doc: use-case for no terraform org three-way k8s threat compliance (#122)

Author: iru

.github/workflows/ci-pull-request.yaml

@@ -6,12 +6,12 @@ on:
       - '**.tf'
       - '**.md'
       - '.pre-commit-config.yaml'
+  # only direct-push to master for small tasks such as markdown modifications and such
   push:
     branches:
       - master
     paths:
       - '**.tf'
-      - '**.md'
 env:
   GO_VERSION: "^1.17"
 

README.md

@@ -56,81 +56,15 @@ For other Cloud providers check: [GCP](https://github.com/sysdiglabs/terraform-g
 If you're unsure about what/how to use this module, please fill the [questionnaire](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/use-cases/_questionnaire.md) report as an issue and let us know your context, we will be happy to help and improve our module.
 
   - There are several ways to deploy this in you AWS infrastructure, gathered under **[`/examples`](./examples)**
-    - [Single Account on ECS](#--single-account-on-ecs)
-    - [Single Account on AppRunner](#--single-account-on-apprunner)
-    - [Single-Account with a pre-existing Kubernetes Cluster](#--single-account-with-a-pre-existing-kubernetes-cluster)
-    - [Organizational](#--organizational)
-  - Many module,examples and use-cases provide ways to **re-use existing resources (as optionals)** in your infrastructure (cloudtrail, ecs, vpc, k8s cluster,...)
-  - Find some real self-baked **use-case scenarios** under [`/use-cases`](./use-cases)
+    - [Single Account on ECS](./examples/single-account-ecs/README.md)
+    - [Single Account on AppRunner](./examples/single-account-apprunner/README.md)
+    - [Single-Account with a pre-existing Kubernetes Cluster](./examples/single-account-k8s/README.md)
+    - [Organizational](./examples/organizational/README.md)
+    - Many module,examples and use-cases, we provide ways to **re-use existing resources (as optionals)** in your
+      infrastructure. Check input summary on each example/module.
+    - Find some real self-baked **use-case scenarios** under [`/use-cases`](./use-cases)
 
 
-### - Single-Account on ECS
-
-Sysdig workload will be deployed in the same account where user's resources will be watched.<br/>
-More info in [`./examples/single-account-ecs`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/single-account-ecs)
-
-![single-account diagram](https://raw.githubusercontent.com/sysdiglabs/terraform-aws-secure-for-cloud/master/examples/single-account-ecs/diagram-single.png)
-
-### - Single-Account on AppRunner
-
-Sysdig workload will be deployed using AppRunner in the same account where user's resources will be watched.<br/>
-More info in [`./examples/single-account-apprunner`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/single-account-apprunner)
-
-![single-account diagram on apprunner](https://raw.githubusercontent.com/sysdiglabs/terraform-aws-secure-for-cloud/master/examples/single-account-apprunner/diagram-single.png)
-
-### - Single-Account with a pre-existing Kubernetes Cluster
-
-If you already own a Kubernetes Cluster on AWS, you can use it to deploy Sysdig Secure for Cloud, instead of default ECS cluster.<br/>
-More info in [`./examples/single-account-k8s`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/single-account-k8s)
-
-![single-account with pre-existing kubernetes cluster](https://raw.githubusercontent.com/sysdiglabs/terraform-aws-secure-for-cloud/master/examples/single-account-k8s/diagram.png)
-
-### - Organizational
-
-Secure all the accounts from your organization<br/>
-More info in [`./examples/organizational`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/organizational)
-
-![organizational diagram](https://raw.githubusercontent.com/sysdiglabs/terraform-aws-secure-for-cloud/master/examples/organizational/diagram-org.png)
-
-### - Self-Baked
-
-If no [examples](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples) fit your use-case, be free to call desired modules directly.
-
-In this use-case we will ONLY deploy cloud-bench, into the target account, calling modules directly.
-
-```terraform
-terraform {
-  required_providers {
-    aws = {}
-    sysdig = {
-      source  = "sysdiglabs/sysdig"
-    }
-  }
-}
-
-provider "aws" {
-  region = "AWS-REGION"
-}
-
-provider "sysdig" {
-  sysdig_secure_url         = "<SYSDIG_SECURE_URL>"
-  sysdig_secure_api_token   = "<SYSDIG_SECURE_API_TOKEN>"
-}
-
-module "cloud_bench" {
-  source      = "sysdiglabs/secure-for-cloud/aws//modules/services/cloud-bench"
-}
-
-```
-See [inputs summary](#inputs) or main [module `variables.tf`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/variables.tf) file for more optional configuration.
-
-To run this example you need have your [aws master-account profile configured in CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) and to execute:
-```terraform
-$ terraform init
-$ terraform plan
-$ terraform apply
-```
-
 ## Required Permissions
 
