Chore/refact homogeneization (#41)

iru · web-flow · commit 331b15691613 · 2021-11-09T22:21:31.000+01:00
* chore(refact): deploy vs. enable homogenization

* chore(doc): example homogeneization
* chore(doc): contrib homogeneization
* chore(doc): cc/cs intro
diff --git a/CONTRIBUTE.md b/CONTRIBUTE.md
@@ -49,9 +49,9 @@
 Technical validation for terraform **lint**, **validation**, and **documentation**
 
 We're using **pre-commit** |  https://pre-commit.com
-  - Defined in `/.pre-commit-config.yaml`
-  - custom configuration | https://github.com/sysdiglabs/terraform-google-secure-for-cloud/blob/master/.pre-commit-config.yaml
-  - current `terraform-docs` version, requires developer to create `README.md` file, with the enclosure tags for docs to insert the automated content
+- Defined in `/.pre-commit-config.yaml`
+- custom configuration | https://github.com/sysdiglabs/terraform-google-secure-for-cloud/blob/master/.pre-commit-config.yaml
+- current `terraform-docs` version, requires developer to create `README.md` file, with the enclosure tags for docs to insert the automated content
   ```markdown
   <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
   <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -72,7 +72,7 @@ Implemented vía **Terraform Kitchen** | https://newcontext-oss.github.io/kitche
 
 Ruby 2.7 is required to launch the tests.
 Run `bundle install` to get kitchen-terraform bundle.
-GCP project and AWS credentials should be configured locally.
+Cloud Provider credentials should be configured locally.
 ```shell
 # launch the tests, in other words, it will run `terraform apply`
 $ bundle exec kitchen converge
diff --git a/README.md b/README.md
@@ -29,13 +29,12 @@ More info in [`./examples/single-account`](https://github.com/sysdiglabs/terrafo
 
 ### - Single-Account with a pre-existing Kubernetes Cluster
 
-If you already own a Kubernetes Cluster on AWS, you can use it to deploy Sysdig Secure for Cloud, instead of default ECS cluster.
-
+If you already own a Kubernetes Cluster on AWS, you can use it to deploy Sysdig Secure for Cloud, instead of default ECS cluster.<br/>
 More info in [`./examples/single-account-k8s`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/single-account-k8s)
 
 ### - Organizational
 
-Using an organizational configuration Cloudtrail.
+Using an organizational configuration Cloudtrail.<br/>
 More info in [`./examples/organizational`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/organizational)
 
 ![organizational diagram](https://raw.githubusercontent.com/sysdiglabs/terraform-aws-secure-for-cloud/5b7cf5e8028b3177536c9c847020ad6319342b44/examples/organizational/diagram-org.png)
@@ -109,9 +108,9 @@ Notice that:
     source_profile=<AWS_MANAGEMENT_ACCOUNT_PROFILE>
     ```
 
- - Q: How to test **cloud-scanner** image-scanning?<br/>
-   A: Upload any image to the ECR repository of AWS. You should see a log in the ECS-cloud-scanner task + CodeBuild project being launched successfully
-   <br/>
+- Q: How to test **cloud-scanner** image-scanning?<br/>
+  A: Upload any image to the ECR repository of AWS. You should see a log in the ECS-cloud-scanner task + CodeBuild project being launched successfully
+  <br/>
 
 
 <br/><br/>
diff --git a/examples/organizational/README.md b/examples/organizational/README.md
@@ -1,4 +1,4 @@
-# Sysdig Secure for Cloud in AWS :: Shared Organizational Trail
+# Sysdig Secure for Cloud in AWS<br/>[ Example :: Shared Organizational Trail ]
 
 Deploy Sysdig Secure for Cloud sharing the Trail within an organization.
 
diff --git a/examples/single-account-k8s/README.md b/examples/single-account-k8s/README.md
@@ -1,4 +1,4 @@
-# Sysdig Secure for Cloud in AWS <br/>:: Single-Account on Kubernetes Cluster
+# Sysdig Secure for Cloud in AWS <br/>[ Example :: Single-Account on Kubernetes Cluster ]
 
 Deploy Sysdig Secure for Cloud in a provided existing Kubernetes Cluster.
 
