chore: infer region from provider (#42)

iru · web-flow · commit ce44f753fbb6 · 2021-11-10T16:12:20.000+01:00
* chore: remove providers from examples
* chore(test): add region to module
* chore(doc): update provider READMES
* chore(qa): org region KO :/
diff --git a/examples-internal/organizational-k8s-threat-reuse_cloudtrail/README.md b/examples-internal/organizational-k8s-threat-reuse_cloudtrail/README.md
@@ -15,8 +15,8 @@ All the required resources and workloads will be run under the same AWS account,
 
 Minimum requirements:
 
-1. **AWS** profile credentials configured within yor `aws` provider
-2. A **Kubernetes** cluster configured within your `helm` provider
+1. Configure [Terraform **AWS** Provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)
+2. Configure [**Helm** Provider](https://registry.terraform.io/providers/hashicorp/helm/latest/docs) for **Kubernetes** cluster
 3. **Sysdig** Secure API token , as input variable value
     ```
     sysdig_secure_api_token=<SECURE_API_TOKEN>
@@ -32,12 +32,13 @@ For quick testing, use this snippet on your terraform files.
 
 ```terraform
 provider "aws" {
-  region = var.region
-  ...
+  region = "<AWS-REGION>; ex. us-east-1"
 }
 
 provider "helm" {
-  ...
+  kubernetes {
+    config_path = "~/.kube/config"
+  }
 }
 
 module "org_k8s_threat_reuse_cloudtrail" {
@@ -80,6 +81,7 @@ Notice that:
 
 | Name | Version |
 |------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.50.0 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | >=2.3.0 |
 
 ## Modules
@@ -94,6 +96,7 @@ Notice that:
 | Name | Type |
 |------|------|
 | [helm_release.cloud_connector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 
@@ -104,7 +107,6 @@ Notice that:
 | <a name="input_cloudtrail_s3_sns_sqs_url"></a> [cloudtrail\_s3\_sns\_sqs\_url](#input\_cloudtrail\_s3\_sns\_sqs\_url) | Organization cloudtrail event notification  S3-SNS-SQS URL to listen to | `string` | n/a | yes |
 | <a name="input_sysdig_secure_api_token"></a> [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig Secure API token | `string` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
-| <a name="input_region"></a> [region](#input\_region) | Default region for resource creation in both organization master and secure-for-cloud member account | `string` | `"eu-central-1"` | no |
 | <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
 
diff --git a/examples-internal/organizational-k8s-threat-reuse_cloudtrail/cloud-connector.tf b/examples-internal/organizational-k8s-threat-reuse_cloudtrail/cloud-connector.tf
@@ -32,7 +32,7 @@ resource "helm_release" "cloud_connector" {
 
   set {
     name  = "aws.region"
-    value = var.region
+    value = data.aws_region.current.name
   }
 
   set {
diff --git a/examples-internal/organizational-k8s-threat-reuse_cloudtrail/data.tf b/examples-internal/organizational-k8s-threat-reuse_cloudtrail/data.tf
@@ -0,0 +1 @@
+data "aws_region" "current" {}
diff --git a/examples-internal/organizational-k8s-threat-reuse_cloudtrail/variables.tf b/examples-internal/organizational-k8s-threat-reuse_cloudtrail/variables.tf
@@ -31,12 +31,6 @@ variable "aws_secret_access_key" {
 #
 # general
 #
-variable "region" {
-  type        = string
-  default     = "eu-central-1"
-  description = "Default region for resource creation in both organization master and secure-for-cloud member account"
-}
-
 variable "name" {
   type        = string
   description = "Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances"
diff --git a/examples/organizational/README.md b/examples/organizational/README.md
@@ -19,18 +19,18 @@ Minimum requirements:
 1. Have an existing AWS account as the organization management account
     * Organizational CloudTrail service must be enabled
     * [Organizational CloudFormation StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html) service must be enabled
-2. AWS profile credentials configuration of the `management` account of the organization
+1. Configure [Terraform **AWS** Provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) of the `management` account of the organization
     * This account credentials must be [able to manage cloudtrail creation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html)
       > You must be logged in with the management account for the organization to create an organization trail. You must also have sufficient permissions for the IAM user or role in the management account to successfully create an organization trail.
     * When an account becomes part of an organization, AWS will create an `OrganizationAccountAccessRole` [for account management](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html), which Sysdig Secure for Cloud will use for member-account provisioning and role assuming.
       <br/>This Role name is currently hardcoded.
-3. Provide a member account ID for Sysdig Secure for Cloud workload to be deployed.
+3. Provide a member **account ID for Sysdig Secure for Cloud workload** to be deployed.
    Our recommendation is for this account to be empty, so that deployed resources are not mixed up with your workload.
    This input must be provided as terraform required input value
     ```
     sysdig_secure_for_cloud_member_account_id=<ORGANIZATIONAL_SECURE_FOR_CLOUD_ACCOUNT_ID>
     ```
-4. Sysdig Secure requirements, as input variable value with the `api-token`
+4. **Sysdig Secure** requirements, as input variable value with the `api-token`
     ```
     sysdig_secure_api_token=<SECURE_API_TOKEN>
     ```
@@ -41,13 +41,14 @@ For quick testing, use this snippet on your terraform files
 
