# diagrams as code via https://diagrams.mingrammer.com
from diagrams import Diagram, Cluster, Diagram, Edge, Node
from diagrams.custom import Custom
from diagrams.aws.general import General
from diagrams.aws.management import Cloudtrail
from diagrams.aws.storage import S3, SimpleStorageServiceS3Bucket
from diagrams.aws.integration import SNS
from diagrams.aws.integration import SQS
from diagrams.aws.compute import ECS, ElasticContainerServiceService, ECR
from diagrams.aws.security import IAMRole,IAM
from diagrams.aws.management import Cloudwatch
from diagrams.aws.devtools import Codebuild
from diagrams.aws.management import SystemsManager
# Graphviz graph attributes applied to the whole diagram (outer padding).
diagram_attr = dict(pad="1.25")

# Node attributes shared by the IAM role icons: scale the icon to the node box,
# fix the node width and use a slightly smaller font for the long labels.
role_attr = dict(
    imagescale="true",
    width="2",
    fontsize="13",
)

# Edge colours used to tell the kinds of relationship apart in the picture.
color_event = "firebrick"  # CloudTrail event propagation
# NOTE(review): Graphviz's X11 scheme spells this colour "darkgreen"; the name
# is not referenced anywhere in this file, so it is harmless as it stands --
# confirm before using it on an edge.
color_scanning = "dark-green"
color_permission = "steelblue3"  # IAM permission / role assumption
color_non_important = "gray"  # auxiliary links (logs, registry access)
color_sysdig = "lightblue"  # links into the Sysdig backend
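def _event_edge():
    """Return a fresh dashed edge in the event colour (CloudTrail propagation).

    A new Edge is built per call on purpose: the library stores the source node
    on the Edge object, so one instance must not be reused for two links.
    """
    return Edge(color=color_event, style="dashed")


def _aux_edge():
    """Return a fresh gray edge for auxiliary links (logs, registry access)."""
    return Edge(color=color_non_important)


# The diagram is rendered when the `with` block exits. Nodes and edges are
# handed to Graphviz in creation order, which influences the layout, so the
# statement order below is kept deliberately. `show=True` opens the rendered
# file in the default viewer after writing `diagram-single` -- convenient
# interactively, undesirable in CI. The `Custom` icon paths are relative to the
# working directory (presumably the example's own directory -- confirm).
# NOTE(review): the cluster membership below was reconstructed from a listing
# that had lost its indentation; check it against the published diagram.
with Diagram(
    "Sysdig Secure for Cloud\n(single-account-ecs)",
    graph_attr=diagram_attr,
    filename="diagram-single",
    show=True,
):
    # Outside any AWS account: public registries the scanner pulls images from.
    public_registries = Custom("Public Registries", "../../resources/diag-registry-icon.png")

    with Cluster("AWS single-account-ecs"):
        # Credentials used to deploy the module; the variable is unused, the node
        # is placed simply by being constructed inside this cluster.
        master_credentials = IAM(
            "credentials \npermissions: cloudtrail, role creation,...", fontsize="10"
        )

        with Cluster("other resources", graph_attr={"bgcolor": "lightblue"}):
            account_resources = [General("resource-1..n")]
            ecr = ECR("container-registry\n*sends events on image push to cloudtrail\n*within any account")
            with Cluster("ecs-cluster"):
                ecs_services = ElasticContainerServiceService(
                    "other services\n*sends events with image runs to cloudtrail"
                )

        with Cluster("sysdig-secure-for-cloud resources"):
            # CloudTrail fan-out: trail -> S3 bucket and SNS topic. Events that
            # originate from the sysdig-secure-for-cloud resources themselves are
            # left out of the picture for clarity, although they are processed too.
            cloudtrail = Cloudtrail(
                "cloudtrail\n* ingest events from all\norg member accounts+managed", shape="plaintext"
            )
            cloudtrail_s3 = S3("cloudtrail-s3-events")
            sns = SNS("cloudtrail-sns-events", comment="i'm a graph")
            cloudwatch = Cloudwatch("cloudwatch\n(logs and alarms)")

            cloudtrail >> _event_edge() >> cloudtrail_s3
            cloudtrail >> _event_edge() >> sns

            with Cluster("ecs-cluster"):
                cloud_connector = ElasticContainerServiceService("cloud-connector")
                sqs = SQS("cloudtrail-sqs")
                # `<<` reverses the arrow so it points from cloud-connector at the queue.
                sqs << Edge(color=color_event) << cloud_connector
                cloud_connector >> _aux_edge() >> cloudwatch

            # scanning: the connector triggers a CodeBuild project that reaches
            # ECR and the public registries. The original file drew the
            # cloud-connector -> cloudwatch edge a second time here, which
            # rendered as two parallel arrows; the single edge above is enough.
            codebuild = Codebuild("CodeBuild Project")
            cloud_connector >> codebuild
            codebuild >> _aux_edge() >> ecr
            codebuild >> _aux_edge() >> public_registries

            # bench-role: the role the Sysdig account assumes for the benchmark;
            # the label records the managed policy it is drawn with.
            cloud_bench_role = IAMRole("SysdigCloudBench\n(aws:SecurityAudit policy)", **role_attr)

        # Event path into the connector (SNS -> SQS) and the link between the
        # connector and the CloudTrail S3 bucket.
        sns >> _event_edge() >> sqs
        (cloudtrail_s3 << _aux_edge()) - cloud_connector

    with Cluster("AWS account (sysdig)"):
        sds = Custom(
            "Sysdig Secure\n*receives cloud-connector and cloud-build results\n*assumeRole on SysdigCloudBench",
            "../../resources/diag-sysdig-icon.png",
        )
        sds_account = General("cloud-bench")
        sds - Edge(label="aws_foundations_bench\n schedule on rand rand * * *") >> sds_account

    # Cross-account links: results flow to Sysdig; cloud-bench assumes the role.
    cloud_connector >> Edge(color=color_sysdig) >> sds
    codebuild >> Edge(color=color_sysdig) >> sds
    sds_account >> Edge(color=color_permission, fontcolor=color_permission) >> cloud_bench_role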