
Commit 29b399e

fix: Remove v2 scanning (#111)
* Revert "chore: fix precommit (#106)"
  This reverts commit 0d9e416.
* Revert "chore: fix precommit errors"
  This reverts commit 97c7c2c.
* Revert "chore: fix precommit"
  This reverts commit 9efb2da.
* Revert "feat: org cloud connector based on binary scanner"
  This reverts commit 26d85de.
* Revert "chore: fix wrong paramter"
  This reverts commit 4b77cf5.
* Revert "feat: apprunner cloud connector based on binary scanner"
  This reverts commit fe45088.
* Revert "feat: ecs cloud connector based on binary scanner"
  This reverts commit 6d37ea0.
* Revert "fix: missing comma"
  This reverts commit ed9aca5.
* Revert "chore: fix missing paramter"
  This reverts commit 47d4286.
* Revert "feat: permission are created based on binary scanner use"
  This reverts commit be40cda.
* Revert "feat: create k8s config base on binary scanner use"
  This reverts commit 0631890.
* Revert "feat: add standalone bianry scanner"
  This reverts commit 22d6c7c.
* chore: fix precommit
1 parent 0d9e416 commit 29b399e

64 files changed

+72
-602
lines changed

examples/organizational/README.md

+2-3
Original file line numberDiff line numberDiff line change
@@ -145,8 +145,8 @@ $ terraform apply
145145

146146
| Name | Version |
147147
|------|---------|
148-
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.19.0 |
149-
| <a name="provider_aws.member"></a> [aws.member](#provider\_aws.member) | 4.19.0 |
148+
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.20.1 |
149+
| <a name="provider_aws.member"></a> [aws.member](#provider\_aws.member) | 4.20.1 |
150150
| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 0.5.37 |
151151

152152
## Modules
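Review bot: the aws provider bump from 4.19.0 to 4.20.1 on lines 148-149 has nothing to do with removing v2 scanning and is not mentioned in the commit message, yet the same bump repeats in every module README in this commit. It looks like a terraform-docs regeneration picked up a newer provider lock; either say so in the message or split the version bumps into their own chore commit so the revert stays reviewable on its own.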
@@ -195,7 +195,6 @@ $ terraform apply
195195
| <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
196196
| <a name="input_organizational_member_default_admin_role"></a> [organizational\_member\_default\_admin\_role](#input\_organizational\_member\_default\_admin\_role) | Default role created by AWS for management-account users to be able to admin member accounts.<br/>https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html | `string` | `"OrganizationAccountAccessRole"` | no |
197197
| <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | <pre>{<br> "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
198-
| <a name="input_use_standalone_scanner"></a> [use\_standalone\_scanner](#input\_use\_standalone\_scanner) | true/false whether use inline scanner or not | `bool` | `false` | no |
199198

200199
## Outputs
201200

examples/organizational/main.tf

+1-6
@@ -1,7 +1,3 @@
1-
locals {
2-
deploy_image_scanning = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs
3-
deploy_scanning_infra = local.deploy_image_scanning && !var.use_standalone_scanner
4-
}
51
#-------------------------------------
62
# resources deployed always in management account
73
# with default provider
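Review bot: deleting the whole `locals` block removes `local.deploy_image_scanning` along with `local.deploy_scanning_infra`. The codebuild hunk below inlines the expression, but any other file in examples/organizational that still references `local.deploy_image_scanning` will fail `terraform validate`. Run validate on the example before merging, or keep the one-line `deploy_image_scanning` local the way the single-account-k8s example does in this same commit.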
@@ -40,7 +36,7 @@ module "ssm" {
4036
# cloud-connector
4137
#-------------------------------------
4238
module "codebuild" {
43-
count = local.deploy_scanning_infra ? 1 : 0
39+
count = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs ? 1 : 0
4440

4541
providers = {
4642
aws = aws.member
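Review bot: `count = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs ? 1 : 0` on line 39 depends on `||` binding tighter than `?:`. HCL does evaluate it that way, but wrapping the condition in parentheses makes the intent obvious and matches the `local.deploy_image_scanning ? 1 : 0` form used in the k8s example. The same inlined expression is repeated in the apprunner and ecs examples; a shared local would avoid three copies.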
@@ -66,7 +62,6 @@ module "cloud_connector" {
6662

6763
deploy_image_scanning_ecr = var.deploy_image_scanning_ecr
6864
deploy_image_scanning_ecs = var.deploy_image_scanning_ecs
69-
use_standalone_scanner = var.use_standalone_scanner
7065

7166
is_organizational = true
7267
organizational_config = {
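Review bot: dropping the `use_standalone_scanner` argument at line 69 is only safe if the cloud_connector module no longer declares that variable (or still gives it a default); the module side is not in the visible part of this diff. Confirm the module's variables and its `aws-ecr-inline` / `aws-ecs-inline` scanner handling were reverted as well, otherwise a dead input with a default lingers and the standalone code path is merely unreachable rather than removed.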

examples/organizational/variables.tf

+1-5
@@ -69,11 +69,7 @@ variable "deploy_image_scanning_ecs" {
6969
default = false
7070
}
7171

72-
variable "use_standalone_scanner" {
73-
type = bool
74-
description = "true/false whether use inline scanner or not"
75-
default = false
76-
}
72+
7773
#
7874
# benchmark configuration
7975
#
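Review bot: the added line 72+ is a blank line directly after the existing blank line 71, so the file ends up with two consecutive empty lines between the `deploy_image_scanning_ecs` block and the benchmark comment; `terraform fmt` will not collapse them, so drop the added line. The ecs, k8s and cloud-scanning variables.tf hunks in this commit have the same issue because they keep both the blank line before and the one after the removed block; only the apprunner hunk removes the block cleanly.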

examples/single-account-apprunner/README.md

-1
@@ -104,7 +104,6 @@ $ terraform apply
104104
| <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |
105105
| <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
106106
| <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | <pre>{<br> "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
107-
| <a name="input_use_standalone_scanner"></a> [use\_standalone\_scanner](#input\_use\_standalone\_scanner) | true/false whether use inline scanner or not | `bool` | `false` | no |
108107

109108
## Outputs
110109

examples/single-account-apprunner/main.tf

+1-7
@@ -1,8 +1,3 @@
1-
locals {
2-
deploy_image_scanning = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs
3-
deploy_scanning_infra = local.deploy_image_scanning && !var.use_standalone_scanner
4-
}
5-
61
#-------------------------------------
72
# general resources
83
#-------------------------------------
@@ -24,7 +19,7 @@ module "ssm" {
2419
# cloud-connector
2520
#-------------------------------------
2621
module "codebuild" {
27-
count = local.deploy_scanning_infra ? 1 : 0
22+
count = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs ? 1 : 0
2823

2924
source = "../../modules/infrastructure/codebuild"
3025
name = "${var.name}-codebuild"
@@ -50,7 +45,6 @@ module "cloud_connector" {
5045
cloudconnector_ecr_image_uri = var.cloudconnector_ecr_image_uri
5146
deploy_image_scanning_ecr = var.deploy_image_scanning_ecr
5247
deploy_image_scanning_ecs = var.deploy_image_scanning_ecs
53-
use_standalone_scanner = var.use_standalone_scanner
5448

5549
cloudtrail_sns_arn = local.cloudtrail_sns_arn
5650
tags = var.tags

examples/single-account-apprunner/variables.tf

-6
@@ -42,12 +42,6 @@ variable "deploy_image_scanning_ecs" {
4242
default = false
4343
}
4444

45-
variable "use_standalone_scanner" {
46-
type = bool
47-
description = "true/false whether use inline scanner or not"
48-
default = false
49-
}
50-
5145
#
5246
# benchmark configuration
5347
#

examples/single-account-ecs/README.md

-1
@@ -110,7 +110,6 @@ $ terraform apply
110110
| <a name="input_ecs_vpc_subnets_private_ids"></a> [ecs\_vpc\_subnets\_private\_ids](#input\_ecs\_vpc\_subnets\_private\_ids) | List of VPC subnets where workload is to be deployed. Defaulted to be created when 'ecs\_cluster\_name' is not provided. | `list(string)` | `[]` | no |
111111
| <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
112112
| <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | <pre>{<br> "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
113-
| <a name="input_use_standalone_scanner"></a> [use\_standalone\_scanner](#input\_use\_standalone\_scanner) | true/false whether use inline scanner or not | `bool` | `false` | no |
114113

115114
## Outputs
116115

examples/single-account-ecs/main.tf

+1-6
@@ -1,7 +1,3 @@
1-
locals {
2-
deploy_image_scanning = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs
3-
deploy_scanning_infra = local.deploy_image_scanning && !var.use_standalone_scanner
4-
}
51
#-------------------------------------
62
# general resources
73
#-------------------------------------
@@ -25,7 +21,7 @@ module "ssm" {
2521
#
2622

2723
module "codebuild" {
28-
count = local.deploy_scanning_infra ? 1 : 0
24+
count = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs ? 1 : 0
2925

3026
source = "../../modules/infrastructure/codebuild"
3127
name = "${var.name}-codebuild"
@@ -49,7 +45,6 @@ module "cloud_connector" {
4945

5046
deploy_image_scanning_ecr = var.deploy_image_scanning_ecr
5147
deploy_image_scanning_ecs = var.deploy_image_scanning_ecs
52-
use_standalone_scanner = var.use_standalone_scanner
5348

5449
is_organizational = false
5550

examples/single-account-ecs/variables.tf

-5
@@ -85,11 +85,6 @@ variable "deploy_image_scanning_ecs" {
8585
default = false
8686
}
8787

88-
variable "use_standalone_scanner" {
89-
type = bool
90-
description = "true/false whether use inline scanner or not"
91-
default = false
92-
}
9388

9489
#
9590
# benchmark configuration

examples/single-account-k8s/README.md

+1-2
@@ -84,7 +84,7 @@ $ terraform apply
8484

8585
| Name | Version |
8686
|------|---------|
87-
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.19.0 |
87+
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.20.1 |
8888
| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.6.0 |
8989
| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 0.5.37 |
9090

@@ -121,7 +121,6 @@ $ terraform apply
121121
| <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |
122122
| <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
123123
| <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | <pre>{<br> "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
124-
| <a name="input_use_standalone_scanner"></a> [use\_standalone\_scanner](#input\_use\_standalone\_scanner) | true/false whether use inline scanner or not | `bool` | `false` | no |
125124

126125
## Outputs
127126

examples/single-account-k8s/cloud-connector.tf

+9-24
@@ -1,10 +1,5 @@
11
locals {
2-
deploy_image_scanning = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs
3-
deploy_scanning_infra = local.deploy_image_scanning && !var.use_standalone_scanner
4-
ecr_standalone_scanning = var.deploy_image_scanning_ecr && var.use_standalone_scanner
5-
ecs_standalone_scanning = var.deploy_image_scanning_ecs && var.use_standalone_scanner
6-
ecr_scanning_with_infra = var.deploy_image_scanning_ecr && !var.use_standalone_scanner
7-
ecs_scanning_with_infra = var.deploy_image_scanning_ecs && !var.use_standalone_scanner
2+
deploy_image_scanning = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs
83
}
94

105
#-------------------------------------
@@ -19,7 +14,7 @@ module "cloud_connector_sqs" {
1914
}
2015

2116
module "codebuild" {
22-
count = local.deploy_scanning_infra ? 1 : 0
17+
count = local.deploy_image_scanning ? 1 : 0
2318
source = "../../modules/infrastructure/codebuild"
2419

2520
name = var.name
@@ -73,8 +68,6 @@ resource "helm_release" "cloud_connector" {
7368

7469
values = [
7570
yamlencode({
76-
logging = "info"
77-
rules = []
7871
ingestors = [
7972
{
8073
cloudtrail-sns-sqs = {
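Review bot: lines 76-77 remove `logging = "info"` and `rules = []` from the helm values, which is outside the scope of removing the standalone scanner; once they are gone the chart's own defaults decide the connector's log level and rule set. If those keys were introduced by one of the reverted commits, say so in the commit message; otherwise keep them so the connector's runtime configuration does not change as a side effect of this revert.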
@@ -83,26 +76,18 @@ resource "helm_release" "cloud_connector" {
8376
}
8477
]
8578
scanners = local.deploy_image_scanning ? [
86-
merge(
87-
local.ecr_scanning_with_infra ? {
88-
aws-ecr = {
89-
codeBuildProject = module.codebuild[0].project_name
90-
secureAPITokenSecretName = module.ssm.secure_api_token_secret_name
91-
}
79+
merge(var.deploy_image_scanning_ecr ? {
80+
aws-ecr = {
81+
codeBuildProject = module.codebuild[0].project_name
82+
secureAPITokenSecretName = module.ssm.secure_api_token_secret_name
83+
}
9284
} : {},
93-
local.ecs_scanning_with_infra ? {
85+
var.deploy_image_scanning_ecs ? {
9486
aws-ecs = {
9587
codeBuildProject = module.codebuild[0].project_name
9688
secureAPITokenSecretName = module.ssm.secure_api_token_secret_name
9789
}
98-
} : {},
99-
local.ecr_standalone_scanning ? {
100-
aws-ecr-inline = {},
101-
} : {},
102-
local.ecs_standalone_scanning ? {
103-
aws-ecs-inline = {},
104-
} : {},
105-
)
90+
} : {})
10691
] : []
10792
})
10893
]
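Review bot: the rewritten `merge(...)` on lines 79-90 starts the first map argument on the `merge(` line and closes with `} : {})`, whereas the removed version kept each argument on its own line; restore the one-argument-per-line layout and run `terraform fmt` so the two conditional maps read symmetrically. The logic itself is sound: `module.codebuild[0]` is only indexed inside the `local.deploy_image_scanning ? [...] : []` branch, which is the same condition as the codebuild `count`, so the index cannot be out of range.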

examples/single-account-k8s/credentials.tf

+1-2
@@ -2,8 +2,7 @@ module "iam_user" {
22
source = "../../modules/infrastructure/permissions/iam-user"
33
name = var.name
44

5-
deploy_image_scanning = local.deploy_image_scanning
6-
use_standalone_scanner = var.use_standalone_scanner
5+
deploy_image_scanning = local.deploy_image_scanning
76

87
ssm_secure_api_token_arn = module.ssm.secure_api_token_secret_arn
98
cloudtrail_s3_bucket_arn = length(module.cloudtrail) > 0 ? module.cloudtrail[0].s3_bucket_arn : "*"

examples/single-account-k8s/variables.tf

-5
@@ -54,11 +54,6 @@ variable "deploy_image_scanning_ecs" {
5454
default = false
5555
}
5656

57-
variable "use_standalone_scanner" {
58-
type = bool
59-
description = "true/false whether use inline scanner or not"
60-
default = false
61-
}
6257

6358
#
6459
# benchmark configuration

examples/trigger-events/README.md

+1-1
@@ -49,7 +49,7 @@ $ terraform apply
4949

5050
| Name | Version |
5151
|------|---------|
52-
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.19.0 |
52+
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.20.1 |
5353

5454
## Modules
5555

modules/infrastructure/cloudtrail/README.md

+1-1
@@ -12,7 +12,7 @@
1212

1313
| Name | Version |
1414
|------|---------|
15-
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.19.0 |
15+
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.20.1 |
1616

1717
## Modules
1818

modules/infrastructure/cloudtrail_s3-sns-sqs/README.md

+1-1
@@ -46,7 +46,7 @@ EVENT FILTER/fine-tunning, regarding what we want to send to Sysdig Cloud-Connec
4646

4747
| Name | Version |
4848
|------|---------|
49-
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.19.0 |
49+
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.20.1 |
5050

5151
## Modules
5252

modules/infrastructure/codebuild/README.md

+1-1
@@ -12,7 +12,7 @@
1212

1313
| Name | Version |
1414
|------|---------|
15-
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.19.0 |
15+
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.20.1 |
1616

1717
## Modules
1818

modules/infrastructure/ecs-vpc/README.md

+1-1
@@ -13,7 +13,7 @@
1313

1414
| Name | Version |
1515
|------|---------|
16-
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.19.0 |
16+
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.20.1 |
1717

1818
## Modules
1919

modules/infrastructure/permissions/cloud-connector/README.md

+1-1
@@ -12,7 +12,7 @@
1212

1313
| Name | Version |
1414
|------|---------|
15-
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.19.0 |
15+
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.20.1 |
1616

1717
## Modules
1818

modules/infrastructure/permissions/cloud-scanning/README.md

+1-2
@@ -12,7 +12,7 @@
1212

1313
| Name | Version |
1414
|------|---------|
15-
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.19.0 |
15+
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.20.1 |
1616

1717
## Modules
1818

@@ -34,7 +34,6 @@ No modules.
3434
| <a name="input_scanning_codebuild_project_arn"></a> [scanning\_codebuild\_project\_arn](#input\_scanning\_codebuild\_project\_arn) | ARN of codebuild to launch the image scanning process | `string` | n/a | yes |
3535
| <a name="input_sfc_user_name"></a> [sfc\_user\_name](#input\_sfc\_user\_name) | Name of the IAM user to provision permissions | `string` | n/a | yes |
3636
| <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
37-
| <a name="input_use_standalone_scanner"></a> [use\_standalone\_scanner](#input\_use\_standalone\_scanner) | true/false whether use inline scanner or not | `bool` | `false` | no |
3837

3938
## Outputs
4039

modules/infrastructure/permissions/cloud-scanning/main.tf

+8-11
@@ -1,5 +1,4 @@
11
resource "aws_iam_user_policy" "cloud_scanner" {
2-
32
name = "${var.name}-cs"
43
user = data.aws_iam_user.this.user_name
54
policy = data.aws_iam_policy_document.cloud_scanner.json
@@ -18,18 +17,16 @@ data "aws_iam_policy_document" "cloud_scanner" {
1817
resources = [var.cloudtrail_subscribed_sqs_arn]
1918
}
2019

21-
dynamic "statement" {
22-
for_each = var.use_standalone_scanner ? [1] : []
23-
content {
24-
sid = "AllowScanningCodeBuildStartBuild"
25-
effect = "Allow"
26-
actions = [
27-
"codebuild:StartBuild"
28-
]
29-
resources = [var.scanning_codebuild_project_arn]
30-
}
20+
statement {
21+
sid = "AllowScanningCodeBuildStartBuild"
22+
effect = "Allow"
23+
actions = [
24+
"codebuild:StartBuild"
25+
]
26+
resources = [var.scanning_codebuild_project_arn]
3127
}
3228

29+
3330
statement {
3431
sid = "AllowScanningECRRead"
3532
effect = "Allow"
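Review bot: turning the `dynamic "statement"` into an unconditional `statement` on lines 20-27 grants `codebuild:StartBuild` to the IAM user whenever this module is used, including deployments with image scanning disabled; since the iam-user module in this commit defaults `scanning_codebuild_project_arn` to `"*"`, that can become `codebuild:StartBuild` on every project in the account. Gate the statement on `deploy_image_scanning` (the iam-user module already receives that flag from credentials.tf) or require a concrete project ARN before emitting it. Separately, line 29+ adds a blank line right after the existing blank line 28, leaving a double blank before the `AllowScanningECRRead` statement.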

modules/infrastructure/permissions/cloud-scanning/variables.tf

-5
@@ -14,11 +14,6 @@ variable "scanning_codebuild_project_arn" {
1414
description = "ARN of codebuild to launch the image scanning process"
1515
}
1616

17-
variable "use_standalone_scanner" {
18-
type = bool
19-
description = "true/false whether use inline scanner or not"
20-
default = false
21-
}
2217

2318
#---------------------------------
2419
# optionals - with default

modules/infrastructure/permissions/general/README.md

+1-1
@@ -15,7 +15,7 @@ General permissions that apply to both cloud-connector and cloud-scanning module
1515

1616
| Name | Version |
1717
|------|---------|
18-
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.19.0 |
18+
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.20.1 |
1919

2020
## Modules
2121

modules/infrastructure/permissions/iam-user/README.md

+1-2
@@ -45,7 +45,7 @@ Note: Contact us if this authentication system does not match your requirement.
4545

4646
| Name | Version |
4747
|------|---------|
48-
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.19.0 |
48+
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.20.1 |
4949

5050
## Modules
5151

@@ -72,7 +72,6 @@ Note: Contact us if this authentication system does not match your requirement.
7272
| <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
7373
| <a name="input_scanning_codebuild_project_arn"></a> [scanning\_codebuild\_project\_arn](#input\_scanning\_codebuild\_project\_arn) | ARN of codebuild to launch the image scanning process | `string` | `"*"` | no |
7474
| <a name="input_ssm_secure_api_token_arn"></a> [ssm\_secure\_api\_token\_arn](#input\_ssm\_secure\_api\_token\_arn) | ARN of the security credentials for the secure\_api\_token | `string` | `"*"` | no |
75-
| <a name="input_use_standalone_scanner"></a> [use\_standalone\_scanner](#input\_use\_standalone\_scanner) | true/false whether use inline scanner or not | `bool` | `false` | no |
7675

7776
## Outputs
7877
