fix: Remove v2 scanning (#111)

* Revert "chore: fix precommit (#106)" This reverts commit 0d9e416. * Revert "chore: fix precommit errors" This reverts commit 97c7c2c. * Revert "chore: fix precommit" This reverts commit 9efb2da. * Revert "feat: org cloud connector based on binary scanner" This reverts commit 26d85de. * Revert "chore: fix wrong paramter" This reverts commit 4b77cf5. * Revert "feat: apprunner cloud connector based on binary scanner" This reverts commit fe45088. * Revert "feat: ecs cloud connector based on binary scanner" This reverts commit 6d37ea0. * Revert "fix: missing comma" This reverts commit ed9aca5. * Revert "chore: fix missing paramter" This reverts commit 47d4286. * Revert "feat: permission are created based on binary scanner use" This reverts commit be40cda. * Revert "feat: create k8s config base on binary scanner use" This reverts commit 0631890. * Revert "feat: add standalone bianry scanner" This reverts commit 22d6c7c. * chore: fix precommit
sysdiglabs · Jun 29, 2022 · 29b399e · 29b399e
1 parent 0d9e416
commit 29b399e
Show file tree

Hide file tree

Showing 64 changed files with 72 additions and 602 deletions.
diff --git a/examples/organizational/README.md b/examples/organizational/README.md
@@ -145,8 +145,8 @@ $ terraform apply
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.19.0 |
-| <a name="provider_aws.member"></a> [aws.member](#provider\_aws.member) | 4.19.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.20.1 |
+| <a name="provider_aws.member"></a> [aws.member](#provider\_aws.member) | 4.20.1 |
 | <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 0.5.37 |
 
 ## Modules
@@ -195,7 +195,6 @@ $ terraform apply
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_organizational_member_default_admin_role"></a> [organizational\_member\_default\_admin\_role](#input\_organizational\_member\_default\_admin\_role) | Default role created by AWS for management-account users to be able to admin member accounts.<br/>https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html | `string` | `"OrganizationAccountAccessRole"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
-| <a name="input_use_standalone_scanner"></a> [use\_standalone\_scanner](#input\_use\_standalone\_scanner) | true/false whether use inline scanner or not | `bool` | `false` | no |
 
 ## Outputs
 

diff --git a/examples/organizational/main.tf b/examples/organizational/main.tf
@@ -1,7 +1,3 @@
-locals {
-  deploy_image_scanning = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs
-  deploy_scanning_infra = local.deploy_image_scanning && !var.use_standalone_scanner
-}
 #-------------------------------------
 # resources deployed always in management account
 # with default provider
@@ -40,7 +36,7 @@ module "ssm" {
 # cloud-connector
 #-------------------------------------
 module "codebuild" {
-  count = local.deploy_scanning_infra ? 1 : 0
+  count = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs ? 1 : 0
 
   providers = {
     aws = aws.member
@@ -66,7 +62,6 @@ module "cloud_connector" {
 
   deploy_image_scanning_ecr = var.deploy_image_scanning_ecr
   deploy_image_scanning_ecs = var.deploy_image_scanning_ecs
-  use_standalone_scanner    = var.use_standalone_scanner
 
   is_organizational = true
   organizational_config = {

diff --git a/examples/organizational/variables.tf b/examples/organizational/variables.tf
@@ -69,11 +69,7 @@ variable "deploy_image_scanning_ecs" {
   default     = false
 }
 
-variable "use_standalone_scanner" {
-  type        = bool
-  description = "true/false whether use inline scanner or not"
-  default     = false
-}
+
 #
 # benchmark configuration
 #

diff --git a/examples/single-account-apprunner/README.md b/examples/single-account-apprunner/README.md
@@ -104,7 +104,6 @@ $ terraform apply
 | <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
-| <a name="input_use_standalone_scanner"></a> [use\_standalone\_scanner](#input\_use\_standalone\_scanner) | true/false whether use inline scanner or not | `bool` | `false` | no |
 
