refactor!: remove all providers from examples to enable conditional usage (#66)

* refactor: remove all providers
* ci: revert. org hack to avoid kitchen initial destroy problem with aliased aws provider

Author: iru

.github/workflows/ci-integration-tests.yaml

@@ -22,7 +22,7 @@ jobs:
     name: Test-Kitchen-EKS
     runs-on: ubuntu-latest
     env:
-      TF_VAR_sysdig_secure_endpoint: https://secure.sysdig.com
+      TF_VAR_sysdig_secure_url: https://secure.sysdig.com
       TF_VAR_sysdig_secure_api_token: ${{secrets.KUBELAB_SECURE_API_TOKEN}}
 
     steps:
@@ -74,12 +74,7 @@ jobs:
           TF_VAR_cloudnative_secretAccessKey: ${{ secrets.AWS_QA_CLOUDNATIVE_SECRET_ACCESS_KEY }}
           TF_VAR_region: ${{secrets.AWS_QA_MANAGED_RESOURCES_REGION }}
           TF_VAR_cloudtrail_s3_name: ${{ secrets.AWS_QA_MANAGED_CLOUDTRAIL_NAME }}
-        run: |
-          bundle exec kitchen create "organizational-k8s-aws"
-          bundle exec kitchen converge "organizational-k8s-aws"
-          bundle exec kitchen setup "organizational-k8s-aws"
-          bundle exec kitchen verify "organizational-k8s-aws"
-          bundle exec kitchen destroy "organizational-k8s-aws"
+        run: bundle exec kitchen test "organizational-k8s-aws"
 
       - name: Inspect k8s failures
         if: ${{ failure() }}
@@ -111,7 +106,7 @@ jobs:
     name: Test-Kitchen-ECS
     runs-on: ubuntu-latest
     env:
-      TF_VAR_sysdig_secure_endpoint: https://secure.sysdig.com
+      TF_VAR_sysdig_secure_url: https://secure.sysdig.com
       TF_VAR_sysdig_secure_api_token: ${{secrets.KUBELAB_SECURE_API_TOKEN}}
 
     steps:
@@ -144,12 +139,7 @@ jobs:
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_QA_MANAGED_SECRET_ACCESS_KEY }}
           AWS_REGION: ${{ secrets.AWS_REGION }}
           TF_VAR_sysdig_secure_for_cloud_member_account_id: ${{ secrets.AWS_QA_CLOUDNATIVE_ACCOUNT_ID }}
-        run: |
-          bundle exec kitchen create "organizational-aws"
-          bundle exec kitchen converge "organizational-aws"
-          bundle exec kitchen setup "organizational-aws"
-          bundle exec kitchen verify "organizational-aws"
-          bundle exec kitchen destroy "organizational-aws"
+        run: bundle exec kitchen test "organizational-aws"
 
       - name: Destroy organizational resources
         env:

.github/workflows/ci-test-cleanup.yaml

@@ -12,7 +12,7 @@ jobs:
       AWS_ACCESS_KEY_ID: ${{ secrets.AWS_QA_CLOUDNATIVE_ACCESS_KEY_ID }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_QA_CLOUDNATIVE_SECRET_ACCESS_KEY }}
       AWS_REGION: ${{ secrets.AWS_REGION }}
-      TF_VAR_sysdig_secure_endpoint: https://secure.sysdig.com
+      TF_VAR_sysdig_secure_url: https://secure.sysdig.com
       TF_VAR_sysdig_secure_api_token: ${{secrets.KUBELAB_SECURE_API_TOKEN}}
     steps:
       - name: Checkout
@@ -37,7 +37,7 @@ jobs:
       AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_QA_MANAGED_SECRET_ACCESS_KEY }}
       AWS_REGION: ${{ secrets.AWS_REGION }}
       TF_VAR_sysdig_secure_for_cloud_member_account_id: ${{ secrets.AWS_QA_CLOUDNATIVE_ACCOUNT_ID }}
-      TF_VAR_sysdig_secure_endpoint: https://secure.sysdig.com
+      TF_VAR_sysdig_secure_url: https://secure.sysdig.com
       TF_VAR_sysdig_secure_api_token: ${{secrets.KUBELAB_SECURE_API_TOKEN}}
     steps:
       - name: Checkout