@@ -17,17 +17,12 @@ All the required resources and workloads will be run under the same AWS account.
 Minimum requirements:
 
 1. **AWS** profile credentials configuration
-
 2. **Kubernetes** cluster configured within your helm provider
-
 3. **Sysdig** Secure requirements, as input variable value
-
    ```
    sysdig_secure_api_token=<SECURE_API_TOKEN>
    ```
 
-
-
 ## Usage
 
 For quick testing, use this snippet on your terraform files
@@ -106,8 +101,8 @@ Notice that:
 | <a name="input_sysdig_secure_api_token"></a> [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig Secure API token | `string` | n/a | yes |
 | <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events. testing/economization purpose. | `bool` | `true` | no |
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether s3 should be encrypted. testing/economization purpose. | `bool` | `true` | no |
-| <a name="input_enable_cloud_connector"></a> [enable\_cloud\_connector](#input\_enable\_cloud\_connector) | true/false whether to provision cloud\_connector permissions | `bool` | `true` | no |
-| <a name="input_enable_cloud_scanning"></a> [enable\_cloud\_scanning](#input\_enable\_cloud\_scanning) | true/false whether to provision cloud\_scanning permissions | `bool` | `true` | no |
+| <a name="input_deploy_image_scanning"></a> [deploy\_image\_scanning](#input\_deploy\_image\_scanning) | true/false whether to deploy cloud\_scanning | `bool` | `true` | no |
+| <a name="input_deploy_threat_detection"></a> [deploy\_threat\_detection](#input\_deploy\_threat\_detection) | true/false whether to deploy cloud\_connector | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_region"></a> [region](#input\_region) | Default region for resource creation | `string` | `"eu-central-1"` | no |
 | <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
diff --git a/examples/single-account-k8s/cloud-connector.tf b/examples/single-account-k8s/cloud-connector.tf
@@ -2,7 +2,7 @@
 # requirements
 #-------------------------------------
 module "cloud_connector_sqs" {
-  count  = var.enable_cloud_connector ? 1 : 0
+  count  = var.deploy_threat_detection ? 1 : 0
   source = "../../modules/infrastructure/sqs-sns-subscription"
 
   name          = "${var.name}-cloud_connector"
@@ -15,7 +15,7 @@ module "cloud_connector_sqs" {
 # cloud_connector
 #-------------------------------------
 resource "helm_release" "cloud_connector" {
-  count = var.enable_cloud_connector ? 1 : 0
+  count = var.deploy_threat_detection ? 1 : 0
 
   name       = "cloud-connector"
   repository = "https://charts.sysdig.com"
diff --git a/examples/single-account-k8s/cloud-scanning.tf b/examples/single-account-k8s/cloud-scanning.tf
@@ -2,7 +2,7 @@
 # requirements
 #-------------------------------------
 module "cloud_scanning_sqs" {
-  count  = var.enable_cloud_scanning ? 1 : 0
+  count  = var.deploy_image_scanning ? 1 : 0
   source = "../../modules/infrastructure/sqs-sns-subscription"
 
   name          = "${var.name}-cloud_scanning"
@@ -12,7 +12,7 @@ module "cloud_scanning_sqs" {
 
 
 module "codebuild" {
-  count  = var.enable_cloud_scanning ? 1 : 0
+  count  = var.deploy_image_scanning ? 1 : 0
   source = "../../modules/infrastructure/codebuild"
 
   secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
@@ -26,7 +26,7 @@ module "codebuild" {
 # cloud_scanning
 #-------------------------------------
 resource "helm_release" "cloud_scanning" {
-  count = var.enable_cloud_scanning ? 1 : 0
+  count = var.deploy_image_scanning ? 1 : 0
   name  = "cloud-scanning"
 
   repository = "https://charts.sysdig.com"
diff --git a/examples/single-account-k8s/credentials.tf b/examples/single-account-k8s/credentials.tf
@@ -2,6 +2,6 @@ module "iam_user" {