 ```terraform
 provider "aws" {
-   region = var.region
-   ...
+  region = "<AWS_REGION>; ex. us-east-1"
 }
 
 module "secure_for_cloud_organizational" {
   source = "sysdiglabs/secure-for-cloud/aws//examples/organizational"
 
+  region = "<AWS_REGION>; ex. us-east-1"
+
   sysdig_secure_api_token                     = "00000000-1111-2222-3333-444444444444"
   sysdig_secure_for_cloud_member_account_id   = "<ORG_MEMBER_ACCOUNT_FOR_SYSDIG_SECURE_FOR_CLOUD>"
 }
@@ -80,6 +81,7 @@ Notice that:
 
 | Name | Version |
 |------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.62.0 |
 | <a name="provider_aws.member"></a> [aws.member](#provider\_aws.member) | >= 3.62.0 |
 
 ## Modules
@@ -103,6 +105,7 @@ Notice that:
 |------|------|
 | [aws_iam_role.connector_ecs_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_policy_document.task_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 
diff --git a/examples/organizational/data.tf b/examples/organizational/data.tf
@@ -0,0 +1 @@
+data "aws_region" "current" {}
diff --git a/examples/organizational/main.tf b/examples/organizational/main.tf
@@ -1,5 +1,7 @@
 provider "aws" {
-  alias  = "member"
+  alias = "member"
+  # NOTE. this won't work with test, workaround with var
+  #  region = data.aws_region.current.name
   region = var.region
   assume_role {
     role_arn = "arn:aws:iam::${var.sysdig_secure_for_cloud_member_account_id}:role/${var.organizational_member_default_admin_role}"
@@ -147,6 +149,6 @@ module "cloud_bench" {
   name              = "${var.name}-cloudbench"
   tags              = var.tags
   is_organizational = true
-  region            = var.region
+  region            = data.aws_region.current.name
   benchmark_regions = var.benchmark_regions
 }
diff --git a/examples/single-account-k8s/README.md b/examples/single-account-k8s/README.md
@@ -16,8 +16,8 @@ All the required resources and workloads will be run under the same AWS account.
 
 Minimum requirements:
 
-1. **AWS** profile credentials configuration
-2. **Kubernetes** cluster configured within your helm provider
+1. Configure [Terraform **AWS** Provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)
+2. Configure [**Helm** Provider](https://registry.terraform.io/providers/hashicorp/helm/latest/docs) for **Kubernetes** cluster
 3. **Sysdig** Secure requirements, as input variable value
    ```
    sysdig_secure_api_token=<SECURE_API_TOKEN>
@@ -29,12 +29,13 @@ For quick testing, use this snippet on your terraform files
 
 ```terraform
 provider "aws" {
-  region = var.region
-  ...
+  region = "<AWS-REGION>; ex. us-east-1"
 }
 
 provider "helm" {
-  ...
+  kubernetes {
+    config_path = "~/.kube/config"
+  }
 }
 
 module "secure_for_cloud_aws_single_account" {
@@ -73,6 +74,7 @@ Notice that:
 
 | Name | Version |
 |------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.50.0 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | >=2.3.0 |
 
 ## Modules
@@ -93,6 +95,7 @@ Notice that:
 |------|------|
 | [helm_release.cloud_connector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.cloud_scanning](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 
@@ -104,7 +107,6 @@ Notice that:
 | <a name="input_deploy_image_scanning"></a> [deploy\_image\_scanning](#input\_deploy\_image\_scanning) | true/false whether to deploy cloud\_scanning | `bool` | `true` | no |
 | <a name="input_deploy_threat_detection"></a> [deploy\_threat\_detection](#input\_deploy\_threat\_detection) | true/false whether to deploy cloud\_connector | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
-| <a name="input_region"></a> [region](#input\_region) | Default region for resource creation | `string` | `"eu-central-1"` | no |
 | <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
 
diff --git a/examples/single-account-k8s/cloud-connector.tf b/examples/single-account-k8s/cloud-connector.tf
@@ -41,7 +41,7 @@ resource "helm_release" "cloud_connector" {
 
   set {
     name  = "aws.region"
-    value = var.region
+    value = data.aws_region.current.name
   }
 
   set {
diff --git a/examples/single-account-k8s/cloud-scanning.tf b/examples/single-account-k8s/cloud-scanning.tf
@@ -57,7 +57,7 @@ resource "helm_release" "cloud_scanning" {
 
   set {
     name  = "aws.region"
-    value = var.region
+    value = data.aws_region.current.name
   }
 
   set {
diff --git a/examples/single-account-k8s/data.tf b/examples/single-account-k8s/data.tf
@@ -0,0 +1 @@
+data "aws_region" "current" {}
diff --git a/examples/single-account-k8s/variables.tf b/examples/single-account-k8s/variables.tf
@@ -37,16 +37,6 @@ variable "cloudtrail_kms_enable" {
   description = "true/false whether s3 should be encrypted. testing/economization purpose."
 }
 
-
-#
-# general
-#
-variable "region" {
-  type        = string
-  default     = "eu-central-1"
-  description = "Default region for resource creation"
-}
-
 variable "name" {
   type        = string
   description = "Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances"
diff --git a/examples/single-account/README.md b/examples/single-account/README.md
@@ -9,7 +9,7 @@ All the required resources and workloads will be run under the same account.
 
 Minimum requirements:
 
-1. AWS profile credentials configuration
+1. Configure [Terraform **AWS** Provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)
 1. Secure requirements, as input variable value
     ```
     sysdig_secure_api_token=<SECURE_API_TOKEN>
@@ -21,14 +21,13 @@ For quick testing, use this snippet on your terraform files
 
