[instruqt-setup-script] support install for cloudVision Terraform installer + isolate option to set region for track's sysdig tab #76

Merged
merged 21 commits into from
Nov 21, 2022


pabloopez
Collaborator

Context

Support cloud-training

This PR includes some basic changes to deploy the cloud-connector in the three major cloud vendors using the terraform installer. These changes will support the automatic installation of the tool for future tracks based on Sysdig Cloud features.

Support regions in cloud-envs

The Sysdig Monitor and Secure Dashboards (SDs) are available in multiple regions. There's not a unique URL and every one of them has different access URLs, endpoints, etc. Our Instruqt tracks include different types of tabs (Terminal, Services, WebPages). In order to include in our tracks an Instruqt tab with access to the SDs, we deploy nginx running in a host (important note: it is a VM, not a container. See below) with a redirect configuration, that points the tab to the right SDs region for every user (based on what they selected in the first challenge).

The environment that Instruqt provides to access cloud accounts (AWS, Azure, GCP) provides the next assets:

  • a cloud account
  • a container running a client to provide an nginx web server exposing the account details.

And the next tabs:

  • The Service tab points to the cloud-client webserver. It exposes the account data for the user, but no access to the Cloud Dashboard. Just the credentials.
  • A Terminal tab configured with the cloud-CLI tool (for example, aws-cli) and configured with the set of permissions we define in the course. This is really handy, as the user does not need to authenticate or spend time configuring the CLI.

We want to implement a consistent experience across all of our different tracks, including the cloud ones. To do so, we need a tab with access to the SDs.

Support set up region-only

The proposed changes in this PR will also add support to set up region only with the init.sh script we use to set up our tracks. This is aimed at tracks where we explain how to install the agent or the cloud-connector, where we don't want to automate the steps. But we want to ease other stuff like having direct access from the tab to the right Sysdig Dashboard domain name based on user region.

Problem statement

Our current tooling (common/init.sh and related scripts) runs normally in a host, where nginx runs as a service (managed with systemctl). This is not available in the container provided for cloud tracks. Of course, we can append to the sandbox a host, but we can use the provided container and webserver to keep it simple.

Solution

Modify the current script to reuse the existing nginx server in the track cloud container to expose the redirect that makes the SDs available in the Instruqt tabs.

I tested this manually with a similar approach with the help of @pmusa (thx for the pair programming time together!) and it worked fine. We just need to implement this now following the same tooling that we have right now.

Signed-off-by: pablopez [email protected]
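
An added example, not code from this PR or the project's init.sh: one way to render the per-region redirect described above and load it into an already-running nginx where systemctl is unavailable. The region keys, the `.example.invalid` hostnames, port 8080 and all function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. Region keys, hostnames and the port are constructed placeholders.

# Map a region key to a dashboard base URL. Unknown keys are rejected, so the
# user's selection never reaches the nginx config unvalidated.
region_url() {
  case "$1" in
    region-a) echo "https://dashboard-a.example.invalid" ;;
    region-b) echo "https://dashboard-b.example.invalid" ;;
    *) return 1 ;;
  esac
}

# Emit a redirect server block. Port 80 is refused because, in the cloud
# container, it is already bound by the web server exposing the account details.
render_redirect_conf() {
  local region="$1" port="$2" url
  url="$(region_url "$region")" || { echo "unknown region: $region" >&2; return 1; }
  case "$port" in
    ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    80) echo "port 80 is in use by the existing web server" >&2; return 1 ;;
  esac
  cat <<EOF
server {
    listen ${port};
    location / {
        return 302 ${url}\$request_uri;
    }
}
EOF
}

# Apply without systemctl: write the file, test the config, then signal the
# running nginx master. A config that fails the test is removed again.
apply_redirect() {
  local conf_path="$1" region="$2" port="$3" tmp
  tmp="$(mktemp)" || return 1
  render_redirect_conf "$region" "$port" > "$tmp" || { rm -f "$tmp"; return 1; }
  mv "$tmp" "$conf_path" || return 1
  if ! nginx -t; then
    rm -f "$conf_path"
    return 1
  fi
  nginx -s reload
}

# Show the rendered block for one constructed region.
render_redirect_conf region-a 8080
```
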

@pabloopez pabloopez requested a review from pmusa November 3, 2022 11:42
@pabloopez
Collaborator Author

This is ready for peer-review.

New options added that should be tested (I already did, but it is safer/better if someone else does too):

  • --cloud: tested with AWS and GCP and working. It sets up the region, connects the account, and checks that the account is connected. It flags when an account is not connected.
  • --region: adds to the existing script. It can be used for labs explaining how to install the agent. @theluke I believe you updated some of the latest labs for this, you might want to use this.
  • --region-cloud: tested with East + Pacific.

It is also recommended to test that it does not break labs using the previous version (also done, with `k8s-network-security-policies`).

Other considerations

  1. Azure is not working yet on Instruqt, but AWS and GCP are. The cloud-native team is aware and I'll check later, it does not block the rest of the PR.

  2. Sometimes an error from nginx appears:

    nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
    nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
    

    but it does not affect the lab. For some reason, it tries to expose a server on port 80 (there's nothing about it on nginx docs) that is used by the instruqt webserver with user's cloud account credentials.

  3. Agents installed fine with the code on this branch.

  4. AWS test credentials (no worries account is deleted now)

  5. Logs sample from cloud account install, all logs are removed from stdout.

@pabloopez
Collaborator Author

@pmusa

@pabloopez pabloopez marked this pull request as ready for review November 7, 2022 09:19
Signed-off-by: pablopez <[email protected]>
Contributor

@pmusa pmusa left a comment

I added a few comments throughout the code.
One extra note, as this PR changes the script options, I think it should also update the README file.

common/prepare-track/cloud/aws/cloud-connector-aws.tf (outdated)
common/prepare-track/cloud/gcp/cloud-connector-gcp.tf (outdated)
common/prepare-track/cloud/install_with_terraform.sh (outdated)
common/prepare-track/init.sh (outdated)
common/prepare-track/init.sh (outdated)
common/prepare-track/init.sh
common/prepare-track/init.sh (outdated)
common/prepare-track/init.sh (outdated)
Signed-off-by: pablopez <[email protected]>
Signed-off-by: pablopez <[email protected]>
Signed-off-by: pablopez <[email protected]>
Signed-off-by: pablopez <[email protected]>
Signed-off-by: pablopez <[email protected]>
@pabloopez
Collaborator Author

hi @pmusa the problem with the gcp test is fixed and all of the comments above have been addressed. I suggest to merge this - even though azure is not working yet - and I'll open a new issue to track todos. This is quite new in our training assets and I am sure there are a lot of things to be improved, but this is good enough to get started. Let's close it and jump to the next thing.

Signed-off-by: pablopez <[email protected]>
Signed-off-by: pablopez <[email protected]>
@pabloopez pabloopez requested a review from pmusa November 14, 2022 14:07
Contributor

@pmusa pmusa left a comment

LGTM. Left some comments that are worth addressing IMO.

common/prepare-track/README.md
common/prepare-track/init.sh (outdated)
common/prepare-track/init.sh (outdated)
common/prepare-track/init.sh
Collaborator Author

@pabloopez pabloopez left a comment

2 changes merged.
2 pending:

  • 1 needs more details, please add them.
  • another one tbd

common/prepare-track/init.sh
common/prepare-track/README.md
pabloopez and others added 2 commits November 21, 2022 15:45
Co-authored-by: Pablo Musa <[email protected]>
Co-authored-by: Pablo Musa <[email protected]>
Signed-off-by: pablopez <[email protected]>
@pabloopez
Collaborator Author

@pmusa all changes applied, I'll merge them

@pabloopez pabloopez merged commit d60c4f8 into main Nov 21, 2022