feat: enable benchmark on single-account-k8s (#83)

iru · web-flow · commit a706aad6258c · 2021-11-24T16:04:43.000+01:00
diff --git a/README.md b/README.md
@@ -1,16 +1,18 @@
 # Sysdig Secure for Cloud in GCP
 
 Terraform module that deploys the [**Sysdig Secure for Cloud** stack in **Google Cloud**](https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/deploy-sysdig-secure-for-cloud-on-gcp/).
-<br/>It provides unified threat detection, compliance, forensics and analysis.
+<br/>
 
-There are three major components:
+Provides unified threat-detection, compliance, forensics and analysis through these major components:
+
+* **[CSPM/Compliance](https://docs.sysdig.com/en/docs/sysdig-secure/benchmarks/)**: It evaluates periodically your cloud configuration, using Cloud Custodian, against some benchmarks and returns the results and remediation you need to fix. Managed through `cloud-bench` module. <br/>
+
+* **[CIEM](https://docs.sysdig.com/en/docs/sysdig-secure/posture/)**: Permissions and Entitlements management. Requires BOTH modules  `cloud-connector` and `cloud-bench`. <br/>
+
+* **[Cloud Threat Detection](https://docs.sysdig.com/en/docs/sysdig-secure/insights/)**: Tracks abnormal and suspicious activities in your cloud environment based on Falco language. Managed through `cloud-connector` module. <br/>
+
+* **[Cloud Scanning](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/)**: Automatically scans all container images pushed to the registry or as soon a new task which involves a container is spawned in your account. Managed through `cloud-connector`. <br/>
 
-* **CSPM/Compliance**: It evaluates periodically your cloud configuration, using Cloud Custodian, against some benchmarks and returns the results and remediation you need to fix. Managed through [cloud-bench module](https://github.com/sysdiglabs/terraform-google-secure-for-cloud/tree/master/modules/services/cloud-bench).
-  <br/><br/>
-* **Cloud Threat Detection**: Tracks abnormal and suspicious activities in your cloud environment based on Falco language. Managed through [cloud-connector module](https://github.com/sysdiglabs/terraform-google-secure-for-cloud/tree/master/modules/services/cloud-connector).
-<br/><br/>
-* **Cloud Scanning**: Automatically scans all container images pushed to the registry or as soon a new task which involves a container is spawned in your account. Managed through [cloud-connector module](https://github.com/sysdiglabs/terraform-google-secure-for-cloud/tree/master/modules/services/cloud-connector).
-  <br/><br/>
 
 For other Cloud providers check: [AWS](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud), [Azure](https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud)
 
@@ -133,38 +135,40 @@ In the `cloud-connector` logs you should see similar logs to these
 
 ## Troubleshooting
 
-### Q1: Getting "Error creating WorkloadIdentityPool: googleapi: Error 409: Requested entity already exists"<br/>
-  A1: Currently Sysdig Backend does not support dynamic WorkloadPool and it's name is fixed to `sysdiglcoud`.
-  <br/>Besides, Google, only performs a soft-deletion of this resource.
-  https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#delete-pool
+### Q: Getting "Error creating WorkloadIdentityPool: googleapi: Error 409: Requested entity already exists"<br/>
+A: Currently Sysdig Backend does not support dynamic WorkloadPool and it's name is fixed to `sysdiglcoud`.
+<br/>Besides, Google, only performs a soft-deletion of this resource.
+https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#delete-pool
 
 > You can undelete a pool for up to 30 days after deletion. After 30 days, deletion is permanent. Until a pool is permanently deleted, you cannot reuse its   name when creating a new workload identity pool.<br/>
 
-  S1: For the moment, federation workload identity pool+provider have fixed name. In case you want to reuse it, you can reactivate and import it, into your terraform state manually.
-  ```bash
-  # re-activate pool and provider
-  $ gcloud iam workload-identity-pools undelete sysdigcloud  --location=global
-  $ gcloud iam workload-identity-pools providers undelete sysdigcloud --workload-identity-pool="sysdigcloud" --location=global
+S: For the moment, federation workload identity pool+provider have fixed name. In case you want to reuse it, you can reactivate and import it, into your terraform state manually.
+```bash
+# re-activate pool and provider
+$ gcloud iam workload-identity-pools undelete sysdigcloud  --location=global
+$ gcloud iam workload-identity-pools providers undelete sysdigcloud --workload-identity-pool="sysdigcloud" --location=global
+
+# import to terraform state
+# input your project-id, and for organization example, change the import resource accordingly
+$ terraform import 'module.sfc_example_single-project.module.cloud_bench[0].module.trust_relationship["<YOUR_PROJECT_ID>"].google_iam_workload_identity_pool.pool' sysdigcloud
+$ terraform import 'module.sfc_example_single-project.module.cloud_bench[0].module.trust_relationship["<YOUR_PROJECT_ID>"].google_iam_workload_identity_pool_provider.pool_provider' sysdigcloud/sysdigcloud
+ ```
+
+### Q: Scanning does not seem to work<br/>
+A: Verify that `gcr` topic exists. If `create_gcr_topic` is set to false and `gcr` topic is not found, the GCR scanning is ommited and won't be deployed. For more info see GCR PubSub topic.
+<br/><br/>
 