.pre-commit-terraform-validate-examples.sh

@@ -8,6 +8,13 @@ bash ./resources/terraform-clean.sh
 
 for dir in examples*/*
 do
+
+  # skip aliased providers due to terraform validate unresolved bug
+  # https://github.com/hashicorp/terraform/issues/28490
+  if [ $dir == "examples/organizational" ]; then
+    echo "skipping validation on [$dir]"
+    break
+  fi
   echo validating example [$dir]
   cd $dir
   terraform init

CONTRIBUTE.md

@@ -55,8 +55,8 @@ We're using **pre-commit** |  https://pre-commit.com
 - custom configuration | https://github.com/sysdiglabs/terraform-google-secure-for-cloud/blob/master/.pre-commit-config.yaml
 - current `terraform-docs` version, requires developer to create `README.md` file, with the enclosure tags for docs to insert the automated content
   ```markdown
-  <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-  <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+  <!-- BEGIN_TF_DOCS -->
+  <!-- END_TF_DOCS -->
   ```
 
 - If pre-commit fails on Github but not on your local, try cleaning-up `terraform` files with

README.md

@@ -93,7 +93,7 @@ provider "sysdig" {
 }
 
 module "cloud_bench" {
-  source      = "sysdiglabs/secure-for-cloud/aws//modules/cloud-bench"
+  source      = "sysdiglabs/secure-for-cloud/aws//modules/services/cloud-bench"
 }
 
 ```

examples-internal/organizational-k8s-threat-reuse_cloudtrail_s3/README.md

@@ -31,6 +31,19 @@ Client is responsible for provisioning the ARN of this SQS, which will be requir
 For quick testing, use this snippet on your terraform files.
 
 ```terraform
+terraform {
+  required_providers {
+    sysdig = {
+      source  = "sysdiglabs/sysdig"
+      configuration_aliases = [aws.member]
+    }
+  }
+}
+
+provider "sysdig" {
+  sysdig_secure_api_token    = "00000000-1111-2222-3333-444444444444"
+}
+
 provider "aws" {
   region = "<AWS-REGION>; ex. us-east-1"
 }
@@ -44,8 +57,6 @@ provider "helm" {
 module "org_k8s_threat_reuse_cloudtrail" {
   source = "sysdiglabs/secure-for-cloud/aws//examples-internal/organizational-k8s-threat-reuse_cloudtrail"
 
-  sysdig_secure_api_token   = "00000000-1111-2222-3333-444444444444"
-
   region                          = "CLOUDTRAIL_SNS_SQS_REGION"
   cloudtrail_s3_sns_sqs_url       = "SQS-URL"
 
@@ -68,7 +79,7 @@ Notice that:
 * This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
 * All created resources will be created within the tags `product:sysdig-secure-for-cloud`, within the resource-group `sysdig-secure-for-cloud`
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
@@ -107,13 +118,13 @@ Notice that:
 | <a name="input_cloudtrail_s3_sns_sqs_url"></a> [cloudtrail\_s3\_sns\_sqs\_url](#input\_cloudtrail\_s3\_sns\_sqs\_url) | Organization cloudtrail event notification  S3-SNS-SQS URL to listen to | `string` | n/a | yes |
 | <a name="input_sysdig_secure_api_token"></a> [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig Secure API token | `string` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
-| <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
+| <a name="input_sysdig_secure_url"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
 
 ## Outputs
 
 No outputs.
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->
 
 
 ## Troubleshooting

examples-internal/organizational-k8s-threat-reuse_cloudtrail_s3/cloud-connector.tf

@@ -17,12 +17,12 @@ resource "helm_release" "cloud_connector" {
 
   set {
     name  = "sysdig.url"
-    value = var.sysdig_secure_endpoint
+    value = data.sysdig_secure_connection.current.secure_url
   }
 
   set_sensitive {
     name  = "sysdig.secureAPIToken"
-    value = var.sysdig_secure_api_token
+    value = data.sysdig_secure_connection.current.secure_api_token
   }
 
   set_sensitive {

examples-internal/organizational-k8s-threat-reuse_cloudtrail_s3/data.tf

@@ -1 +1,2 @@
 data "aws_region" "current" {}
+data "sysdig_secure_connection" "current" {}

