sysdiglabs
diff --git a/‎.github/workflows/ci-test-cleanup.yaml
+27 b/‎.github/workflows/ci-test-cleanup.yaml
+27
diff --git a/‎README.md
+8 b/‎README.md
+8
diff --git a/‎examples/organizational/README.md
+3-1 b/‎examples/organizational/README.md
+3-1
diff --git a/‎examples/organizational/utils.tf
+1-1 b/‎examples/organizational/utils.tf
+1-1
diff --git a/‎examples/single-account-k8s/README.md
+108 b/‎examples/single-account-k8s/README.md
+108
diff --git a/‎examples/single-account-k8s/cloud-connector.tf
+57 b/‎examples/single-account-k8s/cloud-connector.tf
+57
diff --git a/‎examples/single-account-k8s/cloud-scanning.tf
+73 b/‎examples/single-account-k8s/cloud-scanning.tf
+73
diff --git a/‎examples/single-account-k8s/credentials.tf
+13 b/‎examples/single-account-k8s/credentials.tf
+13
diff --git a/‎examples/single-account-k8s/main.tf
+38 b/‎examples/single-account-k8s/main.tf
+38
diff --git a/‎examples/single-account-k8s/outputs.tf b/‎examples/single-account-k8s/outputs.tf
@@ -0,0 +1,27 @@
+name: CI - Test Cleanup
+on:
+  workflow_dispatch
+
+jobs:
+  test_cleanup:
+    name: Test Cleanup
+    runs-on: ubuntu-latest
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_REGION: ${{ secrets.AWS_REGION }}
+      TF_VAR_sysdig_secure_endpoint: https://secure.sysdig.com
+      TF_VAR_sysdig_secure_api_token: ${{secrets.KUBELAB_SECURE_API_TOKEN}}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 2.7
+          bundler-cache: true
+
+      - name: Destroy resources
+        if: ${{ failure() }}
+        run: bundle exec kitchen destroy
@@ -20,11 +20,19 @@ For other Cloud providers check: [GCP](https://github.com/sysdiglabs/terraform-g
 There are several ways to deploy this in you AWS infrastructure:
 
 ### Single-Account
+
 Sysdig workload will be deployed in the same account where user's resources will be watched.<br/>
 More info in [`./examples/single-account`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/single-account)
 
 ![single-account diagram](https://raw.githubusercontent.com/sysdiglabs/terraform-aws-secure-for-cloud/7d142829a701ce78f13691a4af4be373625e7ee2/examples/single-account/diagram-single.png)
 
+
+### Single-Account with a pre-existing Kubernetes Cluster
+
+If you already own a Kubernetes Cluster on AWS, you can use it to deploy Sysdig Secure for Cloud, instead of default ECS cluster.
+
+More info in [`./examples/single-account-k8s`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/single-account-k8s)
+
 ### Organizational
 
 Using an organizational configuration Cloudtrail.
 
@@ -2,6 +2,8 @@
 
 Deploy Sysdig Secure for Cloud sharing the Trail within an organization.
 
+_Note: At this time, only the Threat Detection module is supported for organizational accounts_
+
 * In the **management account**
   * An Organizational Cloutrail will be deployed  (with required S3,SNS)
   * An additional role `SysdigSecureForCloudRole` will be created
@@ -87,7 +89,7 @@ Notice that:
 | <a name="module_ecs_fargate_cluster"></a> [ecs\_fargate\_cluster](#module\_ecs\_fargate\_cluster) | ../../modules/infrastructure/ecs-fargate-cluster |  |
 | <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | ../../modules/infrastructure/resource-group |  |
 | <a name="module_resource_group_secure_for_cloud_member"></a> [resource\_group\_secure\_for\_cloud\_member](#module\_resource\_group\_secure\_for\_cloud\_member) | ../../modules/infrastructure/resource-group |  |
-| <a name="module_secure_for_cloud_role"></a> [secure\_for\_cloud\_role](#module\_secure\_for\_cloud\_role) | ../../modules/infrastructure/organizational/secure-for-cloud-role |  |
+| <a name="module_secure_for_cloud_role"></a> [secure\_for\_cloud\_role](#module\_secure\_for\_cloud\_role) | ../../modules/infrastructure/permissions/org-management-role |  |
 | <a name="module_ssm"></a> [ssm](#module\_ssm) | ../../modules/infrastructure/ssm |  |
 
 ## Resources
 
@@ -9,7 +9,7 @@ module "resource_group_secure_for_cloud_member" {
 
 
 module "secure_for_cloud_role" {
-  source = "../../modules/infrastructure/organizational/secure-for-cloud-role"
+  source = "../../modules/infrastructure/permissions/org-management-role"
   providers = {
     aws.member = aws.member
   }
 
