feat: Enable autoscaling for organizational setups (#158)

tembleking · web-flow · commit e2880671ffdd · 2023-01-24T14:51:04.000+01:00
diff --git a/examples/organizational/README.md b/examples/organizational/README.md
@@ -202,7 +202,10 @@ $ terraform apply
 | <a name="input_ecs_vpc_id"></a> [ecs\_vpc\_id](#input\_ecs\_vpc\_id) | ID of the VPC where the workload is to be deployed. If defaulted a new VPC will be created. If specified all three parameters `ecs_cluster_name`, `ecs_vpc_id` and `ecs_vpc_subnets_private_ids` are required | `string` | `"create"` | no |
 | <a name="input_ecs_vpc_region_azs"></a> [ecs\_vpc\_region\_azs](#input\_ecs\_vpc\_region\_azs) | List of Availability Zones for ECS VPC creation. e.g.: ["apne1-az1", "apne1-az2"]. If defaulted, two of the default 'aws\_availability\_zones' datasource will be taken | `list(string)` | `[]` | no |
 | <a name="input_ecs_vpc_subnets_private_ids"></a> [ecs\_vpc\_subnets\_private\_ids](#input\_ecs\_vpc\_subnets\_private\_ids) | List of VPC subnets where workload is to be deployed. If defaulted new subnets will be created within the VPC. A minimum of two subnets is suggested. If specified all three parameters `ecs_cluster_name`, `ecs_vpc_id` and `ecs_vpc_subnets_private_ids` are required. | `list(string)` | `[]` | no |
+| <a name="input_enable_autoscaling"></a> [enable\_autoscaling](#input\_enable\_autoscaling) | Whether to enable autoscaling or not | `bool` | `false` | no |
 | <a name="input_existing_cloudtrail_config"></a> [existing\_cloudtrail\_config](#input\_existing\_cloudtrail\_config) | Optional block. If not set, a new cloudtrail, sns and sqs resources will be created in the **management account**.<br>If provided through Option 1,  resources (cloudtrail,cloudtrail-s3) must exist in the management account.<br>Option 2, is mandatory to be used when the cloudtrail-s3 is in a different account than where SFC worklaod is installed.<br>Option 3, is an alterntive to Option1, to be able to ingest events through cloudtrail-s3-sns subscribed SQS, instead of just cloudtrail-sns<br>Check [use-cases](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/use-cases) for proper permission setup.<br><ul><br>  <li>cloudtrail\_s3\_arn: Optional 1. ARN of a pre-existing cloudtrail\_sns s3 bucket. Used together with `cloudtrail_sns_arn`, `cloudtrail_s3_arn`. If it does not exist, it will be inferred from create cloudtrail"</li><br>  <li>cloudtrail\_sns\_arn: Optional 1. ARN of a pre-existing cloudtrail\_sns. Used together with `cloudtrail_sns_arn`, `cloudtrail_s3_arn`. If it does not exist, it will be inferred from created cloudtrail. Providing an ARN requires permission to SNS:Subscribe, check ./modules/infrastructure/cloudtrail/sns\_permissions.tf block</li><br>  <li>cloudtrail\_s3\_role\_arn: Optional 2. ARN of the role to be assumed for S3 access. This role must be in the same account of the S3 bucket. Currently this setup is not compatible with organizational scanning feature</li><br>  <li>cloudtrail\_s3\_sns\_sqs\_arn: Optional 3. ARN of the queue that will ingest events forwarded from an existing cloudtrail\_s3\_sns</li><br>  <li>cloudtrail\_s3\_sns\_sqs\_url: Optional 3. URL of the queue that will ingest events forwarded from an existing cloudtrail\_s3\_sns<</li><br></ul> | <pre>object({<br>    cloudtrail_s3_arn         = optional(string)<br>    cloudtrail_sns_arn        = optional(string)<br>    cloudtrail_s3_role_arn    = optional(string)<br>    cloudtrail_s3_sns_sqs_arn = optional(string)<br>    cloudtrail_s3_sns_sqs_url = optional(string)<br>  })</pre> | <pre>{<br>  "cloudtrail_s3_arn": "create",<br>  "cloudtrail_s3_role_arn": null,<br>  "cloudtrail_s3_sns_sqs_arn": null,<br>  "cloudtrail_s3_sns_sqs_url": null,<br>  "cloudtrail_sns_arn": "create"<br>}</pre> | no |
+| <a name="input_max_replicas"></a> [max\_replicas](#input\_max\_replicas) | If autoscaling is enabled, this is the maximum number of replicas to run | `number` | `30` | no |
+| <a name="input_min_replicas"></a> [min\_replicas](#input\_min\_replicas) | If autoscaling is enabled, this is the minimum number of replicas to run | `number` | `1` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_organizational_member_default_admin_role"></a> [organizational\_member\_default\_admin\_role](#input\_organizational\_member\_default\_admin\_role) | Default role created by AWS for management-account users to be able to admin member accounts.<br/>https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html | `string` | `"OrganizationAccountAccessRole"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | customization of tags to be assigned to all resources. <br/>always include 'product' default tag for resource-group proper functioning.<br/>can also make use of the [provider-level `default-tags`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags) | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
diff --git a/examples/organizational/main.tf b/examples/organizational/main.tf
@@ -103,6 +103,10 @@ module "cloud_connector" {
   ecs_task_cpu                = var.ecs_task_cpu
   ecs_task_memory             = var.ecs_task_memory
 
+  enable_autoscaling = var.enable_autoscaling
+  max_replicas       = var.max_replicas
+  min_replicas       = var.min_replicas
+
   tags       = var.tags
   depends_on = [local.cloudtrail_sns_arn, module.ssm]
 }
diff --git a/examples/organizational/variables.tf b/examples/organizational/variables.tf
@@ -188,3 +188,25 @@ variable "tags" {
     "product" = "sysdig-secure-for-cloud"
   }
 }
+
+#
+# Autoscaling configurations
+#
+variable "enable_autoscaling" {
+  type        = bool
+  description = "Whether to enable autoscaling or not"
+  default     = false
+}
+
+
+variable "min_replicas" {
+  type        = number
+  default     = 1
+  description = "If autoscaling is enabled, this is the minimum number of replicas to run"
+}
+
+variable "max_replicas" {
+  type        = number
+  default     = 30
+  description = "If autoscaling is enabled, this is the maximum number of replicas to run"
+}
diff --git a/test/fixtures/organizational/main.tf b/test/fixtures/organizational/main.tf
@@ -40,4 +40,8 @@ module "cloudvision_aws_organizational" {
   sysdig_secure_for_cloud_member_account_id = var.sysdig_secure_for_cloud_member_account_id
   deploy_image_scanning_ecr                 = true
   deploy_image_scanning_ecs                 = true
+
+  enable_autoscaling = true
+  min_replicas       = 2
+  max_replicas       = 4
 }
diff --git a/test/fixtures/single-account-ecs/backend.tf b/test/fixtures/single-account-ecs/backend.tf

Original file line number	Diff line number	Diff line change
`@@ -40,4 +40,8 @@ module "cloudvision_aws_organizational" {`
`40`	`40`	`sysdig_secure_for_cloud_member_account_id = var.sysdig_secure_for_cloud_member_account_id`
`41`	`41`	`deploy_image_scanning_ecr = true`
`42`	`42`	`deploy_image_scanning_ecs = true`
	`43`	`+`
	`44`	`+ enable_autoscaling = true`
	`45`	`+ min_replicas = 2`
	`46`	`+ max_replicas = 4`
`43`	`47`	`}`