From fb9c86970b2f364e69e3d24c3a9cc6dfa049606a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Gonz=C3=A1lez=20Diez?= Date: Thu, 23 Jun 2022 13:29:53 +0200 Subject: [PATCH 1/2] feat: enable scanner version2 --- templates_apprunner/CloudConnector.yaml | 33 +++++++++----- .../SecureForCloudAppRunner.yaml | 10 +++++ templates_ecs/CloudConnector.yaml | 45 +++++++++++-------- templates_ecs/CloudVision.yaml | 10 +++++ 4 files changed, 68 insertions(+), 30 deletions(-) diff --git a/templates_apprunner/CloudConnector.yaml b/templates_apprunner/CloudConnector.yaml index 69057b7..42e4e0b 100644 --- a/templates_apprunner/CloudConnector.yaml +++ b/templates_apprunner/CloudConnector.yaml @@ -48,12 +48,20 @@ Parameters: - "No" Default: "Yes" Description: Whether to deploy ECS Image Scanning or not + UseScanningV2: + Type: String + AllowedValues: + - "Yes" + - "No" + Default: "No" + Description: Whether to deploy Image Scanner V2 Conditions: VerifySSL: !Equals [ !Ref VerifySSL, "Yes" ] DeployCloudScanning: !Equals [ !Ref DeployCloudScanning, "Yes"] ECRImageScanningDeploy: !Equals [ !Ref ECRImageScanningDeploy, "Yes"] ECSImageScanningDeploy: !Equals [ !Ref ECSImageScanningDeploy, "Yes"] + UseScanningV2: !Equals [ !Ref UseScanningV2, "Yes"] Resources: 
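Review bot: The Description of the new `UseScanningV2` parameter in this Parameters hunk does not say that the switch only changes how the ECR/ECS scanners are configured and has no effect when `ECRImageScanningDeploy` and `ECSImageScanningDeploy` are both "No". Suggest `Description: Use Image Scanner V2 (inline) instead of the CodeBuild-based scanner for the ECR/ECS scanners; only takes effect when ECR or ECS image scanning is deployed`. The `UseScanningV2` condition is used on its own in the Scanners block, which is fine, but a reader of the parameter list cannot tell that the two switches are dependent. The same parameter and description are added to templates_ecs/CloudConnector.yaml in the first hunk of that file in this patch, where the same wording change applies.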
@@ -125,26 +133,29 @@ Resources: - DeployCloudScanning - !Sub - | - ${ECRCode} ${ECSCode} - ECRCode: 'Fn::If': - ECRImageScanningDeploy - - !Sub | - - - aws-ecr: - codeBuildProject: ${BuildProject} - secureAPITokenSecretName: ${SysdigSecureAPITokenSsm} + - !If | + - UseScanningV2 + - "- aws-ecr-inline: {}" + - !Sub | + - aws-ecr: + codeBuildProject: ${BuildProject} + secureAPITokenSecretName: ${SysdigSecureAPITokenSsm} - "" ECSCode: 'Fn::If': - ECSImageScanningDeploy - - !Sub | - - - aws-ecs: - codeBuildProject: ${BuildProject} - secureAPITokenSecretName: ${SysdigSecureAPITokenSsm} + - !If | + - UseScanningV2 + - "- aws-ecs-inline: {}" + - !Sub | + - aws-ecs: + codeBuildProject: ${BuildProject} + secureAPITokenSecretName: ${SysdigSecureAPITokenSsm} - "" - "[]" diff --git a/templates_apprunner/SecureForCloudAppRunner.yaml b/templates_apprunner/SecureForCloudAppRunner.yaml index 3908521..60a93b9 100644 --- a/templates_apprunner/SecureForCloudAppRunner.yaml +++ b/templates_apprunner/SecureForCloudAppRunner.yaml @@ -41,8 +41,17 @@ Metadata: default: "Do you want to deploy Fargate Image Scanning?" ExistentCloudTrailSNSTopic: default: "CloudTrail SNS Topic" + UseScanningV2: + default: "Do you want to use image scanner version 2?" Parameters: + UseScanningV2: + Type: String + AllowedValues: + - "Yes" + - "No" + Default: "No" + ECRImageScanningDeploy: Type: String AllowedValues: @@ -154,6 +163,7 @@ Resources: DeployCloudScanning: !If [ DeployCloudScanning, "Yes", "No" ] ECRImageScanningDeploy: !If [ ECRImageScanningDeploy, "Yes", "No"] ECSImageScanningDeploy: !If [ ECSImageScanningDeploy, "Yes", "No"] + UseScanningV2: !If [ UseScanningV2, "Yes", "No"] CloudAgentlessRole: Type: AWS::CloudFormation::Stack diff --git a/templates_ecs/CloudConnector.yaml b/templates_ecs/CloudConnector.yaml index fa794d4..0ff615a 100644 --- a/templates_ecs/CloudConnector.yaml +++ b/templates_ecs/CloudConnector.yaml 
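Review bot: The V2 branches `- "- aws-ecr-inline: {}"` and `- "- aws-ecs-inline: {}"` no longer reference `${BuildProject}` or `${SysdigSecureAPITokenSsm}`, yet nothing in this commit conditions the CodeBuild project or its IAM role on the V1 path; if those resources are still created unconditionally elsewhere in the template (not visible in the hunk), a V2 deployment carries an unused build project and role with whatever permissions it has. Consider adding a condition such as `UseScanningV1: !Not [ !Condition UseScanningV2 ]` and putting `Condition: UseScanningV1` on the CodeBuild project and its role so they only exist when they are used. The V2 strings also carry no `secureAPITokenSecretName`, so where the inline scanner gets its Sysdig Secure credentials is not visible here; a short comment next to the `!If` stating that would help the next reader. The enclosing Scanners `Fn::If` block starts before this hunk, and the same pattern is repeated in the Scanners hunk of templates_ecs/CloudConnector.yaml.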
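Review bot: The new top-level `UseScanningV2` parameter in the SecureForCloudAppRunner.yaml Parameters hunk is added without a `Description`, unlike the nested-template copy in templates_apprunner/CloudConnector.yaml, and while the commit adds a `ParameterLabels` entry it is not visible whether the parameter is also listed under `ParameterGroups`; if it is not, the console wizard places it in an unnamed group at the bottom. Suggest adding `Description: Use Image Scanner V2 (inline scanning) instead of the CodeBuild-based scanner for ECR/ECS image scanning` after `Default: "No"`. The same applies to the identical hunk in templates_ecs/CloudVision.yaml.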
@@ -48,21 +48,29 @@ Parameters: AllowedValues: - "Yes" - "No" - Default: "Yes" + Default: "No" Description: Whether to deploy ECR Image Scanning or not ECSImageScanningDeploy: Type: String AllowedValues: - "Yes" - "No" - Default: "Yes" + Default: "No" Description: Whether to deploy ECS Image Scanning or not + UseScanningV2: + Type: String + AllowedValues: + - "Yes" + - "No" + Default: "No" + Description: Whether to deploy Image Scanner V2 Conditions: VerifySSL: !Equals [ !Ref VerifySSL, "Yes" ] DeployCloudScanning: !Equals [ !Ref DeployCloudScanning, "Yes"] ECRImageScanningDeploy: !Equals [ !Ref ECRImageScanningDeploy, "Yes"] ECSImageScanningDeploy: !Equals [ !Ref ECSImageScanningDeploy, "Yes"] + UseScanningV2: !Equals [ !Ref UseScanningV2, "Yes"] Resources: @@ -224,41 +232,40 @@ Resources: "Fn::Base64": !Sub - | - rules: - - s3: - bucket: ${S3ConfigBucket} - path: rules + rules: [] ingestors: - cloudtrail-sns-sqs: queueURL: ${CloudTrailQueue} scanners: ${Scanners} - - S3ConfigBucket: !Ref S3ConfigBucket - CloudTrailQueue: !Ref CloudTrailQueue + - CloudTrailQueue: !Ref CloudTrailQueue Scanners: 'Fn::If': - DeployCloudScanning - !Sub - | - ${ECRCode} ${ECSCode} - ECRCode: 'Fn::If': - ECRImageScanningDeploy - - !Sub | - - - aws-ecr: - codeBuildProject: ${BuildProject} - secureAPITokenSecretName: ${SysdigSecureAPITokenSsm} + - !If | + - UseScanningV2 + - "- aws-ecr-inline: {}" + - !Sub | + - aws-ecr: + codeBuildProject: ${BuildProject} + secureAPITokenSecretName: ${SysdigSecureAPITokenSsm} - "" ECSCode: 'Fn::If': - ECSImageScanningDeploy - - !Sub | - - - aws-ecs: - codeBuildProject: ${BuildProject} - secureAPITokenSecretName: ${SysdigSecureAPITokenSsm} + - !If | + - UseScanningV2 + - "- aws-ecs-inline: {}" + - !Sub | + - aws-ecs: + codeBuildProject: ${BuildProject} + secureAPITokenSecretName: ${SysdigSecureAPITokenSsm} - "" - "[]" diff --git a/templates_ecs/CloudVision.yaml b/templates_ecs/CloudVision.yaml index f2845cb..19a86c8 100644 
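Review bot: Changing the `Default` of `ECRImageScanningDeploy` and `ECSImageScanningDeploy` from "Yes" to "No" in this Parameters hunk is a behavior change that the commit title (enable scanner version2) does not mention, and it leaves this nested template inconsistent with templates_apprunner/CloudConnector.yaml, whose `ECSImageScanningDeploy` still defaults to "Yes" in the first hunk of this patch. The parent CloudVision.yaml passes both values explicitly, so parent-driven deployments are presumably unaffected, but anyone deploying the nested template directly now gets no image scanning by default. Either keep the defaults in sync across the two nested templates or state the change and its reason in the commit message.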
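Review bot: Replacing the `s3` rules source with `rules: []` and dropping `S3ConfigBucket` from the `!Sub` variable list removes the only visible consumer of `S3ConfigBucket` in this configuration; if the parameter, the bucket and any S3 read permission on the task role remain elsewhere in the template (outside this hunk), they are now dead, and the permission in particular can be dropped to keep the task role least-privilege. An empty `rules: []` also means the connector starts with no rules unless the scanners supply them, so a one-line comment above `rules: []` stating why rules are no longer loaded from S3 would save the next reader a search. The enclosing `Fn::Base64` / `!Sub` block starts before this hunk.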
--- a/templates_ecs/CloudVision.yaml +++ b/templates_ecs/CloudVision.yaml @@ -50,8 +50,17 @@ Metadata: default: "Private subnet Id's" ExistentCloudTrailSNSTopic: default: "CloudTrail SNS Topic" + UseScanningV2: + default: "Do you want to use image scanner version 2?" Parameters: + UseScanningV2: + Type: String + AllowedValues: + - "Yes" + - "No" + Default: "No" + ECRImageScanningDeploy: Type: String AllowedValues: @@ -211,6 +220,7 @@ Resources: DeployCloudScanning: !If [ DeployCloudScanning, "Yes", "No" ] ECRImageScanningDeploy: !If [ ECRImageScanningDeploy, "Yes", "No"] ECSImageScanningDeploy: !If [ ECSImageScanningDeploy, "Yes", "No"] + UseScanningV2: !If [ UseScanningV2, "Yes", "No"] CloudAgentlessRole: Type: AWS::CloudFormation::Stack From 81107390e20cb6f3a2ca2e5c3179e51e1abf06b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Gonz=C3=A1lez=20Diez?= Date: Thu, 23 Jun 2022 16:27:41 +0200 Subject: [PATCH 2/2] fix: typo error --- templates_apprunner/CloudConnector.yaml | 4 ++-- templates_apprunner/SecureForCloudAppRunner.yaml | 1 + templates_ecs/CloudConnector.yaml | 4 ++-- templates_ecs/CloudVision.yaml | 1 + 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/templates_apprunner/CloudConnector.yaml b/templates_apprunner/CloudConnector.yaml index 42e4e0b..212947f 100644 --- a/templates_apprunner/CloudConnector.yaml +++ b/templates_apprunner/CloudConnector.yaml @@ -138,7 +138,7 @@ Resources: - ECRCode: 'Fn::If': - ECRImageScanningDeploy - - !If | + - !If - UseScanningV2 - "- aws-ecr-inline: {}" - !Sub | @@ -149,7 +149,7 @@ Resources: ECSCode: 'Fn::If': - ECSImageScanningDeploy - - !If | + - !If - UseScanningV2 - "- aws-ecs-inline: {}" - !Sub | diff --git a/templates_apprunner/SecureForCloudAppRunner.yaml b/templates_apprunner/SecureForCloudAppRunner.yaml index 60a93b9..f18cbe5 100644 --- a/templates_apprunner/SecureForCloudAppRunner.yaml +++ b/templates_apprunner/SecureForCloudAppRunner.yaml 
@@ -107,6 +107,7 @@ Conditions: - !Equals [!Ref SysdigSecureEndpoint, "https://secure.sysdig.com"] - !Equals [!Ref SysdigSecureEndpoint, "https://eu1.app.sysdig.com"] - !Equals [!Ref SysdigSecureEndpoint, "https://us2.app.sysdig.com"] + UseScanningV2: !Equals [ !Ref UseScanningV2, "Yes" ] Resources: SysdigConfigLoggingBucket: diff --git a/templates_ecs/CloudConnector.yaml b/templates_ecs/CloudConnector.yaml index 0ff615a..658cb37 100644 --- a/templates_ecs/CloudConnector.yaml +++ b/templates_ecs/CloudConnector.yaml @@ -248,7 +248,7 @@ Resources: - ECRCode: 'Fn::If': - ECRImageScanningDeploy - - !If | + - !If - UseScanningV2 - "- aws-ecr-inline: {}" - !Sub | @@ -259,7 +259,7 @@ Resources: ECSCode: 'Fn::If': - ECSImageScanningDeploy - - !If | + - !If - UseScanningV2 - "- aws-ecs-inline: {}" - !Sub | diff --git a/templates_ecs/CloudVision.yaml b/templates_ecs/CloudVision.yaml index 19a86c8..2ace4c2 100644 --- a/templates_ecs/CloudVision.yaml +++ b/templates_ecs/CloudVision.yaml @@ -142,6 +142,7 @@ Conditions: - !Equals [!Ref SysdigSecureEndpoint, "https://secure.sysdig.com"] - !Equals [!Ref SysdigSecureEndpoint, "https://eu1.app.sysdig.com"] - !Equals [!Ref SysdigSecureEndpoint, "https://us2.app.sysdig.com"] + UseScanningV2: !Equals [ !Ref UseScanningV2, "Yes" ] Resources: S3ConfigBucket: