Merge pull request #76 from draios/add-setup-cloud-env

[instruqt-setup-script] support install for cloudVision Terraform installer + isolate option to set region for track's sysdig tab

common/prepare-track/README.md

@@ -7,28 +7,30 @@ USAGE:
   init.sh [OPTIONS...]
 
 
-Environment start up script. It can be used to deploy a Sysdig Agent and/or set
-up some environment variables. When called with NO OPTIONS, it will deploy an
-Agent and will ask for Monitor and Secure API keys; same as calling with
-'-a/--agent -m/--monitor -s/--secure'. When using the product options"
-('-m/--monitor' and/or '-s/--secure'), API keys will be stored in file
-/opt/sysdig/user_data_${PRODUCT}_API_OK, and exported to envvar
-$SYSDIG_${PRODUCT}_API_TOKEN (where ${PRODUCT} is MONITOR or SECURE).
+Environment start up script. It can be used to:
+- deploy a Sysdig Agent 
+- deploy Sysdig Secure for Cloud (AWS, GCP, Azure)
+- and/or set up some environment variables.
 
-WARNING: This script is meant to be used in training materials. Do NOT use it
-in production.
+Review the options below to learn what's available.
+
+WARNING: This script is meant to be used in training materials.
+Do NOT use it in production.
 
 
 OPTIONS:
 
   -a, --agent                 Deploy a Sysdig Agent.
+  -c, --cloud                 Set up environment for Sysdig Secure for Cloud.
   -h, --help                  Show this help.
   -m, --monitor               Set up environment for Monitor API usage.
   -n, --node-analyzer         Enable Node Analyzer. Use with -a/--agent.
   -N, --node-image-analyzer   Enable Image Node Analyzer. Use with -a/--agent.
   -p, --prometheus            Enable Prometheus. Use with -a/--agent.
   -s, --secure                Set up environment for Secure API usage.
-
+  -r, --region                Set up environment with user's Sysdig Region for a track with a host.
+  -q, --region-cloud          Set up environment with user's Sysdig Region for cloud track with a cloud account.
+  -v, --vulnmanag             Enable Image Scanning with Sysdig Secure for Cloud. Use with -c/--cloud.
 
 ENVIRONMENT VARIABLES:
 
@@ -43,4 +45,5 @@ ENVIRONMENT VARIABLES:
   DOCKER_OPTS                 Additional options for Docker installation.
 
