feat: enable ecr/ecs scanning optionals (#61)

Author: iru

.pre-commit-config.yaml

@@ -11,6 +11,7 @@ repos:
   # create a custom terraform validate for the examples, as launching the validation in the root dir won't work and give
   # "Error: Provider configuration not present" error
   # https://github.com/hashicorp/terraform/issues/21416
+  # https://discuss.hashicorp.com/t/how-to-run-terraform-validate-on-a-module-that-is-supplied-the-providers-via-an-alias/34664/2
   - repo: local
     hooks:
         - id: terraform_validate

.pre-commit-terraform-validate-examples.sh

@@ -3,11 +3,14 @@
 # ensure errexit + failfast
 set -o errexit
 
+# cleanup
+bash ./resources/terraform-clean.sh
+
 for dir in examples*/*
 do
   echo validating example [$dir]
   cd $dir
-  terraform init --upgrade
+  terraform init
   terraform validate
   cd ../..
 done

CONTRIBUTE.md

@@ -39,10 +39,10 @@
 - [ ] **input/output** variables have been modified?
   - [ ] terraform-docs has been updated accordingly
   - [ ] if these inputs are mandatory, they've been changed on
-    - [ ] examples
-    - [ ] testing use-cases
-    - [ ] snippets on README's
-    - [ ] snippets on Secure Platform onboarding
+    - [ ] examples, examples-internal and use-cases are updated accordingly
+    - [ ] tests are updated accordingly
+    - [ ] snippets on README's are updated accordingly
+    - [ ] snippets on Secure Platform onboarding are updated accordingly
 - [ ] had any problems developing this PR? add it to the readme **troubleshooting** list! may come handy to someone
 