-  # import to terraform state
-  # input your project-id, and for organization example, change the import resource accordingly
-  $ terraform import 'module.sfc_example_single-project.module.cloud_bench[0].module.trust_relationship["<YOUR_PROJECT_ID>"].google_iam_workload_identity_pool.pool' sysdigcloud
-  $ terraform import 'module.sfc_example_single-project.module.cloud_bench[0].module.trust_relationship["<YOUR_PROJECT_ID>"].google_iam_workload_identity_pool_provider.pool_provider' sysdigcloud/sysdigcloud
-   ```
+### Q: Scanning, I get an error saying:
+```
+error starting scan runner for image ****: rpc error: code = PermissionDenied desc = Cloud Build API has not been used in project *** before or it is disabled.
+Enable it by visiting https://console.developers.google.com/apis/api/cloudbuild.googleapis.com/overview?project=*** then retry.
 
-### Q2: Scanning does not seem to work<br/>
-  A2: Verify that `gcr` topic exists. If `create_gcr_topic` is set to false and `gcr` topic is not found, the GCR scanning is ommited and won't be deployed. For more info see GCR PubSub topic.
+If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry
+```
+A: Do as the error says and activate CloudBuild API. Check the list of all the required APIs that need to be activated per feature module.
 <br/><br/>
 
-### Q3: Scanning, I get an error saying:
-  ```
-  error starting scan runner for image ****: rpc error: code = PermissionDenied desc = Cloud Build API has not been used in project *** before or it is disabled.
-  Enable it by visiting https://console.developers.google.com/apis/api/cloudbuild.googleapis.com/overview?project=*** then retry.
 
