sysdiglabs · tembleking · Nov 17, 2021 · Nov 17, 2021 · Nov 17, 2021 · Nov 17, 2021
@@ -90,7 +90,6 @@ Notice that:
 |------|--------|---------|
 | <a name="module_cloud_bench"></a> [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench |  |
 | <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector |  |
-| <a name="module_cloud_scanning"></a> [cloud\_scanning](#module\_cloud\_scanning) | ../../modules/services/cloud-scanning |  |
 | <a name="module_cloudtrail"></a> [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail |  |
 | <a name="module_codebuild"></a> [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild |  |
 | <a name="module_ecs_fargate_cluster"></a> [ecs\_fargate\_cluster](#module\_ecs\_fargate\_cluster) | ../../modules/infrastructure/ecs-fargate-cluster |  |
@@ -119,6 +118,7 @@ Notice that:
 | <a name="input_cloudtrail_s3_arn"></a> [cloudtrail\_s3\_arn](#input\_cloudtrail\_s3\_arn) | ARN of a pre-existing cloudtrail\_sns s3 bucket. If it does not exist, it will be inferred from create cloudtrail | `string` | `"create"` | no |
 | <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If it does not exist, it will be inferred from created cloudtrail | `string` | `"create"` | no |
 | <a name="input_connector_ecs_task_role_name"></a> [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Name for the ecs task role. This is only required to resolve cyclic dependency with organizational approach | `string` | `"organizational-ECSTaskRole"` | no |
+| <a name="input_deploy_bench"></a> [deploy\_bench](#input\_deploy\_bench) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_organizational_member_default_admin_role"></a> [organizational\_member\_default\_admin\_role](#input\_organizational\_member\_default\_admin\_role) | Default role created by AWS for managed-account users to be able to admin member accounts.<br/>https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html | `string` | `"OrganizationAccountAccessRole"` | no |
 | <a name="input_region"></a> [region](#input\_region) | Default region for resource creation in both organization master and secure-for-cloud member account | `string` | `"eu-central-1"` | no |

@@ -53,36 +53,6 @@ module "ssm" {
 #
 # cloud-connector
 #
-module "cloud_connector" {
-  providers = {
-    aws = aws.member
-  }
-  source = "../../modules/services/cloud-connector"
-  name   = "${var.name}-cloudconnector"
-
-  sysdig_secure_endpoint       = var.sysdig_secure_endpoint
-  secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
-
-  is_organizational = true
-  organizational_config = {
-    sysdig_secure_for_cloud_role_arn = module.secure_for_cloud_role.sysdig_secure_for_cloud_role_arn
-    connector_ecs_task_role_name     = aws_iam_role.connector_ecs_task.name
-  }
-
-  sns_topic_arn = local.cloudtrail_sns_arn
-
-  ecs_cluster = module.ecs_fargate_cluster.id
-  vpc_id      = module.ecs_fargate_cluster.vpc_id
-  vpc_subnets = module.ecs_fargate_cluster.vpc_subnets
-
-  tags       = var.tags
-  depends_on = [local.cloudtrail_sns_arn, module.ecs_fargate_cluster, module.ssm]
-}
-
-#
-# cloud-scanning
-#
-## FIXME? if this is a non-shared resource, move its usage to scanning service?
 module "codebuild" {
   providers = {
     aws = aws.member
@@ -93,13 +63,12 @@ module "codebuild" {
   depends_on                   = [module.ssm]
 }
 
-module "cloud_scanning" {
+module "cloud_connector" {
   providers = {
     aws = aws.member
   }
-
-  source = "../../modules/services/cloud-scanning"
-  name   = "${var.name}-cloudscanning"
+  source = "../../modules/services/cloud-connector"
+  name   = "${var.name}-cloudconnector"
 
   sysdig_secure_endpoint       = var.sysdig_secure_endpoint
   secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
@@ -111,7 +80,7 @@ module "cloud_scanning" {
   organizational_config = {
     sysdig_secure_for_cloud_role_arn = module.secure_for_cloud_role.sysdig_secure_for_cloud_role_arn
     organizational_role_per_account  = var.organizational_member_default_admin_role
-    scanning_ecs_task_role_name      = aws_iam_role.connector_ecs_task.name
+    connector_ecs_task_role_name     = aws_iam_role.connector_ecs_task.name
   }
 
