Sysdig Secure for Cloud in AWS
[ Example :: Single-Account on Kubernetes Cluster ]

Deploy Sysdig Secure for Cloud into an existing Kubernetes cluster that you provide.

  • The Sysdig Helm cloud-connector chart is used to deploy the threat-detection and scanning features.
    Because these charts require specific AWS credentials to be passed as parameters, a new IAM user and access key are created within the account. See credentials.tf.
  • The architecture is the same as the single-account example, with the ECS workload replaced by an existing Kubernetes cluster (EKS or vanilla).

Notice

  • All the required resources and workloads run under the same AWS account.

  • All Sysdig Secure for Cloud features except Image Scanning are enabled by default. Enable it through the deploy_image_scanning_ecr and deploy_image_scanning_ecs input variables.

  • Resource creation inventory: find all the resources created by the Sysdig examples in the resource group sysdig-secure-for-cloud (AWS Resource Groups & Tag Editor).

  • Deployment cost: this example creates resources that cost money.
    Run terraform destroy when you no longer need them.

[Diagram: single-account-k8s architecture]

Prerequisites

Minimum requirements:

  1. Configure the Terraform AWS Provider.
  2. Configure the Helm Provider for the Kubernetes cluster.
  3. Provide the Sysdig Secure requirements as an input variable value:
     sysdig_secure_api_token=<SECURE_API_TOKEN>

Usage

For quick testing, use this snippet in your Terraform files:

```hcl
terraform {
  required_providers {
    sysdig = {
      source = "sysdiglabs/sysdig"
    }
  }
}

provider "sysdig" {
  sysdig_secure_url       = "<SYSDIG_SECURE_URL>"
  sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
}

provider "aws" {
  region = "<AWS-REGION>" # e.g. us-east-1
}

provider "helm" {
  kubernetes {
    config_path = "~/.kube/config"
  }
}

module "secure_for_cloud_aws_single_account_k8s" {
  source = "sysdiglabs/secure-for-cloud/aws//examples/single-account-k8s"
}
```

See the Inputs summary below or the module's variables.tf file for more optional configuration.

To run this example you need your AWS account profile configured in the CLI, then execute:

```sh
$ terraform init
$ terraform plan
$ terraform apply
```

Requirements

| Name      | Version   |
|-----------|-----------|
| terraform | >= 1.0.0  |
| aws       | >= 4.0.0  |
| helm      | >= 2.3.0  |
| sysdig    | >= 0.5.33 |

Providers

| Name   | Version |
|--------|---------|
| aws    | 4.26.0  |
| helm   | 2.6.0   |
| sysdig | 0.5.39  |

Modules

| Name                | Source                                             | Version |
|---------------------|----------------------------------------------------|---------|
| cloud_bench         | ../../modules/services/cloud-bench                 | n/a     |
| cloud_connector_sqs | ../../modules/infrastructure/sqs-sns-subscription  | n/a     |
| cloudtrail          | ../../modules/infrastructure/cloudtrail            | n/a     |
| codebuild           | ../../modules/infrastructure/codebuild             | n/a     |
| iam_user            | ../../modules/infrastructure/permissions/iam-user  | n/a     |
| resource_group      | ../../modules/infrastructure/resource-group        | n/a     |
| ssm                 | ../../modules/infrastructure/ssm                   | n/a     |

Resources

| Name                            | Type        |
|---------------------------------|-------------|
| helm_release.cloud_connector    | resource    |
| aws_region.current              | data source |
| sysdig_secure_connection.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| benchmark_regions | List of regions in which to run the benchmark. If empty, the task covers all AWS regions by default. | list(string) | [] | no |
| cloudtrail_is_multi_region_trail | Whether CloudTrail ingests multi-region events. For testing/cost-reduction purposes. | bool | true | no |
| cloudtrail_kms_enable | Whether the CloudTrail S3 bucket is encrypted. For testing/cost-reduction purposes. | bool | true | no |
| cloudtrail_sns_arn | ARN of a pre-existing CloudTrail SNS topic. If left at the default, a new CloudTrail is created. If specified, the deployment region must match the CloudTrail S3 bucket region. | string | "create" | no |
| deploy_benchmark | Whether to deploy the cloud benchmarking. | bool | true | no |
| deploy_image_scanning_ecr | Whether to deploy image scanning for images pushed to ECR. | bool | false | no |
| deploy_image_scanning_ecs | Whether to deploy image scanning for images running on ECS. | bool | false | no |
| name | Name assigned to all child resources. A suffix may be added internally when required. Use the default unless you need to install multiple instances. | string | "sfc" | no |
| tags | Sysdig Secure for Cloud tags. Always include the default 'product' tag so the resource group works correctly. | map(string) | {"product": "sysdig-secure-for-cloud"} | no |
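The following is an added configuration example, not code from the Sysdig project, combining the Usage snippet above with the optional inputs from this table: it reuses an existing CloudTrail SNS topic, enables the image-scanning features that are off by default, narrows the benchmark regions, and keeps the required 'product' tag. All placeholder values in angle brackets, the 123456789012 account ID, the kube context and the region list are assumptions.

```hcl
# Added example (not part of the Sysdig project's own code). Placeholder
# values in <...>, the account ID and the region list are assumptions.

terraform {
  required_version = ">= 1.0.0"
  required_providers {
    aws    = { source = "hashicorp/aws", version = ">= 4.0.0" }
    helm   = { source = "hashicorp/helm", version = ">= 2.3.0" }
    sysdig = { source = "sysdiglabs/sysdig", version = ">= 0.5.33" }
  }
}

# Pass the token via TF_VAR_sysdig_secure_api_token rather than hard-coding it.
variable "sysdig_secure_api_token" {
  type      = string
  sensitive = true
}

provider "sysdig" {
  sysdig_secure_url       = "<SYSDIG_SECURE_URL>"
  sysdig_secure_api_token = var.sysdig_secure_api_token
}

provider "aws" {
  # When reusing an existing trail, this must match the CloudTrail S3 bucket region.
  region = "us-east-1"
}

provider "helm" {
  kubernetes {
    config_path    = "~/.kube/config"
    config_context = "<KUBE_CONTEXT>" # pin the context so the chart lands on the intended cluster
  }
}

module "secure_for_cloud_aws_single_account_k8s" {
  source = "sysdiglabs/secure-for-cloud/aws//examples/single-account-k8s"

  # Reuse an existing CloudTrail SNS topic instead of creating a new trail.
  cloudtrail_sns_arn = "arn:aws:sns:us-east-1:123456789012:<EXISTING_CLOUDTRAIL_TOPIC>"

  # Image scanning is disabled by default; enable it for both ECR and ECS.
  deploy_image_scanning_ecr = true
  deploy_image_scanning_ecs = true

  # Run the benchmark only in the regions actually in use.
  benchmark_regions = ["us-east-1", "eu-west-1"]

  # Keep the 'product' tag: the resource group depends on it.
  tags = {
    "product" = "sysdig-secure-for-cloud"
    "env"     = "prod"
  }
}
```

The IAM user access key created by credentials.tf ends up in Terraform state, so keep the state backend encrypted and access-controlled.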

Outputs

No outputs.

Authors

Module is maintained and supported by Sysdig.

License

Apache 2 Licensed. See LICENSE for full details.