 
@@ -60,12 +60,7 @@ We're using **pre-commit** |  https://pre-commit.com
   ```
 
 - If pre-commit fails on Github but not on your local, try cleaning-up `terraform` files with
-```bash
--- resources/terraform-clean.sh
-$ find . -name ".terraform" -exec rm -fr {} \;
-$ find . -name "terraform.tfstate*" -exec rm -fr {} \;
-$ find . -name ".terraform.lock.hcl*" -exec rm -fr {} \;
-```
+`./resources/terraform-clean.sh` script
 
 
 ## 2. Check::Integration tests

examples/organizational/README.md

@@ -119,6 +119,8 @@ Notice that:
 | <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. Used together with `cloudtrail_sns_arn`, `cloudtrail_s3_arn`. If it does not exist, it will be inferred from created cloudtrail. Providing an ARN requires permisision to SNS:Subscribe, check ./modules/infrastructure/cloudtrail/sns\_permissions.tf block | `string` | `"create"` | no |
 | <a name="input_connector_ecs_task_role_name"></a> [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Name for the ecs task role. This is only required to resolve cyclic dependency with organizational approach | `string` | `"organizational-ECSTaskRole"` | no |
 | <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
+| <a name="input_deploy_image_scanning_ecr"></a> [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `true` | no |
+| <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `true` | no |
 | <a name="input_ecs_cluster_name"></a> [ecs\_cluster\_name](#input\_ecs\_cluster\_name) | Name of a pre-existing ECS (elastic container service) cluster. If defaulted, a new ECS cluster/VPC/Security Group will be created. For both options, ECS location will/must be within the `sysdig_secure_for_cloud_member_account_id` parameter accountID | `string` | `"create"` | no |
 | <a name="input_ecs_vpc_id"></a> [ecs\_vpc\_id](#input\_ecs\_vpc\_id) | ID of the VPC where the workload is to be deployed. Defaulted to be created when `ecs_cluster_name is not provided.` | `string` | `"create"` | no |
 | <a name="input_ecs_vpc_region_azs"></a> [ecs\_vpc\_region\_azs](#input\_ecs\_vpc\_region\_azs) | List of Availability Zones for ECS VPC creation. e.g.: ["apne1-az1", "apne1-az2"]. If defaulted, two of the default 'aws\_availability\_zones' datasource will be taken | `list(string)` | `[]` | no |

examples/organizational/main.tf

@@ -37,10 +37,12 @@ module "ssm" {
 }
 
 
-#
+#-------------------------------------
 # cloud-connector
-#
+#-------------------------------------
 module "codebuild" {
+  count = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs ? 1 : 0
+
   providers = {
     aws = aws.member
   }
@@ -60,8 +62,8 @@ module "cloud_connector" {
   sysdig_secure_endpoint       = var.sysdig_secure_endpoint
   secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
 
-  build_project_arn  = module.codebuild.project_arn
-  build_project_name = module.codebuild.project_name
+  deploy_image_scanning_ecr = var.deploy_image_scanning_ecr
+  deploy_image_scanning_ecs = var.deploy_image_scanning_ecs
 
   is_organizational = true
   organizational_config = {
@@ -70,6 +72,9 @@ module "cloud_connector" {
     connector_ecs_task_role_name     = aws_iam_role.connector_ecs_task.name
   }
 
+  build_project_arn  = length(module.codebuild) == 1 ? module.codebuild[0].project_arn : "na"
+  build_project_name = length(module.codebuild) == 1 ? module.codebuild[0].project_name : "na"
+
   sns_topic_arn = local.cloudtrail_sns_arn
 
   ecs_cluster_name            = local.ecs_cluster_name

examples/organizational/variables.tf

@@ -58,6 +58,23 @@ variable "cloudtrail_kms_enable" {
   description = "true/false whether cloudtrail delivered events to S3 should persist encrypted"
 }
 
+#
+# scanning configuration
+#
+
+variable "deploy_image_scanning_ecr" {
+  type        = bool
+  description = "true/false whether to deploy the image scanning on ECR pushed images"
+  default     = true
+}
+
+variable "deploy_image_scanning_ecs" {
+  type        = bool
+  description = "true/false whether to deploy the image scanning on ECS running images"
+  default     = true
+}
+
+
 #
 # benchmark configuration
 #

examples/single-account-k8s/README.md

@@ -104,7 +104,8 @@ Notice that:
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether s3 should be encrypted. testing/economization purpose. | `bool` | `true` | no |
 | <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If it does not exist, it will be inferred from created cloudtrail | `string` | `"create"` | no |
 | <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
-| <a name="input_deploy_image_scanning"></a> [deploy\_image\_scanning](#input\_deploy\_image\_scanning) | true/false whether to deploy cloud\_scanning | `bool` | `true` | no |
