Merge branch 'master' into feat-zones-v2-support

Author: tembleking

examples/serverless-agent/ecs-fargate/README.md

@@ -0,0 +1,35 @@
+# Workload with Serverless Workload Agent
+This example deploys a cluster running a workload application secured by the Serverless Workload Agent.
+The workload used is [falcosecurity/event-generator](https://github.com/falcosecurity/event-generator), which produces synthetic suspicious actions that will trigger Sysdig managed policies. 
+
+
+## Prerequisites
+The following prerequisites are required to deploy this sample:
+- `VPC ID`, the ID of an already existing VPC
+- `Subnet ID`, the ID of an already existing Subnet within the VPC above
+
+
+## Usage
+```
+$ terraform init
+$ terraform apply
+```
+
+
+## Components
+| **Component**      | **Name**                   | **Description**                                                                                                                                     |
+|--------------------|----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|
+| ECS Cluster        | `<prefix>-cluster`         | The cluster containing the ECS Service below.                                                                                                       |
+| ECS Service        | `<prefix>-service`         | The service running the TaskDefinition below.                                                                                                       |
+| ECS TaskDefinition | `<prefix>-task-definition` | The task definition including a workload container being secured by the Serverless Agent.                                                           |
+| ECS SecurityGroup  | `<prefix>-security-group`  | The security group ensuring connectivity to the Serverless Agent. This security group has no restrictions applied and is intended for testing only. |
+
+
+## Files
+| **File**       | **Description**                                                                                          |
+|----------------|----------------------------------------------------------------------------------------------------------|
+| `output.tf`    | Contains the reference to the cluster, service, and task revision being deployed.                        |
+| `providers.tf` | Contains the configuration parameters for the providers.                                                 |
+| `resources.tf` | Contains the resources to deploy, including the task definition being secured with the Serverless Agent. |
+| `variables.tf` | Contains the configuration parameters for AWS and the Serverless Agent.                                  |
+| `versions.tf`  | Defines the version of the providers.                                                                    |

…-agent/fargate/workload-legacy/output.tf …s/serverless-agent/ecs-fargate/output.tfexamples/serverless-agent/fargate/workload-legacy/output.tf renamed to examples/serverless-agent/ecs-fargate/output.tf examples/serverless-agent/fargate/workload-legacy/output.tf renamed to examples/serverless-agent/ecs-fargate/output.tf

@@ -7,20 +7,7 @@ data "sysdig_fargate_workload_agent" "containers_instrumented" {
       "logConfiguration" : {
         "logDriver" : "awslogs",
         "options" : {
-          "awslogs-group" : aws_cloudwatch_log_group.instrumented_logs.name,
-          "awslogs-region" : var.region,
-          "awslogs-stream-prefix" : "task"
-        },
-      }
-    },
-    {
-      "name" : "event-gen-2",
-      "image" : "falcosecurity/event-generator",
-      "command" : ["run", "syscall", "--all", "--loop"],
-      "logConfiguration" : {
-        "logDriver" : "awslogs",
-        "options" : {
-          "awslogs-group" : aws_cloudwatch_log_group.instrumented_logs.name,
+          "awslogs-group" : aws_cloudwatch_log_group.logs.name,
           "awslogs-region" : var.region,
           "awslogs-stream-prefix" : "task"
         },
@@ -35,19 +22,19 @@ data "sysdig_fargate_workload_agent" "containers_instrumented" {
   collector_port    = var.collector_port
 
   log_configuration {
-    group         = aws_cloudwatch_log_group.instrumented_logs.name
+    group         = aws_cloudwatch_log_group.logs.name
     stream_prefix = "instrumentation"
     region        = var.region
   }
 }
 
 resource "aws_ecs_task_definition" "task_definition" {
-  family             = "${var.prefix}-instrumented-task-definition"
+  family             = "${var.prefix}-task-definition"
   task_role_arn      = aws_iam_role.task_role.arn
   execution_role_arn = aws_iam_role.execution_role.arn
 
