chore(doc): diagram review

Author: iru

examples/organizational/diagram-org.png

@@ -1,6 +1,6 @@
 # diagrams as code vía https://diagrams.mingrammer.com
 from diagrams import Cluster, Diagram, Edge, Node
-from diagrams.aws.compute import ElasticContainerServiceService
+from diagrams.aws.compute import ElasticContainerServiceService, ECR
 from diagrams.aws.devtools import Codebuild
 from diagrams.aws.general import General
 from diagrams.aws.integration import SNS, SQS
@@ -14,68 +14,83 @@
 }
 
 role_attr = {
-   "height":"1",
-   "width":"0.8",
+   "imagescale":"false",
+   "height":"1.5",
+   "width":"3",
    "fontsize":"9",
 }
 
-event_color="firebrick"
+color_event="firebrick"
+color_scanning = "dark-green"
+color_permission="red"
+color_non_important="gray"
+color_sysdig="lightblue"
 
-with Diagram("Sysdig Secure for Cloud\n(organizational usecase)", graph_attr=diagram_attr, filename="diagram-org", show=True):
 
-    with Cluster("AWS organization"):
-
-        with Cluster("member accounts (main targets)", graph_attr={"bgcolor":"lightblue"}):
-            member_accounts = [General("account-1"), General("account-2"), General("..."), General("account-n")]
 
-            org_member_role = IAMRole("OrganizationAccountAccessRole\n(created by AWS for org. member accounts)", **role_attr)
+with Diagram("Sysdig Secure for Cloud\n(organizational)", graph_attr=diagram_attr, filename="diagram-org", show=True, direction="LR"):
 
+    with Cluster("AWS organization"):
 
-        with Cluster("master account"):
 
+        with Cluster("management account"):
 
             cloudtrail              = Cloudtrail("cloudtrail", shape="plaintext")
-            cloudtrail_legend       = ("for clarity purpose events received from 'secure for cloud' member account\n\
-                                    and master account have been removed from diagram, but will be processed too ")
 
-            Node(label=cloudtrail_legend, width="5",shape="plaintext", labelloc="t", fontsize="10")
 
-            master_credentials      = IAM("credentials \npermissions: cloudtrail, role creation,...", fontsize="10")
-            secure_for_cloud_role   = IAMRole("SysdigSecureForCloudRole", **role_attr)
+            management_credentials  = IAM("credentials \npermissions: cloudtrail, role creation,...", fontsize="10")
+            secure_for_cloud_role   = IAMRole("SysdigSecureForCloudRole\n\(enabled to assumeRole on `OrganizationAccountAccessRole`)", **role_attr)
             cloudtrail_s3           = S3("cloudtrail-s3-events")
             sns                     = SNS("cloudtrail-sns-events", comment="i'm a graph")
 
-            cloudtrail >> Edge(color=event_color, style="dashed") >> cloudtrail_s3 >> Edge(color=event_color, style="dashed") >> sns
+            cloudtrail >> Edge(color=color_event, style="dashed") >> cloudtrail_s3 >> Edge(color=color_event, style="dashed") >> sns
 
+        with Cluster("member accounts (main targets)", graph_attr={"bgcolor":"lightblue"}):
+            member_accounts = General("account-1..n")
+            org_member_role_1 = IAMRole("OrganizationAccountAccessRole\n(created by AWS for org. member accounts)", **role_attr)
+            ecr = ECR("container-registry\n *within any account")
 
 
         with Cluster("member account (secure for cloud)", graph_attr={"bgcolor":"seashell2"}):
 
-            org_member_role = IAMRole("OrganizationAccountAccessRole\n(created by AWS for org. member accounts)", **role_attr)
-
-            with Cluster("ecs-cluster"):
-                cloud_connector = ElasticContainerServiceService("cloud-connector")
-                cloud_scanning = ElasticContainerServiceService("cloud-scanning")
+            org_member_role_2 = IAMRole("OrganizationAccountAccessRole\n(created by AWS for org. member accounts)", **role_attr)
 
             sqs         = SQS("cloudtrail-sqs")
             s3_config   = S3("cloud-connector-config")
             cloudwatch  = Cloudwatch("cloudwatch\nlogs and alarms")
-            codebuild = Codebuild("codebuild project")
+            codebuild   = Codebuild("codebuild project")
 
-            sqs << Edge(color=event_color) << cloud_connector
-            sqs << Edge(color=event_color) << cloud_scanning
-            cloud_connector - s3_config
-            cloud_connector >> cloudwatch
+            with Cluster("ecs-cluster"):
+                cloud_connector = ElasticContainerServiceService("cloud-connector")
+                cloud_scanning = ElasticContainerServiceService("cloud-scanning")
+
+            sqs << Edge(color=color_event) << cloud_connector
+            sqs << Edge(color=color_event) << cloud_scanning
+            cloud_connector - Edge(color=color_non_important) - s3_config
+            cloud_connector >> Edge(color=color_non_important) >> cloudwatch
+            cloud_scanning  >>  Edge(color=color_non_important) >> cloudwatch
             cloud_scanning >> codebuild
+            codebuild >> Edge(color=color_non_important) >>  ecr
+
+
+        member_accounts >> Edge(color=color_event, style="dashed") >>  cloudtrail
+        sns >> Edge(color=color_event, style="dashed") >> sqs
+#        cloudtrail_s3 << Edge(color=color_non_important) << cloud_connector
+#        cloudtrail_s3 << Edge(color=color_non_important) << cloud_scanning
+#        secure_for_cloud_role <<  Edge(color=color_permission, fontcolor=color_permission, xlabel="assumeRole") << cloud_connector
+#        (cloudtrail_s3 << Edge(color=color_event) <<
 