 ## Outputs
 

diff --git a/examples/single-account-apprunner/main.tf b/examples/single-account-apprunner/main.tf
@@ -1,8 +1,3 @@
-locals {
-  deploy_image_scanning = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs
-  deploy_scanning_infra = local.deploy_image_scanning && !var.use_standalone_scanner
-}
-
 #-------------------------------------
 # general resources
 #-------------------------------------
@@ -24,7 +19,7 @@ module "ssm" {
 # cloud-connector
 #-------------------------------------
 module "codebuild" {
-  count = local.deploy_scanning_infra ? 1 : 0
+  count = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs ? 1 : 0
 
   source                       = "../../modules/infrastructure/codebuild"
   name                         = "${var.name}-codebuild"
@@ -50,7 +45,6 @@ module "cloud_connector" {
   cloudconnector_ecr_image_uri = var.cloudconnector_ecr_image_uri
   deploy_image_scanning_ecr    = var.deploy_image_scanning_ecr
   deploy_image_scanning_ecs    = var.deploy_image_scanning_ecs
-  use_standalone_scanner       = var.use_standalone_scanner
 
   cloudtrail_sns_arn = local.cloudtrail_sns_arn
   tags               = var.tags

diff --git a/examples/single-account-apprunner/variables.tf b/examples/single-account-apprunner/variables.tf
@@ -42,12 +42,6 @@ variable "deploy_image_scanning_ecs" {
   default     = false
 }
 
-variable "use_standalone_scanner" {
-  type        = bool
-  description = "true/false whether use inline scanner or not"
-  default     = false
-}
-
 #
 # benchmark configuration
 #

diff --git a/examples/single-account-ecs/README.md b/examples/single-account-ecs/README.md
@@ -110,7 +110,6 @@ $ terraform apply
 | <a name="input_ecs_vpc_subnets_private_ids"></a> [ecs\_vpc\_subnets\_private\_ids](#input\_ecs\_vpc\_subnets\_private\_ids) | List of VPC subnets where workload is to be deployed. Defaulted to be created when 'ecs\_cluster\_name' is not provided. | `list(string)` | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
-| <a name="input_use_standalone_scanner"></a> [use\_standalone\_scanner](#input\_use\_standalone\_scanner) | true/false whether use inline scanner or not | `bool` | `false` | no |
 
 ## Outputs
 

diff --git a/examples/single-account-ecs/main.tf b/examples/single-account-ecs/main.tf
@@ -1,7 +1,3 @@
-locals {
-  deploy_image_scanning = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs
-  deploy_scanning_infra = local.deploy_image_scanning && !var.use_standalone_scanner
-}
 #-------------------------------------
 # general resources
 #-------------------------------------
@@ -25,7 +21,7 @@ module "ssm" {
 #
 
 module "codebuild" {
-  count = local.deploy_scanning_infra ? 1 : 0
+  count = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs ? 1 : 0
 
   source                       = "../../modules/infrastructure/codebuild"
   name                         = "${var.name}-codebuild"
@@ -49,7 +45,6 @@ module "cloud_connector" {
 
   deploy_image_scanning_ecr = var.deploy_image_scanning_ecr
   deploy_image_scanning_ecs = var.deploy_image_scanning_ecs
-  use_standalone_scanner    = var.use_standalone_scanner
 
   is_organizational = false
 

diff --git a/examples/single-account-ecs/variables.tf b/examples/single-account-ecs/variables.tf
@@ -85,11 +85,6 @@ variable "deploy_image_scanning_ecs" {
   default     = false
 }
 
-variable "use_standalone_scanner" {
-  type        = bool
-  description = "true/false whether use inline scanner or not"
-  default     = false
-}
 
 #
 # benchmark configuration

diff --git a/examples/single-account-k8s/README.md b/examples/single-account-k8s/README.md
@@ -84,7 +84,7 @@ $ terraform apply
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.19.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.20.1 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | 2.6.0 |
 | <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 0.5.37 |
 
@@ -121,7 +121,6 @@ $ terraform apply
 | <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
-| <a name="input_use_standalone_scanner"></a> [use\_standalone\_scanner](#input\_use\_standalone\_scanner) | true/false whether use inline scanner or not | `bool` | `false` | no |
 
 ## Outputs
 

diff --git a/examples/single-account-k8s/cloud-connector.tf b/examples/single-account-k8s/cloud-connector.tf
@@ -1,10 +1,5 @@
 locals {
-  deploy_image_scanning   = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs
-  deploy_scanning_infra   = local.deploy_image_scanning && !var.use_standalone_scanner
-  ecr_standalone_scanning = var.deploy_image_scanning_ecr && var.use_standalone_scanner
-  ecs_standalone_scanning = var.deploy_image_scanning_ecs && var.use_standalone_scanner
-  ecr_scanning_with_infra = var.deploy_image_scanning_ecr && !var.use_standalone_scanner
-  ecs_scanning_with_infra = var.deploy_image_scanning_ecs && !var.use_standalone_scanner
+  deploy_image_scanning = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs
 }
 