   source                   = "../../modules/infrastructure/permissions/iam-user"
   name                     = var.name
   ssm_secure_api_token_arn = module.ssm.secure_api_token_secret_arn
-  enable_cloud_connector   = var.enable_cloud_connector
-  enable_cloud_scanning    = var.enable_cloud_scanning
+  deploy_threat_detection  = var.deploy_threat_detection
+  deploy_image_scanning    = var.deploy_image_scanning
 }
diff --git a/examples/single-account-k8s/variables.tf b/examples/single-account-k8s/variables.tf
@@ -8,15 +8,15 @@ variable "sysdig_secure_api_token" {
 # optionals - with defaults
 #---------------------------------
 
-variable "enable_cloud_connector" {
+variable "deploy_threat_detection" {
   type        = bool
-  description = "true/false whether to provision cloud_connector permissions"
+  description = "true/false whether to deploy cloud_connector"
   default     = true
 }
 
-variable "enable_cloud_scanning" {
+variable "deploy_image_scanning" {
   type        = bool
-  description = "true/false whether to provision cloud_scanning permissions"
+  description = "true/false whether to deploy cloud_scanning"
   default     = true
 }
 
diff --git a/examples/single-account/README.md b/examples/single-account/README.md
@@ -1,8 +1,7 @@
-# Sysdig Secure for Cloud in AWS :: Single-Account on ECS Fargate Service
+# Sysdig Secure for Cloud in AWS<br/>[ Example :: Single-Account ]
 
-Deploy Sysdig Secure for Cloud in a single AWS account
-
-All the required resources and workloads will be run under the same AWS account.
+Deploy Sysdig Secure for Cloud in a single AWS account.<br/>
+All the required resources and workloads will be run under the same account.
 
 ![single-account diagram](https://raw.githubusercontent.com/sysdiglabs/terraform-aws-secure-for-cloud/7d142829a701ce78f13691a4af4be373625e7ee2/examples/single-account/diagram-single.png)
 
diff --git a/modules/infrastructure/permissions/eks-org-role/README.md b/modules/infrastructure/permissions/eks-org-role/README.md
@@ -52,8 +52,8 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_cloudtrail_s3_arn"></a> [cloudtrail\_s3\_arn](#input\_cloudtrail\_s3\_arn) | Cloudtrail S3 bucket ARN | `string` | n/a | yes |
 | <a name="input_user_arn"></a> [user\_arn](#input\_user\_arn) | ARN of the IAM user to which roles will be added | `string` | n/a | yes |
-| <a name="input_enable_cloud_connector"></a> [enable\_cloud\_connector](#input\_enable\_cloud\_connector) | true/false whether to provision cloud\_connector permissions | `bool` | `true` | no |
-| <a name="input_enable_cloud_scanning"></a> [enable\_cloud\_scanning](#input\_enable\_cloud\_scanning) | true/false whether to provision cloud\_scanning permissions | `bool` | `true` | no |
+| <a name="input_deploy_image_scanning"></a> [deploy\_image\_scanning](#input\_deploy\_image\_scanning) | true/false whether to provision cloud\_scanning permissions | `bool` | `true` | no |
+| <a name="input_deploy_threat_detection"></a> [deploy\_threat\_detection](#input\_deploy\_threat\_detection) | true/false whether to provision cloud\_connector permissions | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_organizational_role_per_account"></a> [organizational\_role\_per\_account](#input\_organizational\_role\_per\_account) | Name of the organizational role deployed by AWS in each account of the organization | `string` | `"OrganizationAccountAccessRole"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
diff --git a/modules/infrastructure/permissions/eks-org-role/main.tf b/modules/infrastructure/permissions/eks-org-role/main.tf
@@ -22,13 +22,13 @@ data "aws_iam_policy_document" "sysdig_secure_for_cloud_role_trusted" {