examples-internal/organizational-k8s-threat-reuse_cloudtrail_s3/main.tf

@@ -11,5 +11,5 @@ module "resource_group" {
 module "ssm" {
   source                  = "../../modules/infrastructure/ssm"
   name                    = var.name
-  sysdig_secure_api_token = var.sysdig_secure_api_token
+  sysdig_secure_api_token = data.sysdig_secure_connection.current.secure_api_token
 }

examples-internal/organizational-k8s-threat-reuse_cloudtrail_s3/variables.tf

@@ -1,9 +1,3 @@
-variable "sysdig_secure_api_token" {
-  sensitive   = true
-  type        = string
-  description = "Sysdig Secure API token"
-}
-
 variable "cloudtrail_s3_sns_sqs_url" {
   type        = string
   description = "Organization cloudtrail event notification  S3-SNS-SQS URL to listen to"
@@ -37,12 +31,6 @@ variable "name" {
   default     = "sfc"
 }
 
-variable "sysdig_secure_endpoint" {
-  type        = string
-  default     = "https://secure.sysdig.com"
-  description = "Sysdig Secure API endpoint"
-}
-
 variable "tags" {
   type        = map(string)
   description = "sysdig secure-for-cloud tags"

examples-internal/organizational-k8s-threat-reuse_cloudtrail_s3/versions.tf

@@ -8,5 +8,9 @@ terraform {
       source  = "hashicorp/helm"
       version = ">=2.3.0"
     }
+    sysdig = {
+      source  = "sysdiglabs/sysdig"
+      version = ">= 0.5.33"
+    }
   }
 }

examples-internal/use-cases-reuse-resources/org-existing-cloudtrail-ecs-vpc-subnet.md

@@ -107,18 +107,42 @@ module "utils_ecs-vpc" {
 ### Terraform Manifest Snippet
 
 ```terraform
+terraform {
+  required_providers {
+    sysdig = {
+      source  = "sysdiglabs/sysdig"
+      configuration_aliases = [aws.member]
+    }
+  }
+}
+
+provider "sysdig" {
+  sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
+}
 
 provider "aws" {
   region = "<AWS_REGION>"
 }
 
+provider "aws" {
+  alias  = "member"
+  region = "<AWS_REGION>"
+  assume_role {
+    # 'OrganizationAccountAccessRole' is the default role created by AWS for management-account users to be able to admin member accounts.
+    # if this is changed, please change to the `examples/organizational` input var `organizational_member_default_admin_role` too
+    # <br/>https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html
+    role_arn = "arn:aws:iam::<SYSDIG_SECURE_FOR_CLOUD_MEMBER_ACCOUNT_ID>:role/OrganizationAccountAccessRole"
+  }
+}
+
 module "sysdig-s4c" {
+  providers = {
+    aws.member = aws.member
+  }
 
   source = "sysdiglabs/secure-for-cloud/aws//examples/organizational"
   name   = "sysdig-s4c"
 
-  sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
-
   sysdig_secure_for_cloud_member_account_id="<SYSDIG_SECURE_FOR_CLOUD_MEMBER_ACCOUNT_ID>"
 
   cloudtrail_sns_arn  = "<CLOUDTRAIL_SNS_ARN>"

examples-internal/use-cases-reuse-resources/single-existing-cloudtrail.md

@@ -54,7 +54,7 @@ If cloudtrail is in another account
       "Sid": "AllowCrossAccountSNSSubscription,
       "Effect": "Allow",
       "Principal": {
-        "AWS": "arn:aws:iam::account-member:user/<SPECIFC_USER>"
+        "AWS": "arn:aws:iam::account-member:user/<SPECIFIC_USER>"
         # or
         #"AWS": "arn:aws:iam::account-member:root"
       },
@@ -68,15 +68,26 @@ If cloudtrail is in another account
 ### Terraform Manifest Snippet
 
 ```terraform
+terraform {
+  required_providers {
+    sysdig = {
+      source  = "sysdiglabs/sysdig"
+    }
+  }
+}
+
+provider "sysdig" {
+  sysdig_secure_api_token = "<SYSDIG_API_TOKEN>"
+}
+
 provider "aws" {
-  region = <AWS_REGION>
+  region = "<AWS_REGION>"
 }
 
 module "sysdig-s4c" {
   source = "sysdiglabs/secure-for-cloud/aws//examples/single-account"
   name   = "sysdig-s4c"
 
