feat: Enable Cloud Connector ECS autoscaling based on RAM (#157)

Author: tembleking

examples/single-account-ecs/README.md

@@ -113,6 +113,9 @@ $ terraform apply
 | <a name="input_ecs_vpc_id"></a> [ecs\_vpc\_id](#input\_ecs\_vpc\_id) | ID of the VPC where the workload is to be deployed. If defaulted a new VPC will be created. If specified all three parameters `ecs_cluster_name`, `ecs_vpc_id` and `ecs_vpc_subnets_private_ids` are required | `string` | `"create"` | no |
 | <a name="input_ecs_vpc_region_azs"></a> [ecs\_vpc\_region\_azs](#input\_ecs\_vpc\_region\_azs) | List of Availability Zones for ECS VPC creation. e.g.: ["apne1-az1", "apne1-az2"]. If defaulted, two of the default 'aws\_availability\_zones' datasource will be taken | `list(string)` | `[]` | no |
 | <a name="input_ecs_vpc_subnets_private_ids"></a> [ecs\_vpc\_subnets\_private\_ids](#input\_ecs\_vpc\_subnets\_private\_ids) | List of VPC subnets where workload is to be deployed. If defaulted new subnets will be created within the VPC. A minimum of two subnets is suggested. If specified all three parameters `ecs_cluster_name`, `ecs_vpc_id` and `ecs_vpc_subnets_private_ids` are required. | `list(string)` | `[]` | no |
+| <a name="input_enable_autoscaling"></a> [enable\_autoscaling](#input\_enable\_autoscaling) | Whether to enable autoscaling or not | `bool` | `false` | no |
+| <a name="input_max_replicas"></a> [max\_replicas](#input\_max\_replicas) | If autoscaling is enabled, this is the maximum number of replicas to run | `number` | `10` | no |
+| <a name="input_min_replicas"></a> [min\_replicas](#input\_min\_replicas) | If autoscaling is enabled, this is the minimum number of replicas to run | `number` | `1` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | customization of tags to be assigned to all resources. <br/>always include 'product' default tag for resource-group proper functioning.<br/>can also make use of the [provider-level `default-tags`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags) | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
 

examples/single-account-ecs/main.tf

@@ -66,4 +66,8 @@ module "cloud_connector" {
 
   tags       = var.tags
   depends_on = [local.cloudtrail_sns_arn, module.ssm]
+
+  enable_autoscaling = var.enable_autoscaling
+  min_replicas       = var.min_replicas
+  max_replicas       = var.max_replicas
 }

examples/single-account-ecs/variables.tf

@@ -136,3 +136,25 @@ variable "tags" {
     "product" = "sysdig-secure-for-cloud"
   }
 }
+
+#
+# Autoscaling configurations
+#
+variable "enable_autoscaling" {
+  type        = bool
+  description = "Whether to enable autoscaling or not"
+  default     = false
+}
+
+
+variable "min_replicas" {
+  type        = number
+  default     = 1
+  description = "If autoscaling is enabled, this is the minimum number of replicas to run"
+}
+
+variable "max_replicas" {
+  type        = number
+  default     = 10
+  description = "If autoscaling is enabled, this is the maximum number of replicas to run"
+}

