Feature: enable vpc region availability zone variables (#53)

* feature: enable vpc-region-azs

Co-authored-by: Yu Kitazume <[email protected]>

Author: iru

README.md

@@ -132,8 +132,24 @@ Upload any image to the ECR repository of AWS.
 <br/>You should see a log in the ECS-cloud-scanner task + CodeBuild project being launched successfully
 
 <br/><br/>
+
 ## Troubleshooting
 
+
+### Q: Getting error when creating the ECS subnet due to nats not being supported
+```
+│ Error: error creating subnet: InvalidParameterValue: Value (apne1-az3) for parameter availabilityZoneId is invalid. Subnets can currently only be created in the following availability zones: apne1-az1, apne1-az2, apne1-az4.
+│ 	status code: 400, request id: 6e32d757-2e61-4220-8106-22ccf814e1fe
+│
+│   with module.vpc.aws_subnet.public[1],
+│   on .terraform/modules/vpc/main.tf line 376, in resource "aws_subnet" "public":
+│  376: resource "aws_subnet" "public" {
+```
+
+A: For the ECS workload deployment a VPC is being created under the hood. Some AWS zones, such as the 'apne1-az3' in the 'ap-northeast' region does not support NATS, which is activated by default.
+S: Specify the desired VPC region availability zones for the vpc module, using the `ecs_vpc_region_azs` variable to explicit its desired value and workaround the error until AWS gives support for your region.
+
+
 ### Q: I'm not able to see Cloud Infrastructure Entitlements Management (CIEM) results
 A: Make sure you installed both [cloud-bench](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-bench) and [cloud-connector](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-connector) modules
 

examples/organizational/README.md

@@ -121,6 +121,7 @@ Notice that:
 | <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If it does not exist, it will be inferred from created cloudtrail | `string` | `"create"` | no |
 | <a name="input_connector_ecs_task_role_name"></a> [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Name for the ecs task role. This is only required to resolve cyclic dependency with organizational approach | `string` | `"organizational-ECSTaskRole"` | no |
 | <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
+| <a name="input_ecs_vpc_region_azs"></a> [ecs\_vpc\_region\_azs](#input\_ecs\_vpc\_region\_azs) | Explicit list of availability zones for ECS VPC creation. eg: ["apne1-az1", "apne1-az2"]. If left empty it will be defaulted to two from the default datasource | `list(string)` | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_organizational_member_default_admin_role"></a> [organizational\_member\_default\_admin\_role](#input\_organizational\_member\_default\_admin\_role) | Default role created by AWS for managed-account users to be able to admin member accounts.<br/>https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html | `string` | `"OrganizationAccountAccessRole"` | no |
 | <a name="input_region"></a> [region](#input\_region) | Default region for resource creation in both organization master and secure-for-cloud member account | `string` | `"eu-central-1"` | no |

examples/organizational/main.tf

@@ -34,9 +34,10 @@ module "ecs_fargate_cluster" {
   providers = {
     aws = aws.member
   }
-  source = "../../modules/infrastructure/ecs-fargate-cluster"
-  name   = var.name
-  tags   = var.tags
+  source             = "../../modules/infrastructure/ecs-fargate-cluster"
+  name               = var.name
+  ecs_vpc_region_azs = var.ecs_vpc_region_azs
+  tags               = var.tags
 }
 
 

examples/organizational/variables.tf

@@ -74,6 +74,17 @@ variable "benchmark_regions" {
   default     = []
 }
 
+
+#
+# ecs vpc configuration
+#
+variable "ecs_vpc_region_azs" {
+  type        = list(string)
+  description = "Explicit list of availability zones for ECS VPC creation. eg: [\"apne1-az1\", \"apne1-az2\"]. If left empty it will be defaulted to two from the default datasource"
+  default     = []
+}
+
+
 #
 # general
 #

examples/single-account/README.md

@@ -83,6 +83,7 @@ No resources.
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no |
 | <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If it does not exist, it will be inferred from created cloudtrail | `string` | `"create"` | no |
 | <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
+| <a name="input_ecs_vpc_region_azs"></a> [ecs\_vpc\_region\_azs](#input\_ecs\_vpc\_region\_azs) | Explicit list of availability zones for ECS VPC creation. eg: ["apne1-az1", "apne1-az2"]. If left empty it will be defaulted to two from the default datasource | `list(string)` | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |

examples/single-account/main.tf

@@ -8,9 +8,10 @@ module "resource_group" {
 }
 
 module "ecs_fargate_cluster" {
-  source = "../../modules/infrastructure/ecs-fargate-cluster"
-  name   = var.name
-  tags   = var.tags
+  source             = "../../modules/infrastructure/ecs-fargate-cluster"
+  name               = var.name
+  ecs_vpc_region_azs = var.ecs_vpc_region_azs
+  tags               = var.tags
 }
 
 module "ssm" {

examples/single-account/variables.tf

@@ -9,6 +9,7 @@ variable "sysdig_secure_api_token" {
 # optionals - with defaults
 #---------------------------------
 
+
 #
 # cloudtrail configuration
 #
@@ -47,6 +48,16 @@ variable "benchmark_regions" {
 }
 
 
+#
+# ecs vpc configuration
+#
+variable "ecs_vpc_region_azs" {
+  type        = list(string)
+  description = "Explicit list of availability zones for ECS VPC creation. eg: [\"apne1-az1\", \"apne1-az2\"]. If left empty it will be defaulted to two from the default datasource"
+  default     = []
+}
+
+
 
 #
 # general

modules/infrastructure/ecs-fargate-cluster/README.md

@@ -32,6 +32,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_ecs_vpc_region_azs"></a> [ecs\_vpc\_region\_azs](#input\_ecs\_vpc\_region\_azs) | Explicit list of availability zones for VPC creation. eg: ["apne1-az1", "apne1-az2"]. If left empty it will be defaulted to two from the default datasource | `list(string)` | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
 

modules/infrastructure/ecs-fargate-cluster/variables.tf

@@ -2,6 +2,19 @@
 # optionals - with defaults
 #---------------------------------
 
+#
+# vpc configuration
+#
+variable "ecs_vpc_region_azs" {
+  type        = list(string)
+  description = "Explicit list of availability zones for VPC creation. eg: [\"apne1-az1\", \"apne1-az2\"]. If left empty it will be defaulted to two from the default datasource"
+  default     = []
+}
+
+
+#
+# general
+#
 variable "name" {
   type        = string
   description = "Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances"

modules/infrastructure/ecs-fargate-cluster/vpc.tf

@@ -1,4 +1,6 @@
-data "aws_availability_zones" "zones" {}
+data "aws_availability_zones" "zones" {
+}
+
 
 module "vpc" {
   source = "terraform-aws-modules/vpc/aws"
@@ -9,7 +11,7 @@ module "vpc" {
   private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
   public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]
 
-  azs = [data.aws_availability_zones.zones.names[0], data.aws_availability_zones.zones.names[1]]
+  azs = length(var.ecs_vpc_region_azs) > 0 ? var.ecs_vpc_region_azs : [data.aws_availability_zones.zones.names[0], data.aws_availability_zones.zones.names[1]]
 
   enable_dns_hostnames = true
   enable_dns_support   = true