feat: Remove s3 config (#86)

penguinjournals · web-flow · commit 6b71ed1ce28d · 2022-05-05T13:25:21.000+02:00
* feat: remove config load from s3 for ecs

* feat: remove s3 configuration in favor of environment variable

* docs: diagrams upgraded to reflect no s3 configuration
diff --git a/examples/organizational/diagram-org.png b/examples/organizational/diagram-org.png
diff --git a/examples/organizational/diagram-org.py b/examples/organizational/diagram-org.py
@@ -66,7 +66,6 @@
             org_member_role_2 = IAMRole("OrganizationAccountAccessRole\n(created by AWS for org. \nmember accounts)", **role_attr)
 
             sqs         = SQS("cloudtrail-sqs")
-            s3_config   = S3("cloud-connector-config")
             cloudwatch  = Cloudwatch("cloudwatch\nlogs and alarms")
             codebuild   = Codebuild("codebuild project")
 
@@ -79,7 +78,6 @@
                 cloud_connector = ElasticContainerServiceService("cloud-connector")
 
             sqs << Edge(color=color_event) << cloud_connector
-            cloud_connector - Edge(color=color_non_important) - s3_config
             cloud_connector >> Edge(color=color_non_important) >> cloudwatch
             cloud_connector  >>  Edge(color=color_non_important) >> cloudwatch
             cloud_connector >> codebuild
diff --git a/examples/single-account-apprunner/diagram-single.png b/examples/single-account-apprunner/diagram-single.png
diff --git a/examples/single-account-apprunner/diagram-single.py b/examples/single-account-apprunner/diagram-single.py
@@ -55,7 +55,6 @@
 
             cloudtrail_s3       = S3("cloudtrail-s3-events")
             sns                 = SNS("cloudtrail-sns-events", comment="i'm a graph")
-            s3_config = S3("cloud-connector-config")
             cloudwatch = Cloudwatch("cloudwatch\n(logs and alarms)")
 
 
@@ -67,7 +66,6 @@
 
             sqs = SQS("cloudtrail-sqs")
             sqs << Edge(color=color_event) << cloud_connector
-            cloud_connector - Edge(color=color_non_important) - s3_config
             cloud_connector >> Edge(color=color_non_important) >>  cloudwatch
 
             # scanning
diff --git a/examples/single-account-ecs/diagram-single.png b/examples/single-account-ecs/diagram-single.png
diff --git a/examples/single-account-ecs/diagram-single.py b/examples/single-account-ecs/diagram-single.py
@@ -56,7 +56,6 @@
 
             cloudtrail_s3       = S3("cloudtrail-s3-events")
             sns                 = SNS("cloudtrail-sns-events", comment="i'm a graph")
-            s3_config = S3("cloud-connector-config")
             cloudwatch = Cloudwatch("cloudwatch\n(logs and alarms)")
 
 
@@ -68,7 +67,6 @@
 
             sqs = SQS("cloudtrail-sqs")
             sqs << Edge(color=color_event) << cloud_connector
-            cloud_connector - Edge(color=color_non_important) - s3_config
             cloud_connector >> Edge(color=color_non_important) >>  cloudwatch
 
             # scanning
diff --git a/examples/single-account-k8s/diagram.png b/examples/single-account-k8s/diagram.png
diff --git a/examples/single-account-k8s/diagram.py b/examples/single-account-k8s/diagram.py
@@ -51,7 +51,6 @@
 
             cloudtrail           = Cloudtrail("cloudtrail\n* ingest events from all\norg member accounts+managed", shape="plaintext")
             cloudtrail_s3       = S3("cloudtrail-s3-events")
-            s3_config           = S3("cloud-connector-config")
             sns                 = SNS("sns")
 
             sqs = SQS("cloudtrail-sqs")
@@ -76,7 +75,6 @@
 
         sqs << Edge(color=color_event) << cloud_connector
         cloud_connector >> Edge(color=color_sysdig, style="dashed") >> sqs
-        cloud_connector - Edge(color=color_non_important) - s3_config
 