 ```terraform
 provider "aws" {
-   region = var.region
-   ...
+   region = "<AWS-REGION>; ex. us-east-1"
 }
 
 module "secure_for_cloud_aws_single_account" {
   source = "sysdiglabs/secure-for-cloud/aws//examples/single-account"
 
-  sysdig_secure_api_token        = "00000000-1111-2222-3333-444444444444"
+  sysdig_secure_api_token = "00000000-1111-2222-3333-444444444444"
 }
 ```
 
diff --git a/test/fixtures/organizational-k8s/main.tf b/test/fixtures/organizational-k8s/main.tf
@@ -57,7 +57,6 @@ module "org_k8s_threat_reuse_cloudtrail" {
   }
   source = "../../../examples-internal/organizational-k8s-threat-reuse_cloudtrail"
   name   = "${var.name}-orgk8s"
-  region = var.region
 
   sysdig_secure_api_token   = var.sysdig_secure_api_token
   sysdig_secure_endpoint    = var.sysdig_secure_endpoint
diff --git a/test/fixtures/organizational/main.tf b/test/fixtures/organizational/main.tf
@@ -6,8 +6,9 @@ module "cloudvision_aws_organizational" {
   source = "../../../examples/organizational"
   name   = "${var.name}-org"
 
+  region = var.region
+
   sysdig_secure_api_token                   = var.sysdig_secure_api_token
   sysdig_secure_endpoint                    = var.sysdig_secure_endpoint
   sysdig_secure_for_cloud_member_account_id = var.sysdig_secure_for_cloud_member_account_id
-  region                                    = var.region
 }
diff --git a/test/fixtures/single-account-k8s/main.tf b/test/fixtures/single-account-k8s/main.tf
@@ -14,5 +14,4 @@ module "cloudvision_aws_single_account_k8s" {
 
   sysdig_secure_api_token = var.sysdig_secure_api_token
   sysdig_secure_endpoint  = var.sysdig_secure_endpoint
-  region                  = var.region
 }

Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ resource "helm_release" "cloud_connector" {`
`32`	`32`
`33`	`33`	`set {`
`34`	`34`	`name = "aws.region"`
`35`		`- value = var.region`
	`35`	`+ value = data.aws_region.current.name`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`set {`
Original file line number	Diff line number	Diff line change
`@@ -31,12 +31,6 @@ variable "aws_secret_access_key" {`
`31`	`31`	`#`
`32`	`32`	`# general`
`33`	`33`	`#`
`34`		`-variable "region" {`
`35`		`- type = string`
`36`		`- default = "eu-central-1"`
`37`		`- description = "Default region for resource creation in both organization master and secure-for-cloud member account"`
`38`		`-}`
`39`		`-`
`40`	`34`	`variable "name" {`
`41`	`35`	`type = string`
`42`	`36`	`description = "Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances"`
Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ resource "helm_release" "cloud_connector" {`
`41`	`41`
`42`	`42`	`set {`
`43`	`43`	`name = "aws.region"`
`44`		`- value = var.region`
	`44`	`+ value = data.aws_region.current.name`
`45`	`45`	`}`
`46`	`46`
`47`	`47`	`set {`
Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ resource "helm_release" "cloud_scanning" {`
`57`	`57`
`58`	`58`	`set {`
`59`	`59`	`name = "aws.region"`
`60`		`- value = var.region`
	`60`	`+ value = data.aws_region.current.name`
`61`	`61`	`}`
`62`	`62`
`63`	`63`	`set {`