 #-------------------------------------
@@ -19,7 +14,7 @@ module "cloud_connector_sqs" {
 }
 
 module "codebuild" {
-  count  = local.deploy_scanning_infra ? 1 : 0
+  count  = local.deploy_image_scanning ? 1 : 0
   source = "../../modules/infrastructure/codebuild"
 
   name                         = var.name
@@ -73,8 +68,6 @@ resource "helm_release" "cloud_connector" {
 
   values = [
     yamlencode({
-      logging = "info"
-      rules   = []
       ingestors = [
         {
           cloudtrail-sns-sqs = {
@@ -83,26 +76,18 @@ resource "helm_release" "cloud_connector" {
         }
       ]
       scanners = local.deploy_image_scanning ? [
-        merge(
-          local.ecr_scanning_with_infra ? {
-            aws-ecr = {
-              codeBuildProject         = module.codebuild[0].project_name
-              secureAPITokenSecretName = module.ssm.secure_api_token_secret_name
-            }
+        merge(var.deploy_image_scanning_ecr ? {
+          aws-ecr = {
+            codeBuildProject         = module.codebuild[0].project_name
+            secureAPITokenSecretName = module.ssm.secure_api_token_secret_name
+          }
           } : {},
-          local.ecs_scanning_with_infra ? {
+          var.deploy_image_scanning_ecs ? {
             aws-ecs = {
               codeBuildProject         = module.codebuild[0].project_name
               secureAPITokenSecretName = module.ssm.secure_api_token_secret_name
             }
-          } : {},
-          local.ecr_standalone_scanning ? {
-            aws-ecr-inline = {},
-          } : {},
-          local.ecs_standalone_scanning ? {
-            aws-ecs-inline = {},
-          } : {},
-        )
+        } : {})
       ] : []
     })
   ]

diff --git a/examples/single-account-k8s/credentials.tf b/examples/single-account-k8s/credentials.tf
@@ -2,8 +2,7 @@ module "iam_user" {
   source = "../../modules/infrastructure/permissions/iam-user"
   name   = var.name
 
-  deploy_image_scanning  = local.deploy_image_scanning
-  use_standalone_scanner = var.use_standalone_scanner
+  deploy_image_scanning = local.deploy_image_scanning
 
   ssm_secure_api_token_arn       = module.ssm.secure_api_token_secret_arn
   cloudtrail_s3_bucket_arn       = length(module.cloudtrail) > 0 ? module.cloudtrail[0].s3_bucket_arn : "*"

diff --git a/examples/single-account-k8s/variables.tf b/examples/single-account-k8s/variables.tf
@@ -54,11 +54,6 @@ variable "deploy_image_scanning_ecs" {
   default     = false
 }
 
-variable "use_standalone_scanner" {
-  type        = bool
-  description = "true/false whether use inline scanner or not"
-  default     = false
-}
 
 #
 # benchmark configuration

diff --git a/examples/trigger-events/README.md b/examples/trigger-events/README.md
@@ -49,7 +49,7 @@ $ terraform apply
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.19.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.20.1 |
 
 ## Modules
 

diff --git a/modules/infrastructure/cloudtrail/README.md b/modules/infrastructure/cloudtrail/README.md
@@ -12,7 +12,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.19.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.20.1 |
 
 ## Modules
 

diff --git a/modules/infrastructure/cloudtrail_s3-sns-sqs/README.md b/modules/infrastructure/cloudtrail_s3-sns-sqs/README.md
@@ -46,7 +46,7 @@ EVENT FILTER/fine-tunning, regarding what we want to send to Sysdig Cloud-Connec
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.19.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.20.1 |
 
 ## Modules
 

diff --git a/modules/infrastructure/codebuild/README.md b/modules/infrastructure/codebuild/README.md
@@ -12,7 +12,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.19.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.20.1 |
 
 ## Modules
 

diff --git a/modules/infrastructure/ecs-vpc/README.md b/modules/infrastructure/ecs-vpc/README.md
@@ -13,7 +13,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.19.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.20.1 |
 