@@ -0,0 +1,108 @@
+# Sysdig Secure for Cloud in AWS :: Single-Account on Kubernetes Cluster
+
+Deploy Sysdig Secure for Cloud in a provided existing Kubernetes Cluster.
+
+- Sysdig **Helm** charts will be used to deploy threat-detection and scanning modules
+  - [Cloud-Connector Chart](https://charts.sysdig.com/charts/cloud-connector/)
+  - [Cloud-Scanning Chart](https://charts.sysdig.com/charts/cloud-scanning/)
+  - Because these charts require specific AWS credentials to be passed by parameter, a new user + access key will be created within account. See [`credentials.tf`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/examples/single-account-k8s/credentials.tf)
+- Used arquitecture is similar to [single-account](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/examples/single-account) but changing ECS <---> with an existing EKS
+
+All the required resources and workloads will be run under the same AWS account.
+
+## Prerequisites
+
+Minimum requirements:
+
+1. AWS profile credentials configuration
+2. A Kubernetes cluster configured within your `~/.kube/config`
+3. Secure requirements, as input variable value
+    ```
+    sysdig_secure_api_token=<SECURE_API_TOKEN>
+    ```
+
+## Usage
+
+For quick testing, use this snippet on your terraform files
+
+```terraform
+module "secure_for_cloud_aws_single_account" {
+  source = "sysdiglabs/secure-for-cloud/aws//examples/single-account-k8s"
+
+  sysdig_secure_api_token        = "00000000-1111-2222-3333-444444444444"
+}
+```
+
+See [inputs summary](#inputs) or module module [`variables.tf`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/examples/single-account-k8s/variables.tf) file for more optional configuration.
+
+To run this example you need have your [aws account profile configured in CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) and to execute:
+```terraform
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Notice that:
+* This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
+* All created resources will be created within the tags `product:sysdig-secure-for-cloud`, within the resource-group `sysdig-secure-for-cloud`
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.50.0 |
+| <a name="requirement_helm"></a> [helm](#requirement\_helm) | >=2.3.0 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.19 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_helm"></a> [helm](#provider\_helm) | >=2.3.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_cloud_connector_sqs"></a> [cloud\_connector\_sqs](#module\_cloud\_connector\_sqs) | ../../modules/infrastructure/cloudtrail-subscription-sqs |  |
+| <a name="module_cloud_scanning_sqs"></a> [cloud\_scanning\_sqs](#module\_cloud\_scanning\_sqs) | ../../modules/infrastructure/cloudtrail-subscription-sqs |  |
+| <a name="module_cloudtrail"></a> [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail |  |
+| <a name="module_codebuild"></a> [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild |  |
+| <a name="module_credentials"></a> [credentials](#module\_credentials) | ../../modules/infrastructure/permissions/single-account-user |  |
+| <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | ../../modules/infrastructure/resource-group |  |
+| <a name="module_ssm"></a> [ssm](#module\_ssm) | ../../modules/infrastructure/ssm |  |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [helm_release.cloud_connector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.cloud_scanning](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_sysdig_secure_api_token"></a> [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig Secure API token | `string` | n/a | yes |
+| <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events. testing/economization purpose. | `bool` | `true` | no |
+| <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether s3 should be encrypted. testing/economization purpose. | `bool` | `true` | no |
+| <a name="input_name"></a> [name](#input\_name) | Name for the Cloud Vision deployment | `string` | `"sysdig-secure-for-cloud-k8s"` | no |
+| <a name="input_region"></a> [region](#input\_region) | Default region for resource creation in both organization master and secure-for-cloud member account | `string` | `"eu-central-1"` | no |
+| <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+
+## Authors
+
+Module is maintained and supported by [Sysdig](https://sysdig.com).
+
+## License
+
+Apache 2 Licensed. See LICENSE for full details.
@@ -0,0 +1,57 @@
+#-------------------------------------
+# requirements
+#-------------------------------------
+module "cloud_connector_sqs" {
+  source        = "../../modules/infrastructure/cloudtrail-subscription-sqs"
+  name          = "${var.name}-cloud_connector"
