Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add organizational support for cloud-bench #24

Merged
merged 4 commits into from
Oct 20, 2021
Merged

Add organizational support for cloud-bench #24

merged 4 commits into from
Oct 20, 2021

Conversation

nkraemer-sysdig
Copy link
Contributor

@nkraemer-sysdig nkraemer-sysdig commented Sep 9, 2021
edited
Loading

Now that hashicorp/terraform-provider-aws#21193 has been merged, this PR adds support for organizational cloud-bench onboarding. This PR was tested against out test org, and successfully onboarded & ran benchmarks in all member accounts.

Changes:

  • Remove the account_id variable from the cloud_bench module. It is not needed, as we can use the aws_caller_identity inside the module to figure this out. This simplifies the examples.
  • Bump minimum aws provider version
  • Uncomment cloud-bench in the organization example
  • Refactor cloud-bench module to do one of two things depending on is_organizational (using count and for_each):
    a) is_organizational = false - Pre-existing single-account implementation: Provisions a role/policy directly
    b) is_organizational = true - Fetches the list of member accounts, onboards each in our BE, creates benchmark task spanning all accounts, and uses a CFT StackSet in the management account to provision the required role/policies in each member account.

Notable features/behaviour:

  • If is_organizational is set to true, but the user is not authenticated into an organizational management account, the stack fails with:
│ Error: Iteration over null value
│ 
│   on ../../modules/services/cloud-bench/main.tf line 15, in locals:
│   15:   member_account_ids = var.is_organizational ? toset([for a in data.aws_organizations_organization.org.non_master_accounts : a.id]) : toset([])
│     ├────────────────
│     │ data.aws_organizations_organization.org.non_master_accounts is null
│ 
│ A null value cannot be used as the collection in a 'for' expression.
  • If a new member account is added/removed to the org, the role will be automatically created/removed. The Sysdig BE will not be updated however, so we may want to remove/rethink this setting

@wideawakening wideawakening marked this pull request as draft September 9, 2021 14:39
@nkraemer-sysdig nkraemer-sysdig force-pushed the feature/organizational-cloud-bench branch from 4b453e1 to f756fae Compare October 16, 2021 00:06
@nkraemer-sysdig nkraemer-sysdig force-pushed the feature/organizational-cloud-bench branch from f756fae to 5f16c3c Compare October 18, 2021 16:16
@nkraemer-sysdig nkraemer-sysdig marked this pull request as ready for review October 18, 2021 16:18
@wideawakening
Copy link
Contributor

wideawakening commented Oct 19, 2021
edited
Loading

LGTM, can merge it @nkraemer-sysdig

  • fixed pre-commit tf-docs

couple of non-blocking maintenance things though

  • could you update the org diagram to reflect the changes?
  • remove the "Note: CSPM/Compliance through cloud-bench module is not supported yet" note on the org README

@nkraemer-sysdig
Copy link
Contributor Author

@wideawakening 6c3726e

@wideawakening wideawakening merged commit 5b7cf5e into master Oct 20, 2021
@wideawakening wideawakening deleted the feature/organizational-cloud-bench branch October 20, 2021 06:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wideawakening wideawakening wideawakening approved these changes

@aq17 aq17 aq17 approved these changes

@nestorsalceda nestorsalceda Awaiting requested review from nestorsalceda

@tembleking tembleking Awaiting requested review from tembleking

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nkraemer-sysdig @wideawakening @aq17