Deprecate cloud-bench (#99)

* Deprecate cloud-bench * Bump versions * Constrain major azure provider versions
sysdiglabs · Nov 11, 2024 · e804424 · e804424
1 parent b7bcc43
commit e804424
Show file tree

Hide file tree

Showing 45 changed files with 70 additions and 433 deletions.
diff --git a/.terraform-registry b/.terraform-registry
diff --git a/CONTRIBUTE.md b/CONTRIBUTE.md
@@ -3,7 +3,6 @@
 - Use **conventional commits** | https://www.conventionalcommits.org/en/v1.0.0
   - Current suggested **scopes** to be used within feat(scope), fix(scope), ...
     - threat
-    - bench
     - scan
     - docs
     - tests

diff --git a/README.md b/README.md
@@ -1,56 +1,18 @@
-# Sysdig Secure for Cloud in Azure
+# Sunset Notice
 
-Terraform module that deploys the [**Sysdig Secure for Cloud** stack in **Azure**](https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/deploy-sysdig-secure-for-cloud-on-azure).
-<br/>
-
-Provides unified threat-detection, compliance, forensics and analysis through these major components:
-
-* **[Threat Detection](https://docs.sysdig.com/en/docs/sysdig-secure/insights/)**: Tracks abnormal and suspicious
-  activities in your cloud environment based on Falco language. Managed through `cloud-connector` module. <br/>
-
-* **[Compliance](https://docs.sysdig.com/en/docs/sysdig-secure/posture/compliance/compliance-unified-/)**: Enables the
-  evaluation of standard compliance frameworks. Requires both modules  `cloud-connector` and `cloud-bench`. <br/>
-
-* **[Image Scanning](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/)**:
-  Automatically scans images that run on the Azure workload (currently AzureContainerInstances).<br/>
-  Define an AzureRegistry (ACR) through `registry_name` and also scan all the repository images pushed to the
-  registry.<br/>
-  Managed through `cloud-connector`. <br/>Scanning is disabled by default, can be enabled through `deploy_scanning`
-  input variable parameters.<br/>
-
-For other Cloud providers check: [AWS](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud)
-, [GCP](https://github.com/sysdiglabs/terraform-google-secure-for-cloud)
-
-<br/>
+> [!CAUTION]
+> Sysdig released a new onboarding experience for Azure in August 2024. We recommend connecting your cloud accounts by [following these instructions](https://docs.sysdig.com/en/docs/sysdig-secure/connect-cloud-accounts/).
+>
+> This repository should be used solely in cases where Agentless Threat Detection cannot be used.
 
 ## Usage
 
 There are several ways to deploy Secure for Cloud in you Azure infrastructure,
-- **[`/examples`](https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud/tree/master/examples)** for the most common scenarios
-  - [Single Subscription](https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud/tree/master/examples/single-subscription/README.md)
-  - [Single Subscription with a pre-existing Kubernetes Cluster](https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud/tree/master/examples/single-subscription-k8s/README.md)
-  - [Tenant Subscriptions](https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud/tree/master/examples/tenant-subscriptions/README.md)
-  - Many module,examples and use-cases, we provide ways to **re-use existing resources (as optionals)** in your
-    infrastructure. Check input summary on each example/module.
+- [Single Subscription](https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud/tree/master/examples/single-subscription/README.md)
+- [Single Subscription with a pre-existing Kubernetes Cluster](https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud/tree/master/examples/single-subscription-k8s/README.md)
+- [Tenant Subscriptions](https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud/tree/master/examples/tenant-subscriptions/README.md)
 
-Find specific overall service arquitecture diagrams attached to each example/use-case.
-
-<!--
-In the long-term our purpose is to evaluate those use-cases and if they're common enough, convert them into examples to make their usage easier.
--->
-
-If you're unsure about what/how to use this module, please fill the [questionnaire](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/use-cases/_questionnaire.md) report as an issue and let us know your context, we will be happy to help.
-
-
-
-### Notice
-* **Resource creation inventory** Find all the resources created by Sysdig examples in the resource-group `sysdig-secure-for-cloud`<br/>
-* All Sysdig Secure for Cloud features but [Image Scanning](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/) are enabled by default. You can enable it through `deploy_scanning` input variable parameters.<br/>
-* **Deployment cost** This example will create resources that cost money. Run `terraform destroy` when you don't need them anymore
-* For **free subscription** users, beware that organizational examples may not deploy properly due to the [1 cloud-account limitation](https://docs.sysdig.com/en/docs/administration/administration-settings/subscription/#cloud-billing-free-tier). Open an Issue so we can help you here!
-
-
-<br/>
+If you're unsure about how to use this module, please contact your Sysdig representative. Our experts will guide you through the process and assist you in setting up your account securely and correctly.
 