+| <a name="input_deploy_image_scanning_ecr"></a> [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `true` | no |
+| <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `true` | no |
 | <a name="input_deploy_threat_detection"></a> [deploy\_threat\_detection](#input\_deploy\_threat\_detection) | true/false whether to deploy cloud\_connector | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |

examples/single-account-k8s/cloud-connector.tf

@@ -1,3 +1,7 @@
+locals {
+  deploy_image_scanning = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs
+}
+
 #-------------------------------------
 # requirements
 #-------------------------------------
@@ -11,7 +15,7 @@ module "cloud_connector_sqs" {
 }
 
 module "codebuild" {
-  count  = var.deploy_image_scanning ? 1 : 0
+  count  = local.deploy_image_scanning ? 1 : 0
   source = "../../modules/infrastructure/codebuild"
 
   name                         = var.name
@@ -69,18 +73,19 @@ resource "helm_release" "cloud_connector" {
           }
         }
       ]
-      scanners = var.deploy_image_scanning ? [
-        {
+      scanners = local.deploy_image_scanning ? [
+        merge(var.deploy_image_scanning_ecr ? {
           aws-ecr = {
             codeBuildProject         = module.codebuild[0].project_name
             secureAPITokenSecretName = module.ssm.secure_api_token_secret_name
           }
-
-          aws-ecs = {
-            codeBuildProject         = module.codebuild[0].project_name
-            secureAPITokenSecretName = module.ssm.secure_api_token_secret_name
-          }
-        }
+          } : {},
+          var.deploy_image_scanning_ecs ? {
+            aws-ecs = {
+              codeBuildProject         = module.codebuild[0].project_name
+              secureAPITokenSecretName = module.ssm.secure_api_token_secret_name
+            }
+        } : {})
       ] : []
     })
   ]

examples/single-account-k8s/credentials.tf

@@ -3,5 +3,5 @@ module "iam_user" {
   name                     = var.name
   ssm_secure_api_token_arn = module.ssm.secure_api_token_secret_arn
   deploy_threat_detection  = var.deploy_threat_detection
-  deploy_image_scanning    = var.deploy_image_scanning
+  deploy_image_scanning    = local.deploy_image_scanning
 }

examples/single-account-k8s/variables.tf

@@ -8,35 +8,6 @@ variable "sysdig_secure_api_token" {
 # optionals - with defaults
 #---------------------------------
 
-variable "deploy_threat_detection" {
-  type        = bool
-  description = "true/false whether to deploy cloud_connector"
-  default     = true
-}
-
-variable "deploy_image_scanning" {
-  type        = bool
-  description = "true/false whether to deploy cloud_scanning"
-  default     = true
-}
-
-
-#
-# benchmark configuration
-#
-variable "deploy_benchmark" {
-  type        = bool
-  description = "Whether to deploy or not the cloud benchmarking"
-  default     = true
-}
-variable "benchmark_regions" {
-  type        = list(string)
-  description = "List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default."
-  default     = []
-}
-
-
-
 #
 # cloudtrail configuration
 #
@@ -78,3 +49,44 @@ variable "tags" {
     "product" = "sysdig-secure-for-cloud"
   }
 }
+
+#
+# threat-detection configuration
+#
+
+variable "deploy_threat_detection" {
+  type        = bool
+  description = "true/false whether to deploy cloud_connector"
+  default     = true
+}
+
+#
+# scanning configuration
+#
+
+variable "deploy_image_scanning_ecr" {
+  type        = bool
+  description = "true/false whether to deploy the image scanning on ECR pushed images"
+  default     = true
+}
+
+variable "deploy_image_scanning_ecs" {
+  type        = bool
+  description = "true/false whether to deploy the image scanning on ECS running images"
+  default     = true
+}
+
+
+#
+# benchmark configuration
+#
+variable "deploy_benchmark" {
+  type        = bool
+  description = "Whether to deploy or not the cloud benchmarking"
+  default     = true
+}
+variable "benchmark_regions" {
+  type        = list(string)
+  description = "List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default."
+  default     = []
+}

examples/single-account/README.md

@@ -83,6 +83,8 @@ No resources.
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no |
 | <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If defaulted, a new cloudtrail will be created | `string` | `"create"` | no |
 | <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
+| <a name="input_deploy_image_scanning_ecr"></a> [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `true` | no |
+| <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `true` | no |
