feat(bench): Automatically create benchmark task (#17)

* cloud-bench: Automatically create benchmark task
* cleanup var file
* use aws regions datasource
* chore(doc): fix pre-commit

Co-authored-by: iru <irune.prado@sysdig.com>

Author: nkraemer-sysdig

examples-internal/single-account-benchmark/versions.tf

@@ -6,7 +6,7 @@ terraform {
     }
     sysdig = {
       source  = "sysdiglabs/sysdig"
-      version = ">= 0.5.18"
+      version = ">= 0.5.19"
     }
   }
 }

examples/organizational/README.md

@@ -63,7 +63,7 @@ Notice that:
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.50.0 |
-| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.17 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.19 |
 
 ## Providers
 

examples/organizational/versions.tf

@@ -6,7 +6,7 @@ terraform {
     }
     sysdig = {
       source  = "sysdiglabs/sysdig"
-      version = ">= 0.5.17"
+      version = ">= 0.5.19"
     }
   }
 }

examples/single-account/README.md

@@ -47,7 +47,7 @@ Notice that:
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.50.0 |
-| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.17 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.19 |
 
 ## Providers
 

examples/single-account/versions.tf

@@ -6,7 +6,7 @@ terraform {
     }
     sysdig = {
       source  = "sysdiglabs/sysdig"
-      version = ">= 0.5.17"
+      version = ">= 0.5.19"
     }
   }
 }

modules/services/cloud-bench/README.md

@@ -1,6 +1,10 @@
 # Cloud Bench deploy in AWS Module
 
-Deploys the required IAM Role and IAM Policies to allow Sysdig to run AWS Benchmarks on your behalf.
+Deploys
+
+- the required IAM Role and IAM Policies to allow Sysdig to run AWS Benchmarks on your behalf
+- An `aws_foundations_bench-1.3.0` benchmak task schedule on  `0 6 * * *`
+
 
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -29,16 +33,19 @@ No modules.
 |------|------|
 | [aws_iam_role.cloudbench_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.cloudbench_security_audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [sysdig_secure_benchmark_task.benchmark_task](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_benchmark_task) | resource |
 | [sysdig_secure_cloud_account.cloud_account](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_account) | resource |
 | [aws_iam_policy.security_audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy_document.trust_relationship](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [sysdig_secure_trusted_cloud_identity.trusted_sysdig_role](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
+| [aws_regions.regions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
+| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | the account\_id in which to provision the cloud-bench IAM role | `string` | n/a | yes |
+| <a name="input_regions"></a> [regions](#input\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
 
 ## Outputs

modules/services/cloud-bench/main.tf

@@ -7,10 +7,27 @@ resource "sysdig_secure_cloud_account" "cloud_account" {
   role_enabled   = "true"
 }
 
-data "sysdig_secure_trusted_cloud_identity" "trusted_sysdig_role" {
+data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
   cloud_provider = "aws"
 }
 
+data "aws_regions" "regions" {
+  all_regions = true
+}
+
+locals {
+  regions = length(var.regions) == 0 ? data.aws_regions.regions.all_regions : var.regions
+}
+
+resource "sysdig_secure_benchmark_task" "benchmark_task" {
+  name     = "Sysdig Secure for Cloud (AWS) - ${var.account_id}"
+  schedule = "0 6 * * *"
+  schema   = "aws_foundations_bench-1.3.0"
+  scope    = "aws.accountId = \"${var.account_id}\" and aws.region in (\"${join("\", \"", local.regions)}}\")"
+
+  # Creation of a task requires that the Cloud Account already exists in the backend, and has `role_enabled = true`
+  depends_on = [sysdig_secure_cloud_account.cloud_account]
+}
 
 #
 # aws role provisioning
@@ -28,7 +45,7 @@ data "aws_iam_policy_document" "trust_relationship" {
     actions = ["sts:AssumeRole"]
     principals {
       type        = "AWS"
-      identifiers = [data.sysdig_secure_trusted_cloud_identity.trusted_sysdig_role.identity]
+      identifiers = [data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity]
     }
     condition {
       test     = "StringEquals"

modules/services/cloud-bench/variables.tf

@@ -7,9 +7,16 @@ variable "account_id" {
 # optionals - with default
 #---------------------------------
 
+variable "regions" {
+  type        = list(string)
+  description = "List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default."
+  default     = []
+}
+
 variable "tags" {
   type        = map(string)
   description = "sysdig secure-for-cloud tags"
+
   default = {
     "product" = "sysdig-secure-for-cloud"
   }