Feat: Surface region and name in benchmark examples (#28)

* feat(bench): surface region and name in benchmark examples

Author: nkraemer-sysdig

examples-internal/single-account-benchmark/main.tf

@@ -16,4 +16,6 @@ module "cloud_bench" {
 
   account_id = data.aws_caller_identity.me.account_id
   tags       = var.tags
+  regions    = var.benchmark_regions
+  name       = "${var.name}-cloudbench"
 }

examples-internal/single-account-benchmark/variables.tf

@@ -31,3 +31,15 @@ variable "tags" {
     "product" = "sysdig-secure-for-cloud"
   }
 }
+
+variable "benchmark_regions" {
+  type        = list(string)
+  description = "List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default."
+  default     = []
+}
+
+variable "name" {
+  type        = string
+  description = "Name for the Cloud Vision deployment"
+  default     = "sysdig-secure-for-cloud"
+}

examples/single-account/README.md

@@ -80,6 +80,7 @@ Notice that:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_sysdig_secure_api_token"></a> [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig Secure API token | `string` | n/a | yes |
+| <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
 | <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events | `bool` | `true` | no |
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name for the Cloud Vision deployment | `string` | `"sysdig-secure-for-cloud"` | no |

examples/single-account/main.tf

@@ -113,4 +113,6 @@ module "cloud_bench" {
 
   account_id = data.aws_caller_identity.me.account_id
   tags       = var.tags
+  regions    = var.benchmark_regions
+  name       = "${var.name}-cloudbench"
 }

examples/single-account/variables.tf

@@ -54,3 +54,9 @@ variable "tags" {
     "product" = "sysdig-secure-for-cloud"
   }
 }
+
+variable "benchmark_regions" {
+  type        = list(string)
+  description = "List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default."
+  default     = []
+}

modules/services/cloud-bench/README.md

@@ -44,8 +44,8 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | the account\_id in which to provision the cloud-bench IAM role | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | The name of the IAM Role that will be created. | `string` | `"SysdigCloudBench"` | no |
 | <a name="input_regions"></a> [regions](#input\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
-| <a name="input_role_name"></a> [role\_name](#input\_role\_name) | The name of the IAM Role that will be created. | `string` | `"SysdigCloudBench"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
 
 ## Outputs

modules/services/cloud-bench/main.tf

@@ -5,7 +5,7 @@ resource "sysdig_secure_cloud_account" "cloud_account" {
   account_id     = var.account_id
   cloud_provider = "aws"
   role_enabled   = "true"
-  role_name      = var.role_name
+  role_name      = var.name
 }
 
 data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
@@ -23,15 +23,19 @@ resource "sysdig_secure_benchmark_task" "benchmark_task" {
   scope    = "aws.accountId = \"${var.account_id}\"${local.regions_scope_clause}"
 
   # Creation of a task requires that the Cloud Account already exists in the backend, and has `role_enabled = true`
-  depends_on = [sysdig_secure_cloud_account.cloud_account]
+  # We only want to create the task once the rust relationship is established, otherwise running the task will fail.
+  depends_on = [
+    sysdig_secure_cloud_account.cloud_account,
+    aws_iam_role_policy_attachment.cloudbench_security_audit, # Depends on cloudbench_role implicitly
+  ]
 }
 
 #
 # aws role provisioning
 #
 
 resource "aws_iam_role" "cloudbench_role" {
-  name               = var.role_name
+  name               = var.name
   assume_role_policy = data.aws_iam_policy_document.trust_relationship.json
   tags               = var.tags
 }
@@ -52,8 +56,6 @@ data "aws_iam_policy_document" "trust_relationship" {
   }
 }
 
-
-
 resource "aws_iam_role_policy_attachment" "cloudbench_security_audit" {
   role       = aws_iam_role.cloudbench_role.id
   policy_arn = data.aws_iam_policy.security_audit.arn

modules/services/cloud-bench/variables.tf

@@ -7,7 +7,7 @@ variable "account_id" {
 # optionals - with default
 #---------------------------------
 
-variable "role_name" {
+variable "name" {
   type        = string
   description = "The name of the IAM Role that will be created."
   default     = "SysdigCloudBench"