If no [examples](https://github.com/sysdiglabs/terraform-aws-cloudvision/tree/master/examples) fit your use-case, be free to call desired modules directly.
34
+
If no [examples](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples) fit your use-case, be free to call desired modules directly.
35
35
36
36
In this use-case we will ONLY deploy cloud-bench, into the target account, calling modules directly
account_id = "AWS-ACCOUNT-ID" # can also be fetched from `aws_caller_identity.me`
50
50
}
51
51
52
52
```
53
-
See [inputs summary](#inputs) or main [module `variables.tf`](https://github.com/sysdiglabs/terraform-aws-cloudvision/tree/master/variables.tf) file for more optional configuration.
53
+
See [inputs summary](#inputs) or main [module `variables.tf`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/variables.tf) file for more optional configuration.
54
54
55
55
To run this example you need have your [aws master-account profile configured in CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) and to execute:
56
56
```terraform
@@ -61,7 +61,7 @@ $ terraform apply
61
61
62
62
Notice that:
63
63
* This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
64
-
* All created resources will be created within the tags `product:sysdig-cloudvision`, within the resource-group `sysdig-cloudvision`
64
+
* All created resources will be created within the tags `product:sysdig-secure-for-cloud`, within the resource-group `sysdig-secure-for-cloud`
65
65
66
66
67
67
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
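Review bot: the renamed tag and resource-group values on line 64 (`product:sysdig-secure-for-cloud`, `sysdig-secure-for-cloud`) are documentation only; confirm the module's default `tags` value and the resource-group name were renamed in the same commit, otherwise anyone still filtering on `product:sysdig-cloudvision` will silently see no resources. While touching the line, "All created resources will be created within the tags" would read better as "All resources are created with the tag `product:sysdig-secure-for-cloud`, within the resource group `sysdig-secure-for-cloud`".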
| <aname="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail)| testing/economization purpose. true/false whether cloudtrail will ingest multiregional events |`bool`|`true`| no |
105
105
| <aname="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable)| testing/economization purpose. true/false whether s3 should be encrypted |`bool`|`true`| no |
106
-
| <aname="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational)| whether cloudvision should be deployed in an organizational setup |`bool`|`false`| no |
107
-
| <aname="input_name"></a> [name](#input\_name)| Name for the Cloud Vision deployment |`string`|`"sysdig-cloudvision"`| no |
108
-
| <aname="input_organizational_config"></a> [organizational\_config](#input\_organizational\_config)| organizational\_config. following attributes must be given<br><ul><li>`cloudvision_member_account_id` to enable reading permission,</li><li>`cloudvision_role_arn` for cloud-connector assumeRole in order to read cloudtrail s3 events</li><li>and the `connector_ecs_task_role_name` which has been granted trusted-relationship over the cloudvision\_role</li></ul> | <pre>object({<br> cloudvision_member_account_id = string<br> cloudvision_role_arn = string<br> connector_ecs_task_role_name = string<br> })</pre> | <pre>{<br> "cloudvision_member_account_id": null,<br> "cloudvision_role_arn": null,<br> "connector_ecs_task_role_name": null<br>}</pre> | no |
106
+
| <aname="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational)| whether secure-for-cloud should be deployed in an organizational setup |`bool`|`false`| no |
107
+
| <aname="input_name"></a> [name](#input\_name)| Name for the Cloud Vision deployment |`string`|`"sysdig-secure-for-cloud"`| no |
108
+
| <aname="input_organizational_config"></a> [organizational\_config](#input\_organizational\_config)| organizational\_config. following attributes must be given<br><ul><li>`sysdig_secure_for_cloud_member_account_id` to enable reading permission,</li><li>`sysdig_secure_for_cloud_role_arn` for cloud-connector assumeRole in order to read cloudtrail s3 events</li><li>and the `connector_ecs_task_role_name` which has been granted trusted-relationship over the secure-for-cloud\_role</li></ul> | <pre>object({<br> sysdig_secure_for_cloud_member_account_id = string<br> sysdig_secure_for_cloud_role_arn = string<br> connector_ecs_task_role_name = string<br> })</pre> | <pre>{<br> "sysdig_secure_for_cloud_member_account_id": null,<br> "sysdig_secure_for_cloud_role_arn": null,<br> "connector_ecs_task_role_name": null<br>}</pre> | no |
109
109
| <aname="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint)| Sysdig Secure API endpoint |`string`|`"https://secure.sysdig.com"`| no |
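Review bot: line 107's description still reads "Name for the Cloud Vision deployment" although its default became `"sysdig-secure-for-cloud"`; this table sits between the PRE-COMMIT-TERRAFORM DOCS HOOK markers, so the fix belongs in the variable description in `variables.tf`, not in the README, or the hook will regenerate the stale text. Renaming the `organizational_config` attributes on line 108 (`cloudvision_member_account_id` to `sysdig_secure_for_cloud_member_account_id`, `cloudvision_role_arn` to `sysdig_secure_for_cloud_role_arn`) is a breaking change for existing callers and should be called out in the changelog or upgrade notes; the description's `secure-for-cloud\_role` should also name the attribute it means, `sysdig_secure_for_cloud_role_arn`.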
| <aname="output_cloudtrail_s3_arn"></a> [cloudtrail\_s3\_arn](#output\_cloudtrail\_s3\_arn)| sydig-cloudvision cloudtrail s3 arn, required for organizational use case, in order to give proper permissions to cloudconnector role to assume |
116
+
| <aname="output_cloudtrail_s3_arn"></a> [cloudtrail\_s3\_arn](#output\_cloudtrail\_s3\_arn)| sydig-secure-for-cloud cloudtrail s3 arn, required for organizational use case, in order to give proper permissions to cloudconnector role to assume |
117
117
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
118
118
119
119
120
120
## Troubleshooting
121
121
122
-
- Q: How to **validate cloudvision cloud-connector (thread-detection) provisioning** is working as expected?<br/>
122
+
- Q: How to **validate secure-for-cloud cloud-connector (thread-detection) provisioning** is working as expected?<br/>
123
123
A: Check each pipeline resource is working as expected (from high to low lvl)
124
124
- select a rule to break manually, from the 'Sysdig AWS Best Practices' policies. for example, 'Delete Bucket Public Access Block'. can you see the event?
125
125
- are there any errors in the ECS task logs? can also check cloudwatch logs
126
126
for previous example we should see the event
127
127
```
128
-
{"level":"info","component":"console-notifier","time":"2021-07-26T12:45:25Z","message":"A pulic access block for a bucket has been deleted (requesting user=OrganizationAccountAccessRole, requesting IP=x.x.x.x, AWS region=eu-central-1, bucket=sysdig-cloudvision-nnnnnn-config)"}
128
+
{"level":"info","component":"console-notifier","time":"2021-07-26T12:45:25Z","message":"A pulic access block for a bucket has been deleted (requesting user=OrganizationAccountAccessRole, requesting IP=x.x.x.x, AWS region=eu-central-1, bucket=sysdig-secure-for-cloud-nnnnnn-config)"}
129
129
```
130
130
- are events consumed in the sqs queue, or are they pending?
131
131
- are events being sent to sns topic?
132
132
133
133
134
134
- Q: How to iterate **cloud-connector modification testing**
135
135
<br/>A: Build a custom docker image of cloud-connector `docker build . -t <DOCKER_IMAGE> -f ./build/cloud-connector/Dockerfile` and upload it to any registry (like dockerhub).
136
-
Modify the [var.image](https://github.com/sysdiglabs/terraform-aws-cloudvision/tree/master/modules/services/cloud-connector/variables.tf) variable to point to your image and deploy
136
+
Modify the [var.image](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-connector/variables.tf) variable to point to your image and deploy
137
137
138
138
139
139
- Q: How can I iterate **ECS testing**
140
140
<br/>A: After applying your modifications (vía terraform for example) restart the service
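Review bot: two pre-existing typos are carried into the renamed lines instead of being fixed: line 116's output description says `sydig-secure-for-cloud` (this row is generated from `outputs.tf`, so correct it there), and line 122's question says `thread-detection` where `threat-detection` is meant. Line 128's sample event reads "A pulic access block for a bucket has been deleted"; keep that spelling only if it is the verbatim console-notifier output, otherwise fix it, and since the bucket name in that sample (`sysdig-secure-for-cloud-nnnnnn-config`) now follows the renamed `name` default, confirm the module actually derives the bucket prefix from it.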