 
-        member_accounts >> Edge(color=event_color, style="dashed") >>  cloudtrail
-        sns >> Edge(color=event_color, style="dashed") >> sqs
-#        cloudtrail_s3 << Edge(color=event_color) << cloud_connector
-        (cloudtrail_s3 << Edge(color=event_color) << secure_for_cloud_role) -  Edge(xlabel="assumeRole", color=event_color) - cloud_connector
 
     with Cluster("AWS account (sysdig)"):
         sds = Custom("Sysdig Secure", "../../resources/diag-sysdig-icon.png")
 
-    cloud_connector >> sds
-    codebuild >> sds
+
+    cloud_connector >> Edge(color=color_sysdig) >> sds
+    codebuild >> Edge(color=color_sysdig) >>  sds
+
+#    secure_for_cloud_role >> Edge(color=color_permission, fontcolor=color_permission, xlable="assumeRole") >>  org_member_role_1
+
+
+#    cloudtrail_legend  = ("to simplify,\l- events received from 'secure for cloud' member account  and management account have been removed from diagram, but will be processed too")
+#    Node(label=cloudtrail_legend, shape="plaintext", labelloc="t", width="10", fontsize="10" )

examples/organizational/diagram-org.py

@@ -6,7 +6,7 @@
 from diagrams.aws.storage import S3, SimpleStorageServiceS3Bucket
 from diagrams.aws.integration import SNS
 from diagrams.aws.integration import SQS
-from diagrams.aws.compute import ECS, ElasticContainerServiceService
+from diagrams.aws.compute import ECS, ElasticContainerServiceService, ECR
 from diagrams.aws.security import IAMRole,IAM
 from diagrams.aws.management import Cloudwatch
 from diagrams.aws.devtools import Codebuild
@@ -23,16 +23,22 @@
 #   "fontsize":"10",
 }
 
-event_color="firebrick"
 
-with Diagram("Sysdig Secure for Cloud{}(single-account usecase)".format("\n"), graph_attr=diagram_attr, filename="diagram-single", show=True):
+color_event="firebrick"
+color_scanning = "dark-green"
+color_permission="red"
+color_non_important="gray"
+color_sysdig="lightblue"
+
+with Diagram("Sysdig Secure for Cloud{}(single-account)".format("\n"), graph_attr=diagram_attr, filename="diagram-single", show=True):
 
     with Cluster("AWS account (target)"):
 
         master_credentials = IAM("credentials \npermissions: cloudtrail, role creation,...", fontsize="10")
 
         with Cluster("other resources", graph_attr={"bgcolor":"lightblue"}):
-            account_resources = [General("resource-1"),General("..."),General("resource-n")]
+            account_resources = [General("resource-1..n")]
+            ecr = ECR("container-registry")
 
         with Cluster("sysdig-secure-for-cloud resources"):
 
@@ -44,7 +50,7 @@
             cloudtrail_s3       = S3("cloudtrail-s3-events")
             sns                 = SNS("cloudtrail-sns-events", comment="i'm a graph")
 
-            cloudtrail >> Edge(color=event_color, style="dashed") >> cloudtrail_s3 >> Edge(color=event_color, style="dashed") >> sns
+            cloudtrail >> Edge(color=color_event, style="dashed") >> cloudtrail_s3 >> Edge(color=color_event, style="dashed") >> sns
 
             with Cluster("ecs-cluster"):
                 cloud_connector = ElasticContainerServiceService("cloud-connector")
@@ -55,21 +61,22 @@
             cloudwatch = Cloudwatch("cloudwatch\n(logs and alarms)")
             codebuild = Codebuild("Build-project")
 
-            sqs << Edge(color=event_color) << cloud_connector
-            sqs << Edge(color=event_color) << cloud_scanning
-            cloud_connector - s3_config
-            cloud_connector >> cloudwatch
-            cloud_scanning >> cloudwatch
+            sqs << Edge(color=color_event) << cloud_connector
+            sqs << Edge(color=color_event) << cloud_scanning
+            cloud_connector - Edge(color=color_non_important) - s3_config
+            cloud_connector >> Edge(color=color_non_important) >>  cloudwatch
+            cloud_scanning >> Edge(color=color_non_important) >> cloudwatch
             cloud_scanning >> codebuild
+            codebuild >> Edge(color=color_non_important) >>  ecr
 
 
             # bench-role
             cloud_bench_role = IAMRole("SysdigCloudBench\n(aws:SecurityAudit policy)", **role_attr)
 
-        account_resources >> Edge(color=event_color, style="dashed") >>  cloudtrail
-        sns >> Edge(color=event_color, style="dashed") >> sqs
-        (cloudtrail_s3 << Edge(color=event_color)) -  cloud_connector
-        (cloudtrail_s3 << Edge(color=event_color)) - cloud_scanning
+        account_resources >> Edge(color=color_event, style="dashed") >>  cloudtrail
+        sns >> Edge(color=color_event, style="dashed") >> sqs
+        (cloudtrail_s3 << Edge(color=color_non_important)) -  cloud_connector
+        (cloudtrail_s3 << Edge(color=color_non_important)) - cloud_scanning
 
     with Cluster("AWS account (sysdig)"):
         sds_account = General("cloud-bench")
@@ -78,6 +85,6 @@
         sds - Edge(label="aws_foundations_bench\n schedule on 0 6 * * *") >>  sds_account
 
 
-    cloud_connector >> sds
-    cloud_scanning >> sds
-    sds_account >> Edge(color="darkgreen", xlabel="assumeRole") >> cloud_bench_role
+    cloud_connector >> Edge(color=color_sysdig) >> sds
+    codebuild >> Edge(color=color_sysdig) >>  sds
+    sds_account >> Edge(color=color_permission, fontcolor=color_permission, xlabel="assumeRole") >> cloud_bench_role