Deploy Sysdig Secure for Cloud in a single AWS account.
All the required resources and workloads will be run under the same account.
- All Sysdig Secure for Cloud features except image scanning are enabled by default. Enable image scanning through the `deploy_image_scanning_ecr` and `deploy_image_scanning_ecs` input variables.
- Resource creation inventory: all the resources created by the Sysdig examples are listed in the `sysdig-secure-for-cloud` resource group (AWS Resource Groups & Tag Editor).
- Deployment cost: this example creates resources that cost money. Run `terraform destroy` when you no longer need them.
Minimum requirements:
- Configure the Terraform AWS provider.
- Sysdig Secure requirements, passed as an input variable value: `sysdig_secure_api_token=<SECURE_API_TOKEN>`
For quick testing, use this snippet in your Terraform files. Do not commit a real API token: supply it through a variable, a `.tfvars` file kept out of version control, or the CLI.
```hcl
terraform {
  required_providers {
    sysdig = {
      source = "sysdiglabs/sysdig"
    }
  }
}

# Sysdig Secure endpoint and API token used by the module to register the account
provider "sysdig" {
  sysdig_secure_url       = "<SYSDIG_SECURE_URL>"
  sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
}

# Region where the ECS workload, CloudTrail and supporting resources are created
provider "aws" {
  region = "<AWS-REGION>" # e.g. us-east-1
}

module "secure_for_cloud_aws_single_account_ecs" {
  source = "sysdiglabs/secure-for-cloud/aws//examples/single-account-ecs"
}
```
See the inputs summary below or the module's `variables.tf` file for more optional configuration.
To run this example you need an AWS account profile configured in the CLI; then execute:
```sh
$ terraform init
$ terraform plan
$ terraform apply
```
Requirements:

Name | Version |
---|---|
terraform | >= 1.0.0 |
aws | >= 4.0.0 |
sysdig | >= 0.5.33 |
Providers:

Name | Version |
---|---|
sysdig | 0.5.39 |
Modules:

Name | Source | Version |
---|---|---|
cloud_bench | ../../modules/services/cloud-bench | n/a |
cloud_connector | ../../modules/services/cloud-connector-ecs | n/a |
cloudtrail | ../../modules/infrastructure/cloudtrail | n/a |
codebuild | ../../modules/infrastructure/codebuild | n/a |
ecs_vpc | ../../modules/infrastructure/ecs-vpc | n/a |
resource_group | ../../modules/infrastructure/resource-group | n/a |
ssm | ../../modules/infrastructure/ssm | n/a |
Resources:

Name | Type |
---|---|
sysdig_secure_connection.current | data source |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
benchmark_regions | List of regions in which to run the benchmark. If empty, the task covers all AWS regions by default. | list(string) | [] | no |
cloudtrail_is_multi_region_trail | Whether the CloudTrail trail ingests multi-region events | bool | true | no |
cloudtrail_kms_enable | Whether CloudTrail events delivered to S3 are persisted encrypted | bool | true | no |
cloudtrail_sns_arn | ARN of a pre-existing CloudTrail SNS topic. If defaulted, a new CloudTrail trail is created. If specified, the Sysdig deployment account and region must match those of the SNS topic | string | "create" | no |
deploy_benchmark | Whether to deploy the cloud benchmarking | bool | true | no |
deploy_image_scanning_ecr | Whether to deploy image scanning of images pushed to ECR | bool | false | no |
deploy_image_scanning_ecs | Whether to deploy image scanning of images running on ECS | bool | false | no |
ecs_cluster_name | Name of a pre-existing ECS (Elastic Container Service) cluster. If defaulted, a new ECS cluster, VPC and security group are created. If specified, all three parameters ecs_cluster_name, ecs_vpc_id and ecs_vpc_subnets_private_ids are required. | string | "create" | no |
ecs_task_cpu | Amount of CPU (in CPU units) to reserve for the cloud-connector task | string | "256" | no |
ecs_task_memory | Amount of memory (in megabytes) to reserve for the cloud-connector task | string | "512" | no |
ecs_vpc_id | ID of the VPC where the workload is to be deployed. If defaulted, a new VPC is created. If specified, all three parameters ecs_cluster_name, ecs_vpc_id and ecs_vpc_subnets_private_ids are required. | string | "create" | no |
ecs_vpc_region_azs | List of Availability Zones for ECS VPC creation, e.g. ["apne1-az1", "apne1-az2"]. If defaulted, two zones from the default aws_availability_zones data source are taken | list(string) | [] | no |
ecs_vpc_subnets_private_ids | List of VPC subnets where the workload is to be deployed. If defaulted, new subnets are created within the VPC. A minimum of two subnets is suggested. If specified, all three parameters ecs_cluster_name, ecs_vpc_id and ecs_vpc_subnets_private_ids are required. | list(string) | [] | no |
name | Name to be assigned to all child resources. A suffix may be added internally when required. Use the default value unless you need to install multiple instances | string | "sfc" | no |
tags | Sysdig Secure for Cloud tags. Always include the 'product' default tag so the resource group keeps working | map(string) | { | no |
Outputs:

Name | Description |
---|---|
cloudtrail_sns_topic_arn | ARN of the CloudTrail SNS topic |
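The following is an added, complete configuration that is not part of the module's own examples. It extends the quick-testing snippet with the optional inputs from the tables above: it enables both image scanning modes, reuses a pre-existing ECS cluster, VPC and private subnets (all three must be set together), narrows the benchmark to two regions, keeps the `product` tag so the resource group still matches, and exposes the module output. The API token is read from a sensitive variable instead of being written in the file. The cluster name, VPC and subnet IDs, region list, the `env` tag and the `product` tag value are placeholders assumed for illustration, not values taken from the page.

```hcl
terraform {
  required_version = ">= 1.0.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0.0"
    }
    sysdig = {
      source  = "sysdiglabs/sysdig"
      version = ">= 0.5.33"
    }
  }
}

# Credentials come in as variables, e.g. `terraform apply -var-file=secrets.tfvars`,
# so the token never lands in a committed .tf file or in `terraform plan` output.
variable "sysdig_secure_url" {
  type = string
}

variable "sysdig_secure_api_token" {
  type      = string
  sensitive = true
}

provider "sysdig" {
  sysdig_secure_url       = var.sysdig_secure_url
  sysdig_secure_api_token = var.sysdig_secure_api_token
}

provider "aws" {
  region = "us-east-1" # assumed region; must match a pre-existing SNS topic if cloudtrail_sns_arn is set
}

module "secure_for_cloud_aws_single_account_ecs" {
  source = "sysdiglabs/secure-for-cloud/aws//examples/single-account-ecs"

  # Keep the default name unless several instances are installed side by side.
  name = "sfc"

  # Image scanning is off by default; turn on scanning of ECR pushes and ECS running images.
  deploy_image_scanning_ecr = true
  deploy_image_scanning_ecs = true

  # Reuse existing networking instead of letting the module create a VPC/cluster.
  # All three must be specified together. Identifiers below are placeholders (assumed).
  ecs_cluster_name            = "existing-security-cluster"
  ecs_vpc_id                  = "vpc-0123456789abcdef0"
  ecs_vpc_subnets_private_ids = ["subnet-0123456789abcdef0", "subnet-0fedcba9876543210"]

  # Task sizing for the cloud-connector container (CPU units / megabytes, as strings).
  ecs_task_cpu    = "256"
  ecs_task_memory = "512"

  # Restrict the benchmark task to regions actually in use (assumed list).
  deploy_benchmark  = true
  benchmark_regions = ["us-east-1", "us-west-2"]

  # Defaults restated explicitly: multi-region trail, encrypted delivery to S3.
  cloudtrail_is_multi_region_trail = true
  cloudtrail_kms_enable            = true

  # The 'product' tag is what the sysdig-secure-for-cloud resource group selects on;
  # its value here is assumed. Extra tags can be added alongside it.
  tags = {
    product = "sysdig-secure-for-cloud"
    env     = "prod"
  }
}

# Surface the module output so downstream subscribers can consume the CloudTrail SNS topic.
output "cloudtrail_sns_topic_arn" {
  value = module.secure_for_cloud_aws_single_account_ecs.cloudtrail_sns_topic_arn
}
```

Run it with `terraform init && terraform plan -var-file=secrets.tfvars` and confirm in the plan that no new VPC or ECS cluster is created before applying; afterwards, the `sysdig-secure-for-cloud` resource group lists everything the module created, and `terraform destroy` removes it.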
Module is maintained and supported by Sysdig.
Apache 2 Licensed. See LICENSE for full details.