   sns_topic_arn = local.cloudtrail_sns_arn
@@ -121,7 +90,7 @@ module "cloud_scanning" {
   vpc_subnets = module.ecs_fargate_cluster.vpc_subnets
 
   tags       = var.tags
-  depends_on = [local.cloudtrail_sns_arn, module.ecs_fargate_cluster, module.codebuild, module.ssm]
+  depends_on = [local.cloudtrail_sns_arn, module.ecs_fargate_cluster, module.ssm]
 }
 
 #-------------------------------------
@@ -130,6 +99,7 @@ module "cloud_scanning" {
 
 module "cloud_bench" {
   source = "../../modules/services/cloud-bench"
+  count  = var.deploy_bench ? 1 : 0
 
   name              = "${var.name}-cloudbench"
   tags              = var.tags

@@ -68,6 +68,13 @@ variable "benchmark_regions" {
   default     = []
 }
 
+variable "deploy_bench" {
+  type        = bool
+  description = "Whether to deploy or not the cloud benchmarking"
+  default     = true
+}
+
+
 #
 # general
 #

@@ -82,7 +82,6 @@ Notice that:
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_cloud_connector_sqs"></a> [cloud\_connector\_sqs](#module\_cloud\_connector\_sqs) | ../../modules/infrastructure/sqs-sns-subscription |  |
-| <a name="module_cloud_scanning_sqs"></a> [cloud\_scanning\_sqs](#module\_cloud\_scanning\_sqs) | ../../modules/infrastructure/sqs-sns-subscription |  |
 | <a name="module_cloudtrail"></a> [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail |  |
 | <a name="module_codebuild"></a> [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild |  |
 | <a name="module_iam_user"></a> [iam\_user](#module\_iam\_user) | ../../modules/infrastructure/permissions/iam-user |  |
@@ -94,7 +93,6 @@ Notice that:
 | Name | Type |
 |------|------|
 | [helm_release.cloud_connector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
-| [helm_release.cloud_scanning](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs

@@ -10,6 +10,16 @@ module "cloud_connector_sqs" {
   tags          = var.tags
 }
 
+module "codebuild" {
+  count  = var.deploy_image_scanning ? 1 : 0
+  source = "../../modules/infrastructure/codebuild"
+
+  secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
+
+  tags = var.tags
+  # note. this is required to avoid race conditions
+  depends_on = [module.ssm]
+}
 
 #-------------------------------------
 # cloud_connector
@@ -50,12 +60,28 @@ resource "helm_release" "cloud_connector" {
   }
 
   values = [
-    <<CONFIG
-ingestors:
-  - cloudtrail-sns-sqs:
-      queueURL: ${module.cloud_connector_sqs[0].cloudtrail_sns_subscribed_sqs_url}
-CONFIG
-  ]
+    yamlencode({
+      ingestors = [
+        {
+          cloudtrail-sns-sqs = {
+            queueURL = module.cloud_connector_sqs[0].cloudtrail_sns_subscribed_sqs_url
+          }
+        }
+      ]
+      scanners = var.deploy_image_scanning ? [
+        {
+          aws-ecr = {
+            codeBuildProject         = module.codebuild[0].project_name
+            secureAPITokenSecretName = module.ssm.secure_api_token_secret_name
+          }
 
