diff --git a/.github/workflows/ci-integration-tests.yaml b/.github/workflows/ci-integration-tests.yaml index 6927a8b7..57e94bee 100644 --- a/.github/workflows/ci-integration-tests.yaml +++ b/.github/workflows/ci-integration-tests.yaml @@ -160,23 +160,6 @@ jobs: if: ${{ failure() }} run: bundle exec kitchen destroy "organizational-aws" - - - name: Run organizational-single test - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_QA_MANAGED_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_QA_MANAGED_SECRET_ACCESS_KEY }} - AWS_REGION: ${{ secrets.AWS_REGION }} - TF_VAR_sysdig_secure_for_cloud_member_account_id: ${{ secrets.AWS_QA_CLOUDNATIVE_ACCOUNT_ID }} - run: bundle exec kitchen test "organizational-single-aws" - - - name: Destroy organizational-single resources - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_QA_MANAGED_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_QA_MANAGED_SECRET_ACCESS_KEY }} - AWS_REGION: ${{ secrets.AWS_REGION }} - TF_VAR_sysdig_secure_for_cloud_member_account_id: ${{ secrets.AWS_QA_CLOUDNATIVE_ACCOUNT_ID }} - if: ${{ failure() }} - run: bundle exec kitchen destroy "organizational-single-aws" integration_test_app_runner: needs: integration_test_ecs concurrency: terraform-account diff --git a/.kitchen.yml b/.kitchen.yml index ef397dbe..ecb28bc4 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -19,9 +19,6 @@ suites: - name: organizational-k8s driver: root_module_directory: test/fixtures/organizational-k8s - - name: organizational-single - driver: - root_module_directory: test/fixtures/organizational-single - name: single-account-apprunner driver: root_module_directory: test/fixtures/single-account-apprunner diff --git a/README.md b/README.md index d3b004df..92066ee6 100644 --- a/README.md +++ b/README.md 
@@ -333,7 +333,7 @@ Error: Not enough privileges to complete the action, Access is denied │ Error: error waiting for CloudFormation StackSet(sysdig - secure - cloudbench) update: unexpected state 'FAILED', wanted target 'SUCCEEDED'.last error: Operation(terraform - 20221130212414336200000001) Results: 6 errors occurred: │ * Account(***) Region(us - east - 1) Status(SUCCEEDED) Status Reason: No updates are to be performed. -│ * Account(***) Region(us - east - 1) Status(FAILED) Status Reason: Account *** should have +│ * Account(***) Region(us - east - 1) Status(FAILED) Status Reason: Account *** should have 'stacksets-exec-70e2f8a88d368a5d3df60f4eb8c247dc' role with trust relationship to Role 'aws-service-role/stacksets.cloudformation.amazonaws.com/AWSServiceRoleForCloudFormationStackSetsOrgAdmin ``` diff --git a/examples/organizational/README.md b/examples/organizational/README.md index 7ddcb566..d215942c 100644 --- a/examples/organizational/README.md +++ b/examples/organizational/README.md @@ -186,6 +186,7 @@ $ terraform apply | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [sysdig\_secure\_for\_cloud\_member\_account\_id](#input\_sysdig\_secure\_for\_cloud\_member\_account\_id) | organizational member account where the secure-for-cloud workload is going to be deployed | `string` | n/a | yes | +| [autoscaling\_config](#input\_autoscaling\_config) | if enable\_autoscaliing is enabled, ECS autoscaling configuration. for more insight check source code |
object({
min_replicas = number
max_replicas = number
upscale_threshold = number
downscale_threshold = number
})
|
{
"downscale_threshold": 30,
"max_replicas": 15,
"min_replicas": 2,
"upscale_threshold": 60
}
| no | | [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no | | [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether the created cloudtrail will ingest multi-regional events. testing/economization purpose. | `bool` | `true` | no | | [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether the created cloudtrail should deliver encrypted events to s3 | `bool` | `true` | no | @@ -204,8 +205,6 @@ $ terraform apply | [ecs\_vpc\_subnets\_private\_ids](#input\_ecs\_vpc\_subnets\_private\_ids) | List of VPC subnets where workload is to be deployed. If defaulted new subnets will be created within the VPC. A minimum of two subnets is suggested. If specified all three parameters `ecs_cluster_name`, `ecs_vpc_id` and `ecs_vpc_subnets_private_ids` are required. | `list(string)` | `[]` | no | | [enable\_autoscaling](#input\_enable\_autoscaling) | Whether to enable autoscaling or not | `bool` | `false` | no | | [existing\_cloudtrail\_config](#input\_existing\_cloudtrail\_config) | Optional block. If not set, a new cloudtrail, sns and sqs resources will be created in the **management account**.
If provided through Option 1, resources (cloudtrail,cloudtrail-s3) must exist in the management account.
Option 2, is mandatory to be used when the cloudtrail-s3 is in a different account than where SFC worklaod is installed.
Option 3, is an alterntive to Option1, to be able to ingest events through cloudtrail-s3-sns subscribed SQS, instead of just cloudtrail-sns
Check [use-cases](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/use-cases) for proper permission setup.
|
object({
cloudtrail_s3_arn = optional(string)
cloudtrail_sns_arn = optional(string)
cloudtrail_s3_role_arn = optional(string)
cloudtrail_s3_sns_sqs_arn = optional(string)
cloudtrail_s3_sns_sqs_url = optional(string)
})
|
{
"cloudtrail_s3_arn": "create",
"cloudtrail_s3_role_arn": null,
"cloudtrail_s3_sns_sqs_arn": null,
"cloudtrail_s3_sns_sqs_url": null,
"cloudtrail_sns_arn": "create"
}
| no | -| [max\_replicas](#input\_max\_replicas) | If autoscaling is enabled, this is the maximum number of replicas to run | `number` | `30` | no | -| [min\_replicas](#input\_min\_replicas) | If autoscaling is enabled, this is the minimum number of replicas to run | `number` | `1` | no | | [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no | | [organizational\_member\_default\_admin\_role](#input\_organizational\_member\_default\_admin\_role) | Default role created by AWS for management-account users to be able to admin member accounts.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html | `string` | `"OrganizationAccountAccessRole"` | no | | [tags](#input\_tags) | customization of tags to be assigned to all resources.
always include 'product' default tag for resource-group proper functioning.
can also make use of the [provider-level `default-tags`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags) | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
}
| no | diff --git a/examples/organizational/main.tf b/examples/organizational/main.tf index 2db67fe4..f9d27112 100644 --- a/examples/organizational/main.tf +++ b/examples/organizational/main.tf @@ -104,8 +104,12 @@ module "cloud_connector" { ecs_task_memory = var.ecs_task_memory enable_autoscaling = var.enable_autoscaling - max_replicas = var.max_replicas - min_replicas = var.min_replicas + autoscaling_config = { + min_replicas = var.autoscaling_config.min_replicas + max_replicas = var.autoscaling_config.max_replicas + upscale_threshold = var.autoscaling_config.upscale_threshold + downscale_threshold = var.autoscaling_config.downscale_threshold + } tags = var.tags depends_on = [local.cloudtrail_sns_arn, module.ssm] diff --git a/examples/organizational/variables.tf b/examples/organizational/variables.tf index 5a0532f6..82bc7b75 100644 --- a/examples/organizational/variables.tf +++ b/examples/organizational/variables.tf @@ -198,15 +198,19 @@ variable "enable_autoscaling" { default = false } +variable "autoscaling_config" { + type = object({ + min_replicas = number + max_replicas = number + upscale_threshold = number + downscale_threshold = number + }) -variable "min_replicas" { - type = number - default = 1 - description = "If autoscaling is enabled, this is the minimum number of replicas to run" -} - -variable "max_replicas" { - type = number - default = 30 - description = "If autoscaling is enabled, this is the maximum number of replicas to run" + default = { + min_replicas = 2 + max_replicas = 15 + upscale_threshold = 60 + downscale_threshold = 30 + } + description = "if enable_autoscaliing is enabled, ECS autoscaling configuration. for more insight check source code" } diff --git a/examples/single-account-ecs/README.md b/examples/single-account-ecs/README.md index e22dc70e..93ac5ae9 100644 --- a/examples/single-account-ecs/README.md +++ b/examples/single-account-ecs/README.md 
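Review bot: The new `autoscaling_config` variable accepts any four numbers, so `min_replicas = 0`, `min_replicas > max_replicas` or `downscale_threshold >= upscale_threshold` are only discovered at apply time or not at all; overlapping thresholds in particular make the two CloudWatch alarms in ecs-service-autoscaling.tf fire together and the service flaps. Since the variable already carries an `object({...})` type, a `validation` block can reject those combinations at plan time; the same applies to the copies of this variable in examples/single-account-ecs/variables.tf and modules/services/cloud-connector-ecs/variables.tf. The description also has a typo (`autoscaliing`) and `for more insight check source code` tells the caller nothing about the units; stating that the thresholds are ECS `MemoryUtilization` percentages would, e.g. `description = "If enable_autoscaling is true: replica bounds and the ECS MemoryUtilization percentages that trigger scale-out / scale-in"`.
```hcl
variable "autoscaling_config" {
  # … unchanged: type, default, description …

  validation {
    condition     = var.autoscaling_config.min_replicas >= 1 && var.autoscaling_config.min_replicas <= var.autoscaling_config.max_replicas
    error_message = "Field min_replicas must be >= 1 and <= max_replicas."
  }

  validation {
    condition     = var.autoscaling_config.downscale_threshold >= 0 && var.autoscaling_config.upscale_threshold <= 100 && var.autoscaling_config.downscale_threshold < var.autoscaling_config.upscale_threshold
    error_message = "Thresholds are MemoryUtilization percentages: downscale_threshold must be below upscale_threshold and both within 0-100."
  }
}
```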
@@ -97,6 +97,7 @@ $ terraform apply | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [autoscaling\_config](#input\_autoscaling\_config) | if enable\_autoscaliing is enabled, ECS autoscaling configuration. for more insight check source code |
object({
min_replicas = number
max_replicas = number
upscale_threshold = number
downscale_threshold = number
})
|
{
"downscale_threshold": 30,
"max_replicas": 10,
"min_replicas": 1,
"upscale_threshold": 60
}
| no | | [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no | | [cloud\_connector\_image](#input\_cloud\_connector\_image) | Image to use for the cloud connector. If empty, the default image will be used. | `string` | `"quay.io/sysdig/cloud-connector:latest"` | no | | [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events | `bool` | `true` | no | @@ -114,8 +115,6 @@ $ terraform apply | [ecs\_vpc\_region\_azs](#input\_ecs\_vpc\_region\_azs) | List of Availability Zones for ECS VPC creation. e.g.: ["apne1-az1", "apne1-az2"]. If defaulted, two of the default 'aws\_availability\_zones' datasource will be taken | `list(string)` | `[]` | no | | [ecs\_vpc\_subnets\_private\_ids](#input\_ecs\_vpc\_subnets\_private\_ids) | List of VPC subnets where workload is to be deployed. If defaulted new subnets will be created within the VPC. A minimum of two subnets is suggested. If specified all three parameters `ecs_cluster_name`, `ecs_vpc_id` and `ecs_vpc_subnets_private_ids` are required. | `list(string)` | `[]` | no | | [enable\_autoscaling](#input\_enable\_autoscaling) | Whether to enable autoscaling or not | `bool` | `false` | no | -| [max\_replicas](#input\_max\_replicas) | If autoscaling is enabled, this is the maximum number of replicas to run | `number` | `10` | no | -| [min\_replicas](#input\_min\_replicas) | If autoscaling is enabled, this is the minimum number of replicas to run | `number` | `1` | no | | [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no | | [tags](#input\_tags) | customization of tags to be assigned to all resources.
always include 'product' default tag for resource-group proper functioning.
can also make use of the [provider-level `default-tags`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags) | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
}
| no | diff --git a/examples/single-account-ecs/main.tf b/examples/single-account-ecs/main.tf index 0938180a..7b65013d 100644 --- a/examples/single-account-ecs/main.tf +++ b/examples/single-account-ecs/main.tf @@ -68,6 +68,10 @@ module "cloud_connector" { depends_on = [local.cloudtrail_sns_arn, module.ssm] enable_autoscaling = var.enable_autoscaling - min_replicas = var.min_replicas - max_replicas = var.max_replicas + autoscaling_config = { + min_replicas = var.autoscaling_config.min_replicas + max_replicas = var.autoscaling_config.max_replicas + upscale_threshold = var.autoscaling_config.upscale_threshold + downscale_threshold = var.autoscaling_config.downscale_threshold + } } diff --git a/examples/single-account-ecs/variables.tf b/examples/single-account-ecs/variables.tf index a4fe6e10..d10c357d 100644 --- a/examples/single-account-ecs/variables.tf +++ b/examples/single-account-ecs/variables.tf @@ -146,15 +146,19 @@ variable "enable_autoscaling" { default = false } +variable "autoscaling_config" { + type = object({ + min_replicas = number + max_replicas = number + upscale_threshold = number + downscale_threshold = number + }) -variable "min_replicas" { - type = number - default = 1 - description = "If autoscaling is enabled, this is the minimum number of replicas to run" -} - -variable "max_replicas" { - type = number - default = 10 - description = "If autoscaling is enabled, this is the maximum number of replicas to run" + default = { + min_replicas = 1 + max_replicas = 10 + upscale_threshold = 60 + downscale_threshold = 30 + } + description = "if enable_autoscaliing is enabled, ECS autoscaling configuration. for more insight check source code" } diff --git a/modules/services/cloud-connector-ecs/README.md b/modules/services/cloud-connector-ecs/README.md index a78f89b0..234d6d67 100644 --- a/modules/services/cloud-connector-ecs/README.md +++ b/modules/services/cloud-connector-ecs/README.md 
@@ -28,11 +28,13 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu | Name | Type | |------|------| -| [aws_appautoscaling_policy.ecs_ram_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_policy) | resource | +| [aws_appautoscaling_policy.ecs_memory_above](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_policy) | resource | +| [aws_appautoscaling_policy.ecs_memory_below](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_policy) | resource | | [aws_appautoscaling_target.ecs_target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource | | [aws_cloudwatch_log_group.log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | | [aws_cloudwatch_log_stream.stream](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_stream) | resource | -| [aws_cloudwatch_metric_alarm.ecs_ram_usage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | +| [aws_cloudwatch_metric_alarm.ecs_memory_above](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | +| [aws_cloudwatch_metric_alarm.ecs_memory_below](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | | [aws_ecs_service.service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) | resource | | [aws_ecs_task_definition.task_definition](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) | resource | | [aws_iam_role.execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | 
@@ -72,6 +74,7 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu | [ecs\_vpc\_id](#input\_ecs\_vpc\_id) | ID of the VPC where the workload is to be deployed. | `string` | n/a | yes | | [ecs\_vpc\_subnets\_private\_ids](#input\_ecs\_vpc\_subnets\_private\_ids) | List of VPC subnets where workload is to be deployed. | `list(string)` | n/a | yes | | [secure\_api\_token\_secret\_name](#input\_secure\_api\_token\_secret\_name) | Sysdig Secure API token SSM parameter name | `string` | n/a | yes | +| [autoscaling\_config](#input\_autoscaling\_config) | if enable\_autoscaliing is enabled, ECS autoscaling configuration. for more insight check source code |
object({
min_replicas = number
max_replicas = number
upscale_threshold = number
downscale_threshold = number
})
|
{
"downscale_threshold": 30,
"max_replicas": 10,
"min_replicas": 1,
"upscale_threshold": 60
}
| no | | [cloudwatch\_log\_retention](#input\_cloudwatch\_log\_retention) | Days to keep logs for CloudConnector | `number` | `5` | no | | [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Default ecs cloudconnector task role name | `string` | `"ECSTaskRole"` | no | | [deploy\_beta\_image\_scanning\_ecr](#input\_deploy\_beta\_image\_scanning\_ecr) | true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported) | `bool` | `false` | no | @@ -84,8 +87,6 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu | [extra\_env\_vars](#input\_extra\_env\_vars) | Extra environment variables for the Cloud Connector deployment | `map(string)` | `{}` | no | | [image](#input\_image) | Image of the cloud connector to deploy | `string` | `"quay.io/sysdig/cloud-connector:latest"` | no | | [is\_organizational](#input\_is\_organizational) | true/false whether `organizational_config` should be used to handle organizational setup | `bool` | `false` | no | -| [max\_replicas](#input\_max\_replicas) | If autoscaling is enabled, this is the maximum number of replicas to run | `number` | `10` | no | -| [min\_replicas](#input\_min\_replicas) | If autoscaling is enabled, this is the minimum number of replicas to run | `number` | `1` | no | | [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc-cloudconnector"` | no | | [organizational\_config](#input\_organizational\_config) | organizational\_config. following attributes must be given
|
object({
sysdig_secure_for_cloud_role_arn = string
organizational_role_per_account = string
connector_ecs_task_role_name = string
})
|
{
"connector_ecs_task_role_name": null,
"organizational_role_per_account": null,
"sysdig_secure_for_cloud_role_arn": null
}
| no | | [tags](#input\_tags) | customization of tags to be assigned to all resources.
always include 'product' default tag for resource-group proper functioning.
can also make use of the [provider-level `default-tags`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags) | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
}
| no | diff --git a/modules/services/cloud-connector-ecs/ecs-service-autoscaling.tf b/modules/services/cloud-connector-ecs/ecs-service-autoscaling.tf index e1d79134..ef956602 100644 --- a/modules/services/cloud-connector-ecs/ecs-service-autoscaling.tf +++ b/modules/services/cloud-connector-ecs/ecs-service-autoscaling.tf @@ -1,17 +1,21 @@ resource "aws_appautoscaling_target" "ecs_target" { count = var.enable_autoscaling ? 1 : 0 - max_capacity = var.max_replicas - min_capacity = var.min_replicas - resource_id = "service/${data.aws_ecs_cluster.this.cluster_name}/${aws_ecs_service.service.name}" + max_capacity = var.autoscaling_config.max_replicas + min_capacity = var.autoscaling_config.min_replicas + resource_id = "service/${local.cluster_name}/${var.name}" scalable_dimension = "ecs:service:DesiredCount" service_namespace = "ecs" + + depends_on = [aws_ecs_service.service] } -resource "aws_appautoscaling_policy" "ecs_ram_policy" { + +# upscale memory > threshold +resource "aws_appautoscaling_policy" "ecs_memory_above" { count = var.enable_autoscaling ? 1 : 0 - name = "scale-cloud-connector-ram-usage" + name = "scale-cloud-connector-ram-above" policy_type = "StepScaling" resource_id = aws_appautoscaling_target.ecs_target[0].resource_id scalable_dimension = aws_appautoscaling_target.ecs_target[0].scalable_dimension 
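Review bot: `resource_id` for the scalable target is now built from `var.name`, while both alarms in the next hunk identify the service through `aws_ecs_service.service.name`; if the service resource's `name` is anything other than `var.name` (the service is defined in a file not in view), the target is registered against a service that does not exist and either apply fails or scaling never happens. Using the service attribute here as well, `resource_id = "service/${local.cluster_name}/${aws_ecs_service.service.name}"`, keeps the three resources consistent and makes the added `depends_on = [aws_ecs_service.service]` redundant, since the reference already orders creation. The `ecs_memory_above` policy opened at the end of this hunk continues into the next one.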
@@ -22,49 +26,89 @@ resource "aws_appautoscaling_policy" "ecs_ram_policy" { cooldown = 30 metric_aggregation_type = "Average" - # Scale down on Memory usage if it's below 40% usage step_adjustment { - metric_interval_upper_bound = -10 - scaling_adjustment = -1 + metric_interval_lower_bound = 0 + scaling_adjustment = 1 } + } +} + +resource "aws_cloudwatch_metric_alarm" "ecs_memory_above" { + count = var.enable_autoscaling ? 1 : 0 + + alarm_name = "Step-Scaling-Alarm-Upscale-ECS:service/${local.cluster_name}/${aws_ecs_service.service.name}" + alarm_description = "ECS cloud-connector service is above memory utilization threshold" + + metric_name = "MemoryUtilization" + namespace = "AWS/ECS" + statistic = "Average" + + period = "60" # minimum 60 seconds + evaluation_periods = "1" + + comparison_operator = "GreaterThanOrEqualToThreshold" + threshold = var.autoscaling_config.upscale_threshold + alarm_actions = [aws_appautoscaling_policy.ecs_memory_above[0].arn] + + dimensions = { + ClusterName = local.cluster_name, + ServiceName = aws_ecs_service.service.name + } + + depends_on = [aws_ecs_service.service] +} + + + +# downscale memory > threshold +resource "aws_appautoscaling_policy" "ecs_memory_below" { + count = var.enable_autoscaling ? 
1 : 0 + + name = "scale-cloud-connector-ram-below" + policy_type = "StepScaling" + resource_id = aws_appautoscaling_target.ecs_target[0].resource_id + scalable_dimension = aws_appautoscaling_target.ecs_target[0].scalable_dimension + service_namespace = aws_appautoscaling_target.ecs_target[0].service_namespace + + step_scaling_policy_configuration { + adjustment_type = "ChangeInCapacity" + cooldown = 30 + metric_aggregation_type = "Average" - # Do not scale if Memory usage is between 40% and 60% usage step_adjustment { + metric_interval_upper_bound = 0 metric_interval_lower_bound = -10 - metric_interval_upper_bound = 10 scaling_adjustment = 0 } - # Scale up on Memory usage if it's above 60% usage step_adjustment { - metric_interval_lower_bound = 10 - scaling_adjustment = 1 + metric_interval_upper_bound = -10 + scaling_adjustment = -1 } - } } -resource "aws_cloudwatch_metric_alarm" "ecs_ram_usage" { +resource "aws_cloudwatch_metric_alarm" "ecs_memory_below" { count = var.enable_autoscaling ? 
1 : 0 - alarm_name = "Step-Scaling-AlarmHigh-ECS:service/${data.aws_ecs_cluster.this.cluster_name}/${aws_ecs_service.service.name}" + alarm_name = "Step-Scaling-Alarm-Dowscale-ECS:service/${local.cluster_name}/${aws_ecs_service.service.name}" + alarm_description = "ECS cloud-connector service is below memory utilization threshold" metric_name = "MemoryUtilization" - namespace = "AWS/EC2" + namespace = "AWS/ECS" statistic = "Average" - period = "30" - evaluation_periods = "2" - threshold = "50" + period = "60" # minimum 60 seconds + evaluation_periods = "1" - comparison_operator = "GreaterThanOrEqualToThreshold" + threshold = var.autoscaling_config.downscale_threshold + comparison_operator = "LessThanThreshold" + alarm_actions = [aws_appautoscaling_policy.ecs_memory_below[0].arn] dimensions = { - Name = data.aws_ecs_cluster.this.cluster_name, + ClusterName = local.cluster_name, ServiceName = aws_ecs_service.service.name } - alarm_actions = [aws_appautoscaling_policy.ecs_ram_policy[0].arn] - - alarm_description = "This metric monitors ECS Memory Utilization of Cloud Connector" + depends_on = [aws_ecs_service.service] } diff --git a/modules/services/cloud-connector-ecs/main.tf b/modules/services/cloud-connector-ecs/main.tf index 6ae368bc..ba4745f0 100644 --- a/modules/services/cloud-connector-ecs/main.tf +++ b/modules/services/cloud-connector-ecs/main.tf @@ -1,5 +1,6 @@ data "aws_region" "current" {} locals { - verify_ssl = var.verify_ssl == "auto" ? length(regexall("https://.*?\\.sysdig(cloud)?.com/?", data.sysdig_secure_connection.current.secure_url)) == 1 : var.verify_ssl == "true" + verify_ssl = var.verify_ssl == "auto" ? length(regexall("https://.*?\\.sysdig(cloud)?.com/?", data.sysdig_secure_connection.current.secure_url)) == 1 : var.verify_ssl == "true" + cluster_name = coalesce(split("/", var.ecs_cluster_name)[1], var.ecs_cluster_name) } 
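Review bot: The comment `# downscale memory > threshold` contradicts the alarm it introduces, which uses `LessThanThreshold` against `downscale_threshold`, and the step bounds mean a scale-in is applied only once utilization is more than 10 points below that threshold (with the default 30, below 20%); in the band from threshold-10 to threshold the alarm fires but `scaling_adjustment = 0` is applied. That dead band is reasonable hysteresis but is documented nowhere, so a caller tuning `downscale_threshold` will not get what they expect; suggest `# scale in: memory < downscale_threshold - 10 (the alarm fires below the threshold; the first 10 points are a no-op band)`. `alarm_name` also misspells `Dowscale`, and since alarm names are what operators search for in CloudWatch, `Step-Scaling-Alarm-Downscale-ECS:service/...` is worth fixing before it ships. The `ecs_memory_above` policy whose `step_adjustment` starts this hunk begins in the previous hunk.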
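Review bot: `split("/", var.ecs_cluster_name)[1]` raises an invalid-index error when the variable holds a bare cluster name with no `/`, so the `coalesce` fallback is never reached and the local only works for ARN or `cluster/name` inputs. If bare names are a supported input (the variable's name suggests so, but its declaration is not in view), `cluster_name = reverse(split("/", var.ecs_cluster_name))[0]` handles both shapes without depending on an error path. `local.cluster_name` feeds the scalable target and both alarms in ecs-service-autoscaling.tf, so a wrong value here disables all of autoscaling; a short comment on the line naming the accepted formats, e.g. `# accepts a bare cluster name or a cluster ARN; only the last path segment is used`, would help the next maintainer.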
diff --git a/modules/services/cloud-connector-ecs/variables.tf b/modules/services/cloud-connector-ecs/variables.tf index ee386035..8182e7cc 100644 --- a/modules/services/cloud-connector-ecs/variables.tf +++ b/modules/services/cloud-connector-ecs/variables.tf @@ -196,14 +196,20 @@ variable "enable_autoscaling" { description = "Enable autoscaling for the ECS service" } -variable "min_replicas" { - type = number - default = 1 - description = "If autoscaling is enabled, this is the minimum number of replicas to run" -} -variable "max_replicas" { - type = number - default = 10 - description = "If autoscaling is enabled, this is the maximum number of replicas to run" +variable "autoscaling_config" { + type = object({ + min_replicas = number + max_replicas = number + upscale_threshold = number + downscale_threshold = number + }) + + default = { + min_replicas = 1 + max_replicas = 10 + upscale_threshold = 60 + downscale_threshold = 30 + } + description = "if enable_autoscaliing is enabled, ECS autoscaling configuration. for more insight check source code" } diff --git a/test/fixtures/organizational-k8s/main.tf b/test/fixtures/organizational-k8s/main.tf index b685bac5..2bd234bb 100644 --- a/test/fixtures/organizational-k8s/main.tf +++ b/test/fixtures/organizational-k8s/main.tf @@ -3,6 +3,7 @@ terraform { sysdig = { source = "sysdiglabs/sysdig" } + # version pinned until this is solved: hashicorp/terraform-provider-aws#29042 aws = { source = "hashicorp/aws" version = "<4.51.0" diff --git a/test/fixtures/organizational-single/backend.tf b/test/fixtures/organizational-single/backend.tf deleted file mode 100644 index d3a1f9e7..00000000 --- a/test/fixtures/organizational-single/backend.tf +++ /dev/null 
@@ -1,9 +0,0 @@ -# Terraform state storage backend -terraform { - backend "s3" { - bucket = "secure-cloud-terraform-tests-org" # org examples deploy in qa org/s3 bucket - key = "aws-organizational-single/terraform.tfstate" - dynamodb_table = "secure-cloud-terraform-tests" - region = "eu-west-3" - } -} diff --git a/test/fixtures/organizational-single/main.tf b/test/fixtures/organizational-single/main.tf deleted file mode 100644 index a0c638a6..00000000 --- a/test/fixtures/organizational-single/main.tf +++ /dev/null @@ -1,44 +0,0 @@ -terraform { - required_providers { - aws = { - version = ">= 4.0.0, <4.51.0" - configuration_aliases = [aws.member] - } - sysdig = { - source = "sysdiglabs/sysdig" - } - } -} - -provider "sysdig" { - sysdig_secure_api_token = var.sysdig_secure_api_token - sysdig_secure_url = var.sysdig_secure_url -} - -provider "aws" { - region = var.region -} - - -provider "aws" { - alias = "member" - region = var.region - assume_role { - # 'OrganizationAccountAccessRole' is the default role created by AWS for management-account users to be able to admin member accounts. - #
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html - role_arn = "arn:aws:iam::${var.sysdig_secure_for_cloud_member_account_id}:role/OrganizationAccountAccessRole" - } -} - -module "cloudvision_aws_organizational" { - providers = { - aws.member = aws.member - } - source = "../../../examples/organizational" - name = var.name - - sysdig_secure_for_cloud_member_account_id = var.sysdig_secure_for_cloud_member_account_id - deploy_benchmark_organizational = false - deploy_image_scanning_ecr = false - deploy_image_scanning_ecs = false -} diff --git a/test/fixtures/organizational-single/outputs.tf b/test/fixtures/organizational-single/outputs.tf deleted file mode 100644 index e69de29b..00000000 diff --git a/test/fixtures/organizational-single/variables.tf b/test/fixtures/organizational-single/variables.tf deleted file mode 100644 index e8489e21..00000000 --- a/test/fixtures/organizational-single/variables.tf +++ /dev/null @@ -1,30 +0,0 @@ -variable "sysdig_secure_api_token" { - type = string - sensitive = true - description = "Sysdig secure api token" -} -variable "sysdig_secure_for_cloud_member_account_id" { - type = string - description = "organizational member account where the secure-for-cloud workload is going to be deployed" -} - - - - -variable "name" { - type = string - description = "Name is the prefix used in the resources will be created" - default = "sfctest-org-ecs-single" -} - -variable "region" { - type = string - description = "Region to be deployed" - default = "eu-west-3" -} - -variable "sysdig_secure_url" { - type = string - description = "Sysdig secure endpoint" - default = "https://secure.sysdig.com" -} diff --git a/test/fixtures/organizational/main.tf b/test/fixtures/organizational/main.tf index 7c964c51..6548c2dd 100644 --- a/test/fixtures/organizational/main.tf +++ b/test/fixtures/organizational/main.tf 
@@ -1,6 +1,7 @@ terraform { required_providers { aws = { + # major version pinned until this is solved: hashicorp/terraform-provider-aws#29042 version = ">= 4.0.0, <4.51.0" configuration_aliases = [aws.member] } @@ -42,6 +43,10 @@ module "cloudvision_aws_organizational" { deploy_image_scanning_ecs = true enable_autoscaling = true - min_replicas = 2 - max_replicas = 4 + autoscaling_config = { + min_replicas = 1 + max_replicas = 4 + upscale_threshold = 60 + downscale_threshold = 30 + } } diff --git a/test/fixtures/single-account-apprunner/main.tf b/test/fixtures/single-account-apprunner/main.tf index 2d4cd7d2..184ad02a 100644 --- a/test/fixtures/single-account-apprunner/main.tf +++ b/test/fixtures/single-account-apprunner/main.tf @@ -4,6 +4,7 @@ terraform { source = "sysdiglabs/sysdig" version = ">=0.5.33" } + # version pinned until this is solved: hashicorp/terraform-provider-aws#29042 aws = { source = "hashicorp/aws" version = "<4.51.0" diff --git a/test/fixtures/single-account-ecs/main.tf b/test/fixtures/single-account-ecs/main.tf index 1d051be8..2dbf50ee 100644 --- a/test/fixtures/single-account-ecs/main.tf +++ b/test/fixtures/single-account-ecs/main.tf @@ -4,6 +4,8 @@ terraform { source = "sysdiglabs/sysdig" version = ">=0.5.33" } + + # version pinned until this is solved: hashicorp/terraform-provider-aws#29042 aws = { source = "hashicorp/aws" version = "<4.51.0" @@ -28,6 +30,10 @@ module "cloudvision_aws_single_account_ecs" { deploy_image_scanning_ecs = true enable_autoscaling = true - min_replicas = 2 - max_replicas = 4 + autoscaling_config = { + min_replicas = 1 + max_replicas = 4 + upscale_threshold = 60 + downscale_threshold = 30 + } } diff --git a/test/fixtures/single-account-k8s/main.tf b/test/fixtures/single-account-k8s/main.tf index c5636718..c383cfb1 100644 --- a/test/fixtures/single-account-k8s/main.tf +++ b/test/fixtures/single-account-k8s/main.tf 
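Review bot: The comment added in the provider block reads `major version pinned`, but the constraint `>= 4.0.0, <4.51.0` caps a minor release of the 4.x line, and the three sibling fixtures in this diff use `version pinned` for the same cap. `# aws provider capped below 4.51.0 until this is solved: hashicorp/terraform-provider-aws#29042` would be accurate and consistent, and identical wording across the four fixtures makes the pin easy to find and remove once the issue closes.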
@@ -3,6 +3,7 @@ terraform { sysdig = { source = "sysdiglabs/sysdig" } + # version pinned until this is solved: hashicorp/terraform-provider-aws#29042 aws = { source = "hashicorp/aws" version = "<4.51.0" diff --git a/test/trigger-events/README.md b/test/trigger-events/README.md index c85b4fa7..19ef0fe9 100644 --- a/test/trigger-events/README.md +++ b/test/trigger-events/README.md @@ -49,7 +49,7 @@ $ terraform apply | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.0.0 | +| [aws](#provider\_aws) | 4.38.0 | ## Modules