refact: enable optional cloudtrail (#43)

Author: iru

examples/organizational/README.md

@@ -116,6 +116,8 @@ Notice that:
 | <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
 | <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events. testing/economization purpose. | `bool` | `true` | no |
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no |
+| <a name="input_cloudtrail_s3_arn"></a> [cloudtrail\_s3\_arn](#input\_cloudtrail\_s3\_arn) | ARN of a pre-existing cloudtrail\_sns s3 bucket. If it does not exist, it will be inferred from create cloudtrail | `string` | `"create"` | no |
+| <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If it does not exist, it will be inferred from created cloudtrail | `string` | `"create"` | no |
 | <a name="input_connector_ecs_task_role_name"></a> [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Name for the ecs task role. This is only required to resolve cyclic dependency with organizational approach | `string` | `"organizational-ECSTaskRole"` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_organizational_member_default_admin_role"></a> [organizational\_member\_default\_admin\_role](#input\_organizational\_member\_default\_admin\_role) | Default role created by AWS for managed-account users to be able to admin member accounts.<br/>https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html | `string` | `"OrganizationAccountAccessRole"` | no |

examples/organizational/cloudtrail.tf

@@ -0,0 +1,22 @@
+locals {
+  cloudtrail_deploy  = var.cloudtrail_sns_arn == "create"
+  cloudtrail_sns_arn = var.cloudtrail_sns_arn == "create" ? module.cloudtrail[0].sns_topic_arn : var.cloudtrail_sns_arn
+  cloudtrail_s3_arn  = var.cloudtrail_sns_arn == "create" ? module.cloudtrail[0].s3_bucket_arn : var.cloudtrail_s3_arn
+}
+
+
+module "cloudtrail" {
+  count  = local.cloudtrail_deploy ? 1 : 0
+  source = "../../modules/infrastructure/cloudtrail"
+  name   = var.name
+
+  is_organizational = true
+  organizational_config = {
+    sysdig_secure_for_cloud_member_account_id = var.sysdig_secure_for_cloud_member_account_id
+    organizational_role_per_account           = var.organizational_member_default_admin_role
+  }
+  is_multi_region_trail = var.cloudtrail_is_multi_region_trail
+  cloudtrail_kms_enable = var.cloudtrail_kms_enable
+
+  tags = var.tags
+}

examples/organizational/credentials.tf

@@ -7,15 +7,14 @@ module "resource_group_secure_for_cloud_member" {
   tags   = var.tags
 }
 
-
 module "secure_for_cloud_role" {
   source = "../../modules/infrastructure/permissions/ecs-org-role"
   providers = {
     aws.member = aws.member
   }
   name = var.name
 
-  cloudtrail_s3_arn                 = module.cloudtrail.s3_bucket_arn
+  cloudtrail_s3_arn                 = local.cloudtrail_s3_arn
   cloudconnector_ecs_task_role_name = aws_iam_role.connector_ecs_task.name
   organizational_role_per_account   = var.organizational_member_default_admin_role
 

examples/organizational/main.tf

@@ -25,21 +25,6 @@ module "resource_group" {
   tags   = var.tags
 }
 
-module "cloudtrail" {
-  source = "../../modules/infrastructure/cloudtrail"
-  name   = var.name
-
-  is_organizational = true
-  organizational_config = {
-    sysdig_secure_for_cloud_member_account_id = var.sysdig_secure_for_cloud_member_account_id
-    organizational_role_per_account           = var.organizational_member_default_admin_role
-  }
-  is_multi_region_trail = var.cloudtrail_is_multi_region_trail
-  cloudtrail_kms_enable = var.cloudtrail_kms_enable
-
-  tags = var.tags
-}
-
 
 #-------------------------------------
 # secure-for-cloud member account workload
@@ -84,14 +69,14 @@ module "cloud_connector" {
     connector_ecs_task_role_name     = aws_iam_role.connector_ecs_task.name
   }
 