-  cpu                      = "256"
-  memory                   = "512"
+  cpu                      = "512"
+  memory                   = "1024"
   network_mode             = "awsvpc"
   requires_compatibilities = ["FARGATE"]
   pid_mode                 = "task"
@@ -57,10 +44,10 @@ resource "aws_ecs_task_definition" "task_definition" {
 
 
 resource "aws_ecs_cluster" "cluster" {
-  name = "${var.prefix}-instrumented-workload"
+  name = "${var.prefix}-cluster"
 }
 
-resource "aws_cloudwatch_log_group" "instrumented_logs" {
+resource "aws_cloudwatch_log_group" "logs" {
 }
 
 data "aws_iam_policy_document" "assume_role_policy" {
@@ -106,7 +93,7 @@ data "aws_iam_policy_document" "task_policy" {
 }
 
 resource "aws_ecs_service" "service" {
-  name = "${var.prefix}-instrumented-service"
+  name = "${var.prefix}-service"
 
   cluster          = aws_ecs_cluster.cluster.id
   task_definition  = aws_ecs_task_definition.task_definition.arn
@@ -115,7 +102,7 @@ resource "aws_ecs_service" "service" {
   platform_version = "1.4.0"
 
   network_configuration {
-    subnets          = [var.subnet_1, var.subnet_2]
+    subnets          = [var.subnet]
     security_groups  = [aws_security_group.security_group.id]
     assign_public_ip = true
   }
@@ -126,7 +113,7 @@ resource "aws_security_group" "security_group" {
   vpc_id      = var.vpc_id
 }
 
-resource "aws_security_group_rule" "orchestrator_agent_ingress_rule" {
+resource "aws_security_group_rule" "ingress_rule" {
   type              = "ingress"
   protocol          = "tcp"
   from_port         = 0
@@ -135,7 +122,7 @@ resource "aws_security_group_rule" "orchestrator_agent_ingress_rule" {
   security_group_id = aws_security_group.security_group.id
 }
 
-resource "aws_security_group_rule" "orchestrator_agent_egress_rule" {
+resource "aws_security_group_rule" "egress_rule" {
   type              = "egress"
   protocol          = "all"
   from_port         = 0

…ent/fargate/workload-legacy/providers.tf …erverless-agent/ecs-fargate/providers.tfexamples/serverless-agent/fargate/workload-legacy/providers.tf renamed to examples/serverless-agent/ecs-fargate/providers.tf examples/serverless-agent/fargate/workload-legacy/providers.tf renamed to examples/serverless-agent/ecs-fargate/providers.tf

@@ -9,20 +9,15 @@ variable "profile" {
 }
 
 variable "region" {
-  description = "AWS Region for deployment"
-  default     = "us-east-1"
+  description = "AWS Region for deployment, for example: us-east-1"
 }
 
-variable "subnet_1" {
-  description = "Subnet-1 Id"
-}
-
-variable "subnet_2" {
-  description = "Subnet-2 Id"
+variable "vpc_id" {
+  description = "VPC Id (for example: vpc-1234567890abcde)"
 }
 
-variable "vpc_id" {
-  description = "VPC Id"
+variable "subnet" {
+  description = "Subnet Id (for example: subnet-1234567890abcde)"
 }
 
 variable "tags" {
@@ -33,7 +28,7 @@ variable "tags" {
 
 variable "replicas" {
   description = "Number of workload replicas to run"
-  default     = 2
+  default     = 1
 }
 
 # Serverless Agent Configuration

…nt/fargate/workload/instrumented_load.tf …erverless-agent/ecs-fargate/resources.tfexamples/serverless-agent/fargate/workload/instrumented_load.tf renamed to examples/serverless-agent/ecs-fargate/resources.tf examples/serverless-agent/fargate/workload/instrumented_load.tf renamed to examples/serverless-agent/ecs-fargate/resources.tf

@@ -4,15 +4,11 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.35.0"
-    }
-    local = {
-      source  = "hashicorp/local"
-      version = "~> 2.4.1"
+      version = "~>6.32.0"
     }
     sysdig = {
       source  = "sysdiglabs/sysdig"
-      version = "~> 1.24.5"
+      version = "~>3.4.0"
     }
   }
 }