Merge branch 'master' into feat-implement-sysdig-secure-accept-vulner…

…ability-risk
sysdiglabs · Dec 20, 2024 · 17e3a64 · 17e3a64
2 parents d9a43a1 + c31d9e0
commit 17e3a64
Show file tree

Hide file tree

Showing 11 changed files with 284 additions and 191 deletions.
diff --git a/examples/serverless-agent/fargate/workload-legacy/README.md b/examples/serverless-agent/fargate/workload-legacy/README.md
@@ -0,0 +1,30 @@
+# Workload with Serverless Workload Agent
+
+This example deploys a cluster with a workload and the Serverless Workload Agent as a sidecar to secure the workload.
+
+The Workload Agent will use an Orchestrator Agent as a proxy to the Sysdig Collector.
+
+## Prerequisites
+
+The following prerequisites are required to deploy this cluster:
+- Orchestrator Agent deployed
+- VPC
+- 2 subnets
+
+## Components
+
+The cluster will be called `<prefix>-instrumented-workload` and will deploy the following:
+- 1 Service (called `<prefix-instrumented-service`)
+  - 1 Task with 2 replicas, each running:
+    - 1 container named `event-gen-1` running `falcosecurity/event-generator`
+    - 1 container named `event-gen-2` also running `falcosecurity/event-generator`
+    - 1 container named `SysdigInstrumentation` running the latest Workload Agent which will secure both workload containers
+
+## Layout
+| **File** | **Purpose** |
+| --- | --- |
+| `instrumented_load.tf` | Workload definition. By default it instruments `falcosecurity/event-generator` |
+| `main.tf` | AWS provider configuration |
+| `output.tf` | Defines the output variables |
+| `variables.tf` | AWS and Agent configuration |
+| `versions.tf` | Defines TF provider versions |
diff --git a/examples/serverless-agent/fargate/workload-legacy/instrumented_load.tf b/examples/serverless-agent/fargate/workload-legacy/instrumented_load.tf
@@ -0,0 +1,145 @@
+data "sysdig_fargate_workload_agent" "containers_instrumented" {
+  container_definitions = jsonencode([
+    {
+      "name" : "event-gen-1",
+      "image" : "falcosecurity/event-generator",
+      "command" : ["run", "syscall", "--all", "--loop"],
+      "logConfiguration" : {
+        "logDriver" : "awslogs",
+        "options" : {
+          "awslogs-group" : aws_cloudwatch_log_group.instrumented_logs.name,
+          "awslogs-region" : var.region,
+          "awslogs-stream-prefix" : "task"
+        },
+      }
+    },
+    {
+      "name" : "event-gen-2",
+      "image" : "falcosecurity/event-generator",
+      "command" : ["run", "syscall", "--all", "--loop"],
+      "logConfiguration" : {
+        "logDriver" : "awslogs",
+        "options" : {
+          "awslogs-group" : aws_cloudwatch_log_group.instrumented_logs.name,
+          "awslogs-region" : var.region,
+          "awslogs-stream-prefix" : "task"
+        },
+      }
+    }
+  ])
+
+  workload_agent_image = var.agent_workload_image
+
+  sysdig_access_key = var.access_key
+  orchestrator_host = var.orchestrator_host
+  orchestrator_port = var.orchestrator_port
+
+  log_configuration {
+    group         = aws_cloudwatch_log_group.instrumented_logs.name
+    stream_prefix = "instrumentation"
+    region        = var.region
+  }
+}
+
+resource "aws_ecs_task_definition" "task_definition" {
+  family             = "${var.prefix}-instrumented-task-definition"
+  task_role_arn      = aws_iam_role.task_role.arn
+  execution_role_arn = aws_iam_role.execution_role.arn
+
+  cpu                      = "256"
+  memory                   = "512"
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  pid_mode                 = "task"
+
+  container_definitions = data.sysdig_fargate_workload_agent.containers_instrumented.output_container_definitions
+}
+
+
+resource "aws_ecs_cluster" "cluster" {
+  name = "${var.prefix}-instrumented-workload"
+}
+
+resource "aws_cloudwatch_log_group" "instrumented_logs" {
+}
+
+data "aws_iam_policy_document" "assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "execution_role" {
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+
+  managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"]
+}
+
+resource "aws_iam_role" "task_role" {
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+
+  inline_policy {
+    name   = "root"
+    policy = data.aws_iam_policy_document.task_policy.json
+  }
+}
+
+data "aws_iam_policy_document" "task_policy" {
+  statement {
+    actions = [
+      "ecr:GetAuthorizationToken",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+
+    resources = ["*"]
+  }
+}
+
+resource "aws_ecs_service" "service" {
+  name = "${var.prefix}-instrumented-service"
+
+  cluster          = aws_ecs_cluster.cluster.id
+  task_definition  = aws_ecs_task_definition.task_definition.arn
+  desired_count    = var.replicas
+  launch_type      = "FARGATE"
+  platform_version = "1.4.0"
+
+  network_configuration {
+    subnets          = [var.subnet_1, var.subnet_2]
+    security_groups  = [aws_security_group.security_group.id]
+    assign_public_ip = true
+  }
+}
+
+resource "aws_security_group" "security_group" {
+  description = "${var.prefix}-security-group"
+  vpc_id      = var.vpc_id
+}
+
+resource "aws_security_group_rule" "orchestrator_agent_ingress_rule" {
+  type              = "ingress"
+  protocol          = "tcp"
+  from_port         = 0
+  to_port           = 0
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.security_group.id
+}
+
+resource "aws_security_group_rule" "orchestrator_agent_egress_rule" {
+  type              = "egress"
+  protocol          = "all"
+  from_port         = 0
+  to_port           = 0
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.security_group.id
+}
diff --git a/examples/serverless-agent/fargate/workload-legacy/output.tf b/examples/serverless-agent/fargate/workload-legacy/output.tf
@@ -0,0 +1,15 @@
+output "workload_cluster_name" {
+  value = aws_ecs_cluster.cluster.name
+}
+
+output "workload_cluster_arn" {
+  value = aws_ecs_cluster.cluster.arn
+}
+
+output "service_arn" {
+  value = aws_ecs_service.service.id
+}
+
+output "task_revision" {
+  value = aws_ecs_task_definition.task_definition.revision
+}
diff --git a/examples/serverless-agent/fargate/workload-legacy/providers.tf b/examples/serverless-agent/fargate/workload-legacy/providers.tf
@@ -0,0 +1,4 @@
+provider "aws" {
+  region = var.region
+  profile = var.profile
+}
diff --git a/examples/serverless-agent/fargate/workload-legacy/variables.tf b/examples/serverless-agent/fargate/workload-legacy/variables.tf
@@ -0,0 +1,56 @@
+# AWS configuration
+variable "prefix" {
+  description = "All resources created by Terraform have this prefix prepended to them"
+}
+
+variable "profile" {
+  description = "AWS profile name"
+  type        = string
+}
+
+variable "region" {
+  description = "AWS Region for deployment"
+  default     = "us-east-1"
+}
+
+variable "subnet_1" {
+  description = "Subnet-1 Id"
+}
+
+variable "subnet_2" {
+  description = "Subnet-2 Id"
+}
+
+variable "vpc_id" {
+  description = "VPC Id"
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Tags to assign to resources in module"
+  default     = {}
+}
+
+variable "replicas" {
+  description = "Number of workload replicas to run"
+  default     = 2
+}
+
+# Serverless Agent Configuration
+variable "access_key" {
+  description = "Sysdig Agent access key"
+}
+
+variable "agent_workload_image" {
+  description = "Workload agent container image"
+  default     = "quay.io/sysdig/workload-agent:latest"
+}
+
+variable "orchestrator_host" {
+  description = "Orchestrator Host"
+}
+
+variable "orchestrator_port" {
+  description = "Orchestrator Port"
+  default     = 6667
+}
diff --git a/examples/serverless-agent/fargate/workload-legacy/versions.tf b/examples/serverless-agent/fargate/workload-legacy/versions.tf
@@ -0,0 +1,18 @@
+terraform {
+  required_version = ">=1.7.2"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.35.0"
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = "~> 2.4.1"
+    }
+    sysdig = {
+      source  = "sysdiglabs/sysdig"
+      version = "~> 1.24.5"
+    }
+  }
+}
diff --git a/examples/serverless-agent/fargate/workload/README.md b/examples/serverless-agent/fargate/workload/README.md
@@ -2,21 +2,22 @@
 