-  sns_topic_arn = module.cloudtrail.sns_topic_arn
+  sns_topic_arn = local.cloudtrail_sns_arn
 
   ecs_cluster = module.ecs_fargate_cluster.id
   vpc_id      = module.ecs_fargate_cluster.vpc_id
   vpc_subnets = module.ecs_fargate_cluster.vpc_subnets
 
   tags       = var.tags
-  depends_on = [module.cloudtrail, module.ecs_fargate_cluster, module.ssm]
+  depends_on = [local.cloudtrail_sns_arn, module.ecs_fargate_cluster, module.ssm]
 }
 
 #
@@ -129,14 +114,14 @@ module "cloud_scanning" {
     scanning_ecs_task_role_name      = aws_iam_role.connector_ecs_task.name
   }
 
-  sns_topic_arn = module.cloudtrail.sns_topic_arn
+  sns_topic_arn = local.cloudtrail_sns_arn
 
   ecs_cluster = module.ecs_fargate_cluster.id
   vpc_id      = module.ecs_fargate_cluster.vpc_id
   vpc_subnets = module.ecs_fargate_cluster.vpc_subnets
 
   tags       = var.tags
-  depends_on = [module.cloudtrail, module.ecs_fargate_cluster, module.codebuild, module.ssm]
+  depends_on = [local.cloudtrail_sns_arn, module.ecs_fargate_cluster, module.codebuild, module.ssm]
 }
 
 #-------------------------------------

examples/organizational/variables.tf

@@ -34,6 +34,18 @@ variable "organizational_member_default_admin_role" {
 # cloudtrail configuration
 #
 
+variable "cloudtrail_sns_arn" {
+  type        = string
+  default     = "create"
+  description = "ARN of a pre-existing cloudtrail_sns. If it does not exist, it will be inferred from created cloudtrail"
+}
+
+variable "cloudtrail_s3_arn" {
+  type        = string
+  default     = "create"
+  description = "ARN of a pre-existing cloudtrail_sns s3 bucket. If it does not exist, it will be inferred from create cloudtrail"
+}
+
 variable "cloudtrail_is_multi_region_trail" {
   type        = bool
   default     = true

examples/single-account-k8s/README.md

@@ -104,6 +104,7 @@ Notice that:
 | <a name="input_sysdig_secure_api_token"></a> [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig Secure API token | `string` | n/a | yes |
 | <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events. testing/economization purpose. | `bool` | `true` | no |
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether s3 should be encrypted. testing/economization purpose. | `bool` | `true` | no |
+| <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If it does not exist, it will be inferred from created cloudtrail | `string` | `"create"` | no |
 | <a name="input_deploy_image_scanning"></a> [deploy\_image\_scanning](#input\_deploy\_image\_scanning) | true/false whether to deploy cloud\_scanning | `bool` | `true` | no |
 | <a name="input_deploy_threat_detection"></a> [deploy\_threat\_detection](#input\_deploy\_threat\_detection) | true/false whether to deploy cloud\_connector | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |

examples/single-account-k8s/cloud-connector.tf

@@ -6,7 +6,7 @@ module "cloud_connector_sqs" {
   source = "../../modules/infrastructure/sqs-sns-subscription"
 
   name          = "${var.name}-cloud_connector"
-  sns_topic_arn = module.cloudtrail.sns_topic_arn
+  sns_topic_arn = local.cloudtrail_sns_arn
   tags          = var.tags
 }
 

examples/single-account-k8s/cloud-scanning.tf

@@ -6,7 +6,7 @@ module "cloud_scanning_sqs" {
   source = "../../modules/infrastructure/sqs-sns-subscription"
 
   name          = "${var.name}-cloud_scanning"
-  sns_topic_arn = module.cloudtrail.sns_topic_arn
+  sns_topic_arn = local.cloudtrail_sns_arn
   tags          = var.tags
 }
 

examples/single-account-k8s/cloudtrail.tf

@@ -1,4 +1,10 @@
+locals {
+  cloudtrail_deploy  = var.cloudtrail_sns_arn == "create"
+  cloudtrail_sns_arn = var.cloudtrail_sns_arn == "create" ? module.cloudtrail[0].sns_topic_arn : var.cloudtrail_sns_arn
+}
+
 module "cloudtrail" {
+  count  = local.cloudtrail_deploy ? 1 : 0
   source = "../../modules/infrastructure/cloudtrail"
   name   = var.name
 

examples/single-account-k8s/variables.tf

@@ -25,6 +25,12 @@ variable "deploy_image_scanning" {
 # cloudtrail configuration
 #
 
