fix: Remove legacy benchmark task creation (#165)

nkraemer-sysdig · web-flow · commit b45d453d63a5 · 2023-03-21T11:16:34.000-07:00
Removes creation of a deprecated resource.

Benchmarks has been replaced by a new Compliance system, which is
triggered by the creation of the cloud account. The explicit creation of
a benchmark task is thus not needed, and is failing since the API has
been disabled.
diff --git a/examples/organizational/README.md b/examples/organizational/README.md
@@ -187,7 +187,6 @@ $ terraform apply
 |------|-------------|------|---------|:--------:|
 | <a name="input_sysdig_secure_for_cloud_member_account_id"></a> [sysdig\_secure\_for\_cloud\_member\_account\_id](#input\_sysdig\_secure\_for\_cloud\_member\_account\_id) | organizational member account where the secure-for-cloud workload is going to be deployed | `string` | n/a | yes |
 | <a name="input_autoscaling_config"></a> [autoscaling\_config](#input\_autoscaling\_config) | if enable\_autoscaliing is enabled, ECS autoscaling configuration. for more insight check source code | <pre>object({<br>    min_replicas        = number<br>    max_replicas        = number<br>    upscale_threshold   = number<br>    downscale_threshold = number<br>  })</pre> | <pre>{<br>  "downscale_threshold": 30,<br>  "max_replicas": 15,<br>  "min_replicas": 2,<br>  "upscale_threshold": 60<br>}</pre> | no |
-| <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
 | <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether the created cloudtrail will ingest multi-regional events. testing/economization purpose. | `bool` | `true` | no |
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether the created cloudtrail should deliver encrypted events to s3 | `bool` | `true` | no |
 | <a name="input_cloudtrail_s3_bucket_expiration_days"></a> [cloudtrail\_s3\_bucket\_expiration\_days](#input\_cloudtrail\_s3\_bucket\_expiration\_days) | Number of days that the logs will persist in the bucket | `number` | `5` | no |
diff --git a/examples/organizational/cloud-bench.tf b/examples/organizational/cloud-bench.tf
@@ -9,7 +9,6 @@ module "cloud_bench_org" {
   name              = "${var.name}-cloudbench"
   is_organizational = true
   region            = data.aws_region.current.name
-  benchmark_regions = var.benchmark_regions
 
   tags = var.tags
 }
@@ -25,7 +24,6 @@ module "cloud_bench_single" {
   name              = "${var.name}-cloudbench"
   is_organizational = false
   region            = data.aws_region.current.name
-  benchmark_regions = var.benchmark_regions
 
   tags = var.tags
 }
diff --git a/examples/organizational/variables.tf b/examples/organizational/variables.tf
@@ -126,12 +126,6 @@ variable "deploy_benchmark_organizational" {
   description = "true/false whether benchmark module should be deployed on organizational or single-account mode (1 role per org accounts if true, 1 role in default aws provider account if false)</li></ul>"
 }
 
-variable "benchmark_regions" {
-  type        = list(string)
-  description = "List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default."
-  default     = []
-}
-
 
 #---------------------------------
 # ecs, security group,  vpc
diff --git a/examples/single-account-apprunner/README.md b/examples/single-account-apprunner/README.md
@@ -96,7 +96,6 @@ $ terraform apply
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
 | <a name="input_cloudconnector_ecr_image_uri"></a> [cloudconnector\_ecr\_image\_uri](#input\_cloudconnector\_ecr\_image\_uri) | URI to cloudconnectors image on ECR | `string` | `"public.ecr.aws/o5x4u2t4/cloud-connector:latest"` | no |
 | <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events | `bool` | `true` | no |
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no |
diff --git a/examples/single-account-apprunner/benchmark.tf b/examples/single-account-apprunner/benchmark.tf
@@ -2,8 +2,6 @@ module "cloud_bench" {
   source = "../../modules/services/cloud-bench"
   count  = var.deploy_benchmark ? 1 : 0
 
-  name              = "${var.name}-cloudbench"
-  benchmark_regions = var.benchmark_regions
-
+  name = "${var.name}-cloudbench"
   tags = var.tags
 }
diff --git a/examples/single-account-apprunner/variables.tf b/examples/single-account-apprunner/variables.tf
@@ -58,12 +58,6 @@ variable "deploy_benchmark" {
   default     = true
 }
 
