Revamp cloudformation templates for Cloudlogs module #106

Merged
merged 4 commits into from
Oct 19, 2023

Contributor

@gi-erre gi-erre commented Oct 16, 2023

Revamp CloudLogs templates in order to provision all the necessary resources to fully support the organizational case. Now the end result is the same as applying the alternative terraform module(s).

Note that, before this change, only one CloudLogs template was used for both the Single and Organization case, while an additional role needed to be provisioned in the Organizational case for Sysdig's systems to properly work. This means that also the Makefile taking care of publishing the templates has been updated accordingly, along with the necessary changes in Sysdig's backend.

@gi-erre gi-erre force-pushed the fix/jojo/cloudlogs-org-revamp branch from 956ae60 to d0bdd02 Compare October 16, 2023 10:42
@gi-erre gi-erre changed the title Duplicate Cloudlogs module for ORG case (not implemented yet), update… Revamp cloudformation templates for Cloudlogs module Oct 16, 2023
@gi-erre gi-erre force-pushed the fix/jojo/cloudlogs-org-revamp branch from 4a78fa2 to e8df4cb Compare October 16, 2023 16:04
@gi-erre gi-erre marked this pull request as ready for review October 16, 2023 16:12
@gi-erre gi-erre requested review from a team as code owners October 16, 2023 16:12
Collaborator

@nkraemer-sysdig nkraemer-sysdig left a comment

So if I'm reading this correctly, after this change:

The single account (cloudlogs only) install will create:

  • A cloudlogs Role & policy in this account

The org (cloudlogs only) install will create:

  • A cloudlogs Role & policy in the management account only

The single (cloudlogs + CSPM) is unchanged, and will create:

  • A cloudlogs Role & policy in this account
  • A cspm Role & policy in this account

The org (cloudlogs + CSPM) will create:

  • a cspm role & policy in every account
  • a cloudlogs role & policy in only the management account

Noting that this will need changes in the cloudauth BE to encode the new template/changed template names

@gi-erre
Contributor Author

gi-erre commented Oct 17, 2023

> So if I'm reading this correctly, after this change:
>
> The single account (cloudlogs only) install will create:
>
> * A cloudlogs Role & policy in this account

Correct ✅

> The org (cloudlogs only) install will create:
>
> * A cloudlogs Role & policy in the management account only

In this case we are also creating a CSPM role in the management account only. This basically replicates what already is happening with terraform at UI level when we combine the different modules, in the CFT case we need to include everything in the same template. Please check this line for the CSPM role addition.

> The single (cloudlogs + CSPM) is unchanged, and will create:
>
> * A cloudlogs Role & policy in this account
> * A cspm Role & policy in this account

Correct ✅

> The org (cloudlogs + CSPM) will create:
>
> * a cspm role & policy in **every** account
> * a cloudlogs role & policy in **only** the management account

Correct ✅

> Noting that this will need changes in the cloudauth BE to encode the new template/changed template names

Yep, there's an open PR about that where we change the references according to the changes made in this PR :)

@nkraemer-sysdig
Collaborator

Perfect! That makes sense to me, thanks

@nkraemer-sysdig nkraemer-sysdig requested a review from a team October 17, 2023 22:28
Contributor

@cgeers cgeers left a comment

👍

@gi-erre gi-erre merged commit f7e7e7e into main Oct 19, 2023
4 checks passed
@gi-erre gi-erre deleted the fix/jojo/cloudlogs-org-revamp branch October 19, 2023 09:24