 ## Modules
 

diff --git a/modules/infrastructure/permissions/cloud-connector/README.md b/modules/infrastructure/permissions/cloud-connector/README.md
@@ -12,7 +12,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.19.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.20.1 |
 
 ## Modules
 

diff --git a/modules/infrastructure/permissions/cloud-scanning/README.md b/modules/infrastructure/permissions/cloud-scanning/README.md
@@ -12,7 +12,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.19.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.20.1 |
 
 ## Modules
 
@@ -34,7 +34,6 @@ No modules.
 | <a name="input_scanning_codebuild_project_arn"></a> [scanning\_codebuild\_project\_arn](#input\_scanning\_codebuild\_project\_arn) | ARN of codebuild to launch the image scanning process | `string` | n/a | yes |
 | <a name="input_sfc_user_name"></a> [sfc\_user\_name](#input\_sfc\_user\_name) | Name of the IAM user to provision permissions | `string` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
-| <a name="input_use_standalone_scanner"></a> [use\_standalone\_scanner](#input\_use\_standalone\_scanner) | true/false whether use inline scanner or not | `bool` | `false` | no |
 
 ## Outputs
 

diff --git a/modules/infrastructure/permissions/cloud-scanning/main.tf b/modules/infrastructure/permissions/cloud-scanning/main.tf
@@ -1,5 +1,4 @@
 resource "aws_iam_user_policy" "cloud_scanner" {
-
   name   = "${var.name}-cs"
   user   = data.aws_iam_user.this.user_name
   policy = data.aws_iam_policy_document.cloud_scanner.json
@@ -18,18 +17,16 @@ data "aws_iam_policy_document" "cloud_scanner" {
     resources = [var.cloudtrail_subscribed_sqs_arn]
   }
 
-  dynamic "statement" {
-    for_each = var.use_standalone_scanner ? [1] : []
-    content {
-      sid    = "AllowScanningCodeBuildStartBuild"
-      effect = "Allow"
-      actions = [
-        "codebuild:StartBuild"
-      ]
-      resources = [var.scanning_codebuild_project_arn]
-    }
+  statement {
+    sid    = "AllowScanningCodeBuildStartBuild"
+    effect = "Allow"
+    actions = [
+      "codebuild:StartBuild"
+    ]
+    resources = [var.scanning_codebuild_project_arn]
   }
 
+
   statement {
     sid    = "AllowScanningECRRead"
     effect = "Allow"

diff --git a/modules/infrastructure/permissions/cloud-scanning/variables.tf b/modules/infrastructure/permissions/cloud-scanning/variables.tf
@@ -14,11 +14,6 @@ variable "scanning_codebuild_project_arn" {
   description = "ARN of codebuild to launch the image scanning process"
 }
 
-variable "use_standalone_scanner" {
-  type        = bool
-  description = "true/false whether use inline scanner or not"
-  default     = false
-}
 
 #---------------------------------
 # optionals - with default

diff --git a/modules/infrastructure/permissions/general/README.md b/modules/infrastructure/permissions/general/README.md
@@ -15,7 +15,7 @@ General permissions that apply to both cloud-connector and cloud-scanning module
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.19.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.20.1 |
 
 ## Modules
 

diff --git a/modules/infrastructure/permissions/iam-user/README.md b/modules/infrastructure/permissions/iam-user/README.md
@@ -45,7 +45,7 @@ Note: Contact us if this authentication system does not match your requirement.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.19.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.20.1 |
 
 ## Modules
 
@@ -72,7 +72,6 @@ Note: Contact us if this authentication system does not match your requirement.
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_scanning_codebuild_project_arn"></a> [scanning\_codebuild\_project\_arn](#input\_scanning\_codebuild\_project\_arn) | ARN of codebuild to launch the image scanning process | `string` | `"*"` | no |
 | <a name="input_ssm_secure_api_token_arn"></a> [ssm\_secure\_api\_token\_arn](#input\_ssm\_secure\_api\_token\_arn) | ARN of the security credentials for the secure\_api\_token | `string` | `"*"` | no |
-| <a name="input_use_standalone_scanner"></a> [use\_standalone\_scanner](#input\_use\_standalone\_scanner) | true/false whether use inline scanner or not | `bool` | `false` | no |
 
 ## Outputs