feat: enable benchmark on organizational management account (#58)

* create option to deploy in mgmt acc
* chore: fix pre-commit docs
* chore: add ci changes from WIP PR
* update required sysdig provider
* chore: doc lint

Author: Alex Qiu

examples-internal/organizational-k8s-threat-reuse_cloudtrail_s3/README.md

@@ -81,7 +81,7 @@ Notice that:
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.74.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.74.1 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | 2.4.1 |
 
 ## Modules

examples/organizational/README.md

@@ -3,10 +3,10 @@
 Deploy Sysdig Secure for Cloud using an Organizational Cloudtrail that will fetch events from all organization member accounts (and the managed one too).
 
 * In the **management account**
-  * An Organizational Cloutrail will be deployed  (with required S3,SNS)
-  * An additional role `SysdigSecureForCloudRole` will be created
-     * to be able to read cloudtrail-s3 bucket events from sysdig workload member account.
-     * will also be used to asummeRole over other roles, and enable the process of scanning on ECR's that may be present in other member accounts.
+    * An Organizational Cloutrail will be deployed  (with required S3,SNS)
+    * An additional role `SysdigSecureForCloudRole` will be created
+        * to be able to read cloudtrail-s3 bucket events from sysdig workload member account.
+        * will also be used to asummeRole over other roles, and enable the process of scanning on ECR's that may be present in other member accounts.
 * In the **user-provided member account**
     * All the Sysdig Secure for Cloud service-related resources/workload will be created
 
@@ -24,7 +24,7 @@ Minimum requirements:
       > You must be logged in with the management account for the organization to create an organization trail. You must also have sufficient permissions for the IAM user or role in the management account to successfully create an organization trail.
     * When an account is created within an organization, AWS will create an `OrganizationAccountAccessRole` [for account management](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html), which Sysdig Secure for Cloud will use for member-account provisioning and role assuming.
     * However, when the account is invited into the organization, it's required to [create the role manually](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role)
-       > You have to do this manually, as shown in the following procedure. This essentially duplicates the role automatically set up for created accounts. We recommend that you use the same name, OrganizationAccountAccessRole, for your manually created roles for consistency and ease of remembering.
+      > You have to do this manually, as shown in the following procedure. This essentially duplicates the role automatically set up for created accounts. We recommend that you use the same name, OrganizationAccountAccessRole, for your manually created roles for consistency and ease of remembering.
     * This role name, `OrganizationAccountAccessRole`, is currently hardcoded on the module.
 3. Provide a member **account ID for Sysdig Secure for Cloud workload** to be deployed.
    Our recommendation is for this account to be empty, so that deployed resources are not mixed up with your workload.
@@ -75,14 +75,14 @@ Notice that:
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.62.0 |
-| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.19 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.29 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.74.0 |
-| <a name="provider_aws.member"></a> [aws.member](#provider\_aws.member) | 3.74.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.74.1 |
+| <a name="provider_aws.member"></a> [aws.member](#provider\_aws.member) | 3.74.1 |
 
 ## Modules
 

examples/organizational/versions.tf

@@ -6,7 +6,7 @@ terraform {
     }
     sysdig = {
       source  = "sysdiglabs/sysdig"
-      version = ">= 0.5.19"
+      version = ">= 0.5.29"
     }
   }
 }

examples/single-account-k8s/README.md

@@ -66,13 +66,13 @@ Notice that:
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.50.0 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >=2.3.0 |
-| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.19 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.29 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.74.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.74.1 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | 2.4.1 |
 
 ## Modules

examples/single-account-k8s/versions.tf

@@ -6,7 +6,7 @@ terraform {
     }
     sysdig = {
       source  = "sysdiglabs/sysdig"
-      version = ">= 0.5.19"
+      version = ">= 0.5.29"
     }
     helm = {
       source  = "hashicorp/helm"

examples/single-account/README.md

@@ -25,9 +25,9 @@ provider "aws" {
 }
 
 module "secure_for_cloud_aws_single_account" {
-  source = "sysdiglabs/secure-for-cloud/aws//examples/single-account"
+   source = "sysdiglabs/secure-for-cloud/aws//examples/single-account"
 