 # ------------------------------
 
 resource "aws_iam_role_policy" "sysdig_secure_for_cloud_role_s3" {
-  count  = var.enable_cloud_connector ? 1 : 0
+  count  = var.deploy_threat_detection ? 1 : 0
   name   = "${var.name}-AllowCloudtrailS3Policy"
   role   = aws_iam_role.secure_for_cloud_role.id
   policy = data.aws_iam_policy_document.sysdig_secure_for_cloud_role_s3[0].json
 }
 data "aws_iam_policy_document" "sysdig_secure_for_cloud_role_s3" {
-  count = var.enable_cloud_connector ? 1 : 0
+  count = var.deploy_threat_detection ? 1 : 0
   statement {
     effect = "Allow"
     actions = [
@@ -47,13 +47,13 @@ data "aws_iam_policy_document" "sysdig_secure_for_cloud_role_s3" {
 # enable image-scanning on member-account repositories
 # ------------------------------
 resource "aws_iam_role_policy" "sysdig_secure_for_cloud_role_assume_role" {
-  count  = var.enable_cloud_scanning ? 1 : 0
+  count  = var.deploy_image_scanning ? 1 : 0
   name   = "${var.name}-AllowAssumeRoleInChildAccounts"
   role   = aws_iam_role.secure_for_cloud_role.id
   policy = data.aws_iam_policy_document.sysdig_secure_for_cloud_role_assume_role[0].json
 }
 data "aws_iam_policy_document" "sysdig_secure_for_cloud_role_assume_role" {
-  count = var.enable_cloud_scanning ? 1 : 0
+  count = var.deploy_image_scanning ? 1 : 0
   statement {
     effect = "Allow"
     actions = [
diff --git a/modules/infrastructure/permissions/eks-org-role/variables.tf b/modules/infrastructure/permissions/eks-org-role/variables.tf
@@ -12,13 +12,13 @@ variable "cloudtrail_s3_arn" {
 # optionals - with defaults
 #---------------------------------
 
-variable "enable_cloud_connector" {
+variable "deploy_threat_detection" {
   type        = bool
   description = "true/false whether to provision cloud_connector permissions"
   default     = true
 }
 
-variable "enable_cloud_scanning" {
+variable "deploy_image_scanning" {
   type        = bool
   description = "true/false whether to provision cloud_scanning permissions"
   default     = true
diff --git a/modules/infrastructure/permissions/iam-user/README.md b/modules/infrastructure/permissions/iam-user/README.md
@@ -37,8 +37,8 @@ Will create an IAM user and add add permissions for required modules
 |------|-------------|------|---------|:--------:|
 | <a name="input_cloudtrail_s3_bucket_arn"></a> [cloudtrail\_s3\_bucket\_arn](#input\_cloudtrail\_s3\_bucket\_arn) | ARN of cloudtrail s3 bucket | `string` | `"*"` | no |
 | <a name="input_cloudtrail_subscribed_sqs_arn"></a> [cloudtrail\_subscribed\_sqs\_arn](#input\_cloudtrail\_subscribed\_sqs\_arn) | ARN of the cloudtrail subscribed sqs's | `string` | `"*"` | no |
-| <a name="input_enable_cloud_connector"></a> [enable\_cloud\_connector](#input\_enable\_cloud\_connector) | true/false whether to provision cloud\_connector permissions | `bool` | `true` | no |
-| <a name="input_enable_cloud_scanning"></a> [enable\_cloud\_scanning](#input\_enable\_cloud\_scanning) | true/false whether to provision cloud\_scanning permissions | `bool` | `true` | no |
+| <a name="input_deploy_image_scanning"></a> [deploy\_image\_scanning](#input\_deploy\_image\_scanning) | true/false whether to provision cloud\_scanning permissions | `bool` | `true` | no |
+| <a name="input_deploy_threat_detection"></a> [deploy\_threat\_detection](#input\_deploy\_threat\_detection) | true/false whether to provision cloud\_connector permissions | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_scanning_codebuild_project_arn"></a> [scanning\_codebuild\_project\_arn](#input\_scanning\_codebuild\_project\_arn) | ARN of codebuild to launch the image scanning process | `string` | `"*"` | no |