-  If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry
-  ```
-  A3: Do as the error says and activate CloudBuild API. Check the list of all the required APIs that need to be activated per feature module.
-<br/><br/>
 ## Authors
 
 Module is maintained and supported by [Sysdig](https://sysdig.com).
diff --git a/examples/single-project-k8s/README.md b/examples/single-project-k8s/README.md
@@ -2,11 +2,10 @@
 
 Deploy Sysdig Secure for Cloud in a provided existing Kubernetes Cluster.
 
-- Sysdig **Helm** charts will be used to deploy the secure-for-cloud stack:
-    - [Cloud-Connector Chart](https://charts.sysdig.com/charts/cloud-connector/)
-    - Because these charts require specific GCP credentials to be passed by parameter, a new service account + key will
-      be created within the project. See [`credentials.tf`](./credentials.tf)
-- Used architecture is similar to [single-project](../single-project) but changing Cloud Run <---> with an existing K8s
+- Sysdig **Helm** [cloud-connector chart](https://charts.sysdig.com/charts/cloud-connector/) will be used to deploy threat-detection and scanning features
+  <br/>Because these charts require specific GCP credentials to be passed by parameter, a new service account + key will be created
+  within the project. See [`credentials.tf`](https://github.com/sysdiglabs/terraform-google-secure-for-cloud/blob/master/examples/single-project-k8s/credentials.tf)
+- Used architecture is similar to [single-project](https://github.com/sysdiglabs/terraform-google-secure-for-cloud/blob/master/examples/single-project) but changing Cloud Run <---> with an existing K8s
 
 All the required resources and workloads will be run under the same GCP project.
 
@@ -71,6 +70,7 @@ Notice that:
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_cloud_bench"></a> [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench |  |
 | <a name="module_connector_project_sink"></a> [connector\_project\_sink](#module\_connector\_project\_sink) | ../../modules/infrastructure/project_sink |  |
 
 ## Resources
@@ -89,7 +89,10 @@ Notice that:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_sysdig_secure_api_token"></a> [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig's Secure API Token | `string` | n/a | yes |
+| <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all regions by default. | `list(string)` | `[]` | no |
+| <a name="input_benchmark_role_name"></a> [benchmark\_role\_name](#input\_benchmark\_role\_name) | The name of the Service Account that will be created. | `string` | `"sysdigcloudbench"` | no |
 | <a name="input_cloud_connector_image"></a> [cloud\_connector\_image](#input\_cloud\_connector\_image) | Cloud-connector image to deploy | `string` | `"quay.io/sysdig/cloud-connector"` | no |
+| <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | whether benchmark module is to be deployed | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
 
diff --git a/examples/single-project-k8s/benchmark.tf b/examples/single-project-k8s/benchmark.tf
@@ -0,0 +1,9 @@
+module "cloud_bench" {
+  count  = var.deploy_benchmark ? 1 : 0
+  source = "../../modules/services/cloud-bench"
+
+  is_organizational = false
+  role_name         = "${var.name}${var.benchmark_role_name}"
+  project_id        = data.google_client_config.current.project
+  regions           = var.benchmark_regions
+}
diff --git a/examples/single-project-k8s/variables.tf b/examples/single-project-k8s/variables.tf
@@ -7,6 +7,28 @@ variable "sysdig_secure_api_token" {
 # --------------------------
 # optionals, with defaults
 # -------------------------
+
+# benchmark
+variable "deploy_benchmark" {
+  type        = bool
+  description = "whether benchmark module is to be deployed"
+  default     = true
+}
+
+variable "benchmark_regions" {
+  type        = list(string)
+  description = "List of regions in which to run the benchmark. If empty, the task will contain all regions by default."
+  default     = []
+}
+
+variable "benchmark_role_name" {
+  type        = string
+  description = "The name of the Service Account that will be created."
+  default     = "sysdigcloudbench"
+}
+
+
+# general
 variable "sysdig_secure_endpoint" {
   type        = string
   default     = "https://secure.sysdig.com"
diff --git a/examples/single-project/README.md b/examples/single-project/README.md
@@ -93,7 +93,7 @@ module "secure-for-cloud_example_single-project" {
 | <a name="input_sysdig_secure_api_token"></a> [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig's Secure API Token | `string` | n/a | yes |
 | <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all regions by default. | `list(string)` | `[]` | no |
 | <a name="input_benchmark_role_name"></a> [benchmark\_role\_name](#input\_benchmark\_role\_name) | The name of the Service Account that will be created. | `string` | `"sysdigcloudbench"` | no |
-| <a name="input_deploy_bench"></a> [deploy\_bench](#input\_deploy\_bench) | whether benchmark module is to be deployed | `bool` | `true` | no |
+| <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | whether benchmark module is to be deployed | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
 
diff --git a/examples/single-project/benchmark.tf b/examples/single-project/benchmark.tf
@@ -0,0 +1,9 @@
+module "cloud_bench" {
+  count  = var.deploy_benchmark ? 1 : 0
+  source = "../../modules/services/cloud-bench"
+
+  is_organizational = false
+  role_name         = "${var.name}${var.benchmark_role_name}"
+  project_id        = data.google_client_config.current.project
+  regions           = var.benchmark_regions
+}
diff --git a/examples/single-project/main.tf b/examples/single-project/main.tf
@@ -62,16 +62,3 @@ module "pubsub_http_subscription" {
 
   push_http_endpoint = "${module.cloud_connector.cloud_run_service_url}/gcr_scanning"
 }
-
-#######################
-#      BENCHMARKS     #
-#######################
-module "cloud_bench" {
-  count  = var.deploy_bench ? 1 : 0
-  source = "../../modules/services/cloud-bench"
-
-  is_organizational = false
-  role_name         = "${var.name}${var.benchmark_role_name}"
-  project_id        = data.google_client_config.current.project
-  regions           = var.benchmark_regions
-}
diff --git a/examples/single-project/variables.tf b/examples/single-project/variables.tf
@@ -26,7 +26,7 @@ variable "name" {
 
 # benchmark
 
-variable "deploy_bench" {
+variable "deploy_benchmark" {
   type        = bool
   description = "whether benchmark module is to be deployed"
   default     = true
diff --git a/test/fixtures/single-project/main.tf b/test/fixtures/single-project/main.tf
@@ -21,5 +21,5 @@ module "sfc_example_single_project" {
   sysdig_secure_api_token = var.sysdig_secure_api_token
   sysdig_secure_endpoint  = var.sysdig_secure_endpoint
   name                    = "sfc${random_string.random.result}"
-  deploy_bench            = false
+  deploy_benchmark        = false
 }

Original file line number	Diff line number	Diff line change
`@@ -21,5 +21,5 @@ module "sfc_example_single_project" {`
`21`	`21`	`sysdig_secure_api_token = var.sysdig_secure_api_token`
`22`	`22`	`sysdig_secure_endpoint = var.sysdig_secure_endpoint`
`23`	`23`	`name = "sfc${random_string.random.result}"`
`24`		`- deploy_bench = false`
	`24`	`+ deploy_benchmark = false`
`25`	`25`	`}`