-variable "benchmark_regions" {
-  type        = list(string)
-  description = "List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default."
-  default     = []
-}
-
 #
 # general
 #
diff --git a/examples/single-account-ecs/README.md b/examples/single-account-ecs/README.md
@@ -98,7 +98,6 @@ $ terraform apply
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_autoscaling_config"></a> [autoscaling\_config](#input\_autoscaling\_config) | if enable\_autoscaliing is enabled, ECS autoscaling configuration. for more insight check source code | <pre>object({<br>    min_replicas        = number<br>    max_replicas        = number<br>    upscale_threshold   = number<br>    downscale_threshold = number<br>  })</pre> | <pre>{<br>  "downscale_threshold": 30,<br>  "max_replicas": 10,<br>  "min_replicas": 1,<br>  "upscale_threshold": 60<br>}</pre> | no |
-| <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
 | <a name="input_cloud_connector_image"></a> [cloud\_connector\_image](#input\_cloud\_connector\_image) | Image to use for the cloud connector. If empty, the default image will be used. | `string` | `"quay.io/sysdig/cloud-connector:latest"` | no |
 | <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events | `bool` | `true` | no |
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no |
diff --git a/examples/single-account-ecs/benchmark.tf b/examples/single-account-ecs/benchmark.tf
@@ -2,8 +2,6 @@ module "cloud_bench" {
   source = "../../modules/services/cloud-bench"
   count  = var.deploy_benchmark ? 1 : 0
 
-  name              = "${var.name}-cloudbench"
-  benchmark_regions = var.benchmark_regions
-
+  name = "${var.name}-cloudbench"
   tags = var.tags
 }
diff --git a/examples/single-account-ecs/variables.tf b/examples/single-account-ecs/variables.tf
@@ -110,12 +110,6 @@ variable "deploy_benchmark" {
   default     = true
 }
 
-variable "benchmark_regions" {
-  type        = list(string)
-  description = "List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default."
-  default     = []
-}
-
 #
 # cloud connector connector configuration
 #
diff --git a/examples/single-account-k8s/README.md b/examples/single-account-k8s/README.md
@@ -114,7 +114,6 @@ $ terraform apply
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
 | <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events. testing/economization purpose. | `bool` | `true` | no |
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether s3 should be encrypted. testing/economization purpose. | `bool` | `true` | no |
 | <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If defaulted, a new cloudtrail will be created. If specified, deployment region must match Cloudtrail S3 bucket region | `string` | `"create"` | no |
diff --git a/examples/single-account-k8s/benchmark.tf b/examples/single-account-k8s/benchmark.tf
@@ -2,8 +2,6 @@ module "cloud_bench" {
   source = "../../modules/services/cloud-bench"
   count  = var.deploy_benchmark ? 1 : 0
 
-  name              = "${var.name}-cloudbench"
-  benchmark_regions = var.benchmark_regions
-
+  name = "${var.name}-cloudbench"
   tags = var.tags
 }
diff --git a/examples/single-account-k8s/variables.tf b/examples/single-account-k8s/variables.tf
@@ -69,11 +69,6 @@ variable "deploy_benchmark" {
   description = "Whether to deploy or not the cloud benchmarking"
   default     = true
 }
-variable "benchmark_regions" {
-  type        = list(string)
-  description = "List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default."
-  default     = []
-}
 
 #
 # aws iam user configuration
diff --git a/modules/services/cloud-bench/README.md b/modules/services/cloud-bench/README.md
@@ -21,15 +21,13 @@ This module will be deployed as a StackSet and it will take into account newly m
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.62.0 |
-| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.1.0 |
 | <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.29 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.62.0 |
-| <a name="provider_random"></a> [random](#provider\_random) | >= 3.1.0 |
 | <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | >= 0.5.29 |
 
 ## Modules
@@ -44,9 +42,6 @@ No modules.
 | [aws_cloudformation_stack_set_instance.stackset_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
 | [aws_iam_role.cloudbench_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.cloudbench_security_audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [random_integer.hour](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) | resource |
-| [random_integer.minute](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) | resource |
-| [sysdig_secure_benchmark_task.benchmark_task](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_benchmark_task) | resource |
 | [sysdig_secure_cloud_account.cloud_account](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_account) | resource |
 | [aws_caller_identity.me](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy.security_audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
@@ -58,7 +53,6 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
 | <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | true/false whether secure-for-cloud should be deployed in an organizational setup (all accounts of org) or not (only on default aws provider account) | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name of the IAM Role that will be created. | `string` | `"sfc-cloudbench"` | no |
 | <a name="input_provision_caller_account"></a> [provision\_caller\_account](#input\_provision\_caller\_account) | true/false whether to provision the aws provider account (if is\_organizational=true management account, if is\_organizational=false it will depend on the provider setup on the caller module | `bool` | `true` | no |
diff --git a/modules/services/cloud-bench/main.tf b/modules/services/cloud-bench/main.tf
@@ -16,10 +16,6 @@ locals {
   caller_account        = data.aws_caller_identity.me.account_id
   member_account_ids    = var.is_organizational ? [for a in data.aws_organizations_organization.org[0].non_master_accounts : a.id] : []
   account_ids_to_deploy = var.is_organizational && var.provision_caller_account ? concat(local.member_account_ids, [data.aws_organizations_organization.org[0].master_account_id]) : local.member_account_ids
-
-  benchmark_task_name   = var.is_organizational ? "Organization: ${data.aws_organizations_organization.org[0].id}" : local.caller_account
-  accounts_scope_clause = var.is_organizational ? "aws.accountId in (\"${join("\", \"", local.account_ids_to_deploy)}\")" : "aws.accountId = \"${local.caller_account}\""
-  regions_scope_clause  = length(var.benchmark_regions) == 0 ? "" : " and aws.region in (\"${join("\", \"", var.benchmark_regions)}\")"
 }
 