modules/services/cloud-connector-ecs/README.md

@@ -28,8 +28,11 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu
 
 | Name | Type |
 |------|------|
+| [aws_appautoscaling_policy.ecs_ram_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_policy) | resource |
+| [aws_appautoscaling_target.ecs_target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource |
 | [aws_cloudwatch_log_group.log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_cloudwatch_log_stream.stream](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_stream) | resource |
+| [aws_cloudwatch_metric_alarm.ecs_ram_usage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
 | [aws_ecs_service.service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) | resource |
 | [aws_ecs_task_definition.task_definition](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) | resource |
 | [aws_iam_role.execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@@ -76,10 +79,13 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu
 | <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |
 | <a name="input_ecs_task_cpu"></a> [ecs\_task\_cpu](#input\_ecs\_task\_cpu) | Amount of CPU (in CPU units) to reserve for cloud-connector task | `string` | `"256"` | no |
 | <a name="input_ecs_task_memory"></a> [ecs\_task\_memory](#input\_ecs\_task\_memory) | Amount of memory (in megabytes) to reserve for cloud-connector task | `string` | `"512"` | no |
+| <a name="input_enable_autoscaling"></a> [enable\_autoscaling](#input\_enable\_autoscaling) | Enable autoscaling for the ECS service | `bool` | `false` | no |
 | <a name="input_existing_cloudtrail_config"></a> [existing\_cloudtrail\_config](#input\_existing\_cloudtrail\_config) | Optional block. If not set, a new cloudtrail, sns and sqs resources will be created<br/><br>If there's an existing cloudtrail, input mandatory attributes, and one of the 1 or 2 labeled optionals.<br><ul><br>  <li>cloudtrail\_sns\_arn: Optional 1. ARN of a cloudtrail-sns topic. If specified, deployment region must match Cloudtrail S3 bucket region</li><br>  <li>cloudtrail\_s3\_sns\_sqs\_arn: Optional 2. ARN of the queue that will ingest events forwarded from an existing cloudtrail\_s3\_sns</li><br>  <li>cloudtrail\_s3\_sns\_sqs\_url: Optional 2. URL of the queue that will ingest events forwarded from an existing cloudtrail\_s3\_sns<br/>sqs:ReceiveMessage and sqs:DeleteMessage permissions have to be provided to the compute role</li><br></ul> | <pre>object({<br>    cloudtrail_sns_arn        = optional(string)<br>    cloudtrail_s3_sns_sqs_arn = optional(string)<br>    cloudtrail_s3_sns_sqs_url = optional(string)<br>  })</pre> | <pre>{<br>  "cloudtrail_s3_sns_sqs_arn": null,<br>  "cloudtrail_s3_sns_sqs_url": null,<br>  "cloudtrail_sns_arn": "create"<br>}</pre> | no |
 | <a name="input_extra_env_vars"></a> [extra\_env\_vars](#input\_extra\_env\_vars) | Extra environment variables for the Cloud Connector deployment | `map(string)` | `{}` | no |
 | <a name="input_image"></a> [image](#input\_image) | Image of the cloud connector to deploy | `string` | `"quay.io/sysdig/cloud-connector:latest"` | no |
 | <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | true/false whether `organizational_config` should be used to handle organizational setup | `bool` | `false` | no |
+| <a name="input_max_replicas"></a> [max\_replicas](#input\_max\_replicas) | If autoscaling is enabled, this is the maximum number of replicas to run | `number` | `10` | no |
+| <a name="input_min_replicas"></a> [min\_replicas](#input\_min\_replicas) | If autoscaling is enabled, this is the minimum number of replicas to run | `number` | `1` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc-cloudconnector"` | no |
 | <a name="input_organizational_config"></a> [organizational\_config](#input\_organizational\_config) | organizational\_config. following attributes must be given<br><ul><br>  <li>`sysdig_secure_for_cloud_role_arn` for cloud-connector assumeRole in order to read cloudtrail s3 events</li><br>  <li>`connector_ecs_task_role_name` which has been granted trusted-relationship over the secure\_for\_cloud\_role</li><br>  <li>`organizational_role_per_account` is the name of the organizational role deployed by AWS in each account of the organization. used for image-scanning only</li><br></ul> | <pre>object({<br>    sysdig_secure_for_cloud_role_arn = string<br>    organizational_role_per_account  = string<br>    connector_ecs_task_role_name     = string<br>  })</pre> | <pre>{<br>  "connector_ecs_task_role_name": null,<br>  "organizational_role_per_account": null,<br>  "sysdig_secure_for_cloud_role_arn": null<br>}</pre> | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | customization of tags to be assigned to all resources. <br/>always include 'product' default tag for resource-group proper functioning.<br/>can also make use of the [provider-level `default-tags`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags) | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |

