From e2880671ffdd0a80ff09e3d16e9c3e94eaf55c38 Mon Sep 17 00:00:00 2001
From: Fede Barcelona
Date: Tue, 24 Jan 2023 14:51:04 +0100
Subject: [PATCH] feat: Enable autoscaling for organizational setups (#158)
---
 examples/organizational/README.md | 3 +++
 examples/organizational/main.tf | 4 ++++
 examples/organizational/variables.tf | 22 +++++++++++++++++++++
 test/fixtures/organizational/main.tf | 4 ++++
 test/fixtures/single-account-ecs/backend.tf | 9 ---------
 5 files changed, 33 insertions(+), 9 deletions(-)
 delete mode 100644 test/fixtures/single-account-ecs/backend.tf
diff --git a/examples/organizational/README.md b/examples/organizational/README.md
index 69f16ae7..7ddcb566 100644
--- a/examples/organizational/README.md
+++ b/examples/organizational/README.md
@@ -202,7 +202,10 @@ $ terraform apply
 | [ecs\_vpc\_id](#input\_ecs\_vpc\_id) | ID of the VPC where the workload is to be deployed. If defaulted a new VPC will be created. If specified all three parameters `ecs_cluster_name`, `ecs_vpc_id` and `ecs_vpc_subnets_private_ids` are required | `string` | `"create"` | no |
 | [ecs\_vpc\_region\_azs](#input\_ecs\_vpc\_region\_azs) | List of Availability Zones for ECS VPC creation. e.g.: ["apne1-az1", "apne1-az2"]. If defaulted, two of the default 'aws\_availability\_zones' datasource will be taken | `list(string)` | `[]` | no |
 | [ecs\_vpc\_subnets\_private\_ids](#input\_ecs\_vpc\_subnets\_private\_ids) | List of VPC subnets where workload is to be deployed. If defaulted new subnets will be created within the VPC. A minimum of two subnets is suggested. If specified all three parameters `ecs_cluster_name`, `ecs_vpc_id` and `ecs_vpc_subnets_private_ids` are required. | `list(string)` | `[]` | no |
+| [enable\_autoscaling](#input\_enable\_autoscaling) | Whether to enable autoscaling or not | `bool` | `false` | no |
 | [existing\_cloudtrail\_config](#input\_existing\_cloudtrail\_config) | Optional block. If not set, a new cloudtrail, sns and sqs resources will be created in the **management account**.
If provided through Option 1, resources (cloudtrail,cloudtrail-s3) must exist in the management account.
Option 2, is mandatory to be used when the cloudtrail-s3 is in a different account than where SFC worklaod is installed.
Option 3, is an alterntive to Option1, to be able to ingest events through cloudtrail-s3-sns subscribed SQS, instead of just cloudtrail-sns
Check [use-cases](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/use-cases) for proper permission setup.
|
object({
cloudtrail_s3_arn = optional(string)
cloudtrail_sns_arn = optional(string)
cloudtrail_s3_role_arn = optional(string)
cloudtrail_s3_sns_sqs_arn = optional(string)
cloudtrail_s3_sns_sqs_url = optional(string)
})
|
{
"cloudtrail_s3_arn": "create",
"cloudtrail_s3_role_arn": null,
"cloudtrail_s3_sns_sqs_arn": null,
"cloudtrail_s3_sns_sqs_url": null,
"cloudtrail_sns_arn": "create"
}
| no |
+| [max\_replicas](#input\_max\_replicas) | If autoscaling is enabled, this is the maximum number of replicas to run | `number` | `30` | no |
+| [min\_replicas](#input\_min\_replicas) | If autoscaling is enabled, this is the minimum number of replicas to run | `number` | `1` | no |
 | [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | [organizational\_member\_default\_admin\_role](#input\_organizational\_member\_default\_admin\_role) | Default role created by AWS for management-account users to be able to admin member accounts.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html | `string` | `"OrganizationAccountAccessRole"` | no |
 | [tags](#input\_tags) | customization of tags to be assigned to all resources.
always include 'product' default tag for resource-group proper functioning.
can also make use of the [provider-level `default-tags`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags) | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
}
| no |
diff --git a/examples/organizational/main.tf b/examples/organizational/main.tf
index 38998be7..2db67fe4 100644
--- a/examples/organizational/main.tf
+++ b/examples/organizational/main.tf
@@ -103,6 +103,10 @@ module "cloud_connector" {
 ecs_task_cpu = var.ecs_task_cpu
 ecs_task_memory = var.ecs_task_memory
+ enable_autoscaling = var.enable_autoscaling
+ max_replicas = var.max_replicas
+ min_replicas = var.min_replicas
+
 tags = var.tags
 depends_on = [local.cloudtrail_sns_arn, module.ssm]
 }
diff --git a/examples/organizational/variables.tf b/examples/organizational/variables.tf
index 7cea33c6..5a0532f6 100644
--- a/examples/organizational/variables.tf
+++ b/examples/organizational/variables.tf
@@ -188,3 +188,25 @@ variable "tags" {
 "product" = "sysdig-secure-for-cloud"
 }
 }
+
+#
+# Autoscaling configurations
+#
+variable "enable_autoscaling" {
+ type = bool
+ description = "Whether to enable autoscaling or not"
+ default = false
+}
+
+
+variable "min_replicas" {
+ type = number
+ default = 1
+ description = "If autoscaling is enabled, this is the minimum number of replicas to run"
+}
+
+variable "max_replicas" {
+ type = number
+ default = 30
+ description = "If autoscaling is enabled, this is the maximum number of replicas to run"
+}
diff --git a/test/fixtures/organizational/main.tf b/test/fixtures/organizational/main.tf
index f00e7212..7c964c51 100644
--- a/test/fixtures/organizational/main.tf
+++ b/test/fixtures/organizational/main.tf
@@ -40,4 +40,8 @@ module "cloudvision_aws_organizational" {
 sysdig_secure_for_cloud_member_account_id = var.sysdig_secure_for_cloud_member_account_id
 deploy_image_scanning_ecr = true
 deploy_image_scanning_ecs = true
+
+ enable_autoscaling = true
+ min_replicas = 2
+ max_replicas = 4
 }
diff --git a/test/fixtures/single-account-ecs/backend.tf b/test/fixtures/single-account-ecs/backend.tf
deleted file mode 100644
index 22615e5c..00000000
--- a/test/fixtures/single-account-ecs/backend.tf
+++ /dev/null
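Review bot: The new `min_replicas` and `max_replicas` variables in the variables.tf hunk accept any number, so `min_replicas = 0` (which would presumably scale the cloud-connector that ingests the CloudTrail events to zero and silently stop ingestion while autoscaling still reads as enabled), a negative or fractional count, or `max_replicas < min_replicas` all pass `terraform plan` unchallenged; each `variable` block should carry a `validation` block, as in the rewrite below. Terraform `validation` conditions may only reference their own variable on older releases (check the version this example pins), so the `max_replicas >= min_replicas` relation would need a `lifecycle { precondition }` on the scaling resource inside the module, or at least a sentence in both descriptions. The `30` default on `max_replicas` is also the cost ceiling when an event burst drives scaling, which the description should state: `description = "If autoscaling is enabled, this is the maximum number of replicas to run; it bounds cost under event bursts, so size it for your account's event volume"`. Minor style point: the hunk leaves two blank lines before `variable "min_replicas"` and orders `default` before `description` there while `enable_autoscaling` uses the opposite order.
```hcl
variable "min_replicas" {
  type        = number
  default     = 1
  description = "If autoscaling is enabled, this is the minimum number of replicas to run"

  validation {
    condition     = var.min_replicas >= 1 && floor(var.min_replicas) == var.min_replicas
    error_message = "min_replicas must be a positive integer; 0 would stop event ingestion."
  }
}

variable "max_replicas" {
  type        = number
  default     = 30
  description = "If autoscaling is enabled, this is the maximum number of replicas to run"

  validation {
    condition     = var.max_replicas >= 1 && floor(var.max_replicas) == var.max_replicas
    error_message = "max_replicas must be a positive integer."
  }
}
```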
@@ -1,9 +0,0 @@
-# Terraform state storage backend
-terraform {
- backend "s3" {
- bucket = "secure-cloud-terraform-tests" # single examples deploy in qa org/cloudnative account/s3 bucket
- key = "aws-single-account-ecs/terraform.tfstate"
- dynamodb_table = "secure-cloud-terraform-tests"
- region = "eu-west-3"
- }
-}