Cloud Vision deployment in AWS

Terraform module that deploys the Sysdig CloudVision stack in AWS.

Currently supported cloudvision components:

  • cloud-connector (organizational account only)
  • cloud-scanner
  • cloud-bench

For other cloud providers check:


Notes

  • all created resources are tagged with product:sysdig-cloudvision
  • all created resources are collected in the resource group sysdig-cloudvision

Examples

Organizational Cloudvision

More info, including the organizational diagram, in ./examples/organizational_cloudvision/README.md

Prerequisites

  1. An existing AWS account that is the management (master) account of the organization
    • organizational CloudTrail must be enabled
  2. AWS profile credentials for the management account of the organization
    • these credentials must be able to create and manage CloudTrail trails

      You must be logged in with the management account for the organization to create an organization trail. You must also have sufficient permissions for the IAM user or role in the management account to successfully create an organization trail.

    • credentials are picked from the default AWS profile, but can be changed via the provider's profile setting
    • the id of the organization member account that will host cloudvision, as an input variable value
      org_cloudvision_account_id=<ORGANIZATIONAL_CLOUDVISION_ACCOUNT_ID>
      
  3. Sysdig Secure requirements, as an input variable value
    sysdig_secure_api_token=<SECURE_API_TOKEN>
    

See main module variables.tf file for more optional configuration.
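The three prerequisites above can be checked before running `terraform apply`. The following preflight script is an added example, not part of this module: it feeds the JSON printed by four real AWS CLI commands (`aws organizations describe-organization`, `aws sts get-caller-identity`, `aws organizations list-aws-service-access-for-organization`, `aws organizations describe-account`) into pure check functions, so the checks can also be exercised offline on the constructed sample outputs embedded in the block. The account ids in the samples are fictitious.

```python
"""Preflight for the organizational cloudvision deployment (added example, not
part of the module).  An organization trail can only be created from the
management account, in an organization with all features enabled and with
CloudTrail enabled as a trusted service; the member account that will host
cloudvision must exist and be ACTIVE."""
import json
import subprocess
import sys

CLOUDTRAIL_SP = "cloudtrail.amazonaws.com"


def aws(*args, profile=None):
    """Run one AWS CLI command and return its parsed JSON output."""
    cmd = ["aws", *args, "--output", "json"]
    if profile:
        cmd += ["--profile", profile]
    return json.loads(subprocess.check_output(cmd))


def preflight(describe_org, caller_identity, service_access, describe_account, member_id):
    """Return a list of human-readable problems; an empty list means the prerequisites hold."""
    problems = []
    org = describe_org["Organization"]
    if caller_identity["Account"] != org["MasterAccountId"]:
        problems.append(f"credentials belong to {caller_identity['Account']}, "
                        f"not the management account {org['MasterAccountId']}")
    if org.get("FeatureSet") != "ALL":
        problems.append("organization does not have all features enabled; organization trails require it")
    enabled = {sp["ServicePrincipal"] for sp in service_access.get("EnabledServicePrincipals", [])}
    if CLOUDTRAIL_SP not in enabled:
        problems.append(f"trusted access for {CLOUDTRAIL_SP} is not enabled in the organization")
    acct = describe_account["Account"]
    if acct.get("Id") != member_id or acct.get("Status") != "ACTIVE":
        problems.append(f"member account {member_id} is missing or not ACTIVE (status={acct.get('Status')})")
    return problems


# Constructed sample outputs in the shape the CLI prints; all ids are fictitious.
SAMPLE_ORG = {"Organization": {"Id": "o-example", "MasterAccountId": "111111111111", "FeatureSet": "ALL"}}
SAMPLE_CALLER = {"Account": "111111111111", "Arn": "arn:aws:iam::111111111111:user/admin"}
SAMPLE_ACCESS = {"EnabledServicePrincipals": [{"ServicePrincipal": CLOUDTRAIL_SP}]}
SAMPLE_MEMBER = {"Account": {"Id": "222222222222", "Status": "ACTIVE"}}


def main(member_id, profile=None):
    """Query the live organization with the AWS CLI and report every unmet prerequisite."""
    org = aws("organizations", "describe-organization", profile=profile)
    who = aws("sts", "get-caller-identity", profile=profile)
    access = aws("organizations", "list-aws-service-access-for-organization", profile=profile)
    member = aws("organizations", "describe-account", "--account-id", member_id, profile=profile)
    problems = preflight(org, who, access, member, member_id)
    for problem in problems:
        print("FAIL:", problem)
    print("OK: prerequisites satisfied" if not problems else f"{len(problems)} problem(s) found")
    return 0 if not problems else 1


if __name__ == "__main__":
    # usage: python preflight.py <ORG_CLOUDVISION_ACCOUNT_ID> [AWS_PROFILE]
    sys.exit(main(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it with the same profile Terraform will use; if the caller check fails, the provider will be able to create resources but `aws_cloudtrail` with an organization trail will be rejected at apply time.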

Usage

```hcl
module "cloudvision_aws" {
  source = "sysdiglabs/cloudvision/aws"

  sysdig_secure_api_token        = "00000000-1111-2222-3333-444444444444"
  org_cloudvision_account_id     = "<ORG_MEMBER_ACCOUNT_FOR_CLOUDVISION>"
  org_cloudvision_account_region = "<REGION_CLOUDVISION_RESOURCES; eg: eu-central-1>"
}
```

Avoid committing a real token: supply `sysdig_secure_api_token` through the `TF_VAR_sysdig_secure_api_token` environment variable or a `-var-file` kept out of version control.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.14.0 |
| aws | >= 3.50.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 3.50.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| cloudtrail_organizational | ./modules/cloudtrail_organizational | |
| services | ./modules/services | |

Resources

| Name | Type |
|------|------|
| aws_iam_role.cloudvision_role | resource |
| aws_iam_role_policy.cloudtrail_s3 | resource |
| aws_resourcegroups_group.sysdig_cloudvision | resource |
| aws_iam_policy_document.cloud_vision_role_trusted | data source |
| aws_iam_policy_document.cloudtrail_s3 | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| org_cloudvision_account_id | the account id within the organization to be used as the cloudvision account | `string` | n/a | yes |
| org_cloudvision_account_region | default cloudvision member account region for services provisioning | `string` | n/a | yes |
| sysdig_secure_api_token | Sysdig Secure API token | `string` | n/a | yes |
| cloudtrail_org_is_multi_region_trail | testing/cost-saving purpose only. true/false whether the organizational CloudTrail ingests events from all regions; a single-region trail only records activity in its home region, so events elsewhere never reach cloud-connector | `bool` | true | no |
| cloudtrail_org_kms_enable | testing/cost-saving purpose only. true/false whether the CloudTrail S3 bucket is encrypted with KMS; keep it true outside test deployments | `bool` | true | no |
| sysdig_secure_endpoint | Sysdig Secure API endpoint | `string` | "https://secure.sysdig.com" | no |
| tags | sysdig cloudvision tags | `map(string)` | {"product": "sysdig-cloudvision"} | no |

Outputs

No outputs.


Troubleshooting

  • Q: How to validate that cloudvision cloud-connector (threat detection) provisioning is working as expected?
    A: Check that each pipeline resource is working as expected (from high to low level):

    • select a rule to break manually, from the 'Sysdig AWS Best Practices' policies, for example 'Delete Bucket Public Access Block'. Can you see the event in Sysdig Secure?
    • are there any errors in the ECS task logs? You can also check the CloudWatch logs; for the previous example we should see the event

      ```json
      {"level":"info","component":"console-notifier","time":"2021-07-26T12:45:25Z","message":"A pulic access block for a bucket has been deleted (requesting  user=OrganizationAccountAccessRole, requesting IP=x.x.x.x, AWS  region=eu-central-1, bucket=sysdig-cloudvision-nnnnnn-config)"}
      ```

    • are events consumed from the SQS queue, or are they pending?
    • are events being sent to the SNS topic?
  • Q: How to iterate on cloud-connector modifications and test them
    A: Build a custom docker image of cloud-connector with `docker build . -t <DOCKER_IMAGE> -f ./build/cloud-connector/Dockerfile`, push it to any registry (like Docker Hub), modify the `var.image` variable to point to your image and deploy.

  • Q: How can I iterate ECS testing
    A: After applying your modifications (via terraform, for example) restart the service:

    ```shell
    $ aws ecs update-service --force-new-deployment --cluster sysdig-cloudvision-ecscluster --service sysdig-cloudvision-cloudconnector --profile <AWS_PROFILE>
    ```

    For the AWS_PROFILE, set your ~/.aws/config to assume the cross-account role:

    ```ini
    [profile cloudvision]
    region=eu-central-1
    role_arn=arn:aws:iam::<AWS_MASTER_ORGANIZATION_ACCOUNT>:role/OrganizationAccountAccessRole
    source_profile=<AWS_MASTER_ACCOUNT_PROFILE>
    ```
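The pipeline checklist in the first troubleshooting answer can be automated. The script below is an added example, not code from this module: it walks the pipeline from the consumer backwards (ECS service health, then the console-notifier log line, then the SQS backlog) and names the first stage that looks broken. It reads the JSON printed by `aws ecs describe-services`, `aws logs filter-log-events` and `aws sqs get-queue-attributes`; the cluster and service names are the ones used in this README, while the queue URL and log group name are placeholders because the module does not document them, so substitute the values Terraform created in the cloudvision member account. The embedded sample outputs are constructed for offline use and reuse the log message quoted above.

```python
"""Triage the cloud-connector pipeline (added example, not part of the module).
Pure functions parse AWS CLI JSON; main() wires them to the CLI."""
import json
import subprocess
import sys

CLUSTER = "sysdig-cloudvision-ecscluster"        # service names quoted in this README
SERVICE = "sysdig-cloudvision-cloudconnector"
# Assumptions: the module does not document these two; replace with your own.
QUEUE_URL = "https://sqs.eu-central-1.amazonaws.com/222222222222/sysdig-cloudvision"
LOG_GROUP = "/ecs/sysdig-cloudvision-cloudconnector"
# Substring of the console-notifier message produced by the 'Delete Bucket Public
# Access Block' test (spelled as the connector emits it).
DETECTION_NEEDLE = "access block for a bucket has been deleted"


def aws(*args, profile=None):
    """Run one AWS CLI command and return its parsed JSON output."""
    cmd = ["aws", *args, "--output", "json"]
    if profile:
        cmd += ["--profile", profile]
    return json.loads(subprocess.check_output(cmd))


def service_healthy(describe_services):
    """True when every desired cloud-connector task is running."""
    svc = describe_services["services"][0]
    return svc["desiredCount"] > 0 and svc["runningCount"] == svc["desiredCount"]


def sqs_backlog(queue_attributes):
    """(visible, in-flight) message counts; a growing visible count means nothing drains the queue."""
    attrs = queue_attributes["Attributes"]
    return (int(attrs.get("ApproximateNumberOfMessages", 0)),
            int(attrs.get("ApproximateNumberOfMessagesNotVisible", 0)))


def detections(log_events, needle=DETECTION_NEEDLE):
    """console-notifier messages that mention the rule broken on purpose."""
    found = []
    for event in log_events.get("events", []):
        try:
            record = json.loads(event["message"])
        except (ValueError, KeyError, TypeError):
            continue  # plain-text lines (startup banners, panics) are not detections
        if record.get("component") == "console-notifier" and needle in record.get("message", "").lower():
            found.append(record["message"])
    return found


def triage(describe_services, queue_attributes, log_events):
    """Name the first pipeline stage that is not doing its job."""
    if not service_healthy(describe_services):
        return "ecs: cloud-connector tasks are not running; check the stopped task's reason and the task logs"
    if detections(log_events):
        return "ok: the event reached the console-notifier"
    visible, in_flight = sqs_backlog(queue_attributes)
    if visible > 0:
        return f"sqs: {visible} messages pending ({in_flight} in flight); the consumer is not draining the queue"
    return "upstream: nothing in SQS and no detection; check the SNS subscription and the organizational trail"


# Constructed sample outputs in the shape the CLI prints.
SAMPLE_SERVICE = {"services": [{"serviceName": SERVICE, "desiredCount": 1, "runningCount": 1}]}
SAMPLE_QUEUE = {"Attributes": {"ApproximateNumberOfMessages": "0", "ApproximateNumberOfMessagesNotVisible": "0"}}
SAMPLE_LOGS = {"events": [
    {"timestamp": 1627303525000, "message": "starting cloud-connector"},
    {"timestamp": 1627303525000, "message": json.dumps({
        "level": "info", "component": "console-notifier", "time": "2021-07-26T12:45:25Z",
        "message": "A pulic access block for a bucket has been deleted (requesting  user=OrganizationAccountAccessRole, "
                   "requesting IP=x.x.x.x, AWS  region=eu-central-1, bucket=sysdig-cloudvision-nnnnnn-config)"})},
]}


def main(profile=None):
    """Collect live state with the AWS CLI and print the triage verdict."""
    svc = aws("ecs", "describe-services", "--cluster", CLUSTER, "--services", SERVICE, profile=profile)
    queue = aws("sqs", "get-queue-attributes", "--queue-url", QUEUE_URL, "--attribute-names",
                "ApproximateNumberOfMessages", "ApproximateNumberOfMessagesNotVisible", profile=profile)
    logs = aws("logs", "filter-log-events", "--log-group-name", LOG_GROUP,
               "--filter-pattern", '"console-notifier"', "--limit", "200", profile=profile)
    print(triage(svc, queue, logs))


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

The profile passed on the command line must resolve to credentials in the account where the ECS cluster runs, i.e. the cloudvision member account, which is what the `[profile cloudvision]` role assumption above provides.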

Authors

Module is maintained by Sysdig.

License

Apache 2 Licensed. See LICENSE for full details.