
Commit e92ebd9

authored
refactor: Merge scanning and connector (#44)
* refactor: Merge scanning and connector * fix: Remove testing provider * refactor(k8s): Merge cloud-scanning with cloud-connector
1 parent 05922eb commit e92ebd9


14 files changed

+219
-185
lines changed


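--- a/examples/organizational/README.md
+++ b/examples/organizational/README.md
@@ -90,7 +90,6 @@ Notice that:
 |------|--------|---------|
 | <a name="module_cloud_bench"></a> [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench | |
 | <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector | |
-| <a name="module_cloud_scanning"></a> [cloud\_scanning](#module\_cloud\_scanning) | ../../modules/services/cloud-scanning | |
 | <a name="module_cloudtrail"></a> [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail | |
 | <a name="module_codebuild"></a> [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild | |
 | <a name="module_ecs_fargate_cluster"></a> [ecs\_fargate\_cluster](#module\_ecs\_fargate\_cluster) | ../../modules/infrastructure/ecs-fargate-cluster | |
@@ -119,6 +118,7 @@ Notice that:
 | <a name="input_cloudtrail_s3_arn"></a> [cloudtrail\_s3\_arn](#input\_cloudtrail\_s3\_arn) | ARN of a pre-existing cloudtrail\_sns s3 bucket. If it does not exist, it will be inferred from create cloudtrail | `string` | `"create"` | no |
 | <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If it does not exist, it will be inferred from created cloudtrail | `string` | `"create"` | no |
 | <a name="input_connector_ecs_task_role_name"></a> [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Name for the ecs task role. This is only required to resolve cyclic dependency with organizational approach | `string` | `"organizational-ECSTaskRole"` | no |
+| <a name="input_deploy_bench"></a> [deploy\_bench](#input\_deploy\_bench) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_organizational_member_default_admin_role"></a> [organizational\_member\_default\_admin\_role](#input\_organizational\_member\_default\_admin\_role) | Default role created by AWS for managed-account users to be able to admin member accounts.<br/>https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html | `string` | `"OrganizationAccountAccessRole"` | no |
 | <a name="input_region"></a> [region](#input\_region) | Default region for resource creation in both organization master and secure-for-cloud member account | `string` | `"eu-central-1"` | no |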

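--- a/examples/organizational/main.tf
+++ b/examples/organizational/main.tf
@@ -53,36 +53,6 @@ module "ssm" {
 #
 # cloud-connector
 #
-module "cloud_connector" {
-providers = {
-aws = aws.member
-}
-source = "../../modules/services/cloud-connector"
-name = "${var.name}-cloudconnector"
-
-sysdig_secure_endpoint = var.sysdig_secure_endpoint
-secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
-
-is_organizational = true
-organizational_config = {
-sysdig_secure_for_cloud_role_arn = module.secure_for_cloud_role.sysdig_secure_for_cloud_role_arn
-connector_ecs_task_role_name = aws_iam_role.connector_ecs_task.name
-}
-
-sns_topic_arn = local.cloudtrail_sns_arn
-
-ecs_cluster = module.ecs_fargate_cluster.id
-vpc_id = module.ecs_fargate_cluster.vpc_id
-vpc_subnets = module.ecs_fargate_cluster.vpc_subnets
-
-tags = var.tags
-depends_on = [local.cloudtrail_sns_arn, module.ecs_fargate_cluster, module.ssm]
-}
-
-#
-# cloud-scanning
-#
-## FIXME? if this is a non-shared resource, move its usage to scanning service?
 module "codebuild" {
 providers = {
 aws = aws.member
@@ -93,13 +63,12 @@ module "codebuild" {
 depends_on = [module.ssm]
 }
 
-module "cloud_scanning" {
+module "cloud_connector" {
 providers = {
 aws = aws.member
 }
-
-source = "../../modules/services/cloud-scanning"
-name = "${var.name}-cloudscanning"
+source = "../../modules/services/cloud-connector"
+name = "${var.name}-cloudconnector"
 
 sysdig_secure_endpoint = var.sysdig_secure_endpoint
 secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
@@ -111,7 +80,7 @@ module "cloud_scanning" {
 organizational_config = {
 sysdig_secure_for_cloud_role_arn = module.secure_for_cloud_role.sysdig_secure_for_cloud_role_arn
 organizational_role_per_account = var.organizational_member_default_admin_role
-scanning_ecs_task_role_name = aws_iam_role.connector_ecs_task.name
+connector_ecs_task_role_name = aws_iam_role.connector_ecs_task.name
 }
 
 sns_topic_arn = local.cloudtrail_sns_arn
@@ -121,7 +90,7 @@ module "cloud_scanning" {
 vpc_subnets = module.ecs_fargate_cluster.vpc_subnets
 
 tags = var.tags
-depends_on = [local.cloudtrail_sns_arn, module.ecs_fargate_cluster, module.codebuild, module.ssm]
+depends_on = [local.cloudtrail_sns_arn, module.ecs_fargate_cluster, module.ssm]
 }
 
 #-------------------------------------
@@ -130,6 +99,7 @@ module "cloud_scanning" {
 
 module "cloud_bench" {
 source = "../../modules/services/cloud-bench"
+count = var.deploy_bench ? 1 : 0
 
 name = "${var.name}-cloudbench"
 tags = var.tags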
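Review bot: `count = var.deploy_bench ? 1 : 0` on `module "cloud_bench"` makes the module a list, so any `module.cloud_bench.<output>` reference elsewhere in this example (its outputs are not in the diff) has to become `module.cloud_bench[0].<output>`, otherwise plan fails regardless of the toggle. Merging scanning into `cloud_connector` also means the single `aws_iam_role.connector_ecs_task` role now backs both CloudTrail ingestion and image scanning, and `organizational_role_per_account = var.organizational_member_default_admin_role` defaults, per the README in this commit, to `OrganizationAccountAccessRole`, a full-admin role in every member account; a comment on that line such as `# assumed in each member account by the scanning path; defaults to the AWS admin role, scope it down where the account layout allows` would make that trust boundary explicit. Dropping `module.codebuild` from `depends_on` is only safe if the block still reads a `module.codebuild` output (the single-account example does via `build_project_arn`); the lines between `secure_api_token_secret_name` and `organizational_config` are outside the hunks, so that cannot be confirmed here.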

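--- a/examples/organizational/variables.tf
+++ b/examples/organizational/variables.tf
@@ -68,6 +68,13 @@ variable "benchmark_regions" {
 default = []
 }
 
+variable "deploy_bench" {
+type = bool
+description = "Whether to deploy or not the cloud benchmarking"
+default = true
+}
+
+
 #
 # general
 #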
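Review bot: The description on the new `deploy_bench` variable, `Whether to deploy or not the cloud benchmarking`, reads awkwardly and does not name what is skipped; `description = "Whether to deploy the cloud-bench module (set to false to skip benchmarking)"` says the same thing in the form terraform-docs will render into the README. The two trailing blank lines added after the block are also one more than the file's other variable blocks use, judging by the `benchmark_regions` block above.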

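--- a/examples/single-account-k8s/README.md
+++ b/examples/single-account-k8s/README.md
@@ -82,7 +82,6 @@ Notice that:
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_cloud_connector_sqs"></a> [cloud\_connector\_sqs](#module\_cloud\_connector\_sqs) | ../../modules/infrastructure/sqs-sns-subscription | |
-| <a name="module_cloud_scanning_sqs"></a> [cloud\_scanning\_sqs](#module\_cloud\_scanning\_sqs) | ../../modules/infrastructure/sqs-sns-subscription | |
 | <a name="module_cloudtrail"></a> [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail | |
 | <a name="module_codebuild"></a> [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild | |
 | <a name="module_iam_user"></a> [iam\_user](#module\_iam\_user) | ../../modules/infrastructure/permissions/iam-user | |
@@ -94,7 +93,6 @@ Notice that:
 | Name | Type |
 |------|------|
 | [helm_release.cloud_connector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
-| [helm_release.cloud_scanning](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs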

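--- a/examples/single-account-k8s/cloud-connector.tf
+++ b/examples/single-account-k8s/cloud-connector.tf
@@ -10,6 +10,16 @@ module "cloud_connector_sqs" {
 tags = var.tags
 }
 
+module "codebuild" {
+count = var.deploy_image_scanning ? 1 : 0
+source = "../../modules/infrastructure/codebuild"
+
+secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
+
+tags = var.tags
+# note. this is required to avoid race conditions
+depends_on = [module.ssm]
+}
 
 #-------------------------------------
 # cloud_connector
@@ -50,12 +60,28 @@ resource "helm_release" "cloud_connector" {
 }
 
 values = [
-<<CONFIG
-ingestors:
-- cloudtrail-sns-sqs:
-queueURL: ${module.cloud_connector_sqs[0].cloudtrail_sns_subscribed_sqs_url}
-CONFIG
-]
+yamlencode({
+ingestors = [
+{
+cloudtrail-sns-sqs = {
+queueURL = module.cloud_connector_sqs[0].cloudtrail_sns_subscribed_sqs_url
+}
+}
+]
+scanners = var.deploy_image_scanning ? [
+{
+aws-ecr = {
+codeBuildProject = module.codebuild[0].project_name
+secureAPITokenSecretName = module.ssm.secure_api_token_secret_name
+}
 
+aws-ecs = {
+codeBuildProject = module.codebuild[0].project_name
+secureAPITokenSecretName = module.ssm.secure_api_token_secret_name
+}
+}
+] : []
+})
+]
 depends_on = [module.iam_user]
 }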
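Review bot: The new `scanners` entries hand the connector pod a CodeBuild project, so the identity created by `module.iam_user` (only referenced here via `depends_on`, defined outside this file) now needs CodeBuild start/read permissions on top of the SQS ones the ingestor needed; that module is not in the diff, so check the grant exists and is gated on `var.deploy_image_scanning` the same way `module.codebuild` is, or an install with scanning disabled keeps standing CodeBuild rights. `module.codebuild[0].project_name` in the unselected branch of the ternary relies on Terraform discarding index errors from the branch it does not take; `one(module.codebuild).project_name`, version permitting, avoids depending on that. A one-line comment above `scanners =` such as `# [] when image scanning is disabled; confirm the chart accepts an empty scanners list` would document the new toggle, since the chart's handling of an empty list is not visible here.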

examples/single-account-k8s/cloud-scanning.tf

Lines changed: 0 additions & 79 deletions
This file was deleted.

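--- a/examples/single-account/README.md
+++ b/examples/single-account/README.md
@@ -63,7 +63,6 @@ No providers.
 |------|--------|---------|
 | <a name="module_cloud_bench"></a> [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench | |
 | <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector | |
-| <a name="module_cloud_scanning"></a> [cloud\_scanning](#module\_cloud\_scanning) | ../../modules/services/cloud-scanning | |
 | <a name="module_cloudtrail"></a> [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail | |
 | <a name="module_codebuild"></a> [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild | |
 | <a name="module_ecs_fargate_cluster"></a> [ecs\_fargate\_cluster](#module\_ecs\_fargate\_cluster) | ../../modules/infrastructure/ecs-fargate-cluster | |
@@ -83,6 +82,7 @@ No resources.
 | <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events | `bool` | `true` | no |
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no |
 | <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If it does not exist, it will be inferred from created cloudtrail | `string` | `"create"` | no |
+| <a name="input_deploy_bench"></a> [deploy\_bench](#input\_deploy\_bench) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br> "product": "sysdig-secure-for-cloud"<br>}</pre> | no |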

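--- a/examples/single-account/main.tf
+++ b/examples/single-account/main.tf
@@ -1,56 +1,27 @@
 #-------------------------------------
 # general resources
 #-------------------------------------
-
 module "resource_group" {
 source = "../../modules/infrastructure/resource-group"
 name = var.name
 tags = var.tags
 }
 
-
 module "ecs_fargate_cluster" {
 source = "../../modules/infrastructure/ecs-fargate-cluster"
 name = var.name
 tags = var.tags
 }
 
-
 module "ssm" {
 source = "../../modules/infrastructure/ssm"
 name = var.name
 sysdig_secure_api_token = var.sysdig_secure_api_token
 }
 
-
 #-------------------------------------
 # cloud-connector
 #-------------------------------------
-
-module "cloud_connector" {
-source = "../../modules/services/cloud-connector"
-name = "${var.name}-cloudconnector"
-
-sysdig_secure_endpoint = var.sysdig_secure_endpoint
-secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
-is_organizational = false
-
-sns_topic_arn = local.cloudtrail_sns_arn
-
-ecs_cluster = module.ecs_fargate_cluster.id
-vpc_id = module.ecs_fargate_cluster.vpc_id
-vpc_subnets = module.ecs_fargate_cluster.vpc_subnets
-
-tags = var.tags
-depends_on = [local.cloudtrail_sns_arn, module.ecs_fargate_cluster, module.ssm]
-}
-
-
-
-#-------------------------------------
-# cloud-scanning
-#-------------------------------------
-
 module "codebuild" {
 source = "../../modules/infrastructure/codebuild"
 name = "${var.name}-codebuild"
@@ -61,13 +32,13 @@ module "codebuild" {
 depends_on = [module.ssm]
 }
 
-
-module "cloud_scanning" {
-source = "../../modules/services/cloud-scanning"
-name = "${var.name}-cloudscanning"
+module "cloud_connector" {
+source = "../../modules/services/cloud-connector"
+name = "${var.name}-cloudconnector"
 
 sysdig_secure_endpoint = var.sysdig_secure_endpoint
 secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
+is_organizational = false
 
 build_project_arn = module.codebuild.project_arn
 build_project_name = module.codebuild.project_name
@@ -78,9 +49,9 @@ module "cloud_scanning" {
 vpc_id = module.ecs_fargate_cluster.vpc_id
 vpc_subnets = module.ecs_fargate_cluster.vpc_subnets
 
-tags = var.tags
-# note. this is required to avoid race conditions
-depends_on = [local.cloudtrail_sns_arn, module.ecs_fargate_cluster, module.codebuild, module.ssm]
+tags = var.tags
+depends_on = [local.cloudtrail_sns_arn, module.ecs_fargate_cluster, module.ssm]
+
 }
 
 #-------------------------------------
@@ -94,6 +65,7 @@ provider "sysdig" {
 
 module "cloud_bench" {
 source = "../../modules/services/cloud-bench"
+count = var.deploy_bench ? 1 : 0
 
 name = "${var.name}-cloudbench"
 tags = var.tags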
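Review bot: `count = var.deploy_bench ? 1 : 0` on `module "cloud_bench"` turns it into a list, so any `module.cloud_bench.<output>` reference in this example's outputs (not shown in the diff) must become `module.cloud_bench[0].<output>` or plan fails. Removing `module.codebuild` from `depends_on` is fine here because `build_project_arn = module.codebuild.project_arn` already creates the implicit dependency, but the `# note. this is required to avoid race conditions` comment went with it; a `# module.codebuild is ordered implicitly via build_project_arn` comment would keep that intent visible. Unlike the k8s example in this same commit, `module "codebuild"` here is unconditional, so the CodeBuild project and whatever the connector task role is granted on it exist even for deployments that only want CloudTrail ingestion; a `deploy_image_scanning` toggle mirroring the k8s example would keep the two examples consistent and the standing footprint minimal.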

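--- a/examples/single-account/variables.tf
+++ b/examples/single-account/variables.tf
@@ -40,6 +40,12 @@ variable "benchmark_regions" {
 default = []
 }
 
+variable "deploy_bench" {
+type = bool
+description = "Whether to deploy or not the cloud benchmarking"
+default = true
+}
+
 #
 # general
 #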