+variable "cloudtrail_sns_arn" {
+  type        = string
+  default     = "create"
+  description = "ARN of a pre-existing cloudtrail_sns. If it does not exist, it will be inferred from created cloudtrail"
+}
+
 variable "cloudtrail_is_multi_region_trail" {
   type        = bool
   default     = true

examples/single-account/README.md

@@ -82,6 +82,7 @@ No resources.
 | <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
 | <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events | `bool` | `true` | no |
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no |
+| <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If it does not exist, it will be inferred from created cloudtrail | `string` | `"create"` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |

examples/single-account/cloudtrail.tf

@@ -0,0 +1,15 @@
+locals {
+  cloudtrail_deploy  = var.cloudtrail_sns_arn == "create"
+  cloudtrail_sns_arn = var.cloudtrail_sns_arn == "create" ? module.cloudtrail[0].sns_topic_arn : var.cloudtrail_sns_arn
+}
+
+module "cloudtrail" {
+  count                 = local.cloudtrail_deploy ? 1 : 0
+  source                = "../../modules/infrastructure/cloudtrail"
+  name                  = var.name
+  is_organizational     = false
+  is_multi_region_trail = var.cloudtrail_is_multi_region_trail
+  cloudtrail_kms_enable = var.cloudtrail_kms_enable
+
+  tags = var.tags
+}

examples/single-account/main.tf

@@ -8,15 +8,6 @@ module "resource_group" {
   tags   = var.tags
 }
 
-module "cloudtrail" {
-  source                = "../../modules/infrastructure/cloudtrail"
-  name                  = var.name
-  is_organizational     = false
-  is_multi_region_trail = var.cloudtrail_is_multi_region_trail
-  cloudtrail_kms_enable = var.cloudtrail_kms_enable
-
-  tags = var.tags
-}
 
 module "ecs_fargate_cluster" {
   source = "../../modules/infrastructure/ecs-fargate-cluster"
@@ -44,14 +35,14 @@ module "cloud_connector" {
   secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
   is_organizational            = false
 
-  sns_topic_arn = module.cloudtrail.sns_topic_arn
+  sns_topic_arn = local.cloudtrail_sns_arn
 
   ecs_cluster = module.ecs_fargate_cluster.id
   vpc_id      = module.ecs_fargate_cluster.vpc_id
   vpc_subnets = module.ecs_fargate_cluster.vpc_subnets
 
   tags       = var.tags
-  depends_on = [module.cloudtrail, module.ecs_fargate_cluster, module.ssm]
+  depends_on = [local.cloudtrail_sns_arn, module.ecs_fargate_cluster, module.ssm]
 }
 
 
@@ -81,15 +72,15 @@ module "cloud_scanning" {
   build_project_arn  = module.codebuild.project_arn
   build_project_name = module.codebuild.project_name
 
-  sns_topic_arn = module.cloudtrail.sns_topic_arn
+  sns_topic_arn = local.cloudtrail_sns_arn
 
   ecs_cluster = module.ecs_fargate_cluster.id
   vpc_id      = module.ecs_fargate_cluster.vpc_id
   vpc_subnets = module.ecs_fargate_cluster.vpc_subnets
 
   tags = var.tags
   # note. this is required to avoid race conditions
-  depends_on = [module.cloudtrail, module.ecs_fargate_cluster, module.codebuild, module.ssm]
+  depends_on = [local.cloudtrail_sns_arn, module.ecs_fargate_cluster, module.codebuild, module.ssm]
 }
 
 #-------------------------------------

examples/single-account/variables.tf

@@ -12,6 +12,11 @@ variable "sysdig_secure_api_token" {
 #
 # cloudtrail configuration
 #
+variable "cloudtrail_sns_arn" {
+  type        = string
+  default     = "create"
+  description = "ARN of a pre-existing cloudtrail_sns. If it does not exist, it will be inferred from created cloudtrail"
+}
 
 variable "cloudtrail_is_multi_region_trail" {
   type        = bool