 ## Required Permissions
 
@@ -64,12 +26,9 @@ This would be an overall schema of the **created resources**, for the default se
 - Event Hub
 - Sysdig Workload: Container Instance / For K8s cluter is pre-requied, not create
 - For Scanning: Event-Grid, Event Hub, and Enterprise App in the ActiveDirectory
-- Sysdig Lighthouse definition for [Compliance](https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud/tree/master/modules/services/cloud-bench)
 
 ### Provisioning Roles
 
-- Compliance feature requires `Contributor` subcription-level role, in order to be able to check specific compliance rules.
-  -  However, it can be lowered to `Reader` role, at the cost of failing the control Requirement 9.1 “Ensure App Service Authentication is set up for apps in Azure App Service” from CIS Microsoft Azure Foundations Benchmark) as this needs contributor access to query App Service Auth Settings.
 - Threat Detection feature requires `Contributor` subscription-level role user assignment
     - For AD diagnostic on [selected log types](https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud/blob/master/modules/infrastructure/eventhub/variables.tf#L80) `Security Administrator` role must be granted to at Organizational level.
       - Otherwise, it can be disabled setting `deploy_active_directory=false` on all examples

diff --git a/examples/single-subscription-k8s/README.md b/examples/single-subscription-k8s/README.md
@@ -11,8 +11,8 @@ Deploy Sysdig Secure for Cloud in a provided existing Kubernetes Cluster.
 ### Notice
 
 * All the required resources and workloads will be run under the same Azure subscription.
-* All Sysdig Secure for Cloud features **but [Image Scanning](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/)**
-  are enabled by default. You can enable it through `deploy_scanning` input variable parameters.<br/>
+* CDR is enabled by default **but [Image Scanning](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/)**
+  is not. You can enable it through `deploy_scanning` input variable parameters.<br/>
 * This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
 * All created resources will be created within the tags `product:sysdig-secure-for-cloud`, within the
   resource-group `sysdig-secure-for-cloud`
@@ -71,23 +71,22 @@ See [inputs summary](#inputs) or module module [`variables.tf`](./variables.tf)
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >=3.71.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~>3.71 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >=2.3.0 |
 | <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.27 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.71.0 |
-| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.11.0 |
-| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 1.12.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.116.0 |
+| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.16.1 |
+| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 1.38.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_cloud_bench"></a> [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench | n/a |
 | <a name="module_infrastructure_container_registry"></a> [infrastructure\_container\_registry](#module\_infrastructure\_container\_registry) | ../../modules/infrastructure/container_registry | n/a |
 | <a name="module_infrastructure_enterprise_app"></a> [infrastructure\_enterprise\_app](#module\_infrastructure\_enterprise\_app) | ../../modules/infrastructure/enterprise_app | n/a |
 | <a name="module_infrastructure_eventgrid_eventhub"></a> [infrastructure\_eventgrid\_eventhub](#module\_infrastructure\_eventgrid\_eventhub) | ../../modules/infrastructure/eventhub | n/a |
@@ -108,7 +107,6 @@ See [inputs summary](#inputs) or module module [`variables.tf`](./variables.tf)
 |------|-------------|------|---------|:--------:|
 | <a name="input_cloud_connector_image"></a> [cloud\_connector\_image](#input\_cloud\_connector\_image) | Cloud-connector image to deploy | `string` | `"quay.io/sysdig/cloud-connector"` | no |
 | <a name="input_deploy_active_directory"></a> [deploy\_active\_directory](#input\_deploy\_active\_directory) | whether the Active Directory features are to be deployed | `bool` | `true` | no |
-| <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | whether benchmark module is to be deployed | `bool` | `true` | no |
 | <a name="input_deploy_scanning"></a> [deploy\_scanning](#input\_deploy\_scanning) | whether scanning module is to be deployed | `bool` | `false` | no |
 | <a name="input_existing_registries"></a> [existing\_registries](#input\_existing\_registries) | existing  Azure Container Registry names to be included to  scan by resource group { resource\_group\_1 =  ["registry\_name\_11","registry\_name\_12"],resource\_group\_2 =  ["registry\_name\_21","registry\_name\_22"]}. By default it will create a new ACR | `map(list(string))` | `{}` | no |
 | <a name="input_location"></a> [location](#input\_location) | Zone where the stack will be deployed | `string` | `"westus"` | no |

diff --git a/examples/single-subscription-k8s/cloudbench.tf b/examples/single-subscription-k8s/cloudbench.tf
diff --git a/examples/single-subscription-k8s/variables.tf b/examples/single-subscription-k8s/variables.tf
@@ -16,13 +16,6 @@ variable "deploy_scanning" {
   default     = false
 }
 