         sns >> Edge(color=color_event, style="dashed") >> sqs
         (cloudtrail_s3 << Edge(color=color_non_important)) -  cloud_connector
diff --git a/modules/services/cloud-connector-apprunner/apprunner.tf b/modules/services/cloud-connector-apprunner/apprunner.tf
@@ -6,7 +6,7 @@ resource "aws_apprunner_service" "cloudconnector" {
       image_configuration {
         port = "5000"
         runtime_environment_variables = {
-          CONFIG_PATH                 = "s3://${local.s3_bucket_config_id}/cloud-connector.yaml"
+          CONFIG                      = base64encode(local.default_config)
           SECURE_API_TOKEN            = var.sysdig_secure_api_token
           SECURE_URL                  = var.sysdig_secure_url
           VERIFY_SSL                  = local.verify_ssl
diff --git a/modules/services/cloud-connector-apprunner/cloudconnector-config.tf b/modules/services/cloud-connector-apprunner/cloudconnector-config.tf
@@ -1,26 +1,7 @@
-locals {
-  s3_bucket_config_id = aws_s3_bucket.s3_config_bucket.id
-}
-
-resource "aws_s3_object" "config" {
-  bucket = local.s3_bucket_config_id
-  key    = "cloud-connector.yaml"
-
-  content = local.default_config
-  tags    = var.tags
-}
-
 locals {
   default_config = yamlencode(merge({
     logging = "info"
-    rules = [
-      {
-        s3 = {
-          bucket = local.s3_bucket_config_id
-          path   = "rules"
-        }
-      }
-    ]
+    rules   = []
     ingestors = [
       {
         cloudtrail-sns-sqs = merge(
diff --git a/modules/services/cloud-connector-apprunner/s3.tf b/modules/services/cloud-connector-apprunner/s3.tf
diff --git a/modules/services/cloud-connector-ecs/README.md b/modules/services/cloud-connector-ecs/README.md
@@ -44,7 +44,6 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu
 | [aws_s3_bucket_acl.s3_config_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_public_access_block.s3_config_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_versioning.s3_config_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
-| [aws_s3_object.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource |
 | [aws_security_group.sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_caller_identity.me](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ecs_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecs_cluster) | data source |
diff --git a/modules/services/cloud-connector-ecs/cloudconnector-config.tf b/modules/services/cloud-connector-ecs/cloudconnector-config.tf
@@ -1,26 +1,7 @@
-locals {
-  s3_bucket_config_id = aws_s3_bucket.s3_config_bucket.id
-}
-
-resource "aws_s3_object" "config" {
-  bucket = local.s3_bucket_config_id
-  key    = "cloud-connector.yaml"
-
-  content = local.default_config
-  tags    = var.tags
-}
-
 locals {
   default_config = yamlencode(merge({
     logging = "info"
-    rules = [
-      {
-        s3 = {
-          bucket = local.s3_bucket_config_id
-          path   = "rules"
-        }
-      }
-    ]
+    rules   = []
     ingestors = [
       {
         cloudtrail-sns-sqs = merge(
diff --git a/modules/services/cloud-connector-ecs/ecs-service.tf b/modules/services/cloud-connector-ecs/ecs-service.tf
@@ -72,8 +72,8 @@ locals {
       value = "terraform_aws_ecs_${local.suffix_org}"
     },
     {
-      name  = "CONFIG_PATH"
-      value = "s3://${local.s3_bucket_config_id}/cloud-connector.yaml"
+      name  = "CONFIG"
+      value = base64encode(local.default_config)
     },
     {
       name  = "SECURE_URL",
diff --git a/use-cases/single-existing-cloudtrail.md b/use-cases/single-existing-cloudtrail.md
@@ -86,7 +86,7 @@ provider "aws" {
 }
 
 module "sysdig-s4c" {
-  source = "sysdiglabs/secure-for-cloud/aws//examples/single-account"
+  source = "sysdiglabs/secure-for-cloud/aws//examples/single-account-ecs"
   name   = "sysdig-s4c"
 
   cloudtrail_sns_arn  = "<CLOUDRAIL_SNS_TOPIC_ARN>"