+  sns_topic_arn = module.cloudtrail.sns_topic_arn
+  tags          = var.tags
+}
+
+
+#-------------------------------------
+# cloud_connector
+#-------------------------------------
+resource "helm_release" "cloud_connector" {
+  name = "cloud-connector"
+
+  repository = "https://charts.sysdig.com"
+  chart      = "cloud-connector"
+
+  create_namespace = true
+  namespace        = var.name
+
+  set_sensitive {
+    name  = "sysdig.secureAPIToken"
+    value = var.sysdig_secure_api_token
+  }
+
+  set_sensitive {
+    name  = "aws.accessKeyId"
+    value = module.credentials.s4c_user_access_key_id
+  }
+
+  set_sensitive {
+    name  = "aws.secretAccessKey"
+    value = module.credentials.s4c_user_secret_access_key
+  }
+
+  set {
+    name  = "aws.region"
+    value = var.region
+  }
+
+  set {
+    name  = "sysdig.url"
+    value = var.sysdig_secure_endpoint
+  }
+
+  values = [
+    <<CONFIG
+ingestors:
+  - cloudtrail-sns-sqs:
+      queueURL: ${module.cloud_connector_sqs.cloudtrail_sns_subscribed_sqs_url}
+      interval: 60s
+CONFIG
+  ]
+}
@@ -0,0 +1,73 @@
+#-------------------------------------
+# requirements
+#-------------------------------------
+module "cloud_scanning_sqs" {
+  source        = "../../modules/infrastructure/cloudtrail-subscription-sqs"
+  name          = "${var.name}-cloud_scanning"
+  sns_topic_arn = module.cloudtrail.sns_topic_arn
+  tags          = var.tags
+}
+
+
+module "codebuild" {
+  source                       = "../../modules/infrastructure/codebuild"
+  name                         = var.name
+  secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
+
+  tags = var.tags
+  # note. this is required to avoid race conditions
+  depends_on = [module.ssm]
+}
+
+#-------------------------------------
+# cloud_scanning
+#-------------------------------------
+resource "helm_release" "cloud_scanning" {
+  name = "cloud-scanning"
+
+  repository = "https://charts.sysdig.com"
+  chart      = "cloud-scanning"
+
+  create_namespace = true
+  namespace        = var.name
+
+  set_sensitive {
+    name  = "aws.accessKeyId"
+    value = module.credentials.s4c_user_access_key_id
+  }
+
+  set_sensitive {
+    name  = "aws.secretAccessKey"
+    value = module.credentials.s4c_user_secret_access_key
+  }
+
+  set_sensitive {
+    name  = "sysdig.secureAPIToken"
+    value = var.sysdig_secure_api_token
+  }
+
+  set {
+    name  = "secureAPITokenSecret"
+    value = module.ssm.secure_api_token_secret_name
+  }
+
+  set {
+    name  = "aws.region"
+    value = var.region
+  }
+
+  set {
+    name  = "sysdig.url"
+    value = var.sysdig_secure_endpoint
+  }
+
+  set {
+    name  = "sqsQueueUrl"
+    value = module.cloud_scanning_sqs.cloudtrail_sns_subscribed_sqs_url
+  }
+
+  set {
+    name  = "codeBuildProject"
+    value = module.codebuild.project_name
+  }
+}
@@ -0,0 +1,13 @@
+module "credentials" {
+  source = "../../modules/infrastructure/permissions/single-account-user"
+  name   = var.name
+
+  secure_api_token_secret_name       = module.ssm.secure_api_token_secret_name
+  cloudtrail_s3_bucket_arn           = module.cloudtrail.s3_bucket_arn
+  cloudtrail_sns_subscribed_sqs_arns = [module.cloud_connector_sqs.cloudtrail_sns_subscribed_sqs_arn, module.cloud_scanning_sqs.cloudtrail_sns_subscribed_sqs_arn]
+  scanning_build_project_arn         = module.codebuild.project_arn
+
+  tags = var.tags
+  # required to avoid ParameterNotFound on tf-plan
+  depends_on = [module.ssm]
+}
@@ -0,0 +1,38 @@
+provider "aws" {
+  region = var.region
+}
+
+# TODO review ways to pass content as input var
+provider "helm" {
+  kubernetes {
+    config_path = "~/.kube/config"
+  }
+}
+
+
+#-------------------------------------
+# general resources
+#-------------------------------------
+
+module "resource_group" {
+  source = "../../modules/infrastructure/resource-group"
+  name   = var.name
+  tags   = var.tags
+}
+
+module "ssm" {
+  source                  = "../../modules/infrastructure/ssm"
+  name                    = var.name
+  sysdig_secure_api_token = var.sysdig_secure_api_token
+}
+
+module "cloudtrail" {
+  source = "../../modules/infrastructure/cloudtrail"
+  name   = var.name
+
+  is_organizational     = false
+  is_multi_region_trail = var.cloudtrail_is_multi_region_trail
+  cloudtrail_kms_enable = var.cloudtrail_kms_enable
+
+  tags = var.tags
+}
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ module "resource_group_secure_for_cloud_member" {`
`9`	`9`
`10`	`10`
`11`	`11`	`module "secure_for_cloud_role" {`
`12`		`- source = "../../modules/infrastructure/organizational/secure-for-cloud-role"`
	`12`	`+ source = "../../modules/infrastructure/permissions/org-management-role"`
`13`	`13`	`providers = {`
`14`	`14`	`aws.member = aws.member`
`15`	`15`	`}`