feature: organizational use-case (#77)

Author: iru

.gitignore

@@ -1,4 +1,6 @@
 packaged-template.yaml
 *.zip
 .idea/
-.DS_Store
+.DS_Store
+
+.envrc

.pre-commit-config.yaml

@@ -0,0 +1,8 @@
+repos:
+ - repo: local
+    hooks:
+    -   id: format
+        pass_filenames: false
+        name: lint
+        entry: make -C templates_apprunner lint && make -C templates_ecs lint
+        language: system

CONTRIBUTE.md

@@ -0,0 +1,71 @@
+
+## Contribute
+
+### Release
+
+Templates are [uploaded on the CI release cycle](https://github.com/sysdiglabs/aws-cloudvision-templates/blob/main/.github/workflows/release.yaml#L63) to `cf-templates-cloudvision-ci` on Sysdig `draios-demo` account.
+
+Leading to the latest entry-point, which will be used on the Sysdig Secure > Getting Started > AWS Cloudformation
+<br/>`https://cf-templates-cloudvision-ci.s3-eu-west-1.amazonaws.com/master/entry-point.yaml`
+
+
+### Pull Request
+
+When the PR is drafted, a new template will be available for testing:
+- For ECS
+  <br/>`https://cf-templates-cloudvision-ci.s3-eu-west-1.amazonaws.com/ecs/pr/<PR_NAME>/entry-point.yaml`
+- For AppRunner
+  <br/>`https://cf-templates-cloudvision-ci.s3-eu-west-1.amazonaws.com/apprunner/pr/<PR_NAME>/entry-point.yaml`
+
+
+### Testing
+
+see [Makefile](templates_ecs/Makefile)
+
+#### Validation
+
+ECS:
+
+```bash
+$ aws cloudformation validate-template --template-body file://./templates_ecs/CloudVision.yaml
+```
+
+AppRunner:
+
+```bash
+$ aws cloudformation validate-template --template-body file://./templates_apprunner/SecureForCloudAppRunner.yaml
+```
+
+#### Launch Template
+
+ECS full cycle:
+
+```
+-- test
+$ aws cloudformation delete-stack --stack-name test ; \
+sleep 10 ; \
+aws cloudformation deploy --template-file templates_ecs/CloudVision.yaml --stack-name test ; \
+aws cloudformation describe-stack-events --stack-name test
+```
+
+AppRunner full cycle:
+
+```
+-- test
+$ aws cloudformation delete-stack --stack-name test ; \
+sleep 10 ; \
+aws cloudformation deploy --template-file templates_apprunner/SecureForCloudAppRunner.yaml --stack-name test ; \
+aws cloudformation describe-stack-events --stack-name test
+```
+
+#### Test Template wizard (UI)
+  ```
+  Aws console > cloudformation > create new stack (template, upload template: select ./templates/Cloudvision.yaml)
+  ```
+- note: this will upload the template into an s3 bucket, remember to delete it afterwards
+
+
+#### Cleanup
+
+Delete stack to clean test environment. [CFT limitation does not allow to automatically delete non-empty S3 bucket](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html), so Stack deletion will fail when you request it. Delete S3 bucket manually and relaunch deletion for a full cleanup.
+

DecissionRecord.md

@@ -0,0 +1,43 @@
+# Decision Record
+
+## 2022.05.19 - helm chart deployment
+
+Analysed possible ways of deploying things into k8s through cloudformation.
+Not official but aws-quickstart team offers cloudformation [AWSQS::Kubernetes::Helm](https://github.com/aws-quickstart/quickstart-helm-resource-provider/blob/main/README.md) cloudformation resource.
+
+Resolution: not implemented due to client not needing cloudformation, due to using Spinnaker for Helm deployments.
+
+
+## 2022.05.13 - organizational/multi-account deployment method
+
+https://github.com/sysdiglabs/aws-templates-secure-for-cloud/pull/77
+
+client needs to deploy things on different levels of accounts
+1. management account, requires the creation of a SysdiRole to be able to get organizational cloudtrail data (+s3,sns)
+2. all member accounts, require the creation of a SysdigAgentlessRole for benchmark
+3. sysdig workload (ecs,apprunner or eks) must be deployed on a selected member account.
+
+Each requirement is separated on its own `Stack` and put all together on a `Stackset` 
+We can make use the [`AWS::CloudFormation::StackSet` `StackInstancesGroup.DeploymentTargets`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudformation-stackset-stackinstances.html#cfn-cloudformation-stackset-stackinstances-deploymenttargets)
+attribute to configure where (org unit or account) to deploy what.
+
+Resolution: none of this is developed yet, because client did not need cloudformation in the end we just delivered a use-case.
+
+
+## 2022.05.13 - organizational/manual sysdig pre-setup - bash scripts
+
+https://github.com/sysdiglabs/aws-templates-secure-for-cloud/pull/77
+
+for Compliance feature, on self-baked use-cases (which are not launched from the Sysdig Onboarding page)
+a pre-setup must be made on Sysdig Secure backend for cloud-account(s) and compliance task provisioning.
+
+a setup guide is given to the client to execute manually (1. sysdig provisioning > 2. aws provisioning > 3. validation)
+Options to automatize this I researched are
+- https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-awsutilities-commandrunner
+- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-init.html
+
+Think these options would only complicate things (bash script maintenance and troubleshooting), not worthy automatizing.
+
+Resolution: we will provide a utility script to handle this from outside cloudformation templates.
+
+

README.md

@@ -1,80 +1,46 @@
-# Sysdig CloudVision for AWS
+# Sysdig Secure for Cloud in AWS - Cloudformation Templates
 
-This repository contains the CloudFormation templates to deploy the Sysdig
-CloudVision suite in an AWS Account using ECS or AppRunner.
+This repository contains the CloudFormation templates to deploy [Sysdig Secure for Cloud](https://docs.sysdig.com/en/docs/sysdig-secure/sysdig-secure-for-cloud/)
+suite.
 