   HOST_OPTS                   Additional options for Host installation.
+
 ```

common/prepare-track/cloud/aws/cloud-connector-aws.tf

@@ -0,0 +1,44 @@
+terraform {
+  required_providers {
+      sysdig = {
+        source  = "sysdiglabs/sysdig"
+      }
+  }
+}
+
+variable "training_secure_api_token" {
+  type        = string
+  description = "The Sysdig API token"
+}
+
+variable "training_secure_url" {
+  type        = string
+  description = "The Sysdig Secure URL"
+}
+
+variable "training_aws_region" {
+  type        = string
+  description = "The AWS Region"
+}
+
+variable "deploy_scanner" {
+  type        = bool
+  description = "If true, deploys the Sysdig Scanner for ECR and Fargate"
+}
+
+provider "sysdig" {
+  sysdig_secure_url       = var.training_secure_url
+  sysdig_secure_api_token = var.training_secure_api_token
+}
+
+provider "aws" {
+  region = var.training_aws_region
+}
+
+module "secure-for-cloud_example_single-account" {
+  source = "sysdiglabs/secure-for-cloud/aws//examples/single-account"
+
+  deploy_image_scanning_ecs = var.deploy_scanner
+  deploy_image_scanning_ecr = var.deploy_scanner
+  deploy_beta_image_scanning_ecr = var.deploy_scanner
+}

common/prepare-track/cloud/azure/cloud-connector-azure.tf

@@ -0,0 +1,45 @@
+terraform {
+  required_providers {
+      sysdig = {
+        source  = "sysdiglabs/sysdig"
+      }
+  }
+}
+
+variable "training_secure_api_token" {
+  type        = string
+  description = "The Sysdig API token"
+}
+
+variable "training_secure_url" {
+  type        = string
+  description = "The Sysdig Secure URL"
+}
+
+variable "training_azure_subscription" {
+  type        = string
+  description = "Azure Subscription ID"
+}
+
+variable "deploy_scanner" {
+  type        = bool
+  description = "If true, deploys the Sysdig Scanner for ECR and Fargate"
+}
+
+provider "sysdig" {
+  sysdig_secure_url       = var.training_secure_url
+  sysdig_secure_api_token = var.training_secure_api_token
+}
+
+provider "azurerm" {
+  features { }
+  subscription_id = var.training_azure_subscription
+}
+
+module "secure_for_cloud_example_single_subscription" {
+  source = "sysdiglabs/secure-for-cloud/azurerm//examples/single-subscription"
+
+  deploy_scanning = var.deploy_scanner
+
+  deploy_active_directory = false
+} 

common/prepare-track/cloud/gcp/cloud-connector-gcp.tf

@@ -0,0 +1,60 @@
+terraform {
+  required_providers {
+      sysdig = {
+        source  = "sysdiglabs/sysdig"
+      }
+  }
+}
+
+variable "training_secure_api_token" {
+  type        = string
+  description = "The Sysdig API token"
+}
+
+variable "training_secure_url" {
+  type        = string
+  description = "The Sysdig Secure URL"
+}
+
+variable "training_gcp_region" {
+  type        = string
+  description = "The Sysdig Secure Region"
+}
+
+variable "training_gcp_project" {
+  type        = string
+  description = "The Sysdig Secure Region"
+}
+
+variable "gcp_creds" {
+  type        = string
+  description = "Auth credentials for the GCP SA from Instruqt"
+}
+
+variable "deploy_scanner" {
+  type        = bool
+  description = "If true, deploys the Sysdig Scanner for ECR and Fargate"
+}
+
+provider "sysdig" {
+  sysdig_secure_url       = var.training_secure_url
+  sysdig_secure_api_token = var.training_secure_api_token
+}
+
+provider "google" {
+  project = var.training_gcp_project
+  region = var.training_gcp_region
+  credentials = var.gcp_creds
+}
+
+provider "google-beta" {
+  project = var.training_gcp_project
+  region = var.training_gcp_region
+  credentials = var.gcp_creds
+}
+
+module "secure-for-cloud_example_single-project" {
+  source = "sysdiglabs/secure-for-cloud/google//examples/single-project"
+
+  deploy_scanning = var.deploy_scanner
+}

common/prepare-track/cloud/install_with_terraform.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+##
+# Deploy the Sysdig Secure for Cloud infra for different cloud vendors
+#
+# Usage:
+#   install_with_terraform.sh $PROVIDER $SYSDIG_SECURE_API_TOKEN $SECURE_URL $CLOUD_REGION $CLOUD_ACCOUNT_ID
+##
+
+# logs
+OUTPUT=/opt/sysdig/cloud/terraform_install.out
+mkdir -p /opt/sysdig/cloud/
+touch $OUTPUT
+
+PROVIDER=$1
+SYSDIG_SECURE_API_TOKEN=$2
+SECURE_URL=$3
+CLOUD_REGION=$4
+CLOUD_ACCOUNT_ID=$5
+
+cd /root/prepare-track/cloud
+
+if [ "$PROVIDER" == "aws" ]
+then
+    cd aws
+    echo "  Initializing Terraform modules, backend and provider plugins" \
+    && terraform init >> ${OUTPUT} 2>&1 \
+    && echo "    Terraform has been successfully initialized. Applying... (this will take a few minutes)" \
+    && terraform apply -auto-approve \
+        -var="training_secure_api_token=$SYSDIG_SECURE_API_TOKEN" \
+        -var="training_secure_url=$SECURE_URL" \
+        -var="training_aws_region=$CLOUD_REGION" \
+        -var="deploy_scanner=$USE_CLOUD_SCAN_ENGINE" \
+        >> ${OUTPUT} 2>&1 \
+    && echo "    Terraform apply completed! Check all TF deployment logs at: $OUTPUT"
+fi
+
+if [ "$PROVIDER" == "gcp" ]
+then
+    cd gcp
+    echo "  Initializing Terraform modules, backend and provider plugins" \
+    && terraform init >> ${OUTPUT} 2>&1 \
+    && echo "    Terraform has been successfully initialized. Applying... (this will take a few minutes)" \
+    && terraform apply -auto-approve \
+        -var="training_secure_api_token=$SYSDIG_SECURE_API_TOKEN" \
+        -var="training_secure_url=$SECURE_URL" \
+        -var="training_gcp_region=$CLOUD_REGION" \
+        -var="training_gcp_project=$CLOUD_ACCOUNT_ID" \
+        -var="gcp_creds=$GOOGLE_CREDENTIALS" \
+        -var="deploy_scanner=$USE_CLOUD_SCAN_ENGINE" \
+        >> ${OUTPUT} 2>&1 \
+    && echo "    Terraform apply completed! Check all TF deployment logs at: $OUTPUT"
+fi
+
+if [ "$PROVIDER" == "azure" ]
+then
+    cd azure
+    terraform init && terraform apply -auto-approve \
+        -var="training_secure_api_token=$SYSDIG_SECURE_API_TOKEN" \
+        -var="training_secure_url=$SECURE_URL" \
+        -var="training_azure_subscription=$CLOUD_ACCOUNT_ID" \
+        -var="deploy_scanner=$USE_CLOUD_SCAN_ENGINE" #\
+        #-y >> ${OUTPUT} 2>&1
+fi