-  sysdig_secure_api_token = <SYSDIG_API_TOKEN>
-  cloudtrail_sns_arn      = <CLOUDRAIL_SNS_TOPIC_ARN>
+  cloudtrail_sns_arn  = "<CLOUDRAIL_SNS_TOPIC_ARN>"
 }
 ```

examples-internal/use-cases-self-baked/org-s3-k8s-filtered-account.md

@@ -35,23 +35,22 @@ Skip step 4 and remove `aws_access_key_id` and `aws_secret_access_key` parameter
 ## Suggested building-blocks
 
 1. Define different **AWS providers**
-    1. Populate  `_REGION_`. Currently, same region is to be used
-    2. Because we are going to provision resources on multiple accounts, we're gonna need several AWS providers
-
-       2. `s3` for s3-sns-sqs resources to be deployed. IAM user-credentials, to be used for k8s must also be in S3 account
-       3. `sfc` for secure-for-cloud utility resources to be deployed
+    - Populate  `REGION`. Currently, same region is to be used
+    - Because we are going to provision resources on multiple accounts, we're gonna use **two AWS providers**
+       - `aws.s3` for s3-sns-sqs resources to be deployed. IAM user-credentials, to be used for k8s must also be in S3 account
+       - `aws.sfc` for secure-for-cloud utility resources to be deployed
 
 
 ```terraform
 provider "aws" {
   alias = "s3"
-  region = "_REGION_"
+  region = "<REGION>"
   ...
 }
 
 provider "aws" {
   alias = "sfc"
-  region = "_REGION_"
+  region = "<REGION>"
   ...
 }
 ```
@@ -72,12 +71,12 @@ provider "helm" {
 
 3. **Cloudtrail-S3-SNS-SQS**
 
-   1. Populate  `_CLOUDTRAIL_S3_NAME_`
+   1. Populate  `CLOUDTRAIL_S3_NAME`
    <br/>ex.:
        ```text
        cloudtrail_s3_name=cloudtrail-logging-237944556329
        ```
-   2. Populate `_CLOUDTRAIL_S3_FILTER_PREFIX_` in order to ingest a specific-account. Otherwise just remove its assignation
+   2. Populate `CLOUDTRAIL_S3_FILTER_PREFIX` in order to ingest a specific-account. Otherwise, just remove its assignation
    <br/>ex.:
        ```text
        s3_event_notification_filter_prefix=cloudtrail/AWSLogs/237944556329
@@ -89,8 +88,8 @@ module "cloudtrail_s3_sns_sqs" {
     aws = aws.s3
   }
   source  = "sysdiglabs/secure-for-cloud/aws//modules/infrastructure/cloudtrail_s3-sns-sqs"
-  cloudtrail_s3_name = _CLOUDTRAIL_S3_NAME_
-  s3_event_notification_filter_prefix=_CLOUDTRAIL_S3_FILTER_PREFIX_
+  cloudtrail_s3_name = "<CLOUDTRAIL_S3_NAME>"
+  s3_event_notification_filter_prefix="<CLOUDTRAIL_S3_FILTER_PREFIX>"
 }
 ```
 
@@ -112,7 +111,7 @@ module "org_user" {
 
 5. **Sysdig workload deployment on K8s**
 
-    * Populate  `_SYSDIG_SECURE_ENDPOINT_`, `_SYSDID_SECURE_API_TOKEN_` and `_REGION_`
+    * Populate  `sysdig_secure_url`, `SYSDID_SECURE_API_TOKEN` and `REGION`
 
 ```terraform
 resource "helm_release" "cloud_connector" {
@@ -134,12 +133,12 @@ resource "helm_release" "cloud_connector" {
 
   set {
     name  = "sysdig.url"
-    value =  "_SYSDIG_SECURE_ENDPOINT_"
+    value =  "<sysdig_secure_url>"
   }
 
   set_sensitive {
     name  = "sysdig.secureAPIToken"
-    value = "_SYSDID_SECURE_API_TOKEN_"
+    value = "<SYSDIG_SECURE_API_TOKEN>"
   }
 
   set_sensitive {
@@ -154,7 +153,7 @@ resource "helm_release" "cloud_connector" {
 
   set {
     name  = "aws.region"
-    value = "_REGION_"
+    value = "<REGION>"
   }
 
   values = [