-**[Deploy ECS latest version!](https://console.aws.amazon.com/cloudformation/home#/stacks/quickCreate?stackName=Sysdig-CloudVision&templateURL=https://cf-templates-cloudvision-ci.s3-eu-west-1.amazonaws.com/ecs/latest/entry-point.yaml)**
+## UseCases
 
-**[Deploy AppRunner latest version!](https://console.aws.amazon.com/cloudformation/home#/stacks/quickCreate?stackName=Sysdig-CloudVision&templateURL=https://cf-templates-cloudvision-ci.s3-eu-west-1.amazonaws.com/apprunner/latest/entry-point.yaml)**
+If you're unsure about what/how to use this module, please fill the [questionnaire](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/use-cases/_questionnaire.md) report as an issue and let us know your context, we will be happy to help and improve our module.
 
-## Contribute
+### Single-Account
 
+Deploy the latest versions using one of the workloads that most suit you:
 
-### Release
+#### ECS-based workload
 
-Templates are [uploaded on the CI release cycle](https://github.com/sysdiglabs/aws-cloudvision-templates/blob/main/.github/workflows/release.yaml#L63) to `cf-templates-cloudvision-ci` on Sysdig `draios-demo` account.
+[Template for ECS workload](https://console.aws.amazon.com/cloudformation/home#/stacks/quickCreate?stackName=Sysdig-CloudVision&templateURL=https://cf-templates-cloudvision-ci.s3-eu-west-1.amazonaws.com/ecs/latest/entry-point.yaml)
+ 
+![single-account diagram](https://raw.githubusercontent.com/sysdiglabs/terraform-aws-secure-for-cloud/master/examples/single-account-ecs/diagram-single.png)
 
-Leading to the latest entry-point, which will be used on the Sysdig Secure > Getting Started > AWS Cloudformation
-<br/>`https://cf-templates-cloudvision-ci.s3-eu-west-1.amazonaws.com/master/entry-point.yaml`
 
+#### AppRunner-based workload
 
-### Pull Request
+Less resource-demanding and economic deployment (ECS requires VPCs and Gateways), but Apprunner is not available on all regions yet
 
-When the PR is drafted, a new template will be available for testing:  
-- For ECS
-  <br/>`https://cf-templates-cloudvision-ci.s3-eu-west-1.amazonaws.com/ecs/pr/<PR_NAME>/entry-point.yaml`
-- For AppRunner
-  <br/>`https://cf-templates-cloudvision-ci.s3-eu-west-1.amazonaws.com/apprunner/pr/<PR_NAME>/entry-point.yaml`
+[Template for AppRunner workload](https://console.aws.amazon.com/cloudformation/home#/stacks/quickCreate?stackName=Sysdig-CloudVision&templateURL=https://cf-templates-cloudvision-ci.s3-eu-west-1.amazonaws.com/apprunner/latest/entry-point.yaml)
 
+![single-account diagram on apprunner](https://raw.githubusercontent.com/sysdiglabs/terraform-aws-secure-for-cloud/master/examples/single-account-apprunner/diagram-single.png)
 
-### Testing
 
-see [Makefile](templates_ecs/Makefile)
+If needed, we also have an <a href="https://github.com/sysdiglabs/terraform-aws-secure-for-cloud">Sysdig Secure for Cloud Terraform version</a>
 
-#### Validation
 
-ECS:
+## Organizational
 
-```bash
-$ aws cloudformation validate-template --template-body file://./templates_ecs/CloudVision.yaml
-```
+No official templates available yet.
 
-AppRunner:
+Find some [organizational use-case](./use_cases/org-k8s) as reference and contact us for support.
 
-```bash
-$ aws cloudformation validate-template --template-body file://./templates_apprunner/SecureForCloudAppRunner.yaml
-```
+---
+## Authors
 
-#### Launch Template
+Module is maintained and supported by [Sysdig](https://sysdig.com).
 
-ECS full cycle:
-
-```
--- test
-$ aws cloudformation delete-stack --stack-name test ; \
-sleep 10 ; \
-aws cloudformation deploy --template-file templates_ecs/CloudVision.yaml --stack-name test ; \
-aws cloudformation describe-stack-events --stack-name test
-```
-
-AppRunner full cycle:
-
-```
--- test
-$ aws cloudformation delete-stack --stack-name test ; \
-sleep 10 ; \
-aws cloudformation deploy --template-file templates_apprunner/SecureForCloudAppRunner.yaml --stack-name test ; \
-aws cloudformation describe-stack-events --stack-name test
-```
-
-#### Test Template wizard (UI)
-  ```
-  Aws console > cloudformation > create new stack (template, upload template: select ./templates/Cloudvision.yaml)
-  ```
-  - note: this will upload the template into an s3 bucket, remember to delete it afterwards 
-
-
-#### Cleanup
-
-Delete stack to clean test environment. [CFT limitation does not allow to automatically delete non-empty S3 bucket](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html), so Stack deletion will fail when you request it. Delete S3 bucket manually and relaunch deletion for a full cleanup.
+## License
 
+Apache 2 Licensed. See LICENSE for full details.