diff --git a/README.md b/README.md
index d69a08e9..bebb508b 100644
--- a/README.md
+++ b/README.md
@@ -144,6 +144,10 @@ It may take some time, but you should see logs detecting the new image in the EC
## Troubleshooting
+### Q: Getting error "Error: failed creating ECS Task Definition: ClientException: No Fargate configuration exists for given values.
+A: Your ECS task_size values aren't valid for Fargate. Specifically, your mem_limit value is too big for the cpu_limit you specified
+S: Check [supported task cpu and memory values](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html)
+
### Q: Getting error "404 Invalid parameter: TopicArn" when trying to reuse an existing cloudtrail-sns
```text
diff --git a/examples-internal/organizational-k8s-threat-reuse_cloudtrail_s3/README.md b/examples-internal/organizational-k8s-threat-reuse_cloudtrail_s3/README.md
index 54ac185c..67c17cec 100644
--- a/examples-internal/organizational-k8s-threat-reuse_cloudtrail_s3/README.md
+++ b/examples-internal/organizational-k8s-threat-reuse_cloudtrail_s3/README.md
@@ -81,7 +81,7 @@ Notice that:
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 3.74.1 |
+| [aws](#provider\_aws) | 4.0.0 |
| [helm](#provider\_helm) | 2.4.1 |
## Modules
diff --git a/examples/organizational/README.md b/examples/organizational/README.md
index e2c3cd25..3caeb117 100644
--- a/examples/organizational/README.md
+++ b/examples/organizational/README.md
@@ -74,15 +74,15 @@ Notice that:
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 0.15.0 |
-| [aws](#requirement\_aws) | >= 3.62.0 |
+| [aws](#requirement\_aws) | >= 4.0.0 |
| [sysdig](#requirement\_sysdig) | >= 0.5.29 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 3.74.1 |
-| [aws.member](#provider\_aws.member) | 3.74.1 |
+| [aws](#provider\_aws) | 4.0.0 |
+| [aws.member](#provider\_aws.member) | 4.0.0 |
## Modules
@@ -122,6 +122,8 @@ Notice that:
| [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `true` | no |
| [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `true` | no |
| [ecs\_cluster\_name](#input\_ecs\_cluster\_name) | Name of a pre-existing ECS (elastic container service) cluster. If defaulted, a new ECS cluster/VPC/Security Group will be created. For both options, ECS location will/must be within the `sysdig_secure_for_cloud_member_account_id` parameter accountID | `string` | `"create"` | no |
+| [ecs\_task\_cpu](#input\_ecs\_task\_cpu) | Amount of CPU (in CPU units) to reserve for cloud-connector task | `string` | `"256"` | no |
+| [ecs\_task\_memory](#input\_ecs\_task\_memory) | Amount of memory (in megabytes) to reserve for cloud-connector task | `string` | `"512"` | no |
| [ecs\_vpc\_id](#input\_ecs\_vpc\_id) | ID of the VPC where the workload is to be deployed. Defaulted to be created when `ecs_cluster_name is not provided.` | `string` | `"create"` | no |
| [ecs\_vpc\_region\_azs](#input\_ecs\_vpc\_region\_azs) | List of Availability Zones for ECS VPC creation. e.g.: ["apne1-az1", "apne1-az2"]. If defaulted, two of the default 'aws\_availability\_zones' datasource will be taken | `list(string)` | `[]` | no |
| [ecs\_vpc\_subnets\_private\_ids](#input\_ecs\_vpc\_subnets\_private\_ids) | List of VPC subnets where workload is to be deployed. Defaulted to be created when `ecs_cluster_name is not provided.` | `list(string)` | `[]` | no |
diff --git a/examples/organizational/main.tf b/examples/organizational/main.tf
index b1bd399d..48bce4b7 100644
--- a/examples/organizational/main.tf
+++ b/examples/organizational/main.tf
@@ -80,6 +80,8 @@ module "cloud_connector" {
ecs_cluster_name = local.ecs_cluster_name
ecs_vpc_id = local.ecs_vpc_id
ecs_vpc_subnets_private_ids = local.ecs_vpc_subnets_private_ids
+ ecs_task_cpu = var.ecs_task_cpu
+ ecs_task_memory = var.ecs_task_memory
tags = var.tags
depends_on = [local.cloudtrail_sns_arn, module.ssm]
diff --git a/examples/organizational/variables.tf b/examples/organizational/variables.tf
index 492f2c45..74af125f 100644
--- a/examples/organizational/variables.tf
+++ b/examples/organizational/variables.tf
@@ -120,6 +120,20 @@ variable "ecs_vpc_region_azs" {
default = []
}
+# Configure CPU and memory in pairs.
+# See: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size
+variable "ecs_task_cpu" {
+ type = string
+ description = "Amount of CPU (in CPU units) to reserve for cloud-connector task"
+ default = "256"
+}
+
+variable "ecs_task_memory" {
+ type = string
+ description = "Amount of memory (in megabytes) to reserve for cloud-connector task"
+ default = "512"
+}
+
#
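Review bot: The new `ecs_task_cpu` and `ecs_task_memory` variables accept any string, so an invalid Fargate task size is only caught at apply time with the "No Fargate configuration exists for given values" error the README hunk documents; a `validation` block would surface the obvious cases at plan time. At minimum both values should be required to be positive numeric strings, and the comment above them could say that the cpu/memory pairing itself is enforced by ECS rather than here. The same two variables are added without validation in examples/single-account/variables.tf and modules/services/cloud-connector/variables.tf.
```hcl
variable "ecs_task_cpu" {
  type        = string
  description = "Amount of CPU (in CPU units) to reserve for cloud-connector task"
  default     = "256"

  validation {
    condition     = can(tonumber(var.ecs_task_cpu)) && tonumber(var.ecs_task_cpu) > 0
    error_message = "The ecs_task_cpu value must be a positive number of CPU units supported by Fargate; see the task_size documentation."
  }
}
# … unchanged: ecs_task_memory, with the same validation shape …
```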
diff --git a/examples/organizational/versions.tf b/examples/organizational/versions.tf
index 6c87654e..be6ab542 100644
--- a/examples/organizational/versions.tf
+++ b/examples/organizational/versions.tf
@@ -2,7 +2,7 @@ terraform {
required_version = ">= 0.15.0"
required_providers {
aws = {
- version = ">= 3.62.0"
+ version = ">= 4.0.0"
}
sysdig = {
source = "sysdiglabs/sysdig"
diff --git a/examples/single-account-k8s/README.md b/examples/single-account-k8s/README.md
index 3289c346..64acd973 100644
--- a/examples/single-account-k8s/README.md
+++ b/examples/single-account-k8s/README.md
@@ -72,7 +72,7 @@ Notice that:
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 3.74.1 |
+| [aws](#provider\_aws) | 4.0.0 |
| [helm](#provider\_helm) | 2.4.1 |
## Modules
diff --git a/examples/single-account/README.md b/examples/single-account/README.md
index bd78e0df..e811ed19 100644
--- a/examples/single-account/README.md
+++ b/examples/single-account/README.md
@@ -50,7 +50,7 @@ Notice that:
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 0.15.0 |
-| [aws](#requirement\_aws) | >= 3.62.0 |
+| [aws](#requirement\_aws) | >= 4.0.0 |
| [sysdig](#requirement\_sysdig) | >= 0.5.29 |
## Providers
@@ -86,6 +86,8 @@ No resources.
| [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `true` | no |
| [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `true` | no |
| [ecs\_cluster\_name](#input\_ecs\_cluster\_name) | Name of a pre-existing ECS (elastic container service) cluster. If defaulted, a new ECS cluster/VPC/Security Group will be created | `string` | `"create"` | no |
+| [ecs\_task\_cpu](#input\_ecs\_task\_cpu) | Amount of CPU (in CPU units) to reserve for cloud-connector task | `string` | `"256"` | no |
+| [ecs\_task\_memory](#input\_ecs\_task\_memory) | Amount of memory (in megabytes) to reserve for cloud-connector task | `string` | `"512"` | no |
| [ecs\_vpc\_id](#input\_ecs\_vpc\_id) | ID of the VPC where the workload is to be deployed. Defaulted to be created when 'ecs\_cluster\_name' is not provided. | `string` | `"create"` | no |
| [ecs\_vpc\_region\_azs](#input\_ecs\_vpc\_region\_azs) | List of Availability Zones for ECS VPC creation. e.g.: ["apne1-az1", "apne1-az2"]. If defaulted, two of the default 'aws\_availability\_zones' datasource will be taken | `list(string)` | `[]` | no |
| [ecs\_vpc\_subnets\_private\_ids](#input\_ecs\_vpc\_subnets\_private\_ids) | List of VPC subnets where workload is to be deployed. Defaulted to be created when 'ecs\_cluster\_name' is not provided. | `list(string)` | `[]` | no |
diff --git a/examples/single-account/main.tf b/examples/single-account/main.tf
index 2ddddbb2..f8c37199 100644
--- a/examples/single-account/main.tf
+++ b/examples/single-account/main.tf
@@ -49,7 +49,8 @@ module "cloud_connector" {
ecs_cluster_name = local.ecs_cluster_name
ecs_vpc_id = local.ecs_vpc_id
ecs_vpc_subnets_private_ids = local.ecs_vpc_subnets_private_ids
-
+ ecs_task_cpu = var.ecs_task_cpu
+ ecs_task_memory = var.ecs_task_memory
tags = var.tags
depends_on = [local.cloudtrail_sns_arn, module.ssm]
diff --git a/examples/single-account/variables.tf b/examples/single-account/variables.tf
index ca92b207..462ff68e 100644
--- a/examples/single-account/variables.tf
+++ b/examples/single-account/variables.tf
@@ -60,6 +60,19 @@ variable "ecs_vpc_region_azs" {
default = []
}
+# Configure CPU and memory in pairs.
+# See: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size
+variable "ecs_task_cpu" {
+ type = string
+ description = "Amount of CPU (in CPU units) to reserve for cloud-connector task"
+ default = "256"
+}
+
+variable "ecs_task_memory" {
+ type = string
+ description = "Amount of memory (in megabytes) to reserve for cloud-connector task"
+ default = "512"
+}
#
# scanning configuration
diff --git a/examples/single-account/versions.tf b/examples/single-account/versions.tf
index 6c87654e..be6ab542 100644
--- a/examples/single-account/versions.tf
+++ b/examples/single-account/versions.tf
@@ -2,7 +2,7 @@ terraform {
required_version = ">= 0.15.0"
required_providers {
aws = {
- version = ">= 3.62.0"
+ version = ">= 4.0.0"
}
sysdig = {
source = "sysdiglabs/sysdig"
diff --git a/examples/trigger-events/README.md b/examples/trigger-events/README.md
index cee9a298..7582ab3f 100644
--- a/examples/trigger-events/README.md
+++ b/examples/trigger-events/README.md
@@ -47,7 +47,7 @@ Notice that:
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 3.74.1 |
+| [aws](#provider\_aws) | 4.0.0 |
## Modules
diff --git a/modules/infrastructure/cloudtrail/README.md b/modules/infrastructure/cloudtrail/README.md
index 87dde203..e73b2fad 100644
--- a/modules/infrastructure/cloudtrail/README.md
+++ b/modules/infrastructure/cloudtrail/README.md
@@ -6,13 +6,13 @@
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 0.15.0 |
-| [aws](#requirement\_aws) | >= 3.50.0 |
+| [aws](#requirement\_aws) | >= 4.0.0 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 3.50.0 |
+| [aws](#provider\_aws) | >= 4.0.0 |
## Modules
@@ -26,6 +26,8 @@ No modules.
| [aws_kms_alias.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
| [aws_kms_key.cloudtrail_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_s3_bucket.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_acl.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_lifecycle_configuration.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
| [aws_s3_bucket_policy.cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_s3_bucket_public_access_block.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
| [aws_sns_topic.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
diff --git a/modules/infrastructure/cloudtrail/s3.tf b/modules/infrastructure/cloudtrail/s3.tf
index a0029df8..015d8cb9 100644
--- a/modules/infrastructure/cloudtrail/s3.tf
+++ b/modules/infrastructure/cloudtrail/s3.tf
@@ -1,18 +1,27 @@
resource "aws_s3_bucket" "cloudtrail" {
bucket = "${var.name}-${data.aws_caller_identity.me.account_id}"
- acl = "private"
force_destroy = true
+ tags = var.tags
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "cloudtrail" {
+ bucket = aws_s3_bucket.cloudtrail.id
- lifecycle_rule {
- enabled = true
+ rule {
+ id = "expire in ${var.s3_bucket_expiration_days} days"
+ status = "Enabled"
expiration {
days = var.s3_bucket_expiration_days
}
}
- tags = var.tags
}
+resource "aws_s3_bucket_acl" "cloudtrail" {
+ bucket = aws_s3_bucket.cloudtrail.id
+ acl = "private"
+}
+
# --------------------------
# iam, acl
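Review bot: The new `aws_s3_bucket_lifecycle_configuration.cloudtrail` rule names neither `filter` nor `prefix`, so which objects the expiration applies to is left to provider defaults; adding `filter {}` inside `rule` states explicitly that every object in the audit-log bucket expires after `var.s3_bucket_expiration_days`. Separately, `aws_s3_bucket_acl.cloudtrail` with `acl = "private"` is rejected by S3 on buckets whose Object Ownership is BucketOwnerEnforced (ACLs disabled); if that setting is or will be applied, pair it with an `aws_s3_bucket_ownership_controls` resource that the ACL resource `depends_on`, or drop the ACL resource since the bucket policy and public access block listed in the README already govern access. On existing deployments the split-out ACL and lifecycle resources will be created rather than imported, which is harmless for these two but worth a line in the upgrade notes.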
diff --git a/modules/infrastructure/cloudtrail/versions.tf b/modules/infrastructure/cloudtrail/versions.tf
index ed2c3cdc..61dfbfd0 100644
--- a/modules/infrastructure/cloudtrail/versions.tf
+++ b/modules/infrastructure/cloudtrail/versions.tf
@@ -2,7 +2,7 @@ terraform {
required_version = ">= 0.15.0"
required_providers {
aws = {
- version = ">= 3.50.0"
+ version = ">= 4.0.0"
}
}
}
diff --git a/modules/services/cloud-connector/README.md b/modules/services/cloud-connector/README.md
index 42f9d91f..ac41110c 100644
--- a/modules/services/cloud-connector/README.md
+++ b/modules/services/cloud-connector/README.md
@@ -8,13 +8,13 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 0.15.0 |
-| [aws](#requirement\_aws) | >= 3.50.0 |
+| [aws](#requirement\_aws) | >= 4.0.0 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 3.50.0 |
+| [aws](#provider\_aws) | >= 4.0.0 |
## Modules
@@ -39,8 +39,10 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu
| [aws_iam_role_policy.task_read_parameters](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_role_policy.trigger_scan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_s3_bucket.s3_config_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
-| [aws_s3_bucket_object.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object) | resource |
+| [aws_s3_bucket_acl.s3_config_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
| [aws_s3_bucket_public_access_block.s3_config_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_versioning.s3_config_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
+| [aws_s3_object.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource |
| [aws_security_group.sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_caller_identity.me](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_ecs_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecs_cluster) | data source |
@@ -71,6 +73,8 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu
| [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Default ecs cloudconnector task role name | `string` | `"ECSTaskRole"` | no |
| [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `true` | no |
| [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `true` | no |
+| [ecs\_task\_cpu](#input\_ecs\_task\_cpu) | Amount of CPU (in CPU units) to reserve for cloud-connector task | `string` | `"256"` | no |
+| [ecs\_task\_memory](#input\_ecs\_task\_memory) | Amount of memory (in megabytes) to reserve for cloud-connector task | `string` | `"512"` | no |
| [extra\_env\_vars](#input\_extra\_env\_vars) | Extra environment variables for the Cloud Connector deployment | `map(string)` | `{}` | no |
| [image](#input\_image) | Image of the cloud connector to deploy | `string` | `"quay.io/sysdig/cloud-connector:latest"` | no |
| [is\_organizational](#input\_is\_organizational) | whether secure-for-cloud should be deployed in an organizational setup | `bool` | `false` | no |
diff --git a/modules/services/cloud-connector/ecs-service.tf b/modules/services/cloud-connector/ecs-service.tf
index 551deafa..0c64d7f2 100644
--- a/modules/services/cloud-connector/ecs-service.tf
+++ b/modules/services/cloud-connector/ecs-service.tf
@@ -24,8 +24,8 @@ resource "aws_ecs_task_definition" "task_definition" {
network_mode = "awsvpc"
execution_role_arn = aws_iam_role.execution.arn # ARN of the task execution role that the Amazon ECS container agent and the Docker daemon can assume
task_role_arn = local.ecs_task_role_arn # ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS resource-group.
- cpu = "256"
- memory = "512"
+ cpu = var.ecs_task_cpu
+ memory = var.ecs_task_memory
container_definitions = jsonencode([
{
diff --git a/modules/services/cloud-connector/s3-config.tf b/modules/services/cloud-connector/s3-config.tf
index 7e0dcffb..e434469a 100644
--- a/modules/services/cloud-connector/s3-config.tf
+++ b/modules/services/cloud-connector/s3-config.tf
@@ -2,9 +2,10 @@ locals {
s3_bucket_config_id = aws_s3_bucket.s3_config_bucket.id
}
-resource "aws_s3_bucket_object" "config" {
- bucket = local.s3_bucket_config_id
- key = "cloud-connector.yaml"
+resource "aws_s3_object" "config" {
+ bucket = local.s3_bucket_config_id
+ key = "cloud-connector.yaml"
+
content = local.default_config
tags = var.tags
}
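Review bot: Renaming `aws_s3_bucket_object.config` to `aws_s3_object.config` changes the resource type, so on an existing deployment the plan is a destroy of the old address plus a create of the new one for the same key, and I am not aware of any ordering guarantee between the two — the delete can land after the upload and remove the freshly written `cloud-connector.yaml`. The upgrade path should be documented: import the existing object at the new address and `terraform state rm` the old address before applying. Separately, `aws_s3_object.config` depends only on the bucket, so the first upload can happen before `aws_s3_bucket_versioning.s3_config_bucket` in s3.tf enables versioning; if the intent is to keep a history of every config revision, add `depends_on = [aws_s3_bucket_versioning.s3_config_bucket]` to this resource.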
diff --git a/modules/services/cloud-connector/s3.tf b/modules/services/cloud-connector/s3.tf
index 015aa7d1..140bc959 100644
--- a/modules/services/cloud-connector/s3.tf
+++ b/modules/services/cloud-connector/s3.tf
@@ -2,12 +2,22 @@ data "aws_caller_identity" "me" {}
resource "aws_s3_bucket" "s3_config_bucket" {
bucket = "${var.name}-${data.aws_caller_identity.me.account_id}-config"
- acl = "private"
force_destroy = true
- versioning {
- enabled = true
+ tags = var.tags
+}
+
+
+resource "aws_s3_bucket_acl" "s3_config_bucket" {
+ bucket = aws_s3_bucket.s3_config_bucket.id
+ acl = "private"
+}
+
+
+resource "aws_s3_bucket_versioning" "s3_config_bucket" {
+ bucket = aws_s3_bucket.s3_config_bucket.id
+ versioning_configuration {
+ status = "Enabled"
}
- tags = var.tags
}
diff --git a/modules/services/cloud-connector/variables.tf b/modules/services/cloud-connector/variables.tf
index 5e60656b..5d2ec76d 100644
--- a/modules/services/cloud-connector/variables.tf
+++ b/modules/services/cloud-connector/variables.tf
@@ -47,7 +47,6 @@ variable "sns_topic_arn" {
# optionals - with default
#---------------------------------
-
#
# module composition
#
@@ -84,6 +83,21 @@ variable "organizational_config" {
#
# module config
#
+
+# Configure CPU and memory in pairs.
+# See: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size
+variable "ecs_task_cpu" {
+ type = string
+ description = "Amount of CPU (in CPU units) to reserve for cloud-connector task"
+ default = "256"
+}
+
+variable "ecs_task_memory" {
+ type = string
+ description = "Amount of memory (in megabytes) to reserve for cloud-connector task"
+ default = "512"
+}
+
variable "connector_ecs_task_role_name" {
type = string
default = "ECSTaskRole"
diff --git a/modules/services/cloud-connector/versions.tf b/modules/services/cloud-connector/versions.tf
index ed2c3cdc..61dfbfd0 100644
--- a/modules/services/cloud-connector/versions.tf
+++ b/modules/services/cloud-connector/versions.tf
@@ -2,7 +2,7 @@ terraform {
required_version = ">= 0.15.0"
required_providers {
aws = {
- version = ">= 3.50.0"
+ version = ">= 4.0.0"
}
}
}