+          aws-ecs = {
+            codeBuildProject         = module.codebuild[0].project_name
+            secureAPITokenSecretName = module.ssm.secure_api_token_secret_name
+          }
+        }
+      ] : []
+    })
+  ]
   depends_on = [module.iam_user]
 }
@@ -63,7 +63,6 @@ No providers.
 |------|--------|---------|
 | <a name="module_cloud_bench"></a> [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench |  |
 | <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector |  |
-| <a name="module_cloud_scanning"></a> [cloud\_scanning](#module\_cloud\_scanning) | ../../modules/services/cloud-scanning |  |
 | <a name="module_cloudtrail"></a> [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail |  |
 | <a name="module_codebuild"></a> [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild |  |
 | <a name="module_ecs_fargate_cluster"></a> [ecs\_fargate\_cluster](#module\_ecs\_fargate\_cluster) | ../../modules/infrastructure/ecs-fargate-cluster |  |
@@ -83,6 +82,7 @@ No resources.
 | <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events | `bool` | `true` | no |
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no |
 | <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If it does not exist, it will be inferred from created cloudtrail | `string` | `"create"` | no |
+| <a name="input_deploy_bench"></a> [deploy\_bench](#input\_deploy\_bench) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |

@@ -1,56 +1,27 @@
 #-------------------------------------
 # general resources
 #-------------------------------------
-
 module "resource_group" {
   source = "../../modules/infrastructure/resource-group"
   name   = var.name
   tags   = var.tags
 }
 
-
 module "ecs_fargate_cluster" {
   source = "../../modules/infrastructure/ecs-fargate-cluster"
   name   = var.name
   tags   = var.tags
 }
 
-
 module "ssm" {
   source                  = "../../modules/infrastructure/ssm"
   name                    = var.name
   sysdig_secure_api_token = var.sysdig_secure_api_token
 }
 
-
 #-------------------------------------
 # cloud-connector
 #-------------------------------------
-
-module "cloud_connector" {
-  source = "../../modules/services/cloud-connector"
-  name   = "${var.name}-cloudconnector"
-
-  sysdig_secure_endpoint       = var.sysdig_secure_endpoint
-  secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
-  is_organizational            = false
-
-  sns_topic_arn = local.cloudtrail_sns_arn
-
-  ecs_cluster = module.ecs_fargate_cluster.id
-  vpc_id      = module.ecs_fargate_cluster.vpc_id
-  vpc_subnets = module.ecs_fargate_cluster.vpc_subnets
-
-  tags       = var.tags
-  depends_on = [local.cloudtrail_sns_arn, module.ecs_fargate_cluster, module.ssm]
-}
-
-
-
-#-------------------------------------
-# cloud-scanning
-#-------------------------------------
-
 module "codebuild" {
   source                       = "../../modules/infrastructure/codebuild"
   name                         = "${var.name}-codebuild"
@@ -61,13 +32,13 @@ module "codebuild" {
   depends_on = [module.ssm]
 }
 
-
-module "cloud_scanning" {
-  source = "../../modules/services/cloud-scanning"
-  name   = "${var.name}-cloudscanning"
+module "cloud_connector" {
+  source = "../../modules/services/cloud-connector"
+  name   = "${var.name}-cloudconnector"
 
   sysdig_secure_endpoint       = var.sysdig_secure_endpoint
   secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
+  is_organizational            = false
 
   build_project_arn  = module.codebuild.project_arn
   build_project_name = module.codebuild.project_name
@@ -78,9 +49,9 @@ module "cloud_scanning" {
   vpc_id      = module.ecs_fargate_cluster.vpc_id
   vpc_subnets = module.ecs_fargate_cluster.vpc_subnets
 
-  tags = var.tags
-  # note. this is required to avoid race conditions
-  depends_on = [local.cloudtrail_sns_arn, module.ecs_fargate_cluster, module.codebuild, module.ssm]
+  tags       = var.tags
+  depends_on = [local.cloudtrail_sns_arn, module.ecs_fargate_cluster, module.ssm]
+
 }
 
 #-------------------------------------
@@ -94,6 +65,7 @@ provider "sysdig" {
 
 module "cloud_bench" {
   source = "../../modules/services/cloud-bench"
+  count  = var.deploy_bench ? 1 : 0
 
   name              = "${var.name}-cloudbench"
   tags              = var.tags

@@ -40,6 +40,12 @@ variable "benchmark_regions" {
   default     = []
 }
 
+variable "deploy_bench" {
+  type        = bool
+  description = "Whether to deploy or not the cloud benchmarking"
+  default     = true
+}
+
 #
 # general
 #