 ### Provisioning Permissions
@@ -234,7 +168,7 @@ and a CodeBuild project being launched successfully
 
 ## Troubleshooting
 
-## Q-General: Need to modify cloud-connector config (to troubleshoot with `debug` loglevel, modify ingestors for testing, ...)
+### Q-General: Need to modify cloud-connector config (to troubleshoot with `debug` loglevel, modify ingestors for testing, ...)
 A: both in ECS and AppRunner workload types, cloud-connector configuration is passed as a base64-encoded string through the env var `CONFIG`
 <br/>S: Get current value, decode it, edit the desired (ex.:`logging: debug` value), encode it again, and spin it again with this new definition.
 <br/>For information on all the modifyable configuration see [Cloud-Connector Chart](https://charts.sysdig.com/charts/cloud-connector/#configuration-detail) reference
@@ -248,7 +182,7 @@ with the correct values. Check [Sysdig SaaS per-region URLs if required](https:/
 A: Make sure you installed both [cloud-bench](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-bench) and [cloud-connector](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-connector) modules
 
 
-## Q-General-Networking: What's the requirements for the inbound/outbound connection?
+### Q-General-Networking: What's the requirements for the inbound/outbound connection?
 A: Refer to [Sysdig SASS Region and IP Ranges Documentation](https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/) to get Sysdig SaaS endpoint and allow both outbound (for compute vulnerability report) and inbound (for scheduled compliance checkups)
 <br/>ECS type deployment will create following [security-group setup](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/modules/services/cloud-connector-ecs/sec-group.tf)
 

examples/organizational/README.md

@@ -145,8 +145,8 @@ $ terraform apply
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.25.0 |
-| <a name="provider_aws.member"></a> [aws.member](#provider\_aws.member) | 4.25.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.26.0 |
+| <a name="provider_aws.member"></a> [aws.member](#provider\_aws.member) | 4.26.0 |
 | <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 0.5.39 |
 
 ## Modules

examples/single-account-k8s/README.md

@@ -84,7 +84,7 @@ $ terraform apply
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.25.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.26.0 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | 2.6.0 |
 | <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 0.5.39 |
 

examples/trigger-events/README.md

@@ -49,7 +49,7 @@ $ terraform apply
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.25.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.26.0 |
 
 ## Modules
 

modules/infrastructure/cloudtrail/README.md

@@ -12,7 +12,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.25.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.26.0 |
 
 ## Modules
 

modules/infrastructure/cloudtrail_s3-sns-sqs/README.md

@@ -46,7 +46,7 @@ EVENT FILTER/fine-tunning, regarding what we want to send to Sysdig Cloud-Connec
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.25.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.26.0 |
 
 ## Modules
 

modules/infrastructure/codebuild/README.md

@@ -12,7 +12,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.25.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.26.0 |
 
 ## Modules
 

modules/infrastructure/ecs-vpc/README.md

@@ -13,7 +13,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.25.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.26.0 |
 
 ## Modules
 

modules/infrastructure/eks/README.md

@@ -1,7 +1,17 @@
 ## usage
 
-- populate `.envrc.template` > `.envrc`
+```terraform
+module "eks"{
+  source = "sysdiglabs/secure-for-cloud/aws//modules/infrastructure/eks"
+  default_vpc_subnets = ["<SUBNET_1>", "<SUBNET_2>"]
+  name = "<IDENTIFYING_NAME>"
+}
+
+```
+
 - connect to eks
-    ```
-    aws eks --region $(terraform output -raw k8s_region) update-kubeconfig --name $(terraform output -raw k8s_name)
-    ```
+```
+  aws eks --region <REGION> update-kubeconfig --name <IDENTIFYING_NAME>
+```
+
+- kubectx; select the cluster and enjoy