wip
nkraemer-sysdig committed Oct 16, 2021
1 parent 38a5c00 commit f756fae
Showing 12 changed files with 307 additions and 230 deletions.
10 changes: 3 additions & 7 deletions examples-internal/single-account-benchmark/main.tf
Expand Up @@ -8,14 +8,10 @@ provider "sysdig" {
sysdig_secure_insecure_tls = length(regexall("https://.*?\\.sysdig(cloud)?.com/?", var.sysdig_secure_endpoint)) == 1 ? false : true
}


data "aws_caller_identity" "me" {}

module "cloud_bench" {
source = "../../modules/services/cloud-bench"

account_id = data.aws_caller_identity.me.account_id
tags = var.tags
regions = var.benchmark_regions
name = "${var.name}-cloudbench"
name = "${var.name}-cloudbench"
tags = var.tags
benchmark_regions = var.benchmark_regions
}
2 changes: 1 addition & 1 deletion examples-internal/single-account-benchmark/versions.tf
Expand Up @@ -2,7 +2,7 @@ terraform {
required_version = ">= 0.15.0"
required_providers {
aws = {
version = ">= 3.50.0"
version = ">= 3.62.0"
}
sysdig = {
source = "sysdiglabs/sysdig"
251 changes: 122 additions & 129 deletions examples/organizational/main.tf
Expand Up @@ -15,149 +15,142 @@ provider "sysdig" {
sysdig_secure_api_token = var.sysdig_secure_api_token
sysdig_secure_insecure_tls = length(regexall("https://.*?\\.sysdig(cloud)?.com/?", var.sysdig_secure_endpoint)) == 1 ? false : true
}

#-------------------------------------
# resources deployed always in management account
# with default provider
#-------------------------------------

module "resource_group" {
source = "../../modules/infrastructure/resource-group"
name = var.name
tags = var.tags
}

module "cloudtrail" {
source = "../../modules/infrastructure/cloudtrail"
name = var.name

is_organizational = true
organizational_config = {
sysdig_secure_for_cloud_member_account_id = var.sysdig_secure_for_cloud_member_account_id
}

is_multi_region_trail = var.cloudtrail_is_multi_region_trail
cloudtrail_kms_enable = var.cloudtrail_kms_enable

tags = var.tags
}


#-------------------------------------
# secure-for-cloud member account workload
#-------------------------------------

module "ecs_fargate_cluster" {
providers = {
aws = aws.member
}
source = "../../modules/infrastructure/ecs-fargate-cluster"
name = var.name
tags = var.tags
}


module "ssm" {
providers = {
aws = aws.member
}
source = "../../modules/infrastructure/ssm"
name = var.name
sysdig_secure_api_token = var.sysdig_secure_api_token
}


#
# cloud-connector
##-------------------------------------
## resources deployed always in management account
## with default provider
##-------------------------------------
#
module "cloud_connector" {
providers = {
aws = aws.member
}
source = "../../modules/services/cloud-connector"
name = "${var.name}-cloudconnector"

sysdig_secure_endpoint = var.sysdig_secure_endpoint
secure_api_token_secret_name = module.ssm.secure_api_token_secret_name

is_organizational = true
organizational_config = {
sysdig_secure_for_cloud_role_arn = module.secure_for_cloud_role.sysdig_secure_for_cloud_role_arn
connector_ecs_task_role_name = aws_iam_role.connector_ecs_task.name
}

sns_topic_arn = module.cloudtrail.sns_topic_arn

ecs_cluster = module.ecs_fargate_cluster.id
vpc_id = module.ecs_fargate_cluster.vpc_id
vpc_subnets = module.ecs_fargate_cluster.vpc_subnets

tags = var.tags
depends_on = [module.cloudtrail, module.ecs_fargate_cluster, module.ssm]
}


#module "resource_group" {
# source = "../../modules/infrastructure/resource-group"
# name = var.name
# tags = var.tags
#}
#
# cloud-bench
# WIP
#module "cloudtrail" {
# source = "../../modules/infrastructure/cloudtrail"
# name = var.name
#

#data "aws_caller_identity" "me" {}
#module "cloud_bench" {
# is_organizational = true
# organizational_config = {
# sysdig_secure_for_cloud_member_account_id = var.sysdig_secure_for_cloud_member_account_id
# }
#
# is_multi_region_trail = var.cloudtrail_is_multi_region_trail
# cloudtrail_kms_enable = var.cloudtrail_kms_enable
#
# tags = var.tags
#}
#
#
##-------------------------------------
## secure-for-cloud member account workload
##-------------------------------------
#
#module "ecs_fargate_cluster" {
# providers = {
# aws = aws.member
# }
# source = "../../modules/services/cloud-bench"
# source = "../../modules/infrastructure/ecs-fargate-cluster"
# name = var.name
# tags = var.tags
#}
#
#
#module "ssm" {
# providers = {
# aws = aws.member
# }
# source = "../../modules/infrastructure/ssm"
# name = var.name
# sysdig_secure_api_token = var.sysdig_secure_api_token
#}
#
#
##
## cloud-connector
##
#module "cloud_connector" {
# providers = {
# aws = aws.member
# }
# source = "../../modules/services/cloud-connector"
# name = "${var.name}-cloudconnector"
#
# sysdig_secure_endpoint = var.sysdig_secure_endpoint
# secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
#
# is_organizational = true
# organizational_config = {
# sysdig_secure_for_cloud_role_arn = module.secure_for_cloud_role.sysdig_secure_for_cloud_role_arn
# connector_ecs_task_role_name = aws_iam_role.connector_ecs_task.name
# }
#
# sns_topic_arn = module.cloudtrail.sns_topic_arn
#
# ecs_cluster = module.ecs_fargate_cluster.id
# vpc_id = module.ecs_fargate_cluster.vpc_id
# vpc_subnets = module.ecs_fargate_cluster.vpc_subnets
#
# account_id = var.organizational_config.sysdig_secure_for_cloud_member_account_id
# tags = var.tags
# depends_on = [module.cloudtrail, module.ecs_fargate_cluster, module.ssm]
#}





#
# cloud-scanning
##
## cloud-scanning
##
### FIXME? if this is a non-shared resource, move its usage to scanning service?
#module "codebuild" {
# providers = {
# aws = aws.member
# }
# source = "../../modules/infrastructure/codebuild"
# name = var.name
# secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
# depends_on = [module.ssm]
#}
#
## FIXME? if this is a non-shared resource, move its usage to scanning service?
module "codebuild" {
providers = {
aws = aws.member
}
source = "../../modules/infrastructure/codebuild"
name = var.name
secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
depends_on = [module.ssm]
}

module "cloud_scanning" {
providers = {
aws = aws.member
}

source = "../../modules/services/cloud-scanning"
name = "${var.name}-cloudscanning"
#module "cloud_scanning" {
# providers = {
# aws = aws.member
# }
#
# source = "../../modules/services/cloud-scanning"
# name = "${var.name}-cloudscanning"
#
# sysdig_secure_endpoint = var.sysdig_secure_endpoint
# secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
#
# build_project_arn = module.codebuild.project_arn
# build_project_name = module.codebuild.project_name
#
# is_organizational = true
# organizational_config = {
# sysdig_secure_for_cloud_role_arn = module.secure_for_cloud_role.sysdig_secure_for_cloud_role_arn
# organizational_role_per_account = "OrganizationAccountAccessRole"
# scanning_ecs_task_role_name = aws_iam_role.connector_ecs_task.name
# }
#
# sns_topic_arn = module.cloudtrail.sns_topic_arn
#
# ecs_cluster = module.ecs_fargate_cluster.id
# vpc_id = module.ecs_fargate_cluster.vpc_id
# vpc_subnets = module.ecs_fargate_cluster.vpc_subnets
#
# tags = var.tags
# depends_on = [module.cloudtrail, module.ecs_fargate_cluster, module.codebuild, module.ssm]
#}

sysdig_secure_endpoint = var.sysdig_secure_endpoint
secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
#-------------------------------------
# cloud-bench
#-------------------------------------

build_project_arn = module.codebuild.project_arn
build_project_name = module.codebuild.project_name
module "cloud_bench" {
source = "../../modules/services/cloud-bench"

name = "${var.name}-cloudbench"
tags = var.tags
is_organizational = true
organizational_config = {
sysdig_secure_for_cloud_role_arn = module.secure_for_cloud_role.sysdig_secure_for_cloud_role_arn
organizational_role_per_account = "OrganizationAccountAccessRole"
scanning_ecs_task_role_name = aws_iam_role.connector_ecs_task.name
}

sns_topic_arn = module.cloudtrail.sns_topic_arn

ecs_cluster = module.ecs_fargate_cluster.id
vpc_id = module.ecs_fargate_cluster.vpc_id
vpc_subnets = module.ecs_fargate_cluster.vpc_subnets

tags = var.tags
depends_on = [module.cloudtrail, module.ecs_fargate_cluster, module.codebuild, module.ssm]
region = var.region
benchmark_regions = var.benchmark_regions
}
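Review bot: The new `cloud_bench` block at the end of this hunk still carries an `organizational_config` that reads `module.secure_for_cloud_role.sysdig_secure_for_cloud_role_arn` and `aws_iam_role.connector_ecs_task.name`, while this same commit comments out both of those definitions in `examples/organizational/utils.tf` (and every other module in this file), so `terraform validate` on the example should fail on unresolved references — unless those lines are leftover context from the removed `cloud_scanning` block, which the rendered diff does not make certain. `scanning_ecs_task_role_name` is a cloud-scanning input with no evident meaning for a benchmark module, so it should be dropped or its purpose documented. `organizational_role_per_account = "OrganizationAccountAccessRole"` names the AWS-managed role that is full administrator in every member account by default; if the benchmark only needs read access, say so in a comment and expose the role name as a variable so deployments can supply a narrower role. Given the "wip" title, a header comment such as `# WIP: connector/scanning modules disabled; cloud_bench inputs not yet validated` would keep this example from being applied as-is.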
98 changes: 49 additions & 49 deletions examples/organizational/utils.tf
@@ -1,49 +1,49 @@
module "resource_group_secure_for_cloud_member" {
providers = {
aws = aws.member
}
source = "../../modules/infrastructure/resource-group"
name = var.name
tags = var.tags
}


module "secure_for_cloud_role" {
source = "../../modules/infrastructure/permissions/org-management-role"
providers = {
aws.member = aws.member
}
name = var.name

cloudtrail_s3_arn = module.cloudtrail.s3_bucket_arn
cloudconnector_ecs_task_role_name = aws_iam_role.connector_ecs_task.name

tags = var.tags
depends_on = [aws_iam_role.connector_ecs_task]
}


# -----------------------------------------------------------------
# secure_for_cloud_role <-> ecs_role trust relationship
# note:
# - definition of a ROOT lvl secure_for_cloud_connector_ecs_tas_role to avoid cyclic dependencies
# - duplicated in ../../modules/services/cloud-connector/ecs-service-security.tf
# -----------------------------------------------------------------
resource "aws_iam_role" "connector_ecs_task" {
provider = aws.member
name = "${var.name}-${var.connector_ecs_task_role_name}"
assume_role_policy = data.aws_iam_policy_document.task_assume_role.json
path = "/"
tags = var.tags
}
data "aws_iam_policy_document" "task_assume_role" {
provider = aws.member
statement {
effect = "Allow"
principals {
identifiers = ["ecs-tasks.amazonaws.com"]
type = "Service"
}
actions = ["sts:AssumeRole"]
}
}
#module "resource_group_secure_for_cloud_member" {
# providers = {
# aws = aws.member
# }
# source = "../../modules/infrastructure/resource-group"
# name = var.name
# tags = var.tags
#}
#
#
#module "secure_for_cloud_role" {
# source = "../../modules/infrastructure/permissions/org-management-role"
# providers = {
# aws.member = aws.member
# }
# name = var.name
#
# cloudtrail_s3_arn = module.cloudtrail.s3_bucket_arn
# cloudconnector_ecs_task_role_name = aws_iam_role.connector_ecs_task.name
#
# tags = var.tags
# depends_on = [aws_iam_role.connector_ecs_task]
#}
#
#
## -----------------------------------------------------------------
## secure_for_cloud_role <-> ecs_role trust relationship
## note:
## - definition of a ROOT lvl secure_for_cloud_connector_ecs_tas_role to avoid cyclic dependencies
## - duplicated in ../../modules/services/cloud-connector/ecs-service-security.tf
## -----------------------------------------------------------------
#resource "aws_iam_role" "connector_ecs_task" {
# provider = aws.member
# name = "${var.name}-${var.connector_ecs_task_role_name}"
# assume_role_policy = data.aws_iam_policy_document.task_assume_role.json
# path = "/"
# tags = var.tags
#}
#data "aws_iam_policy_document" "task_assume_role" {
# provider = aws.member
# statement {
# effect = "Allow"
# principals {
# identifiers = ["ecs-tasks.amazonaws.com"]
# type = "Service"
# }
# actions = ["sts:AssumeRole"]
# }
#}