-# benchmark
-variable "deploy_benchmark" {
-  type        = bool
-  description = "whether benchmark module is to be deployed"
-  default     = true
-}
-
 # general
 variable "location" {
   type        = string

diff --git a/examples/single-subscription-k8s/versions.tf b/examples/single-subscription-k8s/versions.tf
@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">=3.71.0"
+      version = "~>3.71"
     }
     helm = {
       source  = "hashicorp/helm"

diff --git a/examples/single-subscription/README.md b/examples/single-subscription/README.md
@@ -4,8 +4,8 @@ This module example deploy Sysdig Secure for Cloud in a single Azure subscriptio
 
 ### Notice
 
-* All Sysdig Secure for Cloud features **but [Image Scanning](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/)**
-  are enabled by default. You can enable it through `deploy_scanning` input variable parameters.<br/>
+* CDR is enabled by default **but [Image Scanning](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/)**
+  is not. You can enable it through `deploy_scanning` input variable parameters.<br/>
 * This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
 * All created resources will be created within the tags `product:sysdig-secure-for-cloud`, within the
   resource-group `sysdig-secure-for-cloud`
@@ -68,21 +68,20 @@ $ terraform apply
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.0 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >=3.71.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~>3.71 |
 | <a name="requirement_sysdig"></a> [sysdig](#requirement\_sysdig) | >= 0.5.27 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.71.0 |
-| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 1.12.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.116.0 |
+| <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 1.38.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_cloud_bench"></a> [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench | n/a |
 | <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector | n/a |
 | <a name="module_infrastructure_container_registry"></a> [infrastructure\_container\_registry](#module\_infrastructure\_container\_registry) | ../../modules/infrastructure/container_registry | n/a |
 | <a name="module_infrastructure_enterprise_app"></a> [infrastructure\_enterprise\_app](#module\_infrastructure\_enterprise\_app) | ../../modules/infrastructure/enterprise_app | n/a |
@@ -103,7 +102,6 @@ $ terraform apply
 |------|-------------|------|---------|:--------:|
 | <a name="input_cpu"></a> [cpu](#input\_cpu) | Number of CPU cores of the containers | `string` | `"0.5"` | no |
 | <a name="input_deploy_active_directory"></a> [deploy\_active\_directory](#input\_deploy\_active\_directory) | whether the Active Directory features are to be deployed | `bool` | `true` | no |
-| <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | whether benchmark module is to be deployed | `bool` | `true` | no |
 | <a name="input_deploy_scanning"></a> [deploy\_scanning](#input\_deploy\_scanning) | true/false, whether scanning module is to be deployed | `bool` | `false` | no |
 | <a name="input_existing_registries"></a> [existing\_registries](#input\_existing\_registries) | existing  Azure Container Registry names to be included to  scan by resource group { resource\_group\_1 =  ["registry\_name\_11","registry\_name\_12"],resource\_group\_2 =  ["registry\_name\_21","registry\_name\_22"]}. By default it will create a new ACR | `map(list(string))` | `{}` | no |
 | <a name="input_location"></a> [location](#input\_location) | Zone where the stack will be deployed | `string` | `"westus"` | no |
@@ -112,7 +110,6 @@ $ terraform apply
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The resource group name to deploy secure for cloud stack | `string` | `""` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to be added to the resources | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
-| <a name="input_use_reader_role"></a> [use\_reader\_role](#input\_use\_reader\_role) | Set this flag to `true` to use the `Reader` role instead of the `Contributor` role when creating the Trust Relationship. Some CSPM controls will not function correctly if this option is enabled | `bool` | `false` | no |
 
 ## Outputs
 

diff --git a/examples/single-subscription/cloud-bench.tf b/examples/single-subscription/cloud-bench.tf
diff --git a/examples/single-subscription/variables.tf b/examples/single-subscription/variables.tf
@@ -49,23 +49,6 @@ variable "existing_registries" {
   description = "existing  Azure Container Registry names to be included to  scan by resource group { resource_group_1 =  [\"registry_name_11\",\"registry_name_12\"],resource_group_2 =  [\"registry_name_21\",\"registry_name_22\"]}. By default it will create a new ACR"
 }
 
-#
-# benchmark
-#
-
-variable "deploy_benchmark" {
-  type        = bool
-  description = "whether benchmark module is to be deployed"
-  default     = true
-}
-
-variable "use_reader_role" {
-  type        = bool
-  description = "Set this flag to `true` to use the `Reader` role instead of the `Contributor` role when creating the Trust Relationship. Some CSPM controls will not function correctly if this option is enabled"
-  default     = false
-}
-
-
 #
 # general
 #

diff --git a/examples/single-subscription/versions.tf b/examples/single-subscription/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">=3.71.0"
+      version = "~>3.71"
     }
     sysdig = {
       source  = "sysdiglabs/sysdig"