Deploy Sysdig Secure for Cloud in a single AWS account using App Runner.
All the required resources and workloads will be run under the same account.
Minimum requirements:

- Configure the Terraform AWS Provider.
- Secure requirements, as input variable value: `sysdig_secure_api_token=<SECURE_API_TOKEN>`
- Resource creation inventory: find all the resources created by Sysdig examples in the resource group `sysdig-secure-for-cloud` (AWS Resource Group & Tag Editor).
- Deployment cost: this example will create resources that cost money. Run `terraform destroy` when you don't need them anymore.
- AppRunner enabled zones: AppRunner isn't available in all AWS zones; check the AppRunner Service endpoints for enabled zones.
For quick testing, use this snippet in your Terraform files (the two `provider "sysdig"` values and the `region` line are corrected here; they were swapped and malformed in the earlier copy):

```hcl
terraform {
  required_providers {
    sysdig = {
      source  = "sysdiglabs/sysdig"
      version = ">=0.5.33"
    }
  }
}

provider "sysdig" {
  sysdig_secure_url       = "<SYSDIG_SECURE_URL>"
  sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
}

provider "aws" {
  # Take care of AppRunner available zones: https://docs.aws.amazon.com/general/latest/gr/apprunner.html
  region = "<AWS_REGION>"
}

module "cloudvision_aws_apprunner_single_account" {
  source = "sysdiglabs/secure-for-cloud/aws//examples/single-account-apprunner"
}
```
See the inputs summary or the module's variables.tf file for more optional configuration.
To run this example you need to have your AWS account profile configured in the CLI and execute:

```sh
$ terraform init
$ terraform plan
$ terraform apply
```
Requirements:

Name | Version |
---|---|
terraform | >= 1.0.0 |
aws | >= 4.0.0 |
sysdig | >= 0.5.33 |
Providers:

Name | Version |
---|---|
sysdig | 0.5.39 |
Modules:

Name | Source | Version |
---|---|---|
cloud_bench | ../../modules/services/cloud-bench | n/a |
cloud_connector | ../../modules/services/cloud-connector-apprunner | n/a |
cloudtrail | ../../modules/infrastructure/cloudtrail | n/a |
codebuild | ../../modules/infrastructure/codebuild | n/a |
resource_group | ../../modules/infrastructure/resource-group | n/a |
ssm | ../../modules/infrastructure/ssm | n/a |
Resources:

Name | Type |
---|---|
sysdig_secure_connection.current | data source |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
benchmark_regions | List of regions in which to run the benchmark. If empty, the task will cover all AWS regions by default. | list(string) | [] | no |
cloudconnector_ecr_image_uri | URI of the cloud-connector image on ECR | string | "public.ecr.aws/o5x4u2t4/cloud-connector:latest" | no |
cloudtrail_is_multi_region_trail | true/false whether CloudTrail will ingest multi-regional events | bool | true | no |
cloudtrail_kms_enable | true/false whether CloudTrail events delivered to S3 should persist encrypted | bool | true | no |
cloudtrail_sns_arn | ARN of a pre-existing cloudtrail_sns. If defaulted, a new CloudTrail will be created. If specified, the Sysdig deployment account and region must match the specified SNS topic | string | "create" | no |
deploy_benchmark | Whether or not to deploy the cloud benchmarking | bool | true | no |
deploy_image_scanning_ecr | true/false whether to deploy image scanning on images pushed to ECR | bool | false | no |
deploy_image_scanning_ecs | true/false whether to deploy image scanning on images running on ECS | bool | false | no |
name | Name to be assigned to all child resources. A suffix may be added internally when required. Use the default value unless you need to install multiple instances | string | "sfc" | no |
tags | Sysdig secure-for-cloud tags. Always include the 'product' default tag so the resource group works properly | map(string) | { | no |
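A complete root module that wires the inputs from the table above, as an added example that is not part of the sysdiglabs/secure-for-cloud project. It passes the Sysdig API token through a `sensitive` variable instead of hard-coding it in the provider block (so it never lands in the `.tf` files or in plan output), keeps the encrypted, multi-region CloudTrail defaults explicit, and turns on the optional ECR/ECS image scanning. The `sysdig_secure_url` default, the AWS region, the benchmark region list, the `product` tag value (taken from the resource-group name the page mentions) and the `owner` tag are assumptions; every input name comes from the table.

```hcl
terraform {
  required_version = ">= 1.0.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0.0"
    }
    sysdig = {
      source  = "sysdiglabs/sysdig"
      version = ">= 0.5.33"
    }
  }
}

# Supplied at apply time (e.g. via the TF_VAR_sysdig_secure_api_token
# environment variable); never committed to source control.
variable "sysdig_secure_api_token" {
  type      = string
  sensitive = true
}

# Assumption: the Sysdig SaaS endpoint; adjust to the region of your tenant.
variable "sysdig_secure_url" {
  type    = string
  default = "https://secure.sysdig.com"
}

# Assumption: a region where App Runner is available.
variable "aws_region" {
  type    = string
  default = "us-east-1"
}

provider "sysdig" {
  sysdig_secure_url       = var.sysdig_secure_url
  sysdig_secure_api_token = var.sysdig_secure_api_token
}

provider "aws" {
  region = var.aws_region
}

module "cloudvision_aws_apprunner_single_account" {
  source = "sysdiglabs/secure-for-cloud/aws//examples/single-account-apprunner"

  name = "sfc"

  # Encrypted, multi-region trail: these are the defaults, spelled out so a
  # reviewer sees the logging posture without opening variables.tf.
  cloudtrail_is_multi_region_trail = true
  cloudtrail_kms_enable            = true

  # Optional scanning of images pushed to ECR and images running on ECS.
  deploy_image_scanning_ecr = true
  deploy_image_scanning_ecs = true

  # Constructed list: restrict the benchmark to the regions you actually use.
  benchmark_regions = ["us-east-1", "us-west-2"]

  # Keep the 'product' tag: the resource group depends on it.
  # The product value is assumed to match the resource-group name; owner is constructed.
  tags = {
    product = "sysdig-secure-for-cloud"
    owner   = "security-team"
  }
}

# Surface the module's output so it can be referenced by other stacks.
output "cloudtrail_sns_topic_arn" {
  value = module.cloudvision_aws_apprunner_single_account.cloudtrail_sns_topic_arn
}
```

Export the token before running (`export TF_VAR_sysdig_secure_api_token=...`), then `terraform init`, `terraform plan` and `terraform apply` as above; because the variable is marked `sensitive`, Terraform redacts it in plan and apply output. Run `terraform destroy` when the test deployment is no longer needed.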
Outputs:

Name | Description |
---|---|
cloudtrail_sns_topic_arn | ARN of the cloudtrail_sns topic |
Module is maintained and supported by Sysdig.
Apache 2 Licensed. See LICENSE for full details.