 | <a name="input_ssm_secure_api_token_arn"></a> [ssm\_secure\_api\_token\_arn](#input\_ssm\_secure\_api\_token\_arn) | ARN of the security credentials for the secure\_api\_token | `string` | `"*"` | no |
diff --git a/modules/infrastructure/permissions/iam-user/main.tf b/modules/infrastructure/permissions/iam-user/main.tf
@@ -23,7 +23,7 @@ module "credentials_general" {
 
 
 module "credentials_cloud_connector" {
-  count  = var.enable_cloud_connector ? 1 : 0
+  count  = var.deploy_threat_detection ? 1 : 0
   source = "../cloud-connector"
   name   = var.name
 
@@ -35,7 +35,7 @@ module "credentials_cloud_connector" {
 }
 
 module "credentials_cloud_scanning" {
-  count  = var.enable_cloud_scanning ? 1 : 0
+  count  = var.deploy_image_scanning ? 1 : 0
   source = "../cloud-scanning"
   name   = var.name
 
diff --git a/modules/infrastructure/permissions/iam-user/variables.tf b/modules/infrastructure/permissions/iam-user/variables.tf
@@ -2,13 +2,13 @@
 # optionals - with defaults
 #---------------------------------
 
-variable "enable_cloud_connector" {
+variable "deploy_threat_detection" {
   type        = bool
   description = "true/false whether to provision cloud_connector permissions"
   default     = true
 }
 
-variable "enable_cloud_scanning" {
+variable "deploy_image_scanning" {
   type        = bool
   description = "true/false whether to provision cloud_scanning permissions"
   default     = true
diff --git a/modules/services/cloud-connector/README.md b/modules/services/cloud-connector/README.md
@@ -1,8 +1,6 @@
 # Cloud Connector
 
-[Cloud Connector](https://github.com/sysdiglabs/cloud-connector)
-Deploys a Cloud Connector in AWS as an ECS container deployment that will detect events in your infrastructure.
-
+A task deployed on an **ECS deployment** will detect events in your infrastructure.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
diff --git a/modules/services/cloud-scanning/README.md b/modules/services/cloud-scanning/README.md
@@ -1,7 +1,7 @@
 # Cloud Connector
 
-[Cloud Scanning](https://github.com/sysdiglabs/cloud-connector) (contained within cloud-connector project)
-Deploys a Cloud Scanning in AWS as an ECS container deployment that will detect events in your infrastructure.
+A task deployed on an **ECS deployment** will detect new images and will trigger image scans based on changes in your infrastructure into
+a **Code Build** run that will evaluate its status.
 
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/test/fixtures/organizational-k8s/main.tf b/test/fixtures/organizational-k8s/main.tf
@@ -36,7 +36,7 @@ module "org_user" {
     aws = aws.admin
   }
   source                        = "../../../modules/infrastructure/permissions/iam-user"
-  enable_cloud_scanning         = false
+  deploy_image_scanning         = false
   cloudtrail_s3_bucket_arn      = module.cloudtrail_s3_sns_sqs.cloudtrail_s3_arn
   cloudtrail_subscribed_sqs_arn = module.cloudtrail_s3_sns_sqs.cloudtrail_subscribed_sqs_arn
 }

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# Sysdig Secure for Cloud in AWS :: Shared Organizational Trail`
	`1`	`+# Sysdig Secure for Cloud in AWS<br/>[ Example :: Shared Organizational Trail ]`
`2`	`2`
`3`	`3`	`Deploy Sysdig Secure for Cloud sharing the Trail within an organization.`
`4`	`4`
Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,6 @@ module "iam_user" {`
`2`	`2`	`source = "../../modules/infrastructure/permissions/iam-user"`
`3`	`3`	`name = var.name`
`4`	`4`	`ssm_secure_api_token_arn = module.ssm.secure_api_token_secret_arn`
`5`		`- enable_cloud_connector = var.enable_cloud_connector`
`6`		`- enable_cloud_scanning = var.enable_cloud_scanning`
	`5`	`+ deploy_threat_detection = var.deploy_threat_detection`
	`6`	`+ deploy_image_scanning = var.deploy_image_scanning`
`7`	`7`	`}`