 #----------------------------------------------------------
@@ -46,31 +42,6 @@ locals {
   )
 }
 
-resource "random_integer" "minute" {
-  max = 59
-  min = 0
-}
-
-resource "random_integer" "hour" {
-  max = 23
-  min = 0
-}
-
-resource "sysdig_secure_benchmark_task" "benchmark_task" {
-  name     = "Sysdig Secure for Cloud (AWS) - ${local.benchmark_task_name} - ${var.name}"
-  schedule = "${random_integer.minute.result} ${random_integer.hour.result} * * *"
-  schema   = "aws_foundations_bench-1.3.0"
-  scope    = "${local.accounts_scope_clause}${local.regions_scope_clause}"
-
-  # Creation of a task requires that the Cloud Account already exists in the backend, and has `role_enabled = true`
-  # We only want to create the task once the rust relationship is established, otherwise running the task will fail.
-  depends_on = [
-    sysdig_secure_cloud_account.cloud_account,
-    aws_iam_role_policy_attachment.cloudbench_security_audit, # Depends on cloudbench_role implicitly
-  ]
-}
-
-
 #----------------------------------------------------------
 # If this is not an Organizational deploy, create role/polices directly
 #----------------------------------------------------------
diff --git a/modules/services/cloud-bench/variables.tf b/modules/services/cloud-bench/variables.tf
@@ -20,12 +20,6 @@ variable "region" {
   description = "Default region for resource creation in organization mode"
 }
 
-variable "benchmark_regions" {
-  type        = list(string)
-  description = "List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default."
-  default     = []
-}
-
 variable "provision_caller_account" {
   type        = bool
   default     = true
diff --git a/modules/services/cloud-bench/versions.tf b/modules/services/cloud-bench/versions.tf
@@ -1,11 +1,6 @@
 terraform {
   required_version = ">= 1.0.0"
   required_providers {
-    random = {
-      source  = "hashicorp/random"
-      version = ">= 3.1.0"
-    }
-
     aws = {
       version = ">= 3.62.0"
     }

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,6 @@ module "cloud_bench_org" {`
`9`	`9`	`name = "${var.name}-cloudbench"`
`10`	`10`	`is_organizational = true`
`11`	`11`	`region = data.aws_region.current.name`
`12`		`- benchmark_regions = var.benchmark_regions`
`13`	`12`
`14`	`13`	`tags = var.tags`
`15`	`14`	`}`
`@@ -25,7 +24,6 @@ module "cloud_bench_single" {`
`25`	`24`	`name = "${var.name}-cloudbench"`
`26`	`25`	`is_organizational = false`
`27`	`26`	`region = data.aws_region.current.name`
`28`		`- benchmark_regions = var.benchmark_regions`
`29`	`27`
`30`	`28`	`tags = var.tags`
`31`	`29`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,8 +2,6 @@ module "cloud_bench" {`
`2`	`2`	`source = "../../modules/services/cloud-bench"`
`3`	`3`	`count = var.deploy_benchmark ? 1 : 0`
`4`	`4`
`5`		`- name = "${var.name}-cloudbench"`
`6`		`- benchmark_regions = var.benchmark_regions`
`7`		`-`
	`5`	`+ name = "${var.name}-cloudbench"`
`8`	`6`	`tags = var.tags`
`9`	`7`	`}`
Original file line number	Diff line number	Diff line change
`@@ -58,12 +58,6 @@ variable "deploy_benchmark" {`
`58`	`58`	`default = true`
`59`	`59`	`}`
`60`	`60`
`61`		`-variable "benchmark_regions" {`
`62`		`- type = list(string)`
`63`		`- description = "List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default."`
`64`		`- default = []`
`65`		`-}`
`66`		`-`
`67`	`61`	`#`
`68`	`62`	`# general`
`69`	`63`	`#`
Original file line number	Diff line number	Diff line change
`@@ -110,12 +110,6 @@ variable "deploy_benchmark" {`
`110`	`110`	`default = true`
`111`	`111`	`}`
`112`	`112`
`113`		`-variable "benchmark_regions" {`
`114`		`- type = list(string)`
`115`		`- description = "List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default."`
`116`		`- default = []`
`117`		`-}`
`118`		`-`
`119`	`113`	`#`
`120`	`114`	`# cloud connector connector configuration`
`121`	`115`	`#`