 | <a name="input_ecs_cluster_name"></a> [ecs\_cluster\_name](#input\_ecs\_cluster\_name) | Name of a pre-existing ECS (elastic container service) cluster. If defaulted, a new ECS cluster/VPC/Security Group will be created | `string` | `"create"` | no |
 | <a name="input_ecs_vpc_id"></a> [ecs\_vpc\_id](#input\_ecs\_vpc\_id) | ID of the VPC where the workload is to be deployed. Defaulted to be created when 'ecs\_cluster\_name' is not provided. | `string` | `"create"` | no |
 | <a name="input_ecs_vpc_region_azs"></a> [ecs\_vpc\_region\_azs](#input\_ecs\_vpc\_region\_azs) | List of Availability Zones for ECS VPC creation. e.g.: ["apne1-az1", "apne1-az2"]. If defaulted, two of the default 'aws\_availability\_zones' datasource will be taken | `list(string)` | `[]` | no |

examples/single-account/main.tf

@@ -18,6 +18,8 @@ module "ssm" {
 # cloud-connector
 #-------------------------------------
 module "codebuild" {
+  count = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs ? 1 : 0
+
   source                       = "../../modules/infrastructure/codebuild"
   name                         = "${var.name}-codebuild"
   secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
@@ -33,10 +35,14 @@ module "cloud_connector" {
 
   sysdig_secure_endpoint       = var.sysdig_secure_endpoint
   secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
-  is_organizational            = false
 
-  build_project_arn  = module.codebuild.project_arn
-  build_project_name = module.codebuild.project_name
+  deploy_image_scanning_ecr = var.deploy_image_scanning_ecr
+  deploy_image_scanning_ecs = var.deploy_image_scanning_ecs
+
+  is_organizational = false
+
+  build_project_arn  = length(module.codebuild) == 1 ? module.codebuild[0].project_arn : "na"
+  build_project_name = length(module.codebuild) == 1 ? module.codebuild[0].project_name : "na"
 
   sns_topic_arn = local.cloudtrail_sns_arn
 
@@ -47,5 +53,4 @@ module "cloud_connector" {
 
   tags       = var.tags
   depends_on = [local.cloudtrail_sns_arn, module.ssm]
-
 }

examples/single-account/variables.tf

@@ -32,9 +32,9 @@ variable "cloudtrail_kms_enable" {
 }
 
 
-#---------------------------------
+#
 # ecs, security group,  vpc
-#---------------------------------
+#
 
 variable "ecs_cluster_name" {
   type        = string
@@ -54,14 +54,29 @@ variable "ecs_vpc_subnets_private_ids" {
   description = "List of VPC subnets where workload is to be deployed. Defaulted to be created when 'ecs_cluster_name' is not provided."
 }
 
-
 variable "ecs_vpc_region_azs" {
   type        = list(string)
   description = "List of Availability Zones for ECS VPC creation. e.g.: [\"apne1-az1\", \"apne1-az2\"]. If defaulted, two of the default 'aws_availability_zones' datasource will be taken"
   default     = []
 }
 
 
+#
+# scanning configuration
+#
+
+variable "deploy_image_scanning_ecr" {
+  type        = bool
+  description = "true/false whether to deploy the image scanning on ECR pushed images"
+  default     = true
+}
+
+variable "deploy_image_scanning_ecs" {
+  type        = bool
+  description = "true/false whether to deploy the image scanning on ECS running images"
+  default     = true
+}
+
 
 #
 # benchmark configuration
@@ -83,6 +98,7 @@ variable "benchmark_regions" {
 #
 # general
 #
+
 variable "name" {
   type        = string
   description = "Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances"

modules/services/cloud-connector/README.md

@@ -71,6 +71,8 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu
 | <a name="input_sns_topic_arn"></a> [sns\_topic\_arn](#input\_sns\_topic\_arn) | ARN of a cloudtrail-sns topic | `string` | n/a | yes |
 | <a name="input_cloudwatch_log_retention"></a> [cloudwatch\_log\_retention](#input\_cloudwatch\_log\_retention) | Days to keep logs for CloudConnector | `number` | `5` | no |
 | <a name="input_connector_ecs_task_role_name"></a> [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Default ecs cloudconnector task role name | `string` | `"ECSTaskRole"` | no |
+| <a name="input_deploy_image_scanning_ecr"></a> [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `true` | no |
+| <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `true` | no |
 | <a name="input_extra_env_vars"></a> [extra\_env\_vars](#input\_extra\_env\_vars) | Extra environment variables for the Cloud Connector deployment | `map(string)` | `{}` | no |
 | <a name="input_image"></a> [image](#input\_image) | Image of the cloud connector to deploy | `string` | `"quay.io/sysdig/cloud-connector:latest"` | no |
 | <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | whether secure-for-cloud should be deployed in an organizational setup | `bool` | `false` | no |

modules/services/cloud-connector/locals.tf

@@ -0,0 +1,3 @@
+locals {
+  deploy_image_scanning = var.deploy_image_scanning_ecs || var.deploy_image_scanning_ecr
+}