 This example deploys a cluster with a workload and the Serverless Workload Agent as a sidecar to secure the workload.
 
+The Workload Agent will directly connect to the Sysdig Collector.
+
 ## Prerequisites
 
 The following prerequisites are required to deploy this cluster:
-- Orchestrator Agent deployed
 - VPC
 - 2 subnets
 
 ## Components
 
 The cluster will be called `<prefix>-instrumented-workload` and will deploy the following:
 - 1 Service (called `<prefix-instrumented-service`)
-  - 1 Task (with the latest version of the Serverless Orchestrator Agent)
+  - 1 Task with 2 replicas, each running:
     - 1 container named `event-gen-1` running `falcosecurity/event-generator`
     - 1 container named `event-gen-2` also running `falcosecurity/event-generator`
-    - 1 container named `SysdigInstrumentation` running the Workload Agent which will secure both workload containers
+    - 1 container named `SysdigInstrumentation` running the latest Workload Agent which will secure both workload containers
 
 ## Layout
 | **File** | **Purpose** |

diff --git a/examples/serverless-agent/fargate/workload/instrumented_load.tf b/examples/serverless-agent/fargate/workload/instrumented_load.tf
@@ -31,8 +31,8 @@ data "sysdig_fargate_workload_agent" "containers_instrumented" {
   workload_agent_image = var.agent_workload_image
 
   sysdig_access_key = var.access_key
-  orchestrator_host = var.orchestrator_host
-  orchestrator_port = var.orchestrator_port
+  collector_host    = var.collector_host
+  collector_port    = var.collector_port
 
   log_configuration {
     group         = aws_cloudwatch_log_group.instrumented_logs.name

diff --git a/examples/serverless-agent/fargate/workload/variables.tf b/examples/serverless-agent/fargate/workload/variables.tf
@@ -31,6 +31,11 @@ variable "tags" {
   default     = {}
 }
 
+variable "replicas" {
+  description = "Number of workload replicas to run"
+  default     = 2
+}
+
 # Serverless Agent Configuration
 variable "access_key" {
   description = "Sysdig Agent access key"
@@ -41,16 +46,11 @@ variable "agent_workload_image" {
   default     = "quay.io/sysdig/workload-agent:latest"
 }
 
-variable "orchestrator_host" {
-  description = "Orchestrator Host"
+variable "collector_host" {
+  description = "Collector Host"
 }
 
-variable "orchestrator_port" {
-  description = "Orchestrator Port"
-  default     = 6667
-}
-
-variable "replicas" {
-  description = "Number of workload replicas to run"
-  default     = 2
+variable "collector_port" {
+  description = "Collector Port"
+  default     = 6443
 }