-  sysdig_secure_api_token = "00000000-1111-2222-3333-444444444444"
+   sysdig_secure_api_token = "00000000-1111-2222-3333-444444444444"
 }
 ```
 
@@ -51,7 +51,7 @@ Notice that:
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.62.0 |
-| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.21 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.29 |
 
 ## Providers
 

examples/single-account/versions.tf

@@ -6,7 +6,7 @@ terraform {
     }
     sysdig = {
       source  = "sysdiglabs/sysdig"
-      version = ">= 0.5.21"
+      version = ">= 0.5.29"
     }
   }
 }

modules/services/cloud-bench/README.md

@@ -20,15 +20,15 @@ Deployed on **Sysdig Backend**
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.62.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.1.0 |
-| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.21 |
+| <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.29 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.62.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.1.0 |
-| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | >= 0.5.21 |
+| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | >= 0.5.29 |
 
 ## Modules
 
@@ -59,6 +59,7 @@ No modules.
 | <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no |
 | <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | whether secure-for-cloud should be deployed in an organizational setup | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name of the IAM Role that will be created. | `string` | `"sfc-cloudbench"` | no |
+| <a name="input_provision_in_management_account"></a> [provision\_in\_management\_account](#input\_provision\_in\_management\_account) | Whether to deploy the stack in the management account | `bool` | `true` | no |
 | <a name="input_region"></a> [region](#input\_region) | Default region for resource creation in organization mode | `string` | `"eu-central-1"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
 

modules/services/cloud-bench/main.tf

@@ -13,10 +13,11 @@ data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
 }
 
 locals {
-  member_account_ids = var.is_organizational ? [for a in data.aws_organizations_organization.org[0].non_master_accounts : a.id] : []
+  member_account_ids    = var.is_organizational ? [for a in data.aws_organizations_organization.org[0].non_master_accounts : a.id] : []
+  account_ids_to_deploy = var.is_organizational && var.provision_in_management_account ? concat(local.member_account_ids, [data.aws_organizations_organization.org[0].master_account_id]) : local.member_account_ids
 
   benchmark_task_name   = var.is_organizational ? "Organization: ${data.aws_organizations_organization.org[0].id}" : data.aws_caller_identity.me.account_id
-  accounts_scope_clause = var.is_organizational ? "aws.accountId in (\"${join("\", \"", local.member_account_ids)}\")" : "aws.accountId = \"${data.aws_caller_identity.me.account_id}\""
+  accounts_scope_clause = var.is_organizational ? "aws.accountId in (\"${join("\", \"", local.account_ids_to_deploy)}\")" : "aws.accountId = \"${data.aws_caller_identity.me.account_id}\""
   regions_scope_clause  = length(var.benchmark_regions) == 0 ? "" : " and aws.region in (\"${join("\", \"", var.benchmark_regions)}\")"
 }
 
@@ -25,7 +26,7 @@ locals {
 #----------------------------------------------------------
 
 resource "sysdig_secure_cloud_account" "cloud_account" {
-  for_each = var.is_organizational ? toset(local.member_account_ids) : [data.aws_caller_identity.me.account_id]
+  for_each = var.is_organizational ? toset(local.account_ids_to_deploy) : [data.aws_caller_identity.me.account_id]
 
   account_id     = each.value
   cloud_provider = "aws"
@@ -35,7 +36,7 @@ resource "sysdig_secure_cloud_account" "cloud_account" {
 
 locals {
   external_id = try(
-    sysdig_secure_cloud_account.cloud_account[local.member_account_ids[0]].external_id,
+    sysdig_secure_cloud_account.cloud_account[local.account_ids_to_deploy[0]].external_id,
     sysdig_secure_cloud_account.cloud_account[data.aws_caller_identity.me.account_id].external_id,
   )
 }
@@ -90,7 +91,7 @@ data "aws_iam_policy_document" "trust_relationship" {
 }
 
 resource "aws_iam_role" "cloudbench_role" {
-  count = var.is_organizational ? 0 : 1
+  count = var.is_organizational && !var.provision_in_management_account ? 0 : 1
 
   name               = var.name
   assume_role_policy = data.aws_iam_policy_document.trust_relationship.json
@@ -99,7 +100,7 @@ resource "aws_iam_role" "cloudbench_role" {
 
 
 resource "aws_iam_role_policy_attachment" "cloudbench_security_audit" {
-  count = var.is_organizational ? 0 : 1
+  count = var.is_organizational && !var.provision_in_management_account ? 0 : 1
 
   role       = aws_iam_role.cloudbench_role[0].id
   policy_arn = data.aws_iam_policy.security_audit.arn

modules/services/cloud-bench/variables.tf

@@ -34,3 +34,9 @@ variable "tags" {
     "product" = "sysdig-secure-for-cloud"
   }
 }
+
+variable "provision_in_management_account" {
+  type        = bool
+  default     = true
+  description = "Whether to deploy the stack in the management account"
+}