modules/services/cloud-connector-ecs/ecs-service-autoscaling.tf

@@ -0,0 +1,70 @@
+resource "aws_appautoscaling_target" "ecs_target" {
+  count = var.enable_autoscaling ? 1 : 0
+
+  max_capacity       = var.max_replicas
+  min_capacity       = var.min_replicas
+  resource_id        = "service/${data.aws_ecs_cluster.this.cluster_name}/${aws_ecs_service.service.name}"
+  scalable_dimension = "ecs:service:DesiredCount"
+  service_namespace  = "ecs"
+}
+
+resource "aws_appautoscaling_policy" "ecs_ram_policy" {
+  count = var.enable_autoscaling ? 1 : 0
+
+  name               = "scale-cloud-connector-ram-usage"
+  policy_type        = "StepScaling"
+  resource_id        = aws_appautoscaling_target.ecs_target[0].resource_id
+  scalable_dimension = aws_appautoscaling_target.ecs_target[0].scalable_dimension
+  service_namespace  = aws_appautoscaling_target.ecs_target[0].service_namespace
+
+  step_scaling_policy_configuration {
+    adjustment_type         = "ChangeInCapacity"
+    cooldown                = 30
+    metric_aggregation_type = "Average"
+
+    # Scale down on Memory usage if it's below 40% usage
+    step_adjustment {
+      metric_interval_upper_bound = -10
+      scaling_adjustment          = -1
+    }
+
+    # Do not scale if Memory usage is between 40% and 60% usage
+    step_adjustment {
+      metric_interval_lower_bound = -10
+      metric_interval_upper_bound = 10
+      scaling_adjustment          = 0
+    }
+
+    # Scale up on Memory usage if it's above 60% usage
+    step_adjustment {
+      metric_interval_lower_bound = 10
+      scaling_adjustment          = 1
+    }
+
+  }
+}
+
+resource "aws_cloudwatch_metric_alarm" "ecs_ram_usage" {
+  count = var.enable_autoscaling ? 1 : 0
+
+  alarm_name = "Step-Scaling-AlarmHigh-ECS:service/${data.aws_ecs_cluster.this.cluster_name}/${aws_ecs_service.service.name}"
+
+  metric_name = "MemoryUtilization"
+  namespace   = "AWS/EC2"
+  statistic   = "Average"
+
+  period             = "30"
+  evaluation_periods = "2"
+  threshold          = "50"
+
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+
+  dimensions = {
+    Name        = data.aws_ecs_cluster.this.cluster_name,
+    ServiceName = aws_ecs_service.service.name
+  }
+
+  alarm_actions = [aws_appautoscaling_policy.ecs_ram_policy[0].arn]
+
+  alarm_description = "This metric monitors ECS Memory Utilization of Cloud Connector"
+}

modules/services/cloud-connector-ecs/ecs-service.tf

@@ -16,6 +16,10 @@ resource "aws_ecs_service" "service" {
   task_definition       = aws_ecs_task_definition.task_definition.arn
   wait_for_steady_state = true
   tags                  = var.tags
+
+  lifecycle {
+    ignore_changes = [desired_count]
+  }
 }
 
 

modules/services/cloud-connector-ecs/variables.tf

@@ -61,7 +61,6 @@ variable "existing_cloudtrail_config" {
 }
 
 
-
 #---------------------------------
 # optionals - with default
 #---------------------------------
@@ -148,7 +147,6 @@ variable "extra_env_vars" {
 }
 
 
-
 #
 # scanning configuration
 #
@@ -172,7 +170,6 @@ variable "deploy_image_scanning_ecs" {
 }
 
 
-
 #
 # general
 #
@@ -189,3 +186,24 @@ variable "tags" {
     "product" = "sysdig-secure-for-cloud"
   }
 }
+
+#
+# autoscaling
+#
+variable "enable_autoscaling" {
+  type        = bool
+  default     = false
+  description = "Enable autoscaling for the ECS service"
+}
+
+variable "min_replicas" {
+  type        = number
+  default     = 1
+  description = "If autoscaling is enabled, this is the minimum number of replicas to run"
+}
+
+variable "max_replicas" {
+  type        = number
+  default     = 10
+  description = "If autoscaling is enabled, this is the maximum number of replicas to run"
+}

test/fixtures/organizational-k8s/main.tf

@@ -3,6 +3,10 @@ terraform {
     sysdig = {
       source = "sysdiglabs/sysdig"
     }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "<4.51.0"
+    }
   }
 }
 

test/fixtures/organizational-single/main.tf

@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     aws = {
-      version               = ">= 4.0.0"
+      version               = ">= 4.0.0, <4.51.0"
       configuration_aliases = [aws.member]
     }
     sysdig = {

test/fixtures/organizational/main.tf

@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     aws = {
-      version               = ">= 4.0.0"
+      version               = ">= 4.0.0, <4.51.0"
       configuration_aliases = [aws.member]
     }
     sysdig = {

test/fixtures/single-account-apprunner/main.tf

@@ -4,6 +4,10 @@ terraform {
       source  = "sysdiglabs/sysdig"
       version = ">=0.5.33"
     }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "<4.51.0"
+    }
   }
 }
 

test/fixtures/single-account-ecs/main.tf

@@ -4,6 +4,10 @@ terraform {
       source  = "sysdiglabs/sysdig"
       version = ">=0.5.33"
     }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "<4.51.0"
+    }
   }
 }
 
@@ -22,4 +26,8 @@ module "cloudvision_aws_single_account_ecs" {
 
   deploy_image_scanning_ecr = true
   deploy_image_scanning_ecs = true
+
+  enable_autoscaling = true
+  min_replicas       = 2
+  max_replicas       = 4
 }

test/fixtures/single-account-ecs/outputs.tf

@@ -3,6 +3,10 @@ terraform {
     sysdig = {
       source = "sysdiglabs/sysdig"
     }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "<4.51.0"
+    }
   }
 }