refactor: cloud-connector config depends on ecs o ecr deploy (#56)

Author: hayk99

templates/CloudConnector.yaml

@@ -43,10 +43,26 @@ Parameters:
       - "No"
     Default: "Yes"
     Description: Whether to deploy cloud scanning or not
+  ECRImageScanningDeploy:
+    Type: String
+    AllowedValues:
+      - "Yes"
+      - "No"
+    Default: "Yes"
+    Description: Whether to deploy ECR Image Scanning or not
+  ECSImageScanningDeploy:
+    Type: String
+    AllowedValues:
+      - "Yes"
+      - "No"
+    Default: "Yes"
+    Description: Whether to deploy ECS Image Scanning or not
 
 Conditions:
   VerifySSL: !Equals [ !Ref VerifySSL, "Yes" ]
   DeployCloudScanning: !Equals [ !Ref DeployCloudScanning, "Yes"]
+  ECRImageScanningDeploy: !Equals [ !Ref ECRImageScanningDeploy, "Yes"]
+  ECSImageScanningDeploy: !Equals [ !Ref ECSImageScanningDeploy, "Yes"]
 
 Resources:
 
@@ -231,15 +247,31 @@ Resources:
                     Scanners:
                       'Fn::If':
                         - DeployCloudScanning
-                        - !Sub |
+                        - !Sub
+                            - |
 
-                          - aws-ecr:
-                                codeBuildProject: ${BuildProject}
-                                secureAPITokenSecretName: ${SysdigSecureAPITokenSsm}
-                          - aws-ecs:
-                              codeBuildProject: ${BuildProject}
-                              secureAPITokenSecretName: ${SysdigSecureAPITokenSsm}
+                              ${ECRCode}
+                              ${ECSCode}
+                            - ECRCode:
+                                'Fn::If':
+                                  - ECRImageScanningDeploy
+                                  - !Sub |
+
+                                    - aws-ecr:
+                                          codeBuildProject: ${BuildProject}
+                                          secureAPITokenSecretName: ${SysdigSecureAPITokenSsm}
+                                  - ""
+                              ECSCode:
+                                'Fn::If':
+                                  - ECSImageScanningDeploy
+                                  - !Sub |
+
+                                    - aws-ecs:
+                                          codeBuildProject: ${BuildProject}
+                                          secureAPITokenSecretName: ${SysdigSecureAPITokenSsm}
+                                  - ""
                         - "[]"
+
           Secrets:
             - Name: SECURE_URL
               ValueFrom: !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${SysdigSecureEndpointSsm}

templates/CloudVision.yaml

@@ -126,6 +126,8 @@ Conditions:
   DeployCloudScanning: !Or
     - !Equals [!Ref ECRImageScanningDeploy, "Yes"]
     - !Equals [!Ref ECSImageScanningDeploy, "Yes"]
+  ECRImageScanningDeploy: !Equals [ !Ref ECRImageScanningDeploy, "Yes"]
+  ECSImageScanningDeploy: !Equals [ !Ref ECSImageScanningDeploy, "Yes"]
   DeployCloudTrail: !And
     - !Condition RequiresCloudTrail
     - !Or
@@ -218,6 +220,8 @@ Resources:
         BuildProject: !If [ DeployCloudScanning, !GetAtt [ "ScanningCodeBuildStack", "Outputs.BuildProject" ], ""]
         CloudTrailTopic: !If [ DeployCloudTrail, !GetAtt ["CloudTrailStack", "Outputs.Topic"], !Ref ExistentCloudTrailSNSTopic ]
         DeployCloudScanning: !If [ DeployCloudScanning, "Yes", "No" ]
+        ECRImageScanningDeploy: !If [ ECRImageScanningDeploy, "Yes", "No"]
+        ECSImageScanningDeploy: !If [ ECSImageScanningDeploy, "Yes", "No"]
 
   CloudAgentlessRole:
     Type: AWS::CloudFormation::Stack

templates/Makefile

@@ -2,7 +2,7 @@ S3_BUCKET ?= "s4c-cft"
 S3_PREFIX ?= "test"
 # We need the REGION or the TemplateURLs might be created for a different region, resulting in a deployment error
 S3_REGION ?= "eu-west-1"
-SECURE_API_TOKEN="2732cad7-edee-4e23-aaea-a6671ceef7af"
+SECURE_API_TOKEN=""
 
 .PHONY: packaged-template.yaml