-
-variable "benchmark_regions" {
-  type        = list(string)
-  description = "List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default."
-  default     = []
-}
diff --git a/examples/single-account/versions.tf b/examples/single-account/versions.tf
@@ -2,7 +2,7 @@ terraform {
   required_version = ">= 0.15.0"
   required_providers {
     aws = {
-      version = ">= 3.50.0"
+      version = ">= 3.62.0"
     }
     sysdig = {
       source  = "sysdiglabs/sysdig"
diff --git a/modules/services/cloud-bench/README.md b/modules/services/cloud-bench/README.md
@@ -13,14 +13,14 @@ Deploys
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.50.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.62.0 |
 | <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.21 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.50.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.62.0 |
 | <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | >= 0.5.21 |
 
 ## Modules
@@ -31,21 +31,26 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_cloudformation_stack_set.stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource |
+| [aws_cloudformation_stack_set_instance.stackset_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
 | [aws_iam_role.cloudbench_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.cloudbench_security_audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [sysdig_secure_benchmark_task.benchmark_task](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_benchmark_task) | resource |
 | [sysdig_secure_cloud_account.cloud_account](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_account) | resource |
+| [aws_caller_identity.me](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy.security_audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy_document.trust_relationship](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
 | [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | the account\_id in which to provision the cloud-bench IAM role | `string` | n/a | yes |
+| <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
+| <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | whether secure-for-cloud should be deployed in an organizational setup | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name of the IAM Role that will be created. | `string` | `"sfc-cloudbench"` | no |
-| <a name="input_regions"></a> [regions](#input\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
+| <a name="input_region"></a> [region](#input\_region) | Default region for resource creation in organization mode | `string` | `"eu-central-1"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
 
 ## Outputs
diff --git a/modules/services/cloud-bench/main.tf b/modules/services/cloud-bench/main.tf
diff --git a/modules/services/cloud-bench/variables.tf b/modules/services/cloud-bench/variables.tf
diff --git a/modules/services/cloud-bench/versions.tf b/modules/services/cloud-bench/versions.tf
diff --git a/test/fixtures/organizational/main.tf b/test/fixtures/organizational/main.tf

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@ terraform {`
`2`	`2`	`required_version = ">= 0.15.0"`
`3`	`3`	`required_providers {`
`4`	`4`	`aws = {`
`5`		`- version = ">= 3.50.0"`
	`5`	`+ version = ">= 3.62.0"`
`6`	`6`	`}`
`7`	`7`	`sysdig = {`
`8`	`8`	`source = "sysdiglabs/sysdig"`
Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,16 @@ variable "cloudtrail_kms_enable" {`
`41`	`41`	`description = "true/false whether cloudtrail delivered events to S3 should persist encrypted"`
`42`	`42`	`}`
`43`	`43`
	`44`	`+#`
	`45`	`+# benchmark configuration`
	`46`	`+#`
	`47`	`+`
	`48`	`+variable "benchmark_regions" {`
	`49`	`+ type = list(string)`
	`50`	`+ description = "List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default."`
	`51`	`+ default = []`
	`52`	`+}`
	`53`	`+`
`44`	`54`	`#`
`45`	`55`	`# general`
`46`	`56`	`#`
`@@ -51,7 +61,6 @@ variable "region" {`
`51`	`61`	`description = "Default region for resource creation in both organization master and secure-for-cloud member account"`
`52`	`62`	`}`
`53`	`63`
`54`		`-`
`55`	`64`	`variable "name" {`
`56`	`65`	`type = string`
